Salesforce Configuration Data

Track, monitor and manage what auditors are most concerned about 

Get Your Org SOX Compliant

Salesforce apps like CPQ and Billing store important rules about products, prices, discounts, and approvals as configuration data in custom Objects. The problem? Those rules could affect revenue recognition and, as a result, auditors are increasingly concerned about how you track and manage them. 

Public companies and large organizations with internal governance requirements may be required to show that they’re on top of changes to these Objects. It’s becoming an increasingly common issue for SOX compliance, and may be required for other standards, as well. 

Salesforce doesn’t give you any way of tracking changes to these Objects — but Strongpoint does.

How Does Strongpoint Help?

Strongpoint treats revenue-related data in CPQ, Billing and other apps with the same scrutiny it applies to other Apex metadata in your Org. It is the only native solution that gives you visibility into changes to configuration data. It also lets you create mitigating controls that automatically block changes to critical CPQ rules.

As a result, Strongpoint customers no longer have to rely on field history reports and manual review to ensure CPQ and other configuration data is protected. Auditors are satisfied, audit costs go down and IT leadership can rest easy knowing there will be no surprises.

Salesforce and SOX: An Overview

Salesforce teams didn't always have to worry about regulatory compliance. But as the platform has evolved, that's changed. Now, auditors are starting to look at how public companies are handling revenue-related data in their Orgs.

What's In Scope?

Our customers have found that SOX auditors are typically looking at three things, in descending order of significance:

Applications — CPQ is the main example, though Revenue Cloud, Billing and others are also potentially applicable — that materially contribute to a company's financial records. 

Processes and applications — for example, provisioning processes — that materially contribute to a company's ability to meet its forecasts.

Systems and processes — such as role and permission assignments — that protect critical business data from abuse and fraud. 

What Do Auditors Want to See?

Our customers have found that SOX auditors are typically looking at these things, in descending order of significance:

Get the eBook

Four Steps to a SOX-Compliant Salesforce Org

Focus on what's in scope

Monitor Critical Financial Objects

Without clear guidelines on what’s in scope for compliance, every change needs to be reviewed to see if it could affect revenue recognition. But the reality is that most configuration data isn’t of concern to auditors.   

Strongpoint starts by giving you a systematic way to focus on in-scope Objects and create highly granular policies to track and monitor them. Track changes to CPQ rules and create blocking controls that prevent changes to critical data records without pre-approval.

With Strongpoint, you can do this all without relying on Field History reports — and capture everything those reports don't. As a result, your team can focus on the Objects that are most important to auditors, and you can move forward knowing your critical data is protected.

Capture changes that can't be tracked by Field Histories

Create granular change policies for critical data

Block changes to CPQ rules that could affect revenue recognition

Track everything in audit-ready, immutable logs

Key Features

Specify the process and required approver for an individual metadata or data record. Widen or narrow the scope of the policy according to your compliance requirements.

Here's a look at the Pricing Policy record — currently all fields are set to "Log Only," though Strongpoint lets you require a policy record, change request, testing in Sandbox, or even a full SDLC. Check out our Change Enablement page for more info about creating custom policies:

Just as it does for metadata in your Org, Strongpoint tracks all in-scope changes to configuration data in audit-ready logs. This gives you a detailed record of any change you — or your auditors — could potentially be concerned about, with a full diff and a detailed approval trail, if required. 

These change logs are collected for review in a list view. Here's what it looks like:

Strongpoint gives you the option of blocking risky changes that lack prior approval. This is often used for pricing and discount data, which impacts revenue directly. If a user attempts to change a field that has blocking enabled, they will be unable to do so unless a change request has been submitted in advance.

In this screenshot, we can see that Strongpoint has automatically blocked a change to the 'Price' field in the Block Price customization because it didn't have an approved change request:

Watch a Demo:

Creating Policy Records

Here's Strongpoint's resident Salesforce expert, Rick Roesler, walking you through how to create custom change policies for CPQ rules.

Stress-free SOX audits

Reporting and Governance

We designed Strongpoint's configuration data tools to help public and pre-IPO companies build out SOX-compliant change policies. Many of our customers were finding that auditors were asking for this information, which was impossible to access using Salesforce's standard feature set. 

The result is that, with Strongpoint, passing an audit is extremely easy. All activity around in-scope objects is tracked in a closed-loop system — and passing an audit is as easy as printing three reports, showing what followed policy (and why), what didn't (and how it was resolved), and everything outstanding.

As a result, our customers are eliminating up to 90% of the work around SOX compliance in Salesforce — and freeing their team members to focus on more important goals.

Eliminate 90% of audit prep work by avoiding manual review

Reconcile in-scope changes to originating requests and approvals

Eliminate the stress and uncertainty of quarterly audits

Collect noncompliant changes in a single report for review

Key Features

Strongpoint change policies can be configured to block changes to your most sensitive data unless they have prior approval. To enable development, they can also track changes for compliance with your policy, without blocking them outright.

Here's a list view showing just how granular these policies can get:

With tracking or blocking enabled, Strongpoint will reconcile the completed change back to the request/approval, so you have a verifiable audit trail showing how a change passed through your system. 

With policies defining what's in scope for SOX, Strongpoint makes passing an audit as easy as printing out three reports. 

The Compliant Changes report showing everything that followed policy and had the proper approval.

The Noncompliant Changes Resolved report showing everything that didn't initially follow policy, but was later reviewed and cleared by your team. 

The Open Noncompliant Changes report showing everything that didn't initially follow policy but is still under review. Ideally, this will be empty when you head into audit. 

Here's what the Compliant Changes report looks like — note that you can easily see a full diff of the change:

If you use Jira or ServiceNow to handle change tickets in Salesforce, don't worry — Strongpoint integrates seamlessly with both platforms. 

Here's a clip showing the integration in action:

Watch a Webinar

Strongpoint CPQ Walkthrough

Learn how to track and manage CPQ configuration data — and get your Org ready for audit.

Next Step:

Book a Meeting

Find the right Strongpoint solution for you — and see it in action in your Org.

Alternately, learn how other Strongpoint users are saving time and money in our Customer Stories.