SOX Compliance in Salesforce:

What's in scope, and how to make it simple

It is increasingly common for Salesforce Orgs to be in scope for SOX. Auditors are concerned about revenue-related data and critical business processes on the platform.

The problem is that Orgs are complex, often highly customized, and much of what auditors are most concerned about is hidden away in custom objects or very difficult to track. 

On this page, you'll find an overview of the seven things auditors are most concerned about, and some of the ways Strongpoint helps busy Salesforce teams achieve them. 

Read on for details, or use the form below to download our newest eBook, Four Steps to a SOX-Compliant Salesforce Org.

Download today: Four Steps to a SOX-Compliant Salesforce Org

Documentation

Not everything in Salesforce is in scope for SOX. Your auditors probably don’t care about marketing operations, for example, because marketing operations typically don’t touch revenue data. 

The problem is that unless you have a comprehensive understanding of the customizations and dependencies in your Org — something that’s virtually impossible in all but the smallest businesses — you can’t fully know what’s a material change that’s in scope for SOX, and what isn’t.

Documenting your account is the first step in determining what's relevant to SOX, and building policies to manage it effectively. 

How Strongpoint Helps


Next Steps

Visit our Salesforce Documentation page for more info, demo videos and other resources.  

Access Management

For audit purposes, understanding who has access to various parts of your Org is just as important as understanding what’s in your Org. In fact, they’re two sides of the same coin — it’s great to know where revenue-related data is in your Org, but you also need to know who can see it, who can edit it, and who can delete it. 

Only specific types of access matter for compliance purposes. The problem is that a complex object in Salesforce may contain multiple custom fields, standard fields, formula fields, record types, picklist values, buttons and links — without the right tools, it can be almost impossible to get accurate insight into who can see what.

How Strongpoint Helps


Next Steps

Visit our Salesforce Access Management page for more info, demo videos and other resources.  

Impact Analysis

Together, documentation and access review give you the layout of your Org. Impact analysis shows you how to navigate it. When you can see the impact of a potential change, you can know whether or not it affects anything in scope for SOX, and ensure that it undergoes the appropriate reviews and approvals. 

Impact analysis in Salesforce is just as important from a resource allocation standpoint. The fact is that most changes are non-material and safe to make. When you can immediately identify those changes, you can avoid hours of discovery and free up your team to focus on what’s most important.

How Strongpoint Helps


Next Steps

Visit our Salesforce Impact Analysis page for more info, demo videos and other resources.  

Change Enablement

Not all development activity in Salesforce requires review. But in a mature Org, risk factors can be complex — if your team makes a change to a custom object or field without knowing its impact, it may accidentally break a business-critical process, or affect financial reporting and SOX compliance. 

The problem is that there is no easy way to know what’s safe to change and what requires review. As a result, Salesforce teams are faced with two extremes: spend hours on discovery with each change — something that’s virtually impossible to do in a busy Org — or accept risk and manage things reactively when something breaks. 

In reality, most Salesforce teams will do a mix of both, relying on institutional knowledge and, often, luck, to decide what requires review. But what if there was a way to formalize and automate this, and base decisions on actionable intelligence rather than one admin’s understanding of the system?

How Strongpoint Helps


Next Steps

Visit our Salesforce Change Enablement page for more info, demo videos and other resources.  

Reporting and Reconciliation

How easy is it for your team to get a complete view of the material changes taking place in your Org? Can you view changes by person, by object and by type? Can you reconcile your audit log with your Jira tickets, and demonstrate why changes were made? 

These are all things your auditors may ask to see. If you can’t produce these reports automatically, you and your team will need to manually sort through your audit trail, at great effort and expense. And if you don’t do it ahead of time, you’ll run the risk of your auditors finding deficiencies, which will be even more costly to address.

How Strongpoint Helps


Next Steps

Visit our Salesforce Reporting and Reconciliation page for more info, demo videos and other resources.  

Deployment

Deploying with Salesforce change sets is time-consuming. And, for areas where SOX is in scope or security is a concern, it provides no way of enforcing separation of duties between the users who develop changes and the users who deploy them.

Too often, Salesforce teams are stuck between productivity and compliance — and the ability to evolve your Org effectively suffers as a result.

How Strongpoint Helps


Next Steps

Visit our Salesforce Deployment page for more info, demo videos and other resources.  

Configuration Data

For many teams, monitoring configuration data is the hardest part of SOX compliance. In the CPQ application, for example, important rules about products, prices, discounts, and approvals are stored as data in custom objects. Getting visibility into changes to this data is incredibly time-consuming, and there are few options for preventing changes that could put compliance in jeopardy.

This isn’t limited to CPQ, either. The Billing application and many others that touch revenue-related data are all potentially in scope. If your auditors aren't asking about them yet, it’s highly likely that they will in the future.

How Strongpoint Helps


Next Steps

Visit our Salesforce Configuration Data page for more info, demo videos and other resources.  

Learn More

Get in touch to book a free needs assessment with one of our SOX compliance experts. We'll provide a comprehensive review of your system, your processes and your setup — and let you know if Strongpoint can help make the compliance process fast and simple.