SOX Compliance in Salesforce:
What's in scope, and how to make it simple
It is increasingly common for Salesforce Orgs to be in scope for SOX. Auditors are concerned about revenue-related data and critical business processes on the platform.
The problem is that Orgs are complex, often highly customized, and much of what auditors are most concerned about is hidden away in custom objects or very difficult to track.
On this page, you'll find an overview of the seven things auditors are most concerned about, and some of the ways Strongpoint helps busy Salesforce teams achieve them.
Read on for details, or use the form below to download our newest eBook, Four Steps to a SOX-Compliant Salesforce Org.
Documentation
Not everything in Salesforce is in scope for SOX. Your auditors probably don’t care about marketing operations, for example, because marketing operations typically don’t touch revenue data.
The problem is that unless you have a comprehensive understanding of the customizations and dependencies in your Org — something that’s virtually impossible in all but the smallest businesses — you can’t fully know what’s a material change that’s in scope for SOX, and what isn’t.
Documenting your account is the first step in determining what's relevant to SOX, and building policies to manage it effectively.
How Strongpoint Helps

Strongpoint's dependency relationship diagrams show you how different customizations are connected.
Detailed customization records show you everything you need to know about a customization: who created it, who has access to it, how it has changed and what it is connected to.

NEXT STEPS
Visit our Salesforce Documentation page for more info, demo videos and other resources.
Access Management
For audit purposes, understanding who has access to various parts of your Org is just as important as understanding what’s in your Org. In fact, they’re two sides of the same coin — it’s great to know where revenue-related data is in your Org, but you also need to know who can see it, who can edit it, and who can delete it.
Only specific types of access matter for compliance purposes. The problem is that a complex object in Salesforce may contain multiple custom fields, standard fields, formula fields, record types, picklist values, buttons and links, and permissions on it come from a user's profile plus every permission set assigned to them. Without the right tools, it can be almost impossible to get accurate insights into who can see what.
How Strongpoint Helps

Create policies that monitor for changes to specific profiles or permission sets, and log everything in audit-friendly reports. Strongpoint treats changes to user permissions the same way it treats other metadata, giving you a verifiable audit log showing who changed what and a full diff of what was affected.
Strongpoint gives you easy-to-work-with reports and spreadsheets showing all settings attached to an object, profile or permission set.
Get an in-depth look at everything a user can see and do, find the permissions attached to a profile, and more. Strongpoint makes it easy to perform detailed reviews and determine who has access to in-scope financial data.
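To make the "who can see, edit and delete" question concrete, here is an added Python example (my own code, not Strongpoint's, and not part of the original page) that resolves a user's effective access to in-scope fields from the kind of rows you would export from the ObjectPermissions, FieldPermissions and PermissionSetAssignment objects. The sample rows, permission set ids, user names and the Quote.Discount__c field are constructed and hypothetical; the rule it applies is the real Salesforce one, namely that grants are additive across a profile and all assigned permission sets, and a field is only readable or editable when both the object-level and the field-level grant allow it.

```python
from collections import defaultdict

# Constructed sample data, not taken from any real Org. Row shapes mirror the
# columns of ObjectPermissions, FieldPermissions and PermissionSetAssignment;
# the permission set ids, user names and Quote.Discount__c are hypothetical.
# A profile's own permissions surface in these objects as a permission set with
# IsOwnedByProfile = true, so they are folded in exactly like assigned sets.
IN_SCOPE_FIELDS = {"Opportunity.Amount", "Quote.Discount__c"}

OBJECT_PERMS = [
    {"ParentId": "PS_Sales",   "SobjectType": "Opportunity", "PermissionsRead": True, "PermissionsEdit": True,  "PermissionsDelete": False, "PermissionsModifyAllRecords": False},
    {"ParentId": "PS_Sales",   "SobjectType": "Quote",       "PermissionsRead": True, "PermissionsEdit": False, "PermissionsDelete": False, "PermissionsModifyAllRecords": False},
    {"ParentId": "PS_Finance", "SobjectType": "Opportunity", "PermissionsRead": True, "PermissionsEdit": True,  "PermissionsDelete": True,  "PermissionsModifyAllRecords": False},
    {"ParentId": "PS_Admin",   "SobjectType": "Opportunity", "PermissionsRead": True, "PermissionsEdit": True,  "PermissionsDelete": True,  "PermissionsModifyAllRecords": True},
    {"ParentId": "PS_Admin",   "SobjectType": "Quote",       "PermissionsRead": True, "PermissionsEdit": True,  "PermissionsDelete": True,  "PermissionsModifyAllRecords": True},
]
FIELD_PERMS = [
    {"ParentId": "PS_Sales",   "Field": "Opportunity.Amount", "PermissionsRead": True, "PermissionsEdit": False},
    {"ParentId": "PS_Sales",   "Field": "Quote.Discount__c",  "PermissionsRead": True, "PermissionsEdit": False},
    {"ParentId": "PS_Finance", "Field": "Opportunity.Amount", "PermissionsRead": True, "PermissionsEdit": True},
    {"ParentId": "PS_Admin",   "Field": "Opportunity.Amount", "PermissionsRead": True, "PermissionsEdit": True},
    {"ParentId": "PS_Admin",   "Field": "Quote.Discount__c",  "PermissionsRead": True, "PermissionsEdit": True},
]
ASSIGNMENTS = [
    {"AssigneeId": "alice", "PermissionSetId": "PS_Sales"},
    {"AssigneeId": "alice", "PermissionSetId": "PS_Finance"},
    {"AssigneeId": "bob",   "PermissionSetId": "PS_Sales"},
    {"AssigneeId": "carol", "PermissionSetId": "PS_Admin"},
]


def effective_access(assignments, object_perms, field_perms, in_scope):
    """Return {user: {field: set of verbs}} for the in-scope fields.

    Grants are unioned across everything assigned to the user. "read" needs
    object Read and field Read; "edit" needs object Edit and field Edit;
    "delete" is object-level (Delete, or Modify All Records, which implies it)
    and is attached to the field so reviewers see it next to the data it affects.
    """
    sets_by_user = defaultdict(set)
    for a in assignments:
        sets_by_user[a["AssigneeId"]].add(a["PermissionSetId"])
    obj_by_set = defaultdict(dict)
    for row in object_perms:
        obj_by_set[row["ParentId"]][row["SobjectType"]] = row
    fld_by_set = defaultdict(dict)
    for row in field_perms:
        fld_by_set[row["ParentId"]][row["Field"]] = row

    result = {}
    for user, psets in sets_by_user.items():
        verbs = defaultdict(set)
        for ps in psets:
            for field in in_scope:
                obj = obj_by_set[ps].get(field.split(".")[0])
                if obj is None:
                    continue  # no object grant in this set: nothing to add
                if obj["PermissionsDelete"] or obj["PermissionsModifyAllRecords"]:
                    verbs[field].add("delete")
                fld = fld_by_set[ps].get(field)
                if fld is None:
                    continue  # object grant without field-level security on this field
                if obj["PermissionsRead"] and fld["PermissionsRead"]:
                    verbs[field].add("read")
                if obj["PermissionsEdit"] and fld["PermissionsEdit"]:
                    verbs[field].add("edit")
        result[user] = dict(verbs)
    return result


def flag_write_access(access):
    """List (user, field, verb) for every edit or delete grant on in-scope data,
    which is the set a reviewer has to justify for the auditor."""
    return sorted(
        (user, field, verb)
        for user, fields in access.items()
        for field, verbs in fields.items()
        for verb in verbs
        if verb in ("edit", "delete")
    )


if __name__ == "__main__":
    access = effective_access(ASSIGNMENTS, OBJECT_PERMS, FIELD_PERMS, IN_SCOPE_FIELDS)
    for user, field, verb in flag_write_access(access):
        print(f"{user:6} {verb:6} {field}")
```

Note what this does and does not show: it resolves the declared grants, which is what an auditor asks for first, and it surfaces the union effect (alice gets edit and delete on Opportunity.Amount only because PS_Finance is stacked on PS_Sales). It does not account for sharing rules, record-level access, system permissions such as Modify All Data, or Apex that runs in system mode, so treat its output as the starting list for a review, not the final answer.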

NEXT STEPS
Visit our Salesforce Access Management page for more info, demo videos and other resources.
Impact Analysis
Together, documentation and access review give you the layout of your Org. Impact analysis shows you how to navigate it. When you can see the impact of a potential change, you can know whether or not it affects anything in scope for SOX, and ensure that it undergoes the appropriate reviews and approvals.
Impact analysis in Salesforce is just as important from a resource allocation standpoint. The fact is that most changes are non-material and safe to make. When you can immediately identify those changes, you can avoid hours of discovery and free up your team to focus on what's most important.
How Strongpoint Helps

Strongpoint gives you detailed reports for analyzing the impact of a proposed change. Our impact reports show you all the customizations on a base record, as well as their dependencies. This method is particularly useful for investigating and reviewing changes in multiple customizations at once.
If you use Jira or ServiceNow to manage tickets, you can access Strongpoint's impact analysis directly at the ticket level, and get a comprehensive list of related customizations that will be affected by a potential change.
You can also sync Jira/ServiceNow tickets to change requests in Strongpoint, so the impact analysis and the approval, if one is required, are collected in an audit-ready report.
Strongpoint lets you build out specific change policies and approval requirements based on risk.
In the Strongpoint policy record, you specify which types of changes require a full SDLC, which require testing in a sandbox, which require approval, which can be handled via a process issue, and which are simply logged, i.e. they are safe and require no additional investigation.

NEXT STEPS
Visit our Salesforce Impact Analysis page for more info, demo videos and other resources.
Change Enablement
Not all development activity in Salesforce requires review. But in a mature Org, risk factors can be complex — if your team makes a change to a custom object or field without knowing its impact, it may accidentally break a business-critical process, or affect financial reporting and SOX compliance.
The problem is that there is no easy way to know what’s safe to change and what requires review. As a result, Salesforce teams are faced with two extremes: spend hours on discovery with each change — something that’s virtually impossible to do in a busy Org — or accept risk and manage things reactively when something breaks.
In reality, most Salesforce teams will do a mix of both, relying on institutional knowledge and, often, luck, to decide what requires review. But what if there was a way to formalize and automate this, and base decisions on actionable intelligence rather than one admin’s understanding of the system?
How Strongpoint Helps

Strongpoint automatically records every change in your Org in a change log: an immutable, date- and time-stamped record containing a full, detailed diff showing what changed and when.
Strongpoint lets you create a set of rules to automatically elevate certain types of changes that require extra scrutiny. Simple declarative changes can be immediately identified and fast tracked without further investigation. More complex changes can be handled via a process issue or change request (in Jira, ServiceNow, or using Strongpoint’s native change management system).
Strongpoint is a true closed loop change management system. Every change to metadata is captured in an immutable log. Every completed change is reconciled back to an originating request and, if necessary, an approval.
Every change and approval is checked for compliance with the policies you’ve set out. Anything that doesn’t follow policy is captured in a noncompliant changes report for review and clearance.
The best part? Changes to your policies are logged and monitored using the same process. This makes it impossible to alter an approval after the fact or artificially resolve a noncompliant change.
In other words, the whole process is airtight and fully validated — something that’s critical to security, governance and audit readiness.

NEXT STEPS
Visit our Salesforce Change Enablement page for more info, demo videos and other resources.
Reporting and Reconciliation
How easy is it for your team to get a complete view of the material changes taking place in your Org? Can you view changes by person, by object and by type? Can you reconcile your audit log with your Jira tickets, and demonstrate why changes were made?
These are all things your auditors may ask to see. If you can’t produce these reports automatically, you and your team will need to manually sort through your audit trail, at great effort and expense. And if you don’t do it ahead of time, you’ll run the risk of your auditors finding deficiencies, which will be even more costly to address.
How Strongpoint Helps

The 'What Changed' report is your at-a-glance record of all development activity in your Org.
See what happened and whether it followed policy, and link to Strongpoint's change logs for a full diff of the changes.
It's no good to have an Excel doc or email chain approving a change if you can't reconcile it with development activity in your Org.
Demonstrating that change requests and approvals are tied to a verifiable log is a key part of passing an audit and maintaining the overall integrity of your Org. Normally, this requires hours, if not days, of manual reconciliation. Strongpoint solves this problem — by doing the work for you!
With Strongpoint up and running in your system, passing an audit is as easy as printing out three reports:
Compliant Changes
This report shows all changes that followed policy, i.e. everything that was reviewed and approved according to the process set out in your policy records, plus everything that Strongpoint determined to be non-material and safe to change.
Resolved Noncompliant Changes
This report shows everything that didn't follow policy, such as emergency hotfixes, together with the steps you've taken to resolve it.
Unresolved Noncompliant Changes
This report shows everything that didn't follow policy and is still under review. Ideally, it should be empty when you head into audit! Many Salesforce teams schedule weekly or monthly standing meetings to review and clear out whatever outliers remain in the system.
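The closed-loop reconciliation described under Change Enablement and the three reports above are the same computation: every logged change is matched against policy and, when material, against an approval. Here is an added Python example (my own code, not Strongpoint's) that performs that reconciliation over constructed data. The policy table, change log, change requests, resolutions, user names and component names are hypothetical; SBQQ__ is the real Salesforce CPQ namespace, but the field names under it are made up. It goes slightly beyond the text in that it also enforces two checks an auditor will expect to see: the approver may not be the person who made the change, and an approval must predate the change it covers.

```python
from datetime import datetime
from fnmatch import fnmatch

# Constructed sample data, not from any real Org. Components, ticket ids, users
# and timestamps are hypothetical; SBQQ__ is the Salesforce CPQ namespace.
POLICIES = [
    ("Lead.*", "log"),                  # non-material: logged, no review needed
    ("Opportunity.Amount", "approval"), # revenue field: approved change request required
    ("SBQQ__*", "approval"),            # CPQ configuration is in scope
]
CHANGES = [  # one row per metadata change, as a change log would record it
    {"id": "chg-1", "component": "Lead.Rating",                     "user": "bob",   "at": "2024-03-01T10:00:00"},
    {"id": "chg-2", "component": "Opportunity.Amount",              "user": "alice", "at": "2024-03-01T11:00:00"},
    {"id": "chg-3", "component": "SBQQ__PriceRule__c.Discount__c",  "user": "alice", "at": "2024-03-01T12:00:00"},
    {"id": "chg-4", "component": "SBQQ__PriceCondition__c.Value__c","user": "carol", "at": "2024-03-01T13:00:00"},
    {"id": "chg-5", "component": "Opportunity.Amount",              "user": "bob",   "at": "2024-03-01T15:00:00"},
]
REQUESTS = [  # approved change requests (e.g. synced from Jira/ServiceNow)
    {"id": "CR-1", "component": "Opportunity.Amount",               "requester": "alice", "approver": "dana",  "approved_at": "2024-03-01T10:30:00"},
    {"id": "CR-2", "component": "SBQQ__PriceRule__c.Discount__c",   "requester": "alice", "approver": "alice", "approved_at": "2024-03-01T11:45:00"},
    {"id": "CR-3", "component": "SBQQ__PriceCondition__c.Value__c", "requester": "carol", "approver": "dana",  "approved_at": "2024-03-01T14:00:00"},
]
RESOLUTIONS = {  # noncompliant changes that have been reviewed and cleared
    "chg-3": "Emergency hotfix; retro-approved by dana under INC-42",
}


def policy_for(component, policies=POLICIES):
    """First matching policy wins. Anything no policy names is treated as
    material, so an undocumented customization cannot slip through as 'safe'."""
    for pattern, level in policies:
        if fnmatch(component, pattern):
            return level
    return "approval"


def approval_problem(change, available):
    """Return None and consume the first approval that validly covers the change,
    otherwise return the reason no approval covers it. One approval covers one
    change, so a ticket approved once cannot be reused to justify later edits."""
    when = datetime.fromisoformat(change["at"])
    reasons = []
    for req in available:
        if req["component"] != change["component"]:
            continue
        if datetime.fromisoformat(req["approved_at"]) > when:
            reasons.append(f"{req['id']} was approved after the change")
        elif req["approver"] == change["user"]:
            reasons.append(f"{req['id']} was approved by the person who made the change")
        else:
            available.remove(req)
            return None
    return "; ".join(reasons) or "no change request covers this component"


def reconcile(changes, requests, policies=POLICIES, resolutions=RESOLUTIONS):
    """Bucket every change into the three audit reports: compliant,
    resolved noncompliant, unresolved noncompliant. Each entry is (id, reason)."""
    report = {"compliant": [], "resolved": [], "unresolved": []}
    available = list(requests)  # copy: matching consumes approvals
    for change in sorted(changes, key=lambda c: c["at"]):
        if policy_for(change["component"], policies) == "log":
            report["compliant"].append((change["id"], "non-material per policy"))
            continue
        problem = approval_problem(change, available)
        if problem is None:
            report["compliant"].append((change["id"], "covered by an approved change request"))
        elif change["id"] in resolutions:
            report["resolved"].append((change["id"], f"{problem}; resolved: {resolutions[change['id']]}"))
        else:
            report["unresolved"].append((change["id"], problem))
    return report


if __name__ == "__main__":
    for bucket, rows in reconcile(CHANGES, REQUESTS).items():
        print(bucket)
        for change_id, reason in rows:
            print(f"  {change_id}: {reason}")
```

On the sample data chg-1 is compliant because policy marks it non-material, chg-2 is compliant because CR-1 was approved by someone else before the change, chg-3 lands in the resolved report because its only request was self-approved, chg-4 is unresolved because CR-3 was approved after the fact, and chg-5 is unresolved because CR-1 was already consumed by chg-2. That last case is the one a spreadsheet of approvals tends to miss: an old approval on the same field is not evidence for a new change.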

NEXT STEPS
Visit our Salesforce Reporting and Reconciliation page for more info, demo videos and other resources.
Deployment
Deploying with Salesforce change sets is time-consuming. And, for areas where SOX is in scope or security is a concern, change sets provide no way of enforcing separation of duties between the users who develop a change and the users who deploy it.
Too often, Salesforce teams are stuck between productivity and compliance — and the ability to evolve your Org effectively suffers as a result.
How Strongpoint Helps

Automate critical decisions about the appropriate approvals, testing and release processes required for different types of changes.
Instantly get a full diff of changes between production, testing and sandbox Orgs.
Troubleshoot and validate deployments across multiple environments.

NEXT STEPS
Visit our Salesforce Deployment page for more info, demo videos and other resources.
Configuration Data
For many teams, monitoring configuration data is the hardest part of SOX compliance. In the CPQ application, for example, important rules about products, prices, discounts and approvals are stored as data in custom objects rather than as metadata. Getting visibility into changes to that data is incredibly time-consuming, and there are few options for preventing changes that could put compliance in jeopardy.
This isn't limited to CPQ, either. The Billing application and many others that touch revenue-related data are all potentially in scope. If your auditors aren't asking about them yet, it's highly likely that they will in the future.
How Strongpoint Helps

Strongpoint treats configuration data with the same scrutiny it applies to Apex and declarative metadata in your Org.
Then, Strongpoint gives you a systematic way to focus on in-scope Objects and create highly granular policies to track and monitor them.
Strongpoint lets you create mitigating controls that automatically block changes to critical CPQ rules.
As a result, Strongpoint customers no longer have to rely on field history reports and manual review to ensure CPQ and other configuration data is protected. Auditors are satisfied, audit costs go down and IT leadership can rest easy knowing there will be no surprises.
Strongpoint gives you the option of blocking risky changes that lack prior approval. This is often used for pricing and discount data, which impact revenue directly. If a user attempts to change a field that has blocking enabled, the change is rejected unless a change request has been submitted and approved in advance.
In the screenshot, Strongpoint has automatically blocked a change to the 'Price' field in the Block Price customization because it didn't have an approved change request.

NEXT STEPS
Visit our Salesforce Configuration Data page for more info, demo videos and other resources.
Learn More

Get in touch to book a free needs assessment with one of our SOX compliance experts. We'll provide a comprehensive review of your system, your processes and your setup — and let you know if Strongpoint can help make the compliance process fast and simple.