What's in scope, and how to make it simple
Four Steps to a SOX-Compliant Salesforce Org
It is increasingly common for Salesforce Orgs to be in scope for SOX. Auditors are concerned about revenue-related data and critical business processes on the platform.
The problem is that Orgs are complex, often highly customized, and much of what auditors are most concerned about is hidden away in custom objects or very difficult to track.
SOX and Salesforce: How Strongpoint Helps
Automatic Org Documentation
Not everything in Salesforce is in scope for SOX. Your auditors probably don’t care about marketing operations, for example, because marketing operations typically don’t touch revenue data. For this reason, documenting the customizations in your account is the first step in determining what's relevant to SOX.
Strongpoint is the only Salesforce-native tool that scans your Org on an ongoing basis and indexes all metadata and the connections within it. It then gives you a set of tools for tracking how these customizations change over time and how they're connected.
For audit purposes, understanding who has access to various parts of your Org is just as important as understanding what’s in your Org. In fact, they’re two sides of the same coin — it’s great to know where revenue-related data is in your Org, but you also need to know who can see it, who can edit it, and who can delete it.
Strongpoint treats changes to user permissions the same way it treats other metadata — giving you a verifiable audit log showing who changed what, and a full diff of what was affected. You'll also get tools for drilling down into specific Objects, fields, profiles, permission sets, and users, for a granular look at who can see and do what in your Org.
Strongpoint lets you build out specific change policies and approval requirements based on automatic impact analysis, routing more complex changes to the proper authority. When you can immediately identify material changes, you can avoid hours of discovery and free up your team to focus on what’s most important.
If you use Jira or ServiceNow to manage tickets, you can access Strongpoint's impact analysis directly at the ticket level, and get a comprehensive list of related customizations that will be affected by a potential change.
Strongpoint identifies simple declarative changes and fast-tracks them without further investigation. Changes with business or regulatory risk — changes that could impact SOX compliance — are required to be handled via a process issue or change request, or tested across a full SDLC.
Everything is checked for compliance with the policies you’ve set out. Anything that doesn’t follow policy is captured in a noncompliant changes report for review and clearance. And if you try to change a policy, that's logged and monitored using the same process — creating an airtight and, most importantly, audit-ready system.
Reporting and Reconciliation
How easy is it for your team to get a complete view of the material changes taking place in your Org? Can you view changes by person, by object and by type? Can you reconcile your audit log with your Jira tickets, and demonstrate why changes were made?
Strongpoint automatically reconciles changes that took place in your Org with their originating requests and approvals. As a result, passing an audit is as easy as printing out three reports showing you — and your auditors — all changes that followed policy, all changes that didn't but were resolved after the fact, and everything still outstanding.
Configuration data in CPQ, Billing and related applications contains important rules about products, prices, discounts, and approvals that could affect revenue recognition. Unfortunately, tracking changes to this data is virtually impossible — unless you have Strongpoint.
Strongpoint gives you a systematic way to identify, track and monitor changes to configuration data for in-scope custom Objects. Custom policies allow you to create mitigating and blocking controls that protect critical CPQ rules and eliminate your reliance on field history reports and manual review at audit time.
See Strongpoint in Action — Book a Demo
Get in touch to book a free needs assessment with one of our SOX compliance experts. We'll provide a comprehensive review of your system, your processes and your setup — and let you know if Strongpoint can help make the compliance process fast and simple.