SOX Compliance:

What's in scope, and how to make it simple

Four Steps to a SOX-Compliant Salesforce Org

It is increasingly common for Salesforce Orgs to be in scope for SOX. Auditors are concerned about revenue-related data and critical business processes on the platform.

The problem is that Orgs are complex, often highly customized, and much of what auditors are most concerned about is hidden away in custom objects or very difficult to track. 

Read on for details, or use the form to download our newest eBook, Four Steps to a SOX-Compliant Salesforce Org.

Four Steps to a SOX-Compliant Salesforce Org eBook
"Strongpoint is a compliance dream" AppExchange review
"Audit controls made easier" AppExchange review
"Strongpoint has been an outstanding partner for us" AppExchange review
"Our team has saved a great deal of time" AppExchange review

SOX and Salesforce:

How Strongpoint Helps

Automatic Org Documentation

Not everything in Salesforce is in scope for SOX. Your auditors probably don’t care about marketing operations, for example, because marketing operations typically don’t touch revenue data. For this reason, documenting the customizations in your account is the first step in determining what's relevant to SOX.

Strongpoint is the only Salesforce-native tool that scans your Org on an ongoing basis and indexes all metadata, and the connections between it. Then, it gives you a set of tools for tracking how these customizations change over time, and how they're connected.

Automated Salesforce Documentation

Access Management

For audit purposes, understanding who has access to various parts of your Org is just as important as understanding what’s in your Org. In fact, they’re two sides of the same coin — it’s great to know where revenue-related data is in your Org, but you also need to know who can see it, who can edit it, and who can delete it.

Strongpoint treats changes to user permissions the same way it treats other metadata — giving you a verifiable audit log showing who changed what, and a full diff of what was affected. You'll also get tools for drilling down into specific Objects, fields, profiles, permission sets, and users, for a granular look at who can see and do what in your Org.  

Salesforce Access Management

Impact Analysis

Strongpoint lets you build out specific change policies and approval requirements based on automatic impact analysis,  routing more complex changes to the proper authority. When you can immediately identify material changes, you can avoid hours of discovery and free up your team to focus on what’s most important. 

If you use Jira or ServiceNow to manage tickets, you can access Strongpoint's impact analysis directly at the ticket level, and get a comprehensive list of related customizations that will be affected by a potential change. 

Salesforce Impact Analysis

Change Enablement

Strongpoint identifies simple declarative changes and fast tracks them without further investigation. Changes with business or regulatory risk — changes that could impact SOX compliance — are required to be handled via a process issue or change request, or tested across a full SDLC.  

Everything is checked for compliance with the policies you’ve set out. Anything that doesn’t follow policy is captured in a noncompliant changes report for review and clearance. And if you try to change a policy, that's logged and monitored using the same process — creating an airtight and, most importantly, audit-ready, system.

Salesforce Change Enablement

Reporting and Reconciliation

How easy is it for your team to get a complete view of the material changes taking place in your Org? Can you view changes by person, by object and by type? Can you reconcile your audit log with your Jira tickets, and demonstrate why changes were made? 

Strongpoint automatically reconciles changes that took place in your Org with their originating requests and approvals. As a result, passing an audit is as easy as printing out three reports showing you — and your auditors — all changes that followed policy, all changes that didn't but were resolved after the fact, and everything still outstanding. 

Salesforce Change Reporting

Configuration Data

Configuration data in CPQ, Billing and related applications contain important rules about products, prices, discounts, and approvals that could affect revenue recognition. Unfortunately, tracking changes to this data is virtually impossible — unless you have Strongpoint. 

Strongpoint gives you a systematic way to identify, track and monitor changes to configuration data for in-scope custom Objects. Custom policies allow you to create mitigating and blocking controls that protect critical CPQ rules and eliminate your reliance on field history reports and manual review at audit time. 

Salesforce Configuration Data

Check out a recent case study to learn how one Strongpoint customer is prepping for SOX with automated change controls.


“It’s not just a ‘nice to have.’ It’s kind of a necessity.”

Strongpoint Customer

Canva Design DAFAaJsAc1Q-1

See Strongpoint in Action — Book a Demo

Get in touch to book a free needs assessment with one of our SOX compliance experts. We'll provide a comprehensive review of your system, your processes and your setup — and let you know if Strongpoint can help make the compliance process fast and simple.