SOX and Salesforce: Is Your Org Audit-Ready?

It is increasingly common for Salesforce Orgs to be in scope for SOX. Auditors are concerned about revenue-related data and critical business processes on the platform. Their concerns boil down to three different groups:

Access
Metadata
Configuration Data

The problem is that Orgs are complex, often highly customized, and much of what auditors are most concerned about is hidden away in custom objects or very difficult to track.

Adding to the problem, most Salesforce teams are busy enough as it is, no one's really sure what your auditors will want to see, and CPQ systems, for example, are so critical to core business processes that leadership is hesitant to make changes that could impact them.

The result is a lot of stress for everyone. And if your auditors identify material deficiencies, the time and expense of addressing them can be astronomical.

Fortunately, there is an easier way.

“My confidence in my team went through the roof after we implemented Strongpoint”

Ben Fuller brought Strongpoint into healthcare provider LifeWorks to apply governance across their entire process. He was looking for a change management system that would bring order, but also make things more efficient.

Leveraging the best practices built into Strongpoint, as well as expertise of our Customer Success Managers, Ben was able to get up and running quickly. And when he saw his team adopt Strongpoint, it increased his confidence that the project would be a success.

⭐⭐⭐⭐⭐

We implemented Strongpoint to ensure we could prove to auditors that no unapproved changes made their way into production without review.

Strongpoint monitors changes with precision so we can monitor all changes but only flag those that are in scope and not need to sort through thousands of logs for relevant changes. It also gives us the ability to manage the approval/review processes as part of our deployment processes and the evidence necessary to make the auditors comfortable that we know exactly what changed and what didn't.

They've even thought ahead to build the "controls on top of the controls" - so you can show your auditors that configurations for what gets logged/monitored requires an approved change request or it can't be changed.

Great tool and great partners to get through what can be an otherwise challenging process.

— AppExchange review

“We would probably have crashed and burned without Strongpoint”

Michelle Hash first used Strongpoint at automotive parts supplier Aptiv. There, she needed to make a major organizational change within her Org and needed to be sure it was safe. A consultant had told her that only four critical reports would be affected.

After running Strongpoint, she found seven others. Had she not, these reports would have been missed — and could have affected critical business process. “We would probably have crashed and burned if we hadn’t been introduced to Strongpoint at that point, because this was a high failure point for our leadership.”

Not everything in Salesforce is in scope for SOX. Your auditors probably don’t care about marketing operations, for example, because marketing operations typically don’t touch revenue data.

The problem is that unless you have a comprehensive understanding of the customizations and dependencies in your Org — something that’s virtually impossible in all but the smallest businesses — you can’t fully know what’s a material change that’s in scope for SOX, and what isn’t.

How Strongpoint Helps

Every Strongpoint implementation starts by scanning your Org and indexing every customization and dependency. Strongpoint then continues to monitor your system, tracking every change to Standard or Custom Objects and Fields, Roles, Profiles and Permission Sets, List Views, Reports and Dashboards, and other types of Apex Metadata.

Exclusive Strongpoint tools such as Dependency Relationship Diagrams and the Customization Finder help you analyze and search this data, so you always have an accurate, up-to-date understanding of the customizations and dependencies in your Org. With great documentation and powerful tools to work with it, you can instantly see what’s in scope for SOX, and know where to dedicate resources in the lead up to an audit.

For audit purposes, understanding who has access to various parts of your Org is just as important as understanding what’s in your Org. In fact, they’re two sides of the same coin — it’s great to know where revenue-related data is in your Org, but you also need to know who can see it, who can edit it, and who can delete it.

There are only specific types of access that matter for compliance purposes. The problem is that a complex object in Salesforce may contain multiple custom fields, standard fields, formula fields, record types, picklist values, buttons and links — without the right tools, it can be almost impossible to get accurate insights into who can see what.

How Strongpoint Helps

Strongpoint’s Object Export tools allow you to quickly perform an access review for individual profiles and permission sets, or look closely at specific Objects and see who can view, edit or delete the various fields, values and links attached to them.

Knowing this is essential to building out SOX-compliant change policies/controls, but in a mature Org, it can take days of work. Strongpoint greatly simplifies this by giving you reports containing exactly what you need to know to move forward.

Together, documentation and access review give you the layout of your Org. Impact analysis shows you how to navigate it. When you can see the impact of a potential change, you can know whether or not it affects anything in scope for SOX, and ensure that it undergoes the appropriate reviews and approvals.

Impact analysis in Salesforce is just as important from a resource allocation standpoint. The fact is the most changes are non-material and safe to make. When you can immediately identify those changes, you can avoid hours of discovery and free up your team to focus on what’s most important.

How Strongpoint Helps

Strongpoint’s impact analysis tools leverage its comprehensive understanding of the customizations and dependencies in your Org to give you the most accurate, actionable assessment of what’s safe and what requires review.

Strongpoint is the only Salesforce impact analysis tool that can tell you, for example, whether or not a change to a custom field will affect the opportunity-to-order process, and potentially impact Revenue Recognition. To maintain compliance, changes like this will require more rigorous review than something that only impacts, for example, a sales activity dashboard.

With impact analysis to define the risk and scope of a proposed change, the next step is to build formal policies based on that risk. With a set of rules to identify what types of changes that are in scope for SOX, you can streamline your change management process by automatically elevating risky changes to the proper authority.

Change controls also help you produce accurate, audit-ready reports, showing your auditors that safe, compliant changes were quickly identified and cleared, and that non-compliant changes were resolved according to policy.

How Strongpoint Helps

Strongpoint makes it easy to quickly implement change controls/policies in your Org. Simple declarative changes can be automatically approved, while those that require more resources are given the appropriate scrutiny.

This, in turn, helps you maintain a validated, SOX-compliant Org, while freeing up your Center of Excellence and as a result maintaining the pace of change required of a growing public company.

If change controls are your policies, change management is your process for enacting them. A key part of passing an audit is demonstrating that change requests and approvals are tied to a verifiable audit log. Normally, this requires hours, if not days, of manual reconciliation.

Worst of all, most change management systems are inflexible. Changes that don’t follow the right process, whether due to human error or the need for a hotfix, can easily fall through the cracks, leading to material deficiencies in audit that are expensive and time-consuming to address.

How Strongpoint Helps

Strongpoint offers a true ‘closed-loop’ change management system that tracks everything happening in your Org and automatically reconciles deployed changes back to their originating request and approval. Anything that did not follow the right process/policy is collected in a single report for review and clearance.

If you use Jira/ServiceNow to manage changes in Salesforce, Strongpoint integrates seamlessly with both systems, so there’s no need to retrain your team or abandon the processes that have been working for you in the past — you’ll simply enjoy an added layer of accountability and stress less knowing you have a system in place that will help you stay SOX compliant.

How easy is it for your team to get a complete view of the material changes taking place in your Org? Can you view changes by person, by object and by type? Can you reconcile your audit log with your Jira tickets, and demonstrate why changes were made?

These are all things your auditors may ask to see. If you can’t produce these reports automatically, you and your team will need to manually sort through your audit trail, at great effort and expense. And if you don’t do it ahead of time, you’ll run the risk of your auditors finding deficiencies, which will be even more costly to address.

How Strongpoint Helps

We designed Strongpoint to provide easy answers to some of the most critical questions an auditor may ask. Our change management system automatically reconciles your audit log, showing your and your auditors what changed, whether or not it was materially significant and, if it was, who approved it and why.

Strongpoint automates what would otherwise be a time-consuming process and gives you an added layer of certainty knowing that you can easily produce out-of-the-box, audit-ready reports detailing everything that’s happening in your Org.

Deploying with Salesforce change sets is time consuming. And, for areas where SOX is in scope or security is an issue, it provides no way of enforcing separation of duties between users that develop and users that deploy.

Too often, Salesforce teams are stuck between productivity and compliance — and the ability to evolve your Org effectively suffers as a result.

How Strongpoint Helps

Strongpoint streamlines the deployment process and lets you see in advance any potential downstream impacts you should be concerned about. It avoids the often lengthy wait for change sets to validate, but doesn’t require you or your team to change other parts of your deployment and development processes.

The result is that productivity is increased, separation of duties is maintained and auditors are happy that everything is being done in a compliant manner.

For many teams, monitoring configuration data is the hardest part of SOX compliance. In the CPQ application, for example, important rules about products, prices, discounts, and approvals are stored as data in custom objects. Getting visibility into these changes is incredible time-consuming, and there are few options for preventing changes that could put compliance in jeopardy.

This isn’t limited to CPQ, either. The Billing application and many others that touch revenue related data are all potentially in scope. If your auditors aren't asking about them yet, it’s highly likely that they will in the future.

How Strongpoint Helps

Strongpoint solves this major pain point by treating configuration data with the same scrutiny it applies to other Apex metadata in your Org. It is the only native solution that gives you visibility into these changes. It also lets you create mitigating controls that automatically block changes to critical CPQ rules.

As a result, Strongpoint customers no longer have to rely on field history reports and manual review to ensure CPQ and other configuration data is protected. Auditors are satisfied, audit costs go down and IT leadership can rest easy knowing there will be no surprises.

Salesforce teams and audit leadership at public and pre-IPO companies:

Stop stressing about SOX!

Get compliant in 30 days without burning out your team!

The Most Comprehensive Compliance Solution for Salesforce

As recommended in Salesforce’s Best Practices Around IT Compliance for SOX solution guide

Reduce the cost of compliance by 90%

Get audit-ready reporting on-demand in 30 days

Reduce audit fees by 75%

And do it all without driving your team crazy.

Get a Price

Trusted by Audit Leaders

Here's what organizations like yours are saying about Strongpoint

"Strongpoint is a compliance dream"

"Audit controls made easier"

Who Uses Strongpoint?

Salesforce and SOX — What Are Auditors Looking At?

Learn about the eight biggest areas of concern for Salesforce teams, or reach out to get pricing:

Documentation

How Strongpoint Helps

Key Features:

Resources:

Access

How Strongpoint Helps

Key Features:

Resources:

Impact Analysis

How Strongpoint Helps

Key Features

Resources:

Change Controls

How Strongpoint Helps

Key Features

Resources:

Change Management

How Strongpoint Helps

Key Features

Resources:

Reporting and Reconciliation

How Strongpoint Helps

Key Features

Resources:

Deployment

How Strongpoint Helps

Key Features

Resources:

Configuration Data

How Strongpoint Helps

Key Features

Resources:

See Strongpoint in Action

If you have a heavily customized Salesforce Org, or ongoing compliance/governance requirements, we can help you move faster, stay safe, and maintain productivity.

Take the quiz to get pricing and get started: