SOX Compliance for Salesforce

Get compliant — and prove it — with automated SOX compliance tools for Salesforce

Reduce audit costs by up to 90%, and cut prep time by more than half

Get the eBook

Four Steps to a SOX-Compliant Salesforce Org

ebook sf edit

Download the Salesforce SOX Compliance Ebook

Technician preparing check list in server room

Powerful compliance tools — recommended by Salesforce

For public companies, faster audits begin with automation

The Salesforce platform puts several key aspects of SOX compliance within easy reach. But getting there takes the right tools — particularly in mature and heavily customized Orgs, where lots of users are making changes regularly.

Some of the most common challenges we see include:
  • Monitoring access to critical data
  • Maintaining segregation of duties between those that develop and those that deploy
  • Maintaining visibility to all changes that take place in the Org
  • Reconciling audit logs back to originating change requests in systems such as Jira or ServiceNow

Salesforce specifically recommends Strongpoint in their white paper, Salesforce Best Practices Around IT Compliance for SOX. Working with our customers, we’ve found our full suite of tools can cut prep time by 50% or more, and eliminate around 90% of the costs. 

SOX and Salesforce:

What Are Auditors Looking At?

When SOX auditors look at Salesforce, they will want to know where revenue-related data is stored in your Org, and they'll want to see that you have appropriate controls in place for managing and monitoring it. 

In our experience, they are most concerned with three things: access management, change controls and configuration data.

arrow 2@2x

Access Management

When it comes to critical data and revenue-related Objects, one of the first questions auditors will ask is, “Who has access to it?"

Salesforce profiles, permission sets and permission set groups specify the levels of access users have to various custom objects. (If you’d like a refresher course on how access works in Salesforce, we’ve got a great webinar on the topic here). So for SOX purposes, knowing who has access to what — who can view, edit or delete revenue-related data — is critical to determining whether or not something is in scope. 

Strongpoint gives you a verifiable audit log showing who changed what, and a full diff of what was affected. You'll also get tools for drilling down into specific Objects, fields, profiles, permission sets, and users, for a granular look at who can see and do what in your Org.  

Salesforce Access Management

arrow 3@2x

Change Controls

To effectively meet SOX requirements for the Salesforce platform, you need to understand which objects and automation touch revenue-related processes. Auditors will want to see that you have a system for monitoring and managing changes to that metadata.

In Salesforce, or integrated with a ticketing system like Jira, Strongpoint checks every change for compliance and logs it in an immutable report. Anything that doesn’t follow policy is captured in a noncompliant changes report for review and clearance. And if you try to change a policy, that's logged and monitored using the same process — creating an airtight and, most importantly, audit-ready, system.

Salesforce Change Enablement

arrow 4@2x

Configuration Data

When it comes to SOX and Salesforce, auditors typically only care about configurations that can affect revenue recognition. Where do you find that? In most Orgs, primarily in Revenue Cloud's CPQ and Billing applications. The problem is that CPQ and similar apps store product, pricing, approvals and discount rules as configuration data — and without Strongpoint, there's no easy way to track changes to it. 

Strongpoint gives you a systematic way to identify, track and monitor changes to configuration data for in-scope custom Objects. Custom policies allow you to create mitigating and blocking controls that protect critical CPQ rules and eliminate your reliance on field history reports and manual review at audit time. 

Salesforce Configuration Data

How Strongpoint Helps



Visibility to Access

Strongpoint's customizable reports automatically summarize levels of access to objects and fields by profile, permission set and user.


IT Segregation of Duties

Automate your deployment process and maintain separation between team members building in sandbox and deploying into production. 


Change Logs

Strongpoint automatically captures a detailed record for all changes that take place in the Org — who did it, when it was done and what exactly changed — regardless of how the change was made.


Automated Reconciliation

Strongpoint integrates with JIRA and ServiceNow to streamline impact analysis and automate reconciliation of your audit log back to the tickets that the changes originated from.



  • Automate review of field level access across objects by profile, permission sets and users

  • Dramatically reduce deployment time, while separating duties between those that develop and those that deploy

  • Streamline reporting, saving more than 50% of your audit prep time

  • Save 100+ hours a year spent reconciling tickets to audit logs