SOX compliance came into play after the Sarbanes-Oxley Act was passed in 2002. This legislation applies strict financial reporting and internal control standards to companies that are publicly traded in the US. With many businesses relying on Salesforce for their key financial activities, as well as the ever-growing capabilities of the Salesforce platform, more teams are finding that their orgs need to be SOX compliant.
In this article, we’ll look at what Salesforce SOX compliance means in practice, whether it applies to you and how you can achieve it.
What is SOX compliance?
If you’re working in a publicly traded company or a private company that’s getting ready for an IPO, SOX compliance is a term you’ll come across a lot.
After the Enron financial scandal, the Sarbanes-Oxley Act was passed to mandate accurate financial reporting and increase transparency. The requirements of SOX are broad and, because all companies manage their financial information in unique systems and databases, it’s impossible to give a one-size-fits-all checklist to ensure compliance. This can make it difficult to assess what you need to do to ensure your processes are compliant, especially when it comes to Salesforce.
When does SOX compliance apply to Salesforce orgs?
Not every public company holds financial data in their Salesforce instance, so SOX compliance doesn’t necessarily apply to your Salesforce orgs. Even where it does apply to your org, it may not apply to every part of it.
To work out whether your org needs to be SOX compliant, start by establishing whether it holds financial or revenue-related information. If the development work happening in your orgs could affect the accuracy of the business's financial reporting, that work is in scope for SOX auditing and compliance. CPQ configuration data and Salesforce Industries configuration are common components of an org that will likely fall under SOX compliance requirements, because they determine how quotes, prices and revenue are calculated.
What’s involved in a Salesforce SOX audit?
While a robust DevOps process is a great way to make your orgs secure, SOX audits cover many areas of your Salesforce setup beyond just your release workflow. The areas below map closely to the IT general controls (ITGCs) that auditors test under SOX Section 404. Let's look at the key areas involved and how they apply to Salesforce:
- Change management. Auditors will look at the controls and approval systems in place for deployments to production and orgs that contain financial data. They will also want to see records on who changed what, when they made the change, and why.
- Data backup. You'll be expected to demonstrate that sensitive financial data in your orgs is securely backed up and can be retrieved if a data incident occurs.
- IT security. Auditors will assess the tools in place to monitor your environments and detect unapproved changes or data breaches. They’ll also be checking whether you can effectively resolve incidents with the systems you have in place.
- Access controls. An auditor will review your access control management and the details of who can view and edit sensitive financial information.
Make your Salesforce release process SOX compliant with Gearset
Preparing your Salesforce instance for SOX compliance can be daunting given the scope of the regulation. But Gearset can help in all areas of SOX compliance for Salesforce and can be configured to support your specific workflow. Let’s look at how Gearset can get you up and running with SOX compliance.
Change management
Delegated org access
Delegated org access gives you control over who can deploy to your connected environments. You’ll be able to specify whether team members have comparison, validation or deployment level access to your org connections. By delegating org access, you can avoid bottlenecks and give the development team ownership of their changes all the way to validation, while still ensuring that no changes get deployed without the necessary approval. Once reviewed and approved, the validated package can be deployed in just a few clicks.
Ticketing integrations
Before deploying your changes, you can associate Jira, Azure DevOps Work Items and Asana tickets to your deployment. By adding associated tickets, Gearset will automatically update the selected tickets with the deployment name and summary notes, as well as who ran the deployment and when. This helps to maintain a strong audit trail of who made what changes and when. You can even opt to change the ticket status on the kanban board and Gearset will handle that for you, without you having to manually update the ticket post-deployment.
If you select the option to append all items to the selected ticket/s, Gearset will also automatically include a list of any items included in the deployment on the ticket, so that an auditor can see exactly what was changed without having to leave your ticketing system.
Full deployment reporting
Gearset automatically generates a detailed report of each deployment run through the app. This report includes information on who ran the deployment and when, as well as all the items included in the deployment, user notes, any associated tickets and the results of static code analysis. These reports are saved in your deployment history page for easy access at any time.
Deploy CPQ, Industries and metadata in a single deployment
Your CPQ configuration data and Industries configuration are most likely in scope for SOX compliance. This can cause an audit trail nightmare, as teams often deploy CPQ and Industries separately from their metadata. Not only does this split the paper trail, it is also harder to put the necessary checks and approval processes in place for the separate CPQ and Industries deployment tools.
With Gearset, you can deploy CPQ and Industries as part of your metadata deployment. This means that the deployments are subject to the same SOX internal controls and approvals as your metadata deployment flow and will be included as part of Gearset’s deployment reporting.
Data backup
Automatic daily and hourly backups
Using Salesforce Data Export as a backup is unreliable and difficult to restore from: it produces periodic zipped CSV files with no restore tooling, so rebuilding records and their relationships from it is slow and error-prone. Salesforce itself encourages users to invest in third-party backup solutions. Gearset automatically backs up the data in your orgs on a daily basis with a customizable retention period, so you're only keeping the data for as long as your SOX compliance requirements dictate.
But we know that your critical objects, such as Opportunity, Contact and Lead, often change frequently throughout the day. Gearset's high-frequency jobs can back up the data from your ten most important objects on an hourly basis.
Flexible data restore options
A backup is only as useful as your ability to restore the data that's been backed up. Auditors are looking to see that you can recover data successfully if an incident arises, and that the restored data is complete and consistent. Test your restores periodically rather than assuming they work; a restore that has never been exercised is not evidence of recoverability.
With Gearset's flexible restoration options, you can tackle any type of data incident, whether it's a single deleted field value or rebuilding an entire org.
IT security
Monitoring metadata changes
Gearset will take a daily snapshot of the metadata in your org and notify you if any changes have been made, so you can easily catch unapproved changes to your production environment. Because the snapshot is daily, a direct production edit can go unnoticed for up to a day; the detection is a safety net behind your deployment controls, not a replacement for them.
If the change wasn't approved or causes problems in production, the daily snapshots in your change monitoring job can be used to carry out a rollback. You can restore your orgs to their pre-change state in just a few clicks.
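The check described above, reduced to its logic: diff two metadata snapshots and flag anything that changed without a matching approved deployment. This is an added example, not Gearset's implementation. Snapshots are modelled as a mapping from component name to a SHA-256 of its source, the deployment records are constructed to resemble deployment reports, and the component names and ticket IDs are hypothetical.

```python
"""Detect unapproved metadata drift between two org snapshots (added example)."""
import hashlib
from dataclasses import dataclass, field


def fingerprint(source: str) -> str:
    """SHA-256 of a component's body; a changed digest means a modified component."""
    return hashlib.sha256(source.encode("utf-8")).hexdigest()


@dataclass
class Drift:
    added: set = field(default_factory=set)
    removed: set = field(default_factory=set)
    modified: set = field(default_factory=set)

    def changed_members(self) -> set:
        return self.added | self.removed | self.modified


def diff_snapshots(previous: dict, current: dict) -> Drift:
    """Compare yesterday's and today's snapshot, keyed by component name."""
    d = Drift()
    for name, digest in current.items():
        if name not in previous:
            d.added.add(name)
        elif previous[name] != digest:
            d.modified.add(name)
    d.removed = set(previous) - set(current)
    return d


def unapproved_changes(drift: Drift, deployments: list) -> dict:
    """Split drifted components into those covered by an approved deployment
    record and those that are not. A record only counts if it was approved;
    anything left over is a direct production edit the auditor will ask about."""
    covered = {m for dep in deployments if dep.get("approved") for m in dep["members"]}
    changed = drift.changed_members()
    return {
        "approved": sorted(changed & covered),
        "unapproved": sorted(changed - covered),
    }


# Constructed snapshots and deployment records (hypothetical names and tickets).
YESTERDAY = {
    "ApexClass/InvoiceService": fingerprint("class InvoiceService { /* v1 */ }"),
    "Profile/Finance": fingerprint("<Profile>v1</Profile>"),
    "ValidationRule/Opportunity.AmountPositive": fingerprint("Amount > 0"),
}
TODAY = {
    "ApexClass/InvoiceService": fingerprint("class InvoiceService { /* v2 */ }"),  # modified, approved
    "Profile/Finance": fingerprint("<Profile>v2</Profile>"),                          # modified, not approved
    "Flow/RevenueRecognition": fingerprint("<Flow>v1</Flow>"),                       # added, approved
    # ValidationRule/Opportunity.AmountPositive removed, no deployment record
}
DEPLOYMENTS = [
    {"ticket": "FIN-1234", "approved": True,
     "members": ["ApexClass/InvoiceService", "Flow/RevenueRecognition"]},
    {"ticket": "FIN-1299", "approved": False, "members": ["Profile/Finance"]},
]


def run_example() -> dict:
    return unapproved_changes(diff_snapshots(YESTERDAY, TODAY), DEPLOYMENTS)


if __name__ == "__main__":
    print(run_example())
```

The profile change is flagged even though a deployment record exists for it, because that record was never approved; the removed validation rule is flagged because nothing deployed it. Both are exactly the kind of finding a change management control has to surface.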
Monitoring data changes
With Gearset's data backup, you can see a visual overview of the changes happening to your org's data and easily spot suspicious activity, such as mass deletions or mass edits. Configure smart alerts for your most important objects to receive notifications when the number of changes to the data in those objects exceeds your specified thresholds. When an alert fires, the first question an auditor will ask is who made the changes, so make sure the underlying change records carry the acting user.
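The threshold logic behind such an alert, as an added example that is not Gearset's code: it works over a constructed list of record-level change events (the kind a diff between two backups yields), counts changes per object and operation inside a time window, raises an alert when a count passes the configured limit, and names the user behind most of the flagged changes so the audit follow-up has a starting point. The threshold values, object names and user names are hypothetical.

```python
"""Threshold alerts for mass data changes in financially relevant objects (added example)."""
from collections import Counter, defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class ChangeEvent:
    at: datetime
    sobject: str
    operation: str   # "insert" | "update" | "delete"
    record_id: str
    user: str


# Hypothetical per-object limits; any (object, operation) without a limit is not alerted on.
THRESHOLDS = {
    "Opportunity": {"delete": 5, "update": 200},
    "Contact": {"delete": 25},
}


def count_changes(events, window_start, window_end):
    """Totals keyed by (object, operation), plus per-user counts under each key."""
    totals = Counter()
    by_user = defaultdict(Counter)
    for e in events:
        if window_start <= e.at < window_end:
            totals[(e.sobject, e.operation)] += 1
            by_user[(e.sobject, e.operation)][e.user] += 1
    return totals, by_user


def evaluate_alerts(events, thresholds, window_start, window_end):
    """One alert per (object, operation) whose count exceeds its threshold,
    annotated with the user responsible for the largest share of the changes."""
    totals, by_user = count_changes(events, window_start, window_end)
    alerts = []
    for (sobject, op), n in sorted(totals.items()):
        limit = thresholds.get(sobject, {}).get(op)
        if limit is None or n <= limit:
            continue
        top_user, top_n = by_user[(sobject, op)].most_common(1)[0]
        alerts.append({
            "object": sobject, "operation": op, "count": n, "threshold": limit,
            "top_user": top_user, "top_user_share": round(top_n / n, 2),
        })
    return alerts


def constructed_events():
    """Constructed sample: 7 Opportunity deletes in 7 minutes (6 by one user),
    3 Contact deletes, 1 Opportunity update, and 1 old delete outside the window."""
    base = datetime(2024, 3, 4, 9, 0)
    events = []
    for i in range(7):
        user = "jdoe" if i < 6 else "asmith"
        events.append(ChangeEvent(base + timedelta(minutes=i), "Opportunity", "delete", f"006{i:012d}", user))
    for i in range(3):
        events.append(ChangeEvent(base + timedelta(minutes=i), "Contact", "delete", f"003{i:012d}", "asmith"))
    events.append(ChangeEvent(base + timedelta(minutes=5), "Opportunity", "update", "006000000000999", "jdoe"))
    events.append(ChangeEvent(base - timedelta(days=2), "Opportunity", "delete", "006000000000998", "jdoe"))
    return events


def run_example():
    base = datetime(2024, 3, 4, 9, 0)
    return evaluate_alerts(constructed_events(), THRESHOLDS, base - timedelta(days=1), base + timedelta(days=1))


if __name__ == "__main__":
    for alert in run_example():
        print(alert)
```

Only the Opportunity deletes trip an alert here: the Contact deletes stay under their limit, the single update is nowhere near its limit, and the delete from two days earlier falls outside the window. Pick thresholds per object from normal daily volumes rather than one global number, otherwise a busy object will page you constantly while a quiet one can lose half its records unnoticed.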
Access controls
Data masking
Having realistic test data in lower environments is key to accurate testing, but populating a test environment with customer data from production raises data security concerns. Seeding your test environments with raw production data exposes personal and financial information to everyone with sandbox access, which is a nightmare for SOX compliance.
Gearset's data masking can obfuscate data, keeping the data in your testing environment realistic while avoiding compliance risks. Masking should be irreversible (no mapping table stored alongside the sandbox) and consistent across related objects, so that lookups between records still resolve after masking. With a masked sandbox you can test and then deploy confidently to production, knowing that the package won't disrupt the data in your live environment.
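One way to implement masking with those two properties, as an added example that is not Gearset's masking engine: keyed HMAC-SHA256 tokens replace identifying values, so the same production value always masks to the same fake value (records that shared an email still share one afterwards) while the original cannot be recovered without the key. The key, field policy and sample records are constructed for the example; the field names follow Salesforce conventions but the custom field and data are hypothetical.

```python
"""Deterministic, irreversible masking of sensitive fields before seeding a sandbox (added example)."""
import hashlib
import hmac

# Constructed key for the example. In practice it is generated per masking run,
# held in a secrets manager, and never copied into the sandbox.
MASK_KEY = b"rotate-me-per-masking-run"


def _token(key: bytes, value: str, length: int) -> str:
    """Hex token derived from the value; stable for a given key, not invertible without it."""
    return hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()[:length]


def mask_email(key: bytes, email: str) -> str:
    """Keep the field looking like an email but route it to a non-deliverable domain."""
    local, _, _domain = email.partition("@")
    return f"user-{_token(key, local.lower(), 10)}@example.invalid"


def mask_name(key: bytes, name: str) -> str:
    return f"Contact-{_token(key, name, 6).upper()}"


def mask_phone(key: bytes, phone: str) -> str:
    """Replace digits with token-derived digits but keep separators and length,
    so page layouts and validation rules built for the real format still pass."""
    pool = int(_token(key, phone, 32), 16)   # 128 bits: enough digits for any phone number
    out = []
    for ch in phone:
        if ch.isdigit():
            out.append(str(pool % 10))
            pool //= 10
        else:
            out.append(ch)
    return "".join(out)


def bucket_amount(amount: float, bucket: int = 1000) -> int:
    """Coarsen revenue figures so the sandbox keeps a realistic distribution
    without carrying exact deal values."""
    return int(round(amount / bucket)) * bucket


def same_shape(a: str, b: str) -> bool:
    """True when two strings have digits and non-digits in the same positions."""
    return len(a) == len(b) and all(x.isdigit() == y.isdigit() and (x.isdigit() or x == y)
                                    for x, y in zip(a, b))


# Per-field policy: fields with no rule pass through unchanged.
POLICY = {
    "Email": mask_email,
    "LastName": mask_name,
    "Phone": mask_phone,
    "TaxId__c": lambda key, value: "REDACTED",        # no business need for it in a sandbox
    "Amount": lambda key, value: bucket_amount(float(value)),
}


def mask_record(key: bytes, record: dict, policy: dict = POLICY) -> dict:
    masked = {}
    for name, value in record.items():
        rule = policy.get(name)
        if rule is not None and value not in (None, ""):
            masked[name] = rule(key, value)
        else:
            masked[name] = value
    return masked


# Constructed sample records; two contacts deliberately share an email address.
CONTACTS = [
    {"Id": "003000000000001", "LastName": "Okafor", "Email": "a.okafor@acme.example",
     "Phone": "+44 20 7946 0123", "TaxId__c": "AB123456C"},
    {"Id": "003000000000002", "LastName": "Okafor", "Email": "a.okafor@acme.example",
     "Phone": "+1 (415) 555-0199", "TaxId__c": ""},
]
OPPORTUNITIES = [{"Id": "006000000000001", "Name": "Acme renewal", "Amount": "12345.67"}]


def mask_all(key: bytes = MASK_KEY):
    return ([mask_record(key, r) for r in CONTACTS],
            [mask_record(key, r) for r in OPPORTUNITIES])


if __name__ == "__main__":
    for rec in mask_all()[0] + mask_all()[1]:
        print(rec)
```

Record IDs are left untouched on purpose: they are what ties Contact to Account and Opportunity, and they carry no personal data. If you need different sandboxes to be unlinkable from each other, use a different key per masking run.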
Deploy profiles and permission sets with ease
Because profiles and permission sets are tricky to deploy, teams often opt to recreate them by hand in production instead. But this leaves you at risk of human error (a field level security setting granted too widely is an access control finding) and is a huge time sink.
Gearset offers a new approach to deploying these notoriously tricky metadata types — our org comparison view shows you the differences between profiles and permissions across your source and target org, and allows you to build granular deployment packages rather than deploying the whole profile or permission set. For example, you can deploy a single field level security setting without having to include the rest of the profile.
Making your Salesforce orgs SOX compliant
Getting your Salesforce deployment and security processes to a SOX compliant state can feel like a daunting task — but it doesn’t need to be. You can get full access to all areas of Gearset as part of a free 30-day trial, with nothing to install in your orgs and no credit card details!
Our team of DevOps experts are also on hand to support your journey to Salesforce compliance, and then help you in maintaining compliance. Get in touch to book a consultation with our expert team and find out how Gearset can help.