Out-of-the-box, Salesforce can get you much of the information you need to pass a SOX audit. But there are gaps, and the process can be frustrating and time-consuming. Before you start, it’s important to understand what you can — and can’t — do in your Org already.
In this post, we’re taking a look at two of the main Salesforce tools for SOX audit prep — the Setup Audit Trail and Field History Tracking.
SOX Compliance: What’s In Scope
Before we get into the specific tools Salesforce offers for audit prep, it’s worth reviewing what, exactly, auditors want to see. Unfortunately, there’s no clear answer for this; it’s only been in the past few years that auditors have started to look more closely at Salesforce, and each will bring a different level of familiarity with the platform.
With that caveat, what we’re seeing is a focus on three things, and how they can potentially impact revenue recognition:
- Access: Your policies around provisioning, passwords, multi-factor authentication, and changes to users, profiles and permissions sets.
- Metadata/configuration changes: How your teams review and approve change requests, and how those approvals are reconciled to actual changes in the system.
- Configuration data changes: How you track configuration changes to critical Objects tied to revenue (usually in the CPQ and Billing apps)
The Setup Audit Trail
Why We Like It
Salesforce’s Setup Audit Trail is simple and straightforward — it logs modifications to a wide range of change types, and collects them in an exportable file showing what the change was, who made the change, and when it was done. It tracks changes to everything from company and currency information to profile and permission set details — check out the Salesforce Security Guide for the full list.
Once you’ve generated your report, you can filter the data by Type and drill down on the changes your auditors are most concerned about.
Where It’s Available
Salesforce Classic and Lightning Experience; Contact Manager, Essentials, Group, Professional, Enterprise, Performance, Unlimited, Developer, and Database.com Editions
Where It Falls Short
The Setup Audit Trail provides you with a fairly voluminous amount of information, but it only stores that data for 180 days. This means that any changes your auditors want to see beyond that timeframe would be unobtainable. This leaves teams storing the data somewhere else – which often raises questions about its accuracy from auditors.
The other major problem with the Setup Audit Trail is that, while it shows you the changes that took place in your Org, it doesn’t show if they were reviewed or approved — critical details for auditors who will want to see that sensitive changes followed an appropriate process.
As a result, Salesforce teams have to manually reconcile the Audit Trail to the relevant requests and approvals (which could be in an external ticketing system like Jira, in an email, in a shared doc, etc.) It’s an extremely time-consuming process that requires considerable resources in the lead-up to an audit.
What Else?
The Setup Audit Trail does a good job at capturing configuration changes, but it still misses some things. For example, it can’t track:
- Custom list view changes
- Changes to Report types or filter criteria
- New Report creation
Ultimately, these aren’t necessarily big gaps, but if your auditors want to see them, you’ll need to rely on something other than the Setup Audit Trail.
Field History Tracking
Why We Like It
Field History Tracking allows you to select individual fields in a Standard or Custom Object and automatically track any changes within them.
Once you’ve selected certain fields to track, a record of any changes will be added to the History related list, capturing the date and time of the change, who made it, and other important details. And unless you purchase the Field Audit Trail add-on, this information is only retained for 18 months through your Org, and up to 24 months if you export via the API.
Where It’s Available
Salesforce Classic (not available in all Orgs), Lightning Experience, and the Salesforce app; Contact Manager, Essentials, Group, Professional, Enterprise, Performance, Unlimited, Developer, and Database.com Editions (Standard Objects aren’t available in Database.com)
Where It Falls Short
Similar to the Setup Audit Trail, the data collected by field history Tracking is both too much, and not enough. You’ll get a lot of information, but only up to a certain point — a maximum of 20 fields can be selected per Object, and only 18 months of data (24 using the API) are collected.
Additionally, Field History Tracking only records changes from the time it’s enabled onward — which can be a problem if you aren’t taking time to determine what’s in scope ahead of time.
What Else?
Field History Tracking isn’t available in all Orgs, or all Objects. Additionally:
- If a field has more than 255 characters, old and new values won’t be recorded
- Changes to time fields aren’t tracked either
The Bottom Line
It’s entirely possible to pass a SOX audit using Salesforce’s built-in tools. But depending on your Auditors’ expectations, the process can be harder and more time-consuming than it needs to be. The expectations and demands from Auditors are also increasing for the Salesforce platform. More and more, we are seeing that additional tools are required.
We designed Netwrix Strongpoint to close the gaps left by Field History Tracking and the Setup Audit Trail. Our products offer a comprehensive set of compliance tools that track and report changes to user access, metadata and revenue-related configuration data in a detailed, immutable log. We also have integrations built for major ticketing systems to help automate reconciliation of our logs back to the originating change requests where the changes began. We give you several tools for working with this data and producing audit-ready reports that will greatly reduce both your costs and your stress levels.
