It is increasingly common for Salesforce Orgs to be in scope for SOX. Auditors are concerned about revenue-related data and critical business processes on the platform.
The problem is that Orgs are complex, often highly customized, and much of what auditors are most concerned about is hidden away in custom objects or very difficult to track.
On this page, you’ll find an overview of the seven things auditors are most concerned about, and some of the ways Netwrix Strongpoint helps busy Salesforce teams achieve them.
Documentation
Not everything in Salesforce is in scope for SOX. Your auditors probably don’t care about marketing operations, for example, because marketing operations typically don’t touch revenue data.
The problem is that unless you have a comprehensive understanding of the customizations and dependencies in your Org — something that’s virtually impossible in all but the smallest businesses — you can’t fully know what’s a material change that’s in scope for SOX, and what isn’t.
Documenting your account is the first step in determining what’s relevant to SOX, and building policies to manage it effectively.
How Netwrix Strongpoint Helps
- Automatic Org Documentation: Netwrix Strongpoint is the only Salesforce-native tool that scans your Org on an ongoing basis and indexes all metadata, and the connections between it.
- Dependency Mapping: Netwrix Strongpoint’s dependency relationship diagrams show you how different customizations are connected.
- Customization Record: Detailed customization records show you everything you need to know about a customization — who created it, who has access to it, how it’s changed and what it’s connected to.
Access Management
For audit purposes, understanding who has access to various parts of your Org is just as important as understanding what’s in your Org. In fact, they’re two sides of the same coin — it’s great to know where revenue-related data is in your Org, but you also need to know who can see it, who can edit it, and who can delete it.
There are only specific types of access that matter for compliance purposes. The problem is that a complex object in Salesforce may contain multiple custom fields, standard fields, formula fields, record types, picklist values, buttons and links — without the right tools, it can be almost impossible to get accurate insights into who can see what.
How Netwrix Strongpoint Helps
- Roles, Profiles, and Permission Sets Monitoring: Create policies that monitor for changes to specific profiles or permission Sets — and log everything in audit-friendly reports. Netwrix Strongpoint treats changes to user permissions the same way it treats other metadata — giving you a verifiable audit log showing who changed what and a full diff of what was affected.
- Field Access Review: A complex object in Salesforce may contain multiple custom fields, standard fields, formula fields, record types, picklist values, buttons and links. Netwrix Strongpoint gives you easy-to-work-with reports and spreadsheets showing all settings attached to an Object, profile or permission set.
- User/Profile/Permission Sets Reviews: Get an in-depth look at everything a user can see and do, find the permissions attached to a profile, and more — Netwrix Strongpoint makes it easy to perform detailed reviews and determine who has access to in-scope financial data.
Impact Analysis
Together, documentation and access review give you the layout of your Org. Impact analysis shows you how to navigate it. When you can see the impact of a potential change, you can know whether or not it affects anything in scope for SOX, and ensure that it undergoes the appropriate reviews and approvals.
Impact analysis in Salesforce is just as important from a resource allocation standpoint. The fact is the most changes are non-material and safe to make. When you can immediately identify those changes, you can avoid hours of discovery and free up your team to focus on what’s most important.
How Netwrix Strongpoint Helps
- Impact Reports: Netwrix Strongpoint gives you detailed reports for analyzing the impact of a proposed change. Our impact reports show you all the customizations on a base record, as well as their dependencies. This method is particularly useful for investigating and reviewing changes in multiple customizations at once.
- Jira/ServiceNow Integration: If you use Jira or ServiceNow to manage tickets, you can access Netwrix Strongpoint’s impact analysis directly at the ticket level, and get a comprehensive list of related customizations that will be affected by a potential change. You can also synch Jira/ServiceNow tickets to change requests in Netwrix Strongpoint, so the impact analysis and approval, if required, is collected in an audit-ready report.
- Risk Decisioning: Netwrix Strongpoint lets you build out specific change policies and approval requirements based on risk.
Here’s the Netwrix Strongpoint policy record, where we can specify which types of changes require a full SDLC, which require testing in the Sandbox, which require approval, which can be handled via a process issue, and which are simply logged, ie. they are safe and require no additional investigation:
Change Enablement
Not all development activity in Salesforce requires review. But in a mature Org, risk factors can be complex — if your team makes a change to a custom object or field without knowing its impact, it may accidentally break a business-critical process, or affect financial reporting and SOX compliance.
The problem is that there is no easy way to know what’s safe to change and what requires review. As a result, Salesforce teams are faced with two extremes: spend hours on discovery with each change — something that’s virtually impossible to do in a busy Org — or accept risk and manage things reactively when something breaks.
In reality, most Salesforce teams will do a mix of both, relying on institutional knowledge and, often, luck, to decide what requires review. But what if there was a way to formalize and automate this, and base decisions on actionable intelligence rather than one admin’s understanding of the system?
How Netwrix Strongpoint Helps
- Change Logs: Netwrix Strongpoint automatically records every change in your Org and logs it in change logs. Change logs are an immutable, date- and time-stamped record, containing a full, detailed diff showing what happened, and when it happened.
- Change Policies: Netwrix Strongpoint lets you create a set of rules to automatically elevate certain types of changes that require extra scrutiny. Simple declarative changes can be immediately identified and fast tracked without further investigation. More complex changes can be handled via a process issue or change request (in Jira, ServiceNow, or using Netwrix Strongpoint’s native change management system).
- Closed-Looped Change Management: Netwrix Strongpoint is a true closed loop change management system. Every change to metadata is captured in an immutable log. Every completed change is reconciled back to an originating request and, if necessary, an approval.
Every change and approval is checked for compliance with the policies you’ve set out. Anything that doesn’t follow policy is captured in a noncompliant changes report for review and clearance.
The best part? Changes to your policies are logged and monitored using the same process. This makes it impossible to alter an approval after the fact or artificially resolve a noncompliant change.
In other words, the whole process is airtight and fully validated — something that’s critical to security, governance and audit readiness.
Reporting and Reconciliation
How easy is it for your team to get a complete view of the material changes taking place in your Org? Can you view changes by person, by object and by type? Can you reconcile your audit log with your Jira tickets, and demonstrate why changes were made?
These are all things your auditors may ask to see. If you can’t produce these reports automatically, you and your team will need to manually sort through your audit trail, at great effort and expense. And if you don’t do it ahead of time, you’ll run the risk of your auditors finding deficiencies, which will be even more costly to address.
How Netwrix Strongpoint Helps
- ‘What Changed’ Report: The ‘What Changed’ report is your at-a-glance record of all development activity in your Org.
- Change Log Reconciliation: It’s no good to have an Excel doc or email chain approving a change if you can’t reconcile it with development activity in your Org. Demonstrating that change requests and approvals are tied to a verifiable log is a key part of passing an audit and maintaining the overall integrity of your Org. Normally, this requires hours, if not days, of manual reconciliation. Netwrix Strongpoint solves this problem — by doing the work for you!
10-Minute Audit Prep
With Netwrix Strongpoint up and running in your system, passing an audit is as easy as printing out three reports:
Compliant Changes
This report shows all changes that followed policy — ie, everything that was reviewed and approved according to the process you’ve set out in your policy records or everything that Netwrix Strongpoint determined to be non-material and safe to change.
Resolved Noncompliant Changes
This report shows everything that didn’t follow policy — such as emergency hotfixes — and the steps you’ve taken to resolve it
Unresolved Noncompliant Changes
This report shows everything that didn’t follow policy and is still under review. Ideally, it should be empty when you head into audit! Many Salesforce teams schedule weekly or monthly standing meetings to review and clear out whatever outliers remain in the system.
Deployment
Deploying with Salesforce change sets is time consuming. And, for areas where SOX is in scope or security is an issue, it provides no way of enforcing separation of duties between users that develop and users that deploy.
Too often, Salesforce teams are stuck between productivity and compliance — and the ability to evolve your Org effectively suffers as a result.
How Netwrix Strongpoint Helps
- Automatic Release and Deployment: Automate critical decisions about the appropriate approvals, testing and release processes required for different types of changes.
- Environment Comparison: Instantly get a full diff of changes between production, testing and sandbox Orgs.
- Post-Deployment Validation: Troubleshoot and validate deployments across multiple environments.
Configuration Data
For many teams, monitoring configuration data is the hardest part of SOX compliance. In the CPQ application, for example, important rules about products, prices, discounts, and approvals are stored as data in custom objects. Getting visibility into these changes is incredible time-consuming, and there are few options for preventing changes that could put compliance in jeopardy.
This isn’t limited to CPQ, either. The Billing application and many others that touch revenue related data are all potentially in scope. If your auditors aren’t asking about them yet, it’s highly likely that they will in the future.
How Netwrix Strongpoint Helps
- Configuration Data Monitoring: Netwrix Strongpoint treats configuration data with the same scrutiny it applies to other Apex metadata in your Org. Then, Netwrix Strongpoint gives you a systematic way to focus on in-scope Objects and create highly granular policies to track and monitor them.
- Policy Records: Netwrix Strongpoint lets you create mitigating controls that automatically block changes to critical CPQ rules. As a result, Strongpoint customers no longer have to rely on field history reports and manual review to ensure CPQ and other configuration data is protected. Auditors are satisfied, audit costs go down and IT leadership can rest easy knowing there will be no surprises.
- Blocking Controls: Netwrix Strongpoint gives you the option of blocking risky changes without prior approval. This is often used for pricing and discount data which impact revenue directly. If a user attempts to make a change to a field that has blocking enabled, they will be unable to do so unless a change request has been submitted in advance.