
Steps for Achieving SOX Compliance in Salesforce


Does SOX compliance for Salesforce apply to your company? 

If you're a public company and don't store financial data in Salesforce, SOX compliance may not necessarily apply to your Salesforce org. It comes into SOX's scope if it stores revenue-related information or other financial data.

Any development work that could affect the accuracy of a business's financial data falls under SOX auditing. Although Salesforce has native tools to help you manage access, change, and risk, some things are tricky to scope.

A Salesforce Center of Excellence (CoE) can help your team reach SOX compliance. It keeps everyone on the same page, and everyone knows their roles and responsibilities. Before we dive further into the how-to part, let's look at SOX in detail.

What is SOX Compliance? 

SOX compliance is derived from the Sarbanes-Oxley Act (SOX). It requires publicly traded companies operating in the U.S. to build financial reporting standards. These reporting standards help in safeguarding data against breaches. You need to log electronic records for audits, helping businesses prove compliance. 

The act requires companies to implement internal controls to ensure accurate financial records. The CEO and CFO must attest to the financial statement's accuracy. The act increases fines and criminal sentences for fraudulent reporting. 

To comply with the Sarbanes-Oxley Act (SOX), organizations' accounting practices need to change to ensure the security of financial documents. SOX requires your organization to make accurate financial disclosures and to back them up with financial statements.

It mainly affects the following areas:

  • Corporate governance
  • Risk management
  • Auditing
  • Financial reporting

However, SOX doesn't exhaustively dictate what a company needs to reach SOX compliance. At a high level, it expects organizations to implement appropriate internal controls, file accurate financial reports, and pass regular audits. 

How to Achieve SOX Compliance In Salesforce 

Salesforce natively offers access management features like single sign-on, multi-factor authentication, and user provisioning and de-provisioning capabilities. It has relevant checks for concurrent sessions, privileges, and user access changes. Salesforce has already implemented these internal controls. However, businesses usually struggle with the following challenges. 

  • Ensuring complete visibility into who can see critical data. Not every type of data comes under the scope of SOX. For example, your marketing ops data is outside SOX's scope. To get complete visibility of in-scope data, you need to see what the access controls are on critical data. However, those access controls keep changing, so as soon as you finish scoping you have to start the scoping process again.
  • Selecting the metadata that impacts critical business processes. It involves considering how the system is customized to drive order-to-cash or other processes like license provisioning. 
  • Considering applications that rely on configuration data. These applications extend beyond Configure, Price, Quote (CPQ) to include all apps that rely on configuration data impacting billing, revenue recognition, pricing, and commissions. 

SOX audits cover many areas beyond release workflows, such as change management, data backup, IT security, and access controls. They'll look for controls and approval processes with clarity on what was changed, who changed it, and why. Such things should be internally documented.   

You need to show that your organization's financial data has secure backups that are easy to retrieve in events such as a data breach. An auditor will evaluate the tools used to monitor environments and detect unauthorized changes or data breaches. This involves examining access control management tools and the details of who can see and edit critical financial information.

Let's explore aspects of Salesforce's systems and processes that SOX auditors typically look into. 

1. Access Management

Make sure your Salesforce has the following access management systems and checks in place: 

  • Password policies that enforce specific complexity and expiration requirements.
  • Time/location-based controls that limit access if a request comes at odd hours or from a new geographic location.
  • Concurrent session limits that prompt the user to end one session before they initiate additional sessions.
  • Operating system (OS) and browser checks that limit access if the system is accessed from a new OS or browser.
  • The least privileges principle gives processes or users only those access privileges required to perform their function. 
  • Provisioning and de-provisioning systems ensure proper documentation of approval and changes in accounts with privileged access. You need to put formal processes in place to decommission or modify user access upon employment termination or role changes. 
  • Login history to show successful and failed login attempts over a period of time. 
  • Login forensics to identify suspicious login activity.  
  • Access controls include identity and access management options like single sign-on, single log-out, social sign-on, multi-factor authentication (MFA), passwordless login, etc. 
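The login history and login forensics items above are where auditors expect to see evidence, not just a setting. The following is an added example (not code from Flosum or Salesforce) showing three simple checks a reviewer can run over an exported login history: failed-login bursts, first-seen countries per user, and successful logins outside business hours. The rows are constructed sample data, and the column names (`username`, `login_time`, `status`, `source_ip`, `country`), the failure threshold and the business-hours window are this example's assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample rows in the shape of a login history export. The column
# names are an assumption for this example, not a documented Salesforce schema.
LOGIN_HISTORY = [
    {"username": "ap.clerk@example.com",  "login_time": "2024-03-04T08:55:00", "status": "Success",          "source_ip": "203.0.113.10", "country": "US"},
    {"username": "ap.clerk@example.com",  "login_time": "2024-03-04T17:30:00", "status": "Success",          "source_ip": "203.0.113.10", "country": "US"},
    {"username": "ap.clerk@example.com",  "login_time": "2024-03-05T02:10:00", "status": "Success",          "source_ip": "198.51.100.7", "country": "BR"},
    {"username": "rev.admin@example.com", "login_time": "2024-03-05T09:00:00", "status": "Invalid Password", "source_ip": "192.0.2.44",   "country": "US"},
    {"username": "rev.admin@example.com", "login_time": "2024-03-05T09:01:00", "status": "Invalid Password", "source_ip": "192.0.2.44",   "country": "US"},
    {"username": "rev.admin@example.com", "login_time": "2024-03-05T09:02:00", "status": "Invalid Password", "source_ip": "192.0.2.44",   "country": "US"},
    {"username": "rev.admin@example.com", "login_time": "2024-03-05T09:03:00", "status": "Invalid Password", "source_ip": "192.0.2.44",   "country": "US"},
    {"username": "rev.admin@example.com", "login_time": "2024-03-05T09:04:00", "status": "Invalid Password", "source_ip": "192.0.2.44",   "country": "US"},
    {"username": "rev.admin@example.com", "login_time": "2024-03-05T09:05:00", "status": "Success",          "source_ip": "192.0.2.44",   "country": "US"},
]

# Hours treated as normal working time (assumption for the example).
BUSINESS_HOURS = (7, 19)


def _ts(row):
    return datetime.fromisoformat(row["login_time"])


def failed_login_bursts(rows, threshold=5, window=timedelta(minutes=10)):
    """Return (username, first_failure_time, count) for every user with at
    least `threshold` failed logins inside a sliding `window`."""
    failures = defaultdict(list)
    for r in rows:
        if r["status"] != "Success":
            failures[r["username"]].append(_ts(r))
    findings = []
    for user, times in failures.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            # Slide the window start forward until the span fits in `window`.
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                findings.append((user, times[start].isoformat(), end - start + 1))
                break
    return findings


def new_location_logins(rows):
    """Flag successful logins from a country the user has never logged in
    from before, processing rows in time order so the baseline builds up."""
    seen = defaultdict(set)
    flagged = []
    for r in sorted(rows, key=_ts):
        if r["status"] != "Success":
            continue
        user, country = r["username"], r["country"]
        if seen[user] and country not in seen[user]:
            flagged.append((user, country, r["login_time"]))
        seen[user].add(country)
    return flagged


def off_hours_logins(rows, hours=BUSINESS_HOURS):
    """Successful logins whose hour falls outside the business-hours window."""
    lo, hi = hours
    return [(r["username"], r["login_time"]) for r in rows
            if r["status"] == "Success" and not (lo <= _ts(r).hour < hi)]


if __name__ == "__main__":
    for name, fn in (("failed-login bursts", failed_login_bursts),
                     ("new-country logins", new_location_logins),
                     ("off-hours logins", off_hours_logins)):
        print(name, fn(LOGIN_HISTORY))
```

Each function returns a list rather than printing, so the output can be dropped straight into an evidence file or a ticket. The thresholds are deliberately small for the sample; in practice they should be tuned to the org's real login volume, and a new-country finding is a prompt to check the user's travel or VPN use, not proof of compromise.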

To meet SOX compliance, it's essential that you're able to prove control over systems, processes, and people who work with financial data. 

2. Change Management

Below are a few best practices you should follow to support reliable and secure operations in Salesforce.

  • Document every change. Every change in your Salesforce environment should be recorded, justified, and approved through formal steps. Although Salesforce has options to track these details, you can consider dedicated tools if you need more robust functionality. For example, Flosum monitors every change across code, accessibility, and workflow. It makes it easier for you to reach compliance. 
  • Audit configuration changes. Tracking these changes is crucial because it lets you see the nature of each configuration change and who made it, which makes it easier to identify changes made outside planned deployments. Salesforce's Setup Audit Trail feature lets you see who made what type of change on which date. It retains data for 180 days, so extract the data if you want to keep it longer or run a deeper analysis.
  • Implement an application lifecycle management framework. It ties development, testing, and release processes into one structured pipeline. This ensures changes move from one stage to another in a controlled manner. Salesforce offers a Trailhead trail to help you determine the right ALM model. You can consider other AppExchange solutions to coordinate tasks seamlessly between different environments. 
  • Improve DevOps processes. These practices package changes and test them before releasing them through approved pipelines. When you incorporate DevOps, you package updates to track them as smaller, well-defined units. You automate unit tests to verify the integrity of your metadata changes. This reduces human errors, and DevOps tools allow you to manage deployments consistently across different environments.
  • Use a version control system. Maintain a clear record of who modified what, when, and why. This process, combined with branching strategies and pull requests (or merge requests), implements peer review and promotes accountability.
  • Set up a quality management system. It monitors whether the controls you have in place remain suitable and effective over time. For SOX compliance, this oversight matters because you must continually demonstrate that your change management processes achieve their intended purpose, which is preventing misstatements and unauthorized changes.
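The "audit configuration changes" and "document every change" items above come down to one question an auditor will ask: can you show that every in-scope change in the Setup Audit Trail maps to an approved deployment? The following is an added example (not code from Flosum or Salesforce) that reads an extracted audit trail, flags in-scope changes made outside an approved window or by someone other than the deployment user, and builds the per-user, per-section count table that is typically requested as evidence. The CSV rows are constructed, the column headings (`Date`, `User`, `Action`, `Section`, `Delegate User`) are modelled on the export but are this example's assumption, and the approved windows, deployment users and in-scope sections are placeholders you would replace with your own change calendar and scoping decisions.

```python
import csv
import io
from collections import Counter
from datetime import datetime

# Constructed sample of an extracted Setup Audit Trail. Column names are an
# assumption for this example, not a guaranteed export format.
AUDIT_TRAIL_CSV = """Date,User,Action,Section,Delegate User
2024-03-04T10:15:00,release.bot@example.com,Changed field Discount__c on Opportunity,Customize Opportunities,
2024-03-04T10:16:00,release.bot@example.com,Deployed metadata,Deployment,
2024-03-05T23:40:00,sales.admin@example.com,Changed validation rule Quote_Approval on Quote,Customize Quotes,
2024-03-06T11:00:00,sales.admin@example.com,Changed profile Standard User: Delete on Opportunity enabled,Manage Users,
2024-03-06T11:05:00,sales.admin@example.com,Changed report folder Marketing Dashboards,Reports,
"""

# Assumptions for the example: one approved deployment window, one service
# account that performs deployments, and the Setup sections that touch
# in-scope financial objects or user access.
APPROVED_WINDOWS = [(datetime(2024, 3, 4, 10, 0), datetime(2024, 3, 4, 12, 0))]
DEPLOYMENT_USERS = {"release.bot@example.com"}
IN_SCOPE_SECTIONS = {"Customize Opportunities", "Customize Quotes", "Manage Users", "Deployment"}


def parse_audit_trail(text):
    """Parse the CSV export and attach a datetime to each row."""
    rows = list(csv.DictReader(io.StringIO(text)))
    for r in rows:
        r["when"] = datetime.fromisoformat(r["Date"])
    return rows


def in_approved_window(when, windows=APPROVED_WINDOWS):
    return any(start <= when <= end for start, end in windows)


def unapproved_changes(rows, windows=APPROVED_WINDOWS,
                       deployers=DEPLOYMENT_USERS, scope=IN_SCOPE_SECTIONS):
    """In-scope changes made outside an approved window or by a user who is
    not an approved deployer. Each finding carries the reasons so the
    reviewer can see which control was bypassed."""
    findings = []
    for r in rows:
        if r["Section"] not in scope:
            continue  # out-of-scope sections (e.g. marketing reports) are ignored
        reasons = []
        if not in_approved_window(r["when"], windows):
            reasons.append("outside approved window")
        if r["User"] not in deployers:
            reasons.append("not a deployment user")
        if reasons:
            findings.append({"date": r["Date"], "user": r["User"],
                             "section": r["Section"], "action": r["Action"],
                             "reasons": reasons})
    return findings


def evidence_summary(rows, scope=IN_SCOPE_SECTIONS):
    """Count of in-scope changes per (user, section): the table an auditor
    usually asks for alongside the list of exceptions."""
    return Counter((r["User"], r["Section"]) for r in rows if r["Section"] in scope)


if __name__ == "__main__":
    trail = parse_audit_trail(AUDIT_TRAIL_CSV)
    for f in unapproved_changes(trail):
        print(f["date"], f["user"], f["section"], "|", f["action"], "|", ", ".join(f["reasons"]))
    for (user, section), n in sorted(evidence_summary(trail).items()):
        print(f"{user:28} {section:24} {n}")
```

Because Setup Audit Trail only retains 180 days, a job like this should run on a regular extract and store both the raw rows and the findings, so that the evidence for a quarter still exists when the audit happens. A finding here means "no approval record matched", which is the cue to look up the change ticket, not a verdict on its own.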

You need a firm policy to govern changes and evidence that your team follows it. Make sure you can prove the formal processes associated with it. 

3. Data Backup

Salesforce data backup is often unreliable and tricky to restore from. Salesforce suggests the use of third-party backup solutions, making it easier for organizations to store and retrieve Salesforce data. Tools like Flosum help back up such data for a customizable retention period.

It ensures data is effectively stored and tracked even when it changes frequently. Auditors examine whether you can recover data if you face an incident. 


The tool takes frequent snapshots of your metadata and notifies you whenever any changes are made to it. This helps keep track of unapproved changes in a production environment. 

4. Audits and Training

It's best to perform internal audits to review everything (people, processes, and systems) that works with or modifies financial data. Check for noncompliance issues that might arise from inadequate controls or data inconsistencies. These audits help assess the integrity of your SOX compliance measures and verify your data security measures.

The people part of SOX compliance is even more crucial. You must educate employees about their roles and responsibilities in ensuring compliance. Educate about the access controls, change management, and data backup processes crucial in reaching SOX compliance as an organization. Staying informed and vigilant will help them keep up with formal processes and changes, keeping them in sync with evolving compliance requirements. 

Reaching Salesforce SOX Compliance With Flosum

Flosum delivers genuine financial controls that protect shareholders' interests in companies. It keeps financial data accurate while streamlining its control framework. 

You get a system of future-proof processes and people, helping you reach compliance through financial controls that you can prove. Here's how Flosum's way to achieve compliance is different from the traditional route:

Overall, Flosum delivers SOX controls that are enterprise-grade and integrated. Learn more about how Flosum can help you meet SOX compliance requirements in an automated fashion.

Salesforce SOX compliance - FAQs 

1. What is SOX compliance in Salesforce?

SOX compliance in Salesforce ensures that a company's financial data, processes, and controls within the platform meet the requirements of the Sarbanes-Oxley Act. It protects shareholders and the public from accounting errors or fraud. 

2. What is the SOX compliance rule? 

Under SOX, company executives must personally certify the accuracy of financial reports and face penalties if they fail to comply. Companies must document financial processes, track system changes, and maintain audit trails.

3. What is the difference between SOC 2 and SOX compliance? 

System and Organization Controls (SOC) 2 and SOX compliance serve different purposes. 

  • SOC 2 focuses on service organizations that handle customer data. It covers five trust service principles: security, availability, processing integrity, confidentiality, and privacy. SOC 2 reports show how a company's controls protect sensitive information and meet industry standards. 
  • SOX mandates companies to establish, document, and test internal controls to ensure accurate financial statements. While both support transparency and control, SOC 2 emphasizes data handling, and SOX highlights the need for accurate and reliable financial disclosure.

4. What is a SOX compliance checklist? 

SOX doesn't give an extensive list of items to check to reach compliance. It differs for every organization. However, you must define clear roles and responsibilities, set access controls, implement change management, and manage audit trails. 
