Keeping Salesforce SOX Compliance

For most people, 2002 was the year Avril Lavigne rose to fame and Tobey Maguire hit the big screen as our favorite web-slinging hero.

Those memories are less fond for Andrew Fastow, CFO of Enron and a central figure in one of the largest financial scandals in American history. After the scandal broke in October 2001, Congress passed the Sarbanes-Oxley (SOX) Act in 2002 to regulate and reform financial reporting standards for publicly traded companies, their boards, and their accounting firms.

In short, if your company is public or planning to go public, you must comply with these standards. Fortunately, there are several steps you can take within your Salesforce organizations to do much of the heavy lifting of staying compliant.

If you have not heard of the Enron scandal, it is the reason we have SOX compliance requirements today. Long story short: as CFO, Andrew Fastow misled investors by hiding company losses in off-balance-sheet partnerships, and Enron's stock fell from about ninety dollars a share to under a dollar in little over a year.

Maintaining Auditability in Salesforce

One of the key issues behind the Enron scandal was a lack of financial visibility. Visibility requires auditability, so setting up your organization in a way that is easy to audit reduces the effort of providing that visibility. One way to accomplish this is to use standard objects wherever possible: Salesforce's standard objects come with field history tracking and history reporting built in, so let Salesforce do the heavy lifting and use them where you can. Custom objects can be tracked too, but every custom field you add is one more field you must remember to enable tracking on.

Natively, Salesforce does not offer a single feature that provides broad-scope auditability of an organization. Instead, it has several tools that each cover a specific auditing need. The closest thing Salesforce has to a broad-scale log is Field Audit Trail. Without it, standard field history tracking is limited to 20 fields per object and is retained for only 18 months (24 months through the API). With Field Audit Trail enabled, archived field history is retained for up to ten years on a variety of supported objects, including accounts, campaigns, cases, contacts, opportunities, orders, products, and more, and the per-object field limit rises to 60.

To use Field Audit Trail, first have it enabled for the org, then define a field history retention policy for each object that states when history rows are archived and how long the archive is kept, and make sure the fields that matter for financial reporting have history tracking turned on. Only fields flagged for tracking are recorded, so an untracked field has no audit trail at all. Salesforce's documentation on setting up Field Audit Trail covers the details.
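As an added example (not from the original article, and not Salesforce's own code), the shell function below writes the source-format metadata that enables history tracking on a field and attaches a Field Audit Trail retention policy to its object. The paths, the choice of Opportunity.Amount, the 18-month/10-year figures, and the sf CLI command are assumptions for illustration; Field Audit Trail must already be licensed and enabled in the org.

```shell
# Added example, not from the original article. Generates the object-level
# retention policy and the field-level tracking flag for Field Audit Trail.
# Object, field, months, years and the output root are assumptions.

# write_history_policy OBJECT FIELD ARCHIVE_AFTER_MONTHS RETAIN_YEARS [ROOT]
# Creates ROOT/objects/OBJECT/OBJECT.object-meta.xml and
# ROOT/objects/OBJECT/fields/FIELD.field-meta.xml. It writes fresh files; in
# an existing repo, merge these elements into the retrieved files instead.
write_history_policy() {
    obj="$1"; field="$2"; months="$3"; years="$4"
    root="${5:-force-app/main/default}"
    dir="$root/objects/$obj"
    mkdir -p "$dir/fields" || return 1

    # Object level: turn on history and define the retention policy.
    # archiveAfterMonths (1-18): when rows leave the live *History table.
    # archiveRetentionYears (up to 10): how long the archive is kept.
    cat > "$dir/$obj.object-meta.xml" <<EOF
<?xml version="1.0" encoding="UTF-8"?>
<CustomObject xmlns="http://soap.sforce.com/2006/04/metadata">
    <enableHistory>true</enableHistory>
    <historyRetentionPolicy>
        <archiveAfterMonths>$months</archiveAfterMonths>
        <archiveRetentionYears>$years</archiveRetentionYears>
        <description>SOX: retain $obj field history for $years years</description>
    </historyRetentionPolicy>
</CustomObject>
EOF

    # Field level: history is captured only for fields flagged trackHistory.
    cat > "$dir/fields/$field.field-meta.xml" <<EOF
<?xml version="1.0" encoding="UTF-8"?>
<CustomField xmlns="http://soap.sforce.com/2006/04/metadata">
    <fullName>$field</fullName>
    <trackHistory>true</trackHistory>
</CustomField>
EOF
}

# Usage (the deploy needs an authenticated org alias, assumed here to be "prod"):
#   write_history_policy Opportunity Amount 18 10
#   sf project deploy start --source-dir force-app --target-org prod
```

Because the policy lives in metadata, it can be committed and reviewed like any other change, which is what makes it auditable in its own right.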

Depending on how the financial side of your company is set up, logging field data alone might not be enough. To find out whether this applies to you, talk to your accounting and finance department.

If your company reports forecast revenue rather than only actual revenue, your auditability will need to extend beyond the tools Salesforce offers natively, because forecast figures depend on configuration (stage probabilities, formula fields, forecast settings) as well as on the field values that field history records.

Source Control for Your Salesforce Organization

In this case, source control is a great tool to add to your Salesforce organization to provide an audit trail. Source control here means the same version control developers use for code, applied to your org's metadata: each change to an object, field, validation rule, or class is recorded with who made it, what changed, when it changed, and, through the commit message and review, why. Source control takes time to set up properly, so that the correct metadata objects and fields are tracked to maintain financial visibility, but of all the options it is the most comprehensive single-tool contribution to SOX compliance.

Setting up source control is an in-depth process, and there are many options, both on the AppExchange and from general-purpose git hosting. Tools such as Flosum, Bitbucket, GitHub, or Blue Canvas are good starting points for building a metadata audit repository, and each has a wealth of online forums to help.
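As an added example (not from the original article or from any of the tools named above), the script below turns the git history of a retrieved-metadata repository into a "who changed what, and when" report limited to the objects that feed financial reporting. The object list, the repository layout (force-app/main/default/objects/<Object>/...) and the log format are assumptions for illustration; the sample log fed to the filter is constructed.

```shell
# Added example, not from the original article. Reports changes to the
# metadata of financially relevant objects from git history.

# Objects whose configuration affects reported revenue (assumed list; agree
# the real list with finance).
FINANCIAL_OBJECTS="Opportunity Quote Order Product2 Pricebook2"

# filter_financial_changes < log-output
# Expects the output of:
#   git log --name-only --date=short --format='__COMMIT__ %h %ad %ae'
# i.e. one "__COMMIT__ hash date author-email" line per commit followed by the
# paths it touched. Prints "hash date author path" for every touched file that
# lives under a financial object's metadata directory.
filter_financial_changes() {
    pat="objects/($(printf '%s' "$FINANCIAL_OBJECTS" | tr ' ' '|'))/"
    awk -v pat="$pat" '
        /^__COMMIT__/ { commit = $2; date = $3; author = $4; next }
        $0 ~ pat      { print commit, date, author, $0 }'
}

# financial_changes_since DATE
# Runs the report against the repository in the current directory, e.g.
#   financial_changes_since 2024-01-01
financial_changes_since() {
    git log --since="$1" --name-only --date=short \
        --format='__COMMIT__ %h %ad %ae' | filter_financial_changes
}
```

The author e-mail, not the display name, is used so that the author column never contains spaces and the report can be sorted or diffed by auditors; pairing each line with the pull-request approval gives the "how" and "why" that field history alone cannot.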

Separating Development from Deployment

Another important Sarbanes-Oxley control is segregation of duties: the people who develop a change cannot be the ones who deploy it to production. In DevOps terms, development and operations cannot be the same person.

Among the compliance areas to handle in Salesforce, a quick way to ensure that your development team is not deploying to production, and that your production team is not changing things in development, is to restrict who can access each environment and which permissions they hold there. To maintain full transparency, every change should go through a review process that begins with the development team in a sandbox and ends with the operations team deploying to production, with someone other than the author approving all code and configuration changes.
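As an added example (not from the original article, and not a Salesforce-provided check), the script below verifies the production side of that split: it lists every user who holds a permission that allows changing metadata, whether through a permission set or a profile, and flags anyone not on the approved release-manager list. The org alias, the allowlist, the CSV layout and the sample rows are assumptions for illustration.

```shell
# Added example, not from the original article. Flags production users who can
# change metadata but are not designated release managers.

# Users permitted to change production metadata (assumed; keep this list under
# change control as well).
RELEASE_MANAGERS="release.mgr@example.com"

# Every grant of a permission that allows deploying or editing metadata.
# Profiles appear here too, because each profile owns an underlying permission
# set that shows up in PermissionSetAssignment.
DEPLOY_PERMS_SOQL='SELECT Assignee.Username, PermissionSet.Name
  FROM PermissionSetAssignment
  WHERE PermissionSet.PermissionsAuthorApex = true
     OR PermissionSet.PermissionsModifyMetadata = true
     OR PermissionSet.PermissionsModifyAllData = true
     OR PermissionSet.PermissionsCustomizeApplication = true'

# flag_unapproved_deployers < query.csv
# Reads the query result as CSV (header line, then username,permission-set;
# values are assumed to contain no commas) and prints "username permission-set"
# for each grant to someone outside RELEASE_MANAGERS. Exits 1 if any were
# found, so a scheduled job fails loudly instead of silently passing.
flag_unapproved_deployers() {
    awk -F, -v allow=" $RELEASE_MANAGERS " '
        NR == 1 { next }                         # skip the CSV header
        {
            user = $1; perm = $2
            if (index(allow, " " user " ") == 0) { print user, perm; bad = 1 }
        }
        END { exit bad ? 1 : 0 }'
}

# Live run against production (needs an authenticated org alias, assumed "prod"):
#   sf data query --query "$DEPLOY_PERMS_SOQL" --target-org prod \
#       --result-format csv | flag_unapproved_deployers
```

Run this on a schedule and keep the output with your change-management evidence; an empty report is the proof an auditor asks for that developers cannot push to production, and a non-empty one tells you exactly which grant to remove.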

Salesforce offers native help here. Change sets, a Salesforce-native tool, are built by a user in the sandbox and deployed by a user in the production org, so the two steps can be assigned to different people. However, change sets take a long time, especially for larger applications, and can seriously slow down your development teams. Salesforce DX, by contrast, offers a suite of tools that let your development and operations teams collaborate, manage application versions, and record approval before a change is deployed.

Rope in Your Accounting Department

The people who know what needs to be logged for your organization are in your accounting and finance departments. The best way to be sure you are logging everything is to schedule a meeting with them and go through the objects and fields that need tracking. Bringing an existing organization into compliance will take time and serious work, but it is certainly possible and, with the right tools, manageable.

Just like anything related to finance, it is all about dotting the i's and crossing the t's. If you are curious about the full set of requirements for Salesforce Sarbanes-Oxley compliance, there are detailed checklists available that walk through them.

Next Steps