Salesforce Best Practices for IT Compliance and SOX:
The Sarbanes-Oxley Act (SOX) was passed by the US Congress in 2002 to regulate financial reporting standards for publicly listed companies, their boards and their accounting firms.
Many companies use Salesforce to generate financial reports, so many Salesforce teams want to make sure they are on the right side of the law by achieving SOX compliance. It is a really big deal: non-compliance can carry a penalty of up to $1M and ten years in prison for corporations, even in circumstances where reports were filed incorrectly by mistake.
For Salesforce developers, admins and IT managers, SOX compliance for Salesforce means taking care of the following 3 things:
- Access Management for Auditability
- Separation of Duties
- Integrity of Data
Let's first understand what auditability is.
Auditability means leveraging the Setup Audit Trail feature in Salesforce to monitor activity performed by Salesforce administrators, including the creation and disablement of user accounts and changes to their permissions. Setup Audit Trail records are retained for 180 days by default in Salesforce. If you need to retain them longer, Salesforce best practice is to extract them via any of the following means:
- Via API
- Data Loader Tool
- Event Monitoring
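The extraction via API mentioned above, as an added example that is not code from the original post: a Python script that selects the standard SetupAuditTrail object through the REST query endpoint, follows the API's `done`/`nextRecordsUrl` paging, writes the rows to CSV for retention beyond 180 days, and counts how many entries fall under the "Manage Users" section so a reviewer can see privileged account changes at a glance. The HTTP call is injected as a callable and the pages, record values and API version below are constructed placeholders, so the script runs offline; a real client would send the session bearer token to the org.

```python
"""Export Salesforce Setup Audit Trail records for long-term retention.

Added example, not from the original post. Assumptions: the REST query
response shape ('records', 'done', 'nextRecordsUrl') and the API version
constant; the sample pages below are constructed, not real org data."""
import csv
import io
from datetime import datetime, timedelta, timezone

API_VERSION = "v58.0"  # assumption: any version that exposes SetupAuditTrail

# Fields of the standard SetupAuditTrail object included in the export.
AUDIT_FIELDS = ("Id", "CreatedDate", "CreatedBy.Name", "DelegateUser",
                "Section", "Action", "Display")

# Section whose entries cover user creation, deactivation and permission changes.
USER_MGMT_SECTION = "Manage Users"


def build_audit_soql(since: datetime) -> str:
    """SOQL selecting every Setup Audit Trail entry created at or after `since`."""
    stamp = since.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    return (f"SELECT {', '.join(AUDIT_FIELDS)} FROM SetupAuditTrail "
            f"WHERE CreatedDate >= {stamp} ORDER BY CreatedDate ASC")


def query_all(fetch, soql: str):
    """Yield records from every page, following nextRecordsUrl until done."""
    page = fetch(f"/services/data/{API_VERSION}/query?q={soql}")
    while True:
        yield from page["records"]
        if page.get("done", True):
            break
        page = fetch(page["nextRecordsUrl"])


def flatten(record: dict) -> dict:
    """Turn the nested CreatedBy lookup into a flat CSV row."""
    row = {f: record.get(f) for f in AUDIT_FIELDS if "." not in f}
    row["CreatedBy.Name"] = (record.get("CreatedBy") or {}).get("Name")
    return row


def export_audit_trail(fetch, since: datetime, out) -> dict:
    """Write all records since `since` to `out` as CSV and return a summary."""
    writer = csv.DictWriter(out, fieldnames=list(AUDIT_FIELDS))
    writer.writeheader()
    total = user_mgmt = 0
    for rec in query_all(fetch, build_audit_soql(since)):
        row = flatten(rec)
        writer.writerow(row)
        total += 1
        if row["Section"] == USER_MGMT_SECTION:
            user_mgmt += 1
    return {"exported": total, "user_management_changes": user_mgmt}


# Constructed sample pages imitating the REST API response shape.
_PAGE_1 = {
    "totalSize": 3, "done": False,
    "nextRecordsUrl": f"/services/data/{API_VERSION}/query/01gCONSTRUCTED-2000",
    "records": [
        {"Id": "0Ym000000000001", "CreatedDate": "2024-01-05T09:12:00.000+0000",
         "CreatedBy": {"Name": "Alice Admin"}, "DelegateUser": None,
         "Section": "Manage Users", "Action": "PermSetAssign",
         "Display": "Permission set Modify_All assigned to bob@example.com"},
        {"Id": "0Ym000000000002", "CreatedDate": "2024-01-06T14:30:00.000+0000",
         "CreatedBy": {"Name": "Alice Admin"}, "DelegateUser": None,
         "Section": "Customize Opportunities", "Action": "createdCustomField",
         "Display": "Created custom field Region__c"},
    ],
}
_PAGE_2 = {
    "totalSize": 3, "done": True,
    "records": [
        {"Id": "0Ym000000000003", "CreatedDate": "2024-01-07T08:00:00.000+0000",
         "CreatedBy": {"Name": "Alice Admin"}, "DelegateUser": None,
         "Section": "Manage Users", "Action": "deactivateduser",
         "Display": "Deactivated user carol@example.com"},
    ],
}


def sample_fetch(url: str) -> dict:
    """Stand-in for an HTTPS GET that returns the constructed pages."""
    return _PAGE_2 if url.endswith("-2000") else _PAGE_1


def run_sample() -> dict:
    """Export the constructed sample and report what was written."""
    buf = io.StringIO()
    since = datetime.now(timezone.utc) - timedelta(days=180)
    summary = export_audit_trail(sample_fetch, since, buf)
    summary["csv_lines"] = buf.getvalue().count("\n")  # header + one line per record
    return summary


if __name__ == "__main__":
    print(run_sample())
```

Run the export on a schedule shorter than the 180-day window (for example monthly) and store the CSV in write-once storage outside the org, so the retained history cannot be edited by the same administrators whose actions it records.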
Salesforce provides many features (as shown below) to help admins control and monitor access to, and within, the Salesforce org and its data.
- Password Policies - Establish password policies to specify password complexity and expiration periods.
- Time and Location - Limit access by time of day and/or IP Address.
- Concurrent Sessions - Transaction Security provides a means to regulate concurrent sessions, and add-on tools such as Event Monitoring can also be used to regulate concurrent user sessions; for example, you could prompt a user to end an existing session before allowing another session to start. Transaction Security can also trigger actions based on complex and granular conditions, such as a client operating system or browser that differs from the ones the user typically uses.
- Provisioning and de-provisioning users - A formal process for approving changes to privileged access (roles, profiles and permission sets) is a critical requirement for any type of compliance, including SOX compliance. It is a best practice to keep records of all access that has been approved through the established process.
Similar to implementation of a formal process for provisioning, the implementation of a formal process for decommissioning or adjusting user access upon employee termination or change of role is also very important and critical to compliance.
Encapsulate and automate the above processes as much as possible to ensure consistent, accurate and timely execution of the business logic and its documentation. Tools such as Workday, ServiceNow and AccessNow offer add-ons with advanced provisioning and de-provisioning features, such as "just in time" access, on the Salesforce platform.
Separation of Duties:
Separation of duties is a key concept of internal controls: it provides increased protection from errors and fraud, balanced against the increased effort and cost it requires. It is one of the key requirements for SOX compliance and ensures that the developer who writes the code is not the person who deploys that code into production.
While the requirement may look simple, it is hard for many companies that embrace Salesforce's interactive "clicks, not code" philosophy. Often there are still changes being made live on the production environment without any kind of version control or tracking.
To ensure compliance, use Salesforce's permission features and review permission assignments on a set cadence to confirm that each user's access is still appropriate. All changes should go through a review pipeline that starts in a sandbox, and every change should be reviewed and approved by someone who did not write the code. Once you have determined which permission sets and users are in scope, there are several options for reviewing access assignments, as shown below:
- Permission Set Assignment object - can be queried to get a list of users that have a given permission set assigned to their user account.
- PermComparator is a free, web-based tool for comparing profiles, permission sets or users to identify similarities and differences.
- FairWarning is an AppExchange offering that provides a handy means of reviewing and auditing permission sets and profiles.
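The PermissionSetAssignment query described in the list above, turned into a periodic access review, as an added example that is not code from the original post. The script builds the SOQL for the in-scope permission sets, then runs the returned records through three checks a SOX reviewer needs: a roster of who holds each set, inactive users who still hold an assignment, and separation-of-duties conflicts where one user holds both a developer set and a production-deployment set. The permission set names, the conflict pair and the sample records are constructed placeholders (hypothetical, not real org data); the `Assignee`, `PermissionSet` and `IsOwnedByProfile` fields are standard Salesforce fields.

```python
"""Periodic access review over PermissionSetAssignment records.

Added example, not from the original post. The permission set names,
the separation-of-duties pair and the sample records are constructed."""
from collections import defaultdict

# In-scope permission sets (constructed API names; replace with your own).
IN_SCOPE = ("Finance_Report_Editor", "Deploy_To_Production", "Author_Apex_Dev")

# Separation-of-duties rule: no single user may hold both sets of a pair.
# Constructed pair mirroring the post's rule that the author of code must
# not be the one who deploys it.
SOD_CONFLICTS = (("Author_Apex_Dev", "Deploy_To_Production"),)


def build_review_soql(permission_set_names=IN_SCOPE) -> str:
    """SOQL listing each user holding any in-scope permission set.

    IsOwnedByProfile = false excludes the hidden permission sets Salesforce
    creates to back profiles, so only explicit assignments are reviewed."""
    quoted = ", ".join(f"'{n}'" for n in permission_set_names)
    return ("SELECT Assignee.Username, Assignee.IsActive, PermissionSet.Name "
            "FROM PermissionSetAssignment "
            f"WHERE PermissionSet.Name IN ({quoted}) "
            "AND PermissionSet.IsOwnedByProfile = false")


def review_assignments(records, conflicts=SOD_CONFLICTS) -> dict:
    """Build the roster per permission set and list the findings to act on."""
    roster = defaultdict(set)      # permission set -> usernames
    per_user = defaultdict(set)    # username -> permission sets
    inactive = set()
    for rec in records:
        user = rec["Assignee"]["Username"]
        pset = rec["PermissionSet"]["Name"]
        roster[pset].add(user)
        per_user[user].add(pset)
        if not rec["Assignee"]["IsActive"]:
            inactive.add(user)   # de-provisioning missed an assignment
    sod = sorted((user, a, b)
                 for user, sets in per_user.items()
                 for a, b in conflicts
                 if a in sets and b in sets)
    return {
        "roster": {k: sorted(v) for k, v in sorted(roster.items())},
        "inactive_with_access": sorted(inactive),
        "sod_violations": sod,
    }


def _rec(username: str, active: bool, pset: str) -> dict:
    """Shape of one REST query record (nested lookups), constructed."""
    return {"Assignee": {"Username": username, "IsActive": active},
            "PermissionSet": {"Name": pset}}


# Constructed sample: alice violates the SoD rule, bob is deactivated but
# still holds a deployment set, carol is a clean finance user.
SAMPLE_RECORDS = [
    _rec("alice@example.com", True, "Author_Apex_Dev"),
    _rec("alice@example.com", True, "Deploy_To_Production"),
    _rec("bob@example.com", False, "Deploy_To_Production"),
    _rec("carol@example.com", True, "Finance_Report_Editor"),
]


def run_sample() -> dict:
    """Review the constructed sample records."""
    return review_assignments(SAMPLE_RECORDS)


if __name__ == "__main__":
    print(build_review_soql())
    for key, value in run_sample().items():
        print(key, value)
```

Keep the generated roster and findings with the sign-off of the reviewer as the evidence that the cadence review actually happened; an auditor will ask for the record of the review, not just for the query.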
A release management tool for Salesforce, such as Blue Canvas or BitBucket, can also be used not just for continuous integration but to delegate permissions for deploying code between environments, ensuring your organisation's change management and software development cycle are compliant with SOX.
Integrity of Data:
Critical to a successful SOX audit is to ensure that data used to produce company financial reports is accurate and reliable.
Every organisation eventually needs to restore some data, typically because of user error such as data corruption during a record import or accidental deletion. Salesforce urges its customers to back up their individual orgs (data and metadata) independently: its internal backups are intended for large-scale business continuity and disaster recovery and are not available for restoring individual orgs.
Hence, the onus is on the organisation to choose the right tools for ensuring data accuracy and reliability. The following options are available to customers as methods for backing up their metadata:
- Change Sets - copy metadata from your production org to sandbox or developer org.
- Sandbox Refresh - By refreshing a related sandbox, your configuration metadata is copied over automatically.
- Field Audit Trail - Field Audit Trail (paid) and Field History Tracking (free) are another very useful Salesforce feature and can be used for regulatory compliance, internal governance, audit and customer service. Built on a big data backend for massive scalability, FAT helps companies create a forensic field-level audit trail and backups with longer retention periods.
- Event Monitoring - Event Monitoring is another paid add-on and is the only source for most Salesforce event logs. Specifically relevant to SOX compliance, it lets you identify which users viewed or exported which records. Event Monitoring is also valuable for monitoring security, troubleshooting the performance of your custom code and assessing adoption. Its threat detection feature uses machine learning to report anomalous behaviour across the Salesforce org.
- AppExchange - AppExchange provides numerous third-party backup solutions that could fit your organisational needs, such as OwnBackup, OdaSeva, CloudAlly, etc.
As Salesforce MVP Ben advised, unfortunately there is no standard list of which kinds of Salesforce changes are in scope for SOX compliance. Instead, Ben recommends that teams actively work with their auditor to get clarity about the scope of changes that need tracking; those teams are much happier come audit season. They can focus on the important matters, decrease the time it takes to complete the audit and get better results. Making this effort and investment up front saves time and money in the long run.