Backup and Recovery
Compliance
Data Archiving
Salesforce
Security

How to Achieve SOX Compliance in Salesforce

Mike Melone
|
Sr. Content Marketing Manager, Own Company
No items found.

Financial data has long been one of the most heavily regulated classes of information. While there are many regulations that govern the manner in which organizations handle financial data, one of the most well-known is the Sarbanes-Oxley Act of 2002.

This Act, commonly referred to as “SOX," establishes compliance regulations around corporate public records. Since the cost of non-compliance with SOX is high, it’s a key topic of discussion for businesses reviewing their compliance practices- particularly public or pre-IPO companies.

For years, SOX requirements have primarily applied to enterprise resource planning (ERP) and accounting solutions. However, as CRMs like Salesforce continue to evolve and support more financial applications, auditors are taking a closer look at how companies are handling revenue-related or financially relevant data on the platform.

Although Salesforce is a dynamic platform, its basic auditing capabilities are insufficient to ensure compliance with SOX requirements. With that in mind, we’ve created this guide to Salesforce SOX compliance.

The Sarbanes-Oxley Act of 2002

The full title of SOX is the Corporate and Auditing Accountability, Responsibility, and Transparency Act, which was created in response to financial scandals like the one involving Enron Corporation. The primary purpose of SOX was to ensure that companies were keeping appropriate financial records for auditing purposes.

While SOX requirements have remained relatively unchanged over the last two decades, the technology that it governs has evolved significantly, which is why the topic of Salesforce SOX compliance is still relatively new.

Who falls under the purview of SOX requirements?

SOX applies to wholly-owned subsidiaries, public companies, and foreign companies that do business in the United States. Accounting firms that audit the aforementioned types of companies must also adhere to SOX.

Additionally, some SOX requirements apply to information technology departments. Specifically, these departments are required to provide proof that a company’s digital asset management practices fall within established data security guidelines. SOX clearly lays out these thresholds.

Steps to getting your Salesforce org SOX-compliant

Now that you know how SOX applies to Salesforce, what steps can your organization take toward achieving compliance?

Classify your data

The larger and more complex your org, the higher the chances that a seemingly insignificant customization or change to an object, role, or report may have a profound impact on other objects. In turn, this could result in SOX data being viewed or changed by unauthorized parties and lead to compliance issues.

While it’s impossible to predict the repercussions of all of the complex interactions that will occur in a highly customized org, you can safeguard against these repercussions by appropriately classifying your data. Once you have classified your data, you can flag objects that fall under the purview of SOX. From there, you can connect these objects to the appropriate compliance policies.

Secure user access and review permissions

Classifying your data in accordance with SOX and other relevant guidelines is a great first step on your journey toward compliance. But you must also carefully review your user access policies and permissions settings.

As a best practice, you should implement the “Principle of Least Privilege,” which states that users and programs should only have the necessary privileges to fulfill their work responsibilities. Granting users too much access can lead to a SOX violation and put your organization in a compromised position.

During a SOX audit, you will also be asked to demonstrate that you are ensuring that only authorized users are able to access the system. It is a best practice to require all users to login using multi-factor authentication.

Streamline change management

In the event of an audit, you will have to demonstrate that you track all org change requests and have established a request approval protocol. Change requests must undergo an approval process because changes may impact financial processes or data. Therefore, the risk of these requests must be analyzed before granting approval for implementation.

Change requests and subsequent approvals fall under the category of “configuration data.” Tracking and creating records of configuration data is critical to SOX compliance, and auditors will pay close attention to your configuration data during a compliance review.

Set up data retention policies

Data retention policy is inherent to SOX compliance. The requirements listed under SOX Section 802: Criminal Penalties for Altering Documents, focus on business data retention and protection. This rule outlines penalties and fines that come with the alteration, destruction, or concealment of business records to obstruct or influence a legal investigation.

The SOX compliance rules stipulate how long certain audit records should be kept. For example, receivable or payable ledgers and tax returns must be kept for seven years, while customer invoices must be retained for five years.

Back up your data

Under the provisions of SOX, you are responsible for maintaining data integrity. This holds true even if your network is penetrated by a bad actor. With that in mind, the final step to ensuring SOX compliance involves backing up your Salesforce data. Having a viable backup of your entire org is the best way to guard against a cyber attack that compromises your financial records.

How Own helps with SOX compliance

When paired with a well-designed compliance strategy, Own can help you achieve SOX compliance in Salesforce and reduce your risk of incurring SOX-related fines.

Below are some of our product features that are particularly helpful for getting SOX-audit ready:

Own Secure:

  • Demonstrate operational effectiveness and improvements to security controls over time
  • Provide downloadable reports with different security risk lenses
  • Analyze and adjust permissions to ensure fulfillment of the principle of least privilege
  • Provide audit feeds for changes that occurred to specific records
  • Monitor MFA usage
  • Automate the data classification process

Own Recover:

  • Ensure accurate and reliable data and metadata backups with precision restore capabilities
  • Ensure proactive alerting and communication of data changes, corruption, or deletion

Own Archive

  • Automate custom retention policies to meet the 3-7 year retention requirements                          
  • Apply litigation holds for specific records to prevent change or deletion in the event of any investigation

To learn more about Own and how we can help you achieve Salesforce SOX compliance, request a demo below.

Get started

Submit your details and we will contact you shortly to schedule a custom 25-minute demo.

Book a demo
Get started

Submit your details and we will contact you shortly to schedule a custom 25-minute demo.

Book a demo
Own Logo
Mike Melone
Sr. Content Marketing Manager, Own Company

Mike Melone is a Sr. Content Marketing Manager at Own. With a passion for storytelling and expertise in SaaS data protection, Mike shares his insights to help organizations safeguard their critical data.

You may also like

No items found.
No items found.
No items found.
Backup and Recovery
Backup and Recovery
Backup and Recovery
Compliance
Data Archiving
Salesforce
Security

Get started

Share your details and we’ll contact you shortly to schedule a custom 25-minute demo.

Schedule a Demo