Financial data has long been one of the most heavily regulated classes of information. While there are many regulations that govern the manner in which organizations handle financial data, one of the most well-known is the Sarbanes-Oxley Act of 2002.
This Act, commonly referred to as “SOX," establishes compliance regulations around corporate public records. Since the cost of non-compliance with SOX is high, it’s a key topic of discussion for businesses reviewing their compliance practices- particularly public or pre-IPO companies.
For years, SOX requirements have primarily applied to enterprise resource planning (ERP) and accounting solutions. However, as CRMs like Salesforce continue to evolve and support more financial applications, auditors are taking a closer look at how companies are handling revenue-related or financially relevant data on the platform.
Although Salesforce is a dynamic platform, its basic auditing capabilities are insufficient to ensure compliance with SOX requirements. With that in mind, we’ve created this guide to Salesforce SOX compliance.
The Sarbanes-Oxley Act of 2002
The full title of SOX is the Corporate and Auditing Accountability, Responsibility, and Transparency Act, which was created in response to financial scandals like the one involving Enron Corporation. The primary purpose of SOX was to ensure that companies were keeping appropriate financial records for auditing purposes.
While SOX requirements have remained relatively unchanged over the last two decades, the technology that it governs has evolved significantly, which is why the topic of Salesforce SOX compliance is still relatively new.
Who falls under the purview of SOX requirements?
SOX applies to wholly-owned subsidiaries, public companies, and foreign companies that do business in the United States. Accounting firms that audit the aforementioned types of companies must also adhere to SOX.
Additionally, some SOX requirements apply to information technology departments. Specifically, these departments are required to provide proof that a company’s digital asset management practices fall within established data security guidelines. SOX clearly lays out these thresholds.
Steps to getting your Salesforce org SOX-compliant
Now that you know how SOX applies to Salesforce, what steps can your organization take toward achieving compliance?
Classify your data
The larger and more complex your org, the higher the chances that a seemingly insignificant customization or change to an object, role, or report may have a profound impact on other objects. In turn, this could result in SOX data being viewed or changed by unauthorized parties and lead to compliance issues.
While it’s impossible to predict the repercussions of all of the complex interactions that will occur in a highly customized org, you can safeguard against these repercussions by appropriately classifying your data. Once you have classified your data, you can flag objects that fall under the purview of SOX. From there, you can connect these objects to the appropriate compliance policies.
Secure user access and review permissions
Classifying your data in accordance with SOX and other relevant guidelines is a great first step on your journey toward compliance. But you must also carefully review your user access policies and permissions settings.
As a best practice, you should implement the “Principle of Least Privilege,” which states that users and programs should only have the necessary privileges to fulfill their work responsibilities. Granting users too much access can lead to a SOX violation and put your organization in a compromised position.
During a SOX audit, you will also be asked to demonstrate that you are ensuring that only authorized users are able to access the system. It is a best practice to require all users to login using multi-factor authentication.
Streamline change management
In the event of an audit, you will have to demonstrate that you track all org change requests and have established a request approval protocol. Change requests must undergo an approval process because changes may impact financial processes or data. Therefore, the risk of these requests must be analyzed before granting approval for implementation.
Change requests and subsequent approvals fall under the category of “configuration data.” Tracking and creating records of configuration data is critical to SOX compliance, and auditors will pay close attention to your configuration data during a compliance review.
Set up data retention policies
Data retention policy is inherent to SOX compliance. The requirements listed under SOX Section 802: Criminal Penalties for Altering Documents, focus on business data retention and protection. This rule outlines penalties and fines that come with the alteration, destruction, or concealment of business records to obstruct or influence a legal investigation.
The SOX compliance rules stipulate how long certain audit records should be kept. For example, receivable or payable ledgers and tax returns must be kept for seven years, while customer invoices must be retained for five years.
Back up your data
Under the provisions of SOX, you are responsible for maintaining data integrity. This holds true even if your network is penetrated by a bad actor. With that in mind, the final step to ensuring SOX compliance involves backing up your Salesforce data. Having a viable backup of your entire org is the best way to guard against a cyber attack that compromises your financial records.
How Own helps with SOX compliance
When paired with a well-designed compliance strategy, Own can help you achieve SOX compliance in Salesforce and reduce your risk of incurring SOX-related fines.
Below are some of our product features that are particularly helpful for getting SOX-audit ready:
Own Secure:
- Demonstrate operational effectiveness and improvements to security controls over time
- Provide downloadable reports with different security risk lenses
- Analyze and adjust permissions to ensure fulfillment of the principle of least privilege
- Provide audit feeds for changes that occurred to specific records
- Monitor MFA usage
- Automate the data classification process
Own Recover:
- Ensure accurate and reliable data and metadata backups with precision restore capabilities
- Ensure proactive alerting and communication of data changes, corruption, or deletion
Own Archive
- Automate custom retention policies to meet the 3-7 year retention requirements
- Apply litigation holds for specific records to prevent change or deletion in the event of any investigation
To learn more about Own and how we can help you achieve Salesforce SOX compliance, request a demo below.
