Financial data has long been one of the most heavily regulated classes of information. While there are many regulations that govern the manner in which organizations handle financial data, one of the most well-known is the Sarbanes-Oxley Act of 2002.
This Act, commonly referred to as “SOX,” establishes compliance regulations around corporate public records. Since the cost of non-compliance with SOX is high, it’s a key topic of discussion for businesses reviewing their compliance practices, particularly public or pre-IPO companies.
For years, SOX requirements have primarily applied to enterprise resource planning (ERP) and accounting solutions. However, as CRMs like Salesforce continue to evolve and support more financial applications, auditors are taking a closer look at how companies are handling revenue-related or financially relevant data on the platform.
Although Salesforce is a dynamic platform, its basic auditing capabilities are insufficient to ensure compliance with SOX requirements. With that in mind, we’ve created this guide to Salesforce SOX compliance.
The full title of SOX is the Corporate and Auditing Accountability, Responsibility, and Transparency Act, which was created in response to financial scandals like the one involving Enron Corporation. The primary purpose of SOX was to ensure that companies were keeping appropriate financial records for auditing purposes.
While SOX requirements have remained relatively unchanged over the last two decades, the technology that it governs has evolved significantly, which is why the topic of Salesforce SOX compliance is still relatively new.
SOX applies to wholly-owned subsidiaries, public companies, and foreign companies that do business in the United States. Accounting firms that audit the aforementioned types of companies must also adhere to SOX.
Additionally, some SOX requirements apply to information technology departments. Specifically, these departments are required to provide proof that a company’s digital asset management practices fall within established data security guidelines. SOX clearly lays out these thresholds.
Now that you know how SOX applies to Salesforce, what steps can your organization take toward achieving compliance?
The larger and more complex your org, the higher the chances that a seemingly insignificant customization or change to an object, role, or report may have a profound impact on other objects. In turn, this could result in SOX data being viewed or changed by unauthorized parties and lead to compliance issues.
While it’s impossible to predict the repercussions of all of the complex interactions that will occur in a highly customized org, you can safeguard against these repercussions by appropriately classifying your data. Once you have classified your data, you can flag objects that fall under the purview of SOX. From there, you can connect these objects to the appropriate compliance policies.
Classifying your data in accordance with SOX and other relevant guidelines is a great first step on your journey toward compliance. But you must also carefully review your user access policies and permissions settings.
As a best practice, you should implement the “Principle of Least Privilege,” which states that users and programs should only have the necessary privileges to fulfill their work responsibilities. Granting users too much access can lead to a SOX violation and put your organization in a compromised position.
During a SOX audit, you will also be asked to demonstrate that only authorized users are able to access the system. It is a best practice to require all users to log in using multi-factor authentication.
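The three steps above (classify SOX-relevant objects, enforce least privilege, require MFA) can be checked mechanically against a permission export. The script below is an added example and is not part of this guide or of OwnBackup's product. It models the Salesforce rule that a user's effective object permissions are the union of their profile and every assigned permission set, and that Modify All and View All imply the narrower permissions. All profiles, permission sets, object names (`Invoice__c`, `Payment__c`), roles and users are constructed for illustration.

```python
"""Least-privilege review of SOX-flagged Salesforce objects (added example).

Constructed data throughout: the objects, profiles, permission sets and
users below are hypothetical, not taken from a real org.
"""
from dataclasses import dataclass

# Step 1: data classification -- objects flagged as in scope for SOX.
SOX_OBJECTS = frozenset({"Invoice__c", "Payment__c"})

# Step 2: least privilege -- only these roles may change SOX data.
WRITE_ALLOWED_ROLES = frozenset({"Finance", "Controller"})
WRITE_PERMS = frozenset({"create", "edit", "delete", "modify_all"})

# Constructed profiles and permission sets: name -> {object: {permissions}}.
PROFILES = {
    "Sales User": {"Opportunity": {"read", "create", "edit"}, "Account": {"read", "edit"}},
    "Finance User": {"Invoice__c": {"read", "create", "edit"}, "Payment__c": {"read", "edit"}},
    "Read Only": {"Invoice__c": {"read"}},
}
PERMISSION_SETS = {
    "Invoice Reporting": {"Invoice__c": {"view_all"}},
    "Data Cleanup": {"Payment__c": {"modify_all"}},
}


@dataclass
class User:
    username: str
    role: str
    profile: str
    permission_sets: tuple = ()
    mfa_enabled: bool = True


def expand(perms):
    """Expand implied permissions: Modify All grants full CRUD plus View All,
    and View All grants Read."""
    perms = set(perms)
    if "modify_all" in perms:
        perms |= {"read", "create", "edit", "delete", "view_all"}
    if "view_all" in perms:
        perms.add("read")
    return perms


def effective_permissions(user):
    """Union of the profile's and every assigned permission set's object permissions.
    Permission sets can only add access, never remove it."""
    effective = {}
    sources = [PROFILES[user.profile]] + [PERMISSION_SETS[p] for p in user.permission_sets]
    for source in sources:
        for obj, perms in source.items():
            effective.setdefault(obj, set()).update(expand(perms))
    return effective


def review(users):
    """Return (username, object, finding) tuples for access that breaks policy."""
    findings = []
    for user in users:
        for obj, perms in effective_permissions(user).items():
            if obj not in SOX_OBJECTS:
                continue
            writes = perms & WRITE_PERMS
            if writes and user.role not in WRITE_ALLOWED_ROLES:
                findings.append((user.username, obj,
                                 "write access outside finance roles: " + ",".join(sorted(writes))))
            if "modify_all" in perms:
                # Modify All bypasses sharing rules entirely; it needs explicit justification.
                findings.append((user.username, obj, "Modify All bypasses sharing rules"))
            if perms and not user.mfa_enabled:
                # Step 3: any access to SOX data should sit behind MFA.
                findings.append((user.username, obj, "SOX object access without MFA"))
    return findings


# Constructed users: alice is compliant, bob gained Modify All through a
# permission set, carol can read invoices without MFA.
USERS = [
    User("alice", "Finance", "Finance User"),
    User("bob", "Sales", "Sales User", ("Data Cleanup",)),
    User("carol", "Sales", "Read Only", ("Invoice Reporting",), mfa_enabled=False),
]

if __name__ == "__main__":
    for username, obj, finding in review(USERS):
        print(f"{username:8} {obj:12} {finding}")
```

In a real review the `PROFILES` and `PERMISSION_SETS` dictionaries would be populated from an export of `ObjectPermissions` and `PermissionSetAssignment` records; the point the script makes is that a profile can look harmless while a single assigned permission set silently widens access to a SOX object.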
In the event of an audit, you will have to demonstrate that you track all org change requests and have established a request approval protocol. Change requests must undergo an approval process because changes may impact financial processes or data. Therefore, the risk of these requests must be analyzed before granting approval for implementation.
Change requests and subsequent approvals fall under the category of “configuration data.” Tracking and creating records of configuration data is critical to SOX compliance, and auditors will pay close attention to your configuration data during a compliance review.
Data retention policy is inherent to SOX compliance. The requirements listed under SOX Section 802: Criminal Penalties for Altering Documents, focus on business data retention and protection. This rule outlines penalties and fines that come with the alteration, destruction, or concealment of business records to obstruct or influence a legal investigation.
The SOX compliance rules stipulate how long certain audit records should be kept. For example, receivable or payable ledgers and tax returns must be kept for seven years, while customer invoices must be retained for five years.
Under the provisions of SOX, you are responsible for maintaining data integrity. This holds true even if your network is penetrated by a bad actor. With that in mind, the final step to ensuring SOX compliance involves backing up your Salesforce data. Having a viable backup of your entire org is the best way to guard against a cyber attack that compromises your financial records.
When paired with a well-designed compliance strategy, OwnBackup can help you achieve SOX compliance in Salesforce and reduce your risk of incurring SOX-related fines.
Below are some of our product features that are particularly helpful for getting SOX-audit ready:
To learn more about OwnBackup and how we can help you achieve Salesforce SOX compliance, request a demo today.