For over five years, I have worked in IT compliance, developing strategies to help clients understand and manage the Sarbanes-Oxley Act (SOX) requirements within Software as a Service (SaaS) applications. Today, I’m sharing those insights to help simplify this complex yet critical topic.
Compliance isn't a one-size-fits-all concept. It takes many forms, and each situation requires its own tailored approach. To understand when, where, why, and how to be 'compliant,' it's essential to break compliance down into bite-sized pieces—making it easier to grasp and communicate across an organization.
In this post, I'm discussing SOX in the context of Salesforce—one of the world's largest SaaS providers and a company that Own is now a part of. SOX compliance encompasses a broad spectrum of controls and processes that organizations must implement and continuously monitor. Combine that with Salesforce—a platform used for countless mission-critical business functions—and it's easy to see how this topic can feel overwhelming.
My goal is to simplify these questions and bridge the gap between Salesforce and SOX compliance. To clarify, this isn't about Salesforce as a company but rather about ensuring that the business applications companies use on the Salesforce platform meet SOX compliance requirements.
What is SOX Compliance?
SOX, enacted in 2002 in response to corporate scandals, ensures transparency in corporate financial reporting. Section 404 of the SOX regulation requires that organizations design, implement, and maintain effective internal controls for financial reporting, while Section 302 focuses on the completeness and accuracy of financial statements, disclosures, and reports. We’ll explore these requirements and their implications for IT Compliance later in this post. To learn more about the origins of SOX, specific requirements, and who needs to comply, check out this article.
Why Salesforce and SOX?
You might be wondering, what does this have to do with Salesforce? During my time at KPMG, I frequently discussed the relevance of SaaS applications in SOX audits with clients. Traditionally, financial reporting controls were supported by on-prem solutions, ERP systems, or accounting software—common when SOX was enacted over 20 years ago. Teams handling these systems were typically well-versed in SOX compliance.
However, Salesforce teams didn't always have the same familiarity, as Salesforce wasn't initially as integral to financial reporting as it is today. With the rise of cloud computing and the growing reliance on SaaS applications, it's no surprise that SOX and SaaS are converging. It's like the warning on a car's side mirror: Objects in mirror (SOX compliance) are closer than they appear.
As mentioned, SOX requires organizations to design, implement, and maintain effective controls for financial reporting. Auditors refer to these as "management's controls," including manual and automated controls. Any controls involving system functionality or data from applications like Salesforce are considered "automated controls."
Salesforce business applications likely play a key role in executing internal controls at your organization—whether through the data they manage or the tasks they automate. Because of this, Salesforce is almost certainly an in-scope application for SOX compliance.
As organizations increasingly rely on cloud platforms like Salesforce to manage mission-critical, financially relevant data, ensuring Salesforce meets SOX standards is not only important but essential for maintaining compliance, preparing for external audits, and protecting the organization.
SOX Compliance Scope: Salesforce & Financially Relevant Data
You may have noticed the word "scope" appear a few times in the section above. It might just be an IT auditor's favorite word—but what does it actually mean? In a SOX audit, the first step for external auditors is to "define the scope," which essentially means identifying which automated controls need testing for SOX compliance. When an application is in scope, it's responsible for performing a control or producing data that directly impacts financial reporting.
When it comes to Salesforce applications and SOX compliance, the real challenge isn't determining whether Salesforce is in scope—it's determining which parts of your Salesforce environment must be SOX compliant.
Focus your SOX compliance efforts on the subset of financially relevant data within your Salesforce environment. Examples include Configure Price Quote (CPQ) data, metadata affecting quotes and revenue, and sales data used to calculate commissions, influencing expenses, and the bottom line. By pinpointing financially relevant data, you can protect it and ensure compliance.
IT SOX Controls and How to Prove Compliance
Once you've determined the SOX scope for financially relevant data in Salesforce, the next step is to implement and test controls to protect the financially relevant data you identified. In IT SOX, compliance controls fall into two main categories: IT Application Controls (ITACs) and General IT Controls (GITCs/ITGCs).
What are IT Application Controls (ITACs)?
ITACs are system-level configuration controls designed to ensure the accuracy and integrity of software applications and transactions. They automate tasks such as maker-checker reviews, calculations, and system-generated reports. Implementing ITACs lays the groundwork for reliable financial processes and SOX compliance. Salesforce-specific examples of ITACs include:
- Salesforce CPQ configuration: Ensuring quotes are calculated accurately based on company policies.
- Commission report generation: Ensuring Salesforce produces complete and accurate commission reports using underlying system data.
Great! We've covered ITACs and how they help Salesforce business applications produce complete and accurate data for financial reporting. So, are we done? Not quite. For ITACs to be relied upon in a SOX audit, auditors require assurance that the systems running these controls are secure and properly managed. This is where General IT Controls (GITCs/ITGCs) come in. General IT Controls were introduced as part of the Sarbanes-Oxley Act of 2002 to ensure that the IT systems supporting the integrity of financial reports are governed according to policies and procedures that ensure the proper operation of information systems. These controls are a cornerstone of SOX compliance and are designed to protect investors from fraudulent financial reporting, aiming to prevent accounting scandals like those of Enron, WorldCom, and Tyco.
What are General IT Controls (GITCs)?
GITCs are foundational controls that ensure IT systems' security, reliability, and proper operation. They cover critical areas like user access management, data backups, and change management. Think of GITCs as the ice cream cone that supports ITACs (the ice cream). Without a solid cone, the ice cream won't hold up. Ineffective GITCs constitute a violation of SOX and can result in a material weakness within the SOX report, which must be disclosed in the 10-K report. Having a material weakness in a SOX control is a significant issue that can have serious implications. Together, ITACs and General IT Controls ensure the integrity of financially relevant data across IT. In short, without strong GITC coverage, ITACs—and the systems they depend on—cannot be fully trusted for compliance.
3 Pillars of GITC Controls for Salesforce:
- Access Controls: user permission controls and segregation of duties.
- Data Backup and Recovery: robust data protection measures and regular testing.
- System Change Management: change planning, implementation, and testing.
Access management controls are critical safeguards that restrict and monitor access to financial data and systems, ensuring only authorized personnel can view or modify sensitive information. These controls protect data integrity and prevent unauthorized access.
For Salesforce, auditors focus on ensuring that appropriate users have access to edit financially relevant data (e.g., data used for CPQ controls or commission reports). To verify this, you must review and validate the users, profiles, and permission sets with access.
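One way to carry out the review just described, as an added example that is not Own's or Salesforce's code: walk a permission export, map every user to the in-scope objects they can edit and which profile or permission set grants it, and flag segregation-of-duties conflicts. The sample data is constructed; its field names mirror Salesforce's ObjectPermissions and PermissionSetAssignment objects (an assumption), and the list of in-scope objects and the conflict rule are placeholders you would replace with your own scoping.

```python
"""Added example: SOX access review over a constructed Salesforce permission export."""
from collections import defaultdict

# Objects holding financially relevant data (constructed list; replace with your scope).
SOX_OBJECTS = {"SBQQ__Quote__c", "Opportunity", "Commission__c"}

# Constructed sample data. Profiles appear as permission sets with IsOwnedByProfile=True,
# matching how Salesforce exposes them (assumed field names).
PERMISSION_SETS = [
    {"Id": "0PS1", "Name": "Sales_Rep", "IsOwnedByProfile": True},
    {"Id": "0PS2", "Name": "CPQ_Admin", "IsOwnedByProfile": False},
    {"Id": "0PS3", "Name": "Finance_Readonly", "IsOwnedByProfile": True},
]
OBJECT_PERMISSIONS = [
    {"ParentId": "0PS1", "SobjectType": "Opportunity", "PermissionsEdit": True},
    {"ParentId": "0PS1", "SobjectType": "SBQQ__Quote__c", "PermissionsEdit": False},
    {"ParentId": "0PS2", "SobjectType": "SBQQ__Quote__c", "PermissionsEdit": True},
    {"ParentId": "0PS2", "SobjectType": "Commission__c", "PermissionsEdit": True},
    {"ParentId": "0PS3", "SobjectType": "Commission__c", "PermissionsEdit": False},
]
ASSIGNMENTS = [
    {"AssigneeId": "005A", "PermissionSetId": "0PS1"},
    {"AssigneeId": "005A", "PermissionSetId": "0PS2"},
    {"AssigneeId": "005B", "PermissionSetId": "0PS3"},
]
# Segregation-of-duties rule (constructed): one person must not edit both quotes and commissions.
SOD_CONFLICT = frozenset({"SBQQ__Quote__c", "Commission__c"})


def edit_rights_by_user(perm_sets, obj_perms, assignments):
    """Map each user to {object: [names of grants]} for edit rights on SOX objects.
    Users with no edit rights on in-scope objects are omitted."""
    names = {ps["Id"]: ps["Name"] for ps in perm_sets}
    grants = defaultdict(set)  # permission set id -> editable in-scope objects
    for op in obj_perms:
        if op["PermissionsEdit"] and op["SobjectType"] in SOX_OBJECTS:
            grants[op["ParentId"]].add(op["SobjectType"])
    rights = defaultdict(lambda: defaultdict(list))
    for a in assignments:
        for obj in sorted(grants.get(a["PermissionSetId"], ())):
            rights[a["AssigneeId"]][obj].append(names[a["PermissionSetId"]])
    return {user: dict(objs) for user, objs in rights.items()}


def sod_violations(rights):
    """Return user ids whose combined edit rights cover the whole conflicting pair."""
    return sorted(u for u, objs in rights.items() if SOD_CONFLICT <= set(objs))
```

The output is the evidence an auditor asks for: per user, which objects they can edit and through which profile or permission set, plus the users whose combined grants breach the segregation-of-duties rule.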
Data backup and recovery controls are measures designed to ensure the reliable backup, retention, and recoverability of financial data, protecting it from loss or corruption. These controls are critical for maintaining data integrity and continuity. Auditors focus on ensuring that processes are in place to back up and recover Salesforce data in the event of data loss. While Salesforce SOC reports provide coverage for data backup controls and are important for SOX compliance, they have limitations and shouldn't be relied upon exclusively. More on that later.
System change management controls ensure that changes to IT systems, applications, and configurations are authorized, tested, and implemented in a controlled manner. These controls are vital for maintaining system reliability and preventing unauthorized changes. Auditors often sample changes made to SOX-relevant data, metadata, or Salesforce functionality to ensure proper change management procedures were followed. Verifying that changes were approved, tested, and documented is essential, making clear audit trails crucial.
The Limitations of Solely Relying on SOC Reports
You've likely encountered SOC reports if you've ever been involved in a SOX audit or assessment. So, if SOC reports exist for third-party apps like Salesforce, why should you still implement and test controls within your company's Salesforce environment?
A SOC (System and Organization Controls) report is an independent audit report attesting to a service organization's security, availability, processing integrity, confidentiality, and privacy controls. While these reports provide assurance that third-party SaaS applications like Salesforce meet compliance and industry standards, blindly relying on them without testing your own General IT Controls (GITCs) is not best practice.
Pointing to the Salesforce SOC report may check a box during SOX compliance reviews, but it doesn't fully protect your business. There's a difference between meeting the control letter for compliance and embracing the spirit of the control to proactively safeguard your data.
For example, while the Salesforce SOC report verifies the effectiveness of Salesforce's data backup and recovery controls, these controls do not apply to the specific data within your Salesforce environment. Under the shared responsibility model, SaaS users are responsible for protecting and recovering their data in Salesforce. If data is lost or corrupted, Salesforce is not responsible for recovering it for you. Testing GITCs within your own Salesforce instance is essential to ensure data resilience and mitigate risks effectively.
How Can Own Help with SOX-Specific Use Cases?
The shared responsibility model is central to SOX compliance for SaaS applications and is a core principle of our mission. Our products empower customers to protect mission-critical information within Salesforce, aligning perfectly with the shared responsibility model.
Below are some tips and strategies to enhance your SOX compliance frameworks using Own from Salesforce.
Access Management
Challenge: Salesforce access management is complex. 20% of admin time is spent managing permissions, yet 80% of incidents are caused by misconfigurations, over-permissioning, and insider threats. As organizations grow, tracking access within Salesforce's native setup becomes increasingly challenging.
Solution: Own Secure improves the efficiency of implementing least privilege access by 75% using the Who Sees What Explorer to surface and prioritize risks. Paired with Data Classification, it helps classify SOX-relevant data and identify users with privileged access. The Who Sees What Explorer enables object-level audits of profiles and permission sets, focusing on financial data for SOX compliance. Acting as a centralized hub, Secure provides a clear view of your organization's access controls, streamlining access management and strengthening SOX compliance.

Data Backup and Recovery
Challenge: 80% of organizations lack automated backups and the ability to restore data quickly and reliably. InfoSec teams and auditors require documentation of backup processes for annual compliance exercises, which can be time-consuming to produce.
Solution: Own Recover reduces downtime by 71%, improves RTO and RPO objectives, and protects mission-critical data, including SOX data in Salesforce. In the event of data loss, you can quickly restore SOX-relevant data and prove compliance with backup history and audit trails. With Recover, you can automate backups, maintain a complete backup history, and retain data for up to 99 years, making it easy to retrieve backups for audits. Recover also enables smart alerts that can detect and alert you of any anomalies or data loss in real time.

System Change Management
Challenge: During a SOX audit, organizations must provide accurate records of changes to data, configuration metadata, and access to in-scope automated controls and reports.
Solution: Secure reduces time spent managing and reviewing field history by 75% with its Time Machine and Field History Tracking functionality, cutting Salesforce admin tasks from hours to minutes. Time Machine allows you to view your Salesforce organization at any point in time, providing valuable, accurate audit trails for SOX compliance efforts.

Final Thoughts
Navigating SOX compliance within Salesforce may seem daunting, but with the right approach and tools, it can become manageable and even strategic. By identifying financially relevant data, implementing effective controls, and understanding the shared responsibility model, you can confidently meet compliance requirements while ensuring the integrity and security of your organization’s Salesforce environment.
To learn more about how Own can help with your SOX compliance in Salesforce, request a demo today.