Salesforce SOX Compliance

Setting up source control for your Salesforce team is generally a good idea, but it’s especially important for publicly traded companies and those that aspire to be publicly traded. Going public is exciting and lucrative, but before you start lighting cigars with hundred dollar bills, it’s worth remembering that an IPO brings with it additional regulation and compliance requirements including the beloved Sarbanes-Oxley Act, lovingly known as SOX.

SOX regulations relate to financial reporting. Given the centrality of Salesforce in so many companies’ Salesforce development is frequently implicated in SOX compliance requirements. At Blue Canvas we have helped IT departments across the country ease their compliance burden.

At Blue Canvas we make SOX compliance simpler in two key ways: we make it easier to audit your changes and we help enforce a reliable and user friendly separation of duties between developers and release managers.

Auditing Salesforce for SOX

For an enterprise software company, Salesforce provides a relatively sparse audit trail. You get only six months of information about metadata changes in your orgs. And the information you are given is limited to name and title of the file changed. You don’t know what code or metadata was actually changed.

Blue Canvas provides unprecedented visibility into Salesforce metadata. We are listening to your Salesforce orgs in real time and tracking changes that get made. We know who has changed what and when. We present this in a user friendly interface that you can use to improve your knowledge of what has gone on in your orgs. This is helpful during audit season when you sit down with your auditors.

The key to what makes this effective with auditors is that it’s automated. Changes are automatically tracked. There is no requirement of manual intervention to track these changes. And that makes the audit trail far more robust. We are even able to use the Salesforce APIs to access and attribute the correct Salesforce user with each change.

And we provide an audit and history trail that goes on forever from the start of your engagement with us.

Delegation of Duties in Salesforce

The other key requirement for Salesforce teams looking to stay SOX compliant, is that the developer who wrote the code is not the same person who deploys the code. Most teams have some sort of release manager function to fulfill this role. They can do code reviews and ensure that the code is up to standard.

Blue Canvas provides role based deployments. This means you can prevent certain users from making deployments to specific environments. Let’s say you only want your release manager to be able to deploy to production. Blue Canvas can help make that a requirement by only making deployments available to specific users.

You can also keep track of everything that is included in each deployment in a nice and clean interface of deployed code. In each deployment you can see which lines of code were specifically included in the deployment, as well as all the commentary around the deployment. This makes it really easy to review changes that have gone on in your org over time.

Jack Moxon