Best Practices

Salesforce SOX Compliance

How Blue Canvas can help ensure your Salesforce development team and process are SOX compliant.

Last Update:
June 11, 2018

Table of Contents


For an enterprise software company, Salesforce provides a relatively sparse audit trail. You get only six months of information about metadata changes in your orgs. And the information you are given is limited to name and title of the file changed. You don’t know what code or metadata was actually changed.

Blue Canvas provides unprecedented visibility into Salesforce metadata. We are listening to your Salesforce orgs in real time and tracking changes that get made. We know who has changed what and when. We present this in a user friendly interface that you can use to improve your knowledge of what has gone on in your orgs. This is helpful during audit season when you sit down with your auditors.

The key to what makes this effective with auditors is that it’s automated. Changes are automatically tracked. There is no requirement of manual intervention to track these changes. And that makes the audit trail far more robust. We are even able to use the Salesforce APIs to access and attribute the correct Salesforce user with each change.

And we provide an audit and history trail that goes on forever from the start of your engagement with us.


The other key requirement for Salesforce teams looking to stay SOX compliant, is that the developer who wrote the code is not the same person who deploys the code. Most teams have some sort of release manager function to fulfill this role. They can do code reviews and ensure that the code is up to standard.

Blue Canvas provides role based deployments. This means you can prevent certain users from making deployments to specific environments. Let’s say you only want your release manager to be able to deploy to production. Blue Canvas can help make that a requirement by only making deployments available to specific users.

You can also keep track of everything that is included in each deployment in a nice and clean interface of deployed code. In each deployment you can see which lines of code were specifically included in the deployment, as well as all the commentary around the deployment. This makes it really easy to review changes that have gone on in your org over time.

More like this