Since the presenter's background is in Salesforce, the examples and terminology used in this session are Salesforce-specific. However, SOX applies to any company that wants to prevent financial or operational fraud and build trust with its shareholders, and most of the controls discussed can be applied to any software application, such as SAP or ServiceNow. Join us to learn what SOX (Sarbanes-Oxley Act) compliance is.
What is SOX (Sarbanes-Oxley Act)?
The Sarbanes-Oxley Act of 2002, commonly referred to as SOX, was enacted in response to a series of high-profile corporate scandals. Those scandals involved significant accounting fraud and corporate misconduct, led to a loss of investor confidence, and highlighted the need for more stringent regulatory oversight.
SOX was signed into law on July 30, 2002, by President George W. Bush. The Act introduced major changes to the regulation of financial practices and corporate governance, with the goal of protecting investors by improving the accuracy and reliability of corporate disclosures.
Types of Controls – Categorization by Purpose
Operational Controls: (Scope for this presentation)
These controls focus on the efficiency and effectiveness of day-to-day business operations. They aim to prevent errors, fraud, and inefficiencies.
Financial Accounting and Reporting Controls:
These controls specifically target the financial reporting process, ensuring accuracy, completeness, and compliance with accounting standards.
Categorization by Nature
- Preventive Controls: These controls aim to prevent errors or irregularities from occurring.
- Examples: segregation of duties, access controls, and change management.
- Detective Controls: Designed to identify errors or irregularities that might have already occurred.
- Examples: audit log reviews.
- Corrective Controls: Implemented to rectify errors or irregularities that have been detected.
Segregation of Duties
It is a fundamental control to prevent fraud and errors by ensuring that no single person has complete control over a process.
Key Principles of SoD
- Separation of roles: Different users should have distinct responsibilities and access levels.
- Limiting access: Restrict user permissions to only what is necessary for their job function.
Example of SoD
- Sales users should have access to create and edit opportunities, but not modify pricing or discounts.
- Finance users should have read-only access to opportunities but full access to quote and contract information.
- A developer should have limited access to Production and should not be able to change any metadata.
- Approval processes should be in place for discounts and contract modifications.
User Access Controls/User Access Review
It is a control that regulates who can access what data and which actions they can perform within a system, reviewed periodically.
Key Principles of UAR
- Verify periodically (monthly, quarterly) that users have only the required level of access
- Identify users who no longer need access to the application (changed position, left the organisation)
Examples of UAR failures
- A user who is no longer with the company logged into the application
- A user who received delegated access for a limited time period still holds the privileged access
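The following is an added example, not part of the original presentation, showing how the SoD and UAR checks above can be run over exported Salesforce user and permission set assignment data. The user rows, assignment rows, the SoD conflict matrix and the 90-day stale-login threshold are all constructed for illustration; the column names are modelled on the User and PermissionSetAssignment objects.

```python
from datetime import datetime, timedelta

# Constructed sample of a User export; column names are modelled on the
# Salesforce User object (Username, IsActive, LastLoginDate, Profile.Name).
USERS = [
    {"Username": "alice@example.com", "IsActive": True,  "LastLoginDate": "2024-05-28", "Profile": "Finance User"},
    {"Username": "bob@example.com",   "IsActive": True,  "LastLoginDate": "2024-01-03", "Profile": "Finance User"},
    {"Username": "carol@example.com", "IsActive": False, "LastLoginDate": "2023-11-10", "Profile": "Sales User"},
    {"Username": "dave@example.com",  "IsActive": True,  "LastLoginDate": "2024-05-30", "Profile": "Sales User"},
]

# Constructed PermissionSetAssignment rows; ExpirationDate is assumed to be
# present in the export (it is how time-boxed delegated access is recorded).
ASSIGNMENTS = [
    {"Username": "alice@example.com", "PermissionSet": "Discount_Approver", "ExpirationDate": "2024-04-30"},
    {"Username": "bob@example.com",   "PermissionSet": "Contract_Editor",   "ExpirationDate": None},
    {"Username": "dave@example.com",  "PermissionSet": "Pricing_Editor",    "ExpirationDate": None},
]

# Hypothetical SoD matrix: a Sales profile must never hold pricing or discount rights.
SOD_CONFLICTS = {"Sales User": {"Discount_Approver", "Pricing_Editor"}}
STALE_DAYS = 90  # active users with no login for this long are reviewed as possible leavers


def review_access(users, assignments, review_date):
    """Return UAR/SoD findings as (finding, username[, permission set]) tuples."""
    review = datetime.strptime(review_date, "%Y-%m-%d")
    cutoff = review - timedelta(days=STALE_DAYS)
    profiles = {u["Username"]: u["Profile"] for u in users}
    findings = []
    for u in users:
        last_login = datetime.strptime(u["LastLoginDate"], "%Y-%m-%d")
        if u["IsActive"] and last_login < cutoff:
            findings.append(("STALE_ACTIVE_USER", u["Username"]))
    for a in assignments:
        exp = a["ExpirationDate"]
        if exp and datetime.strptime(exp, "%Y-%m-%d") < review:
            findings.append(("EXPIRED_DELEGATED_ACCESS", a["Username"], a["PermissionSet"]))
        if a["PermissionSet"] in SOD_CONFLICTS.get(profiles.get(a["Username"]), set()):
            findings.append(("SOD_CONFLICT", a["Username"], a["PermissionSet"]))
    return findings


if __name__ == "__main__":
    for finding in review_access(USERS, ASSIGNMENTS, "2024-06-01"):
        print(*finding)
```

Each finding maps to one of the failure types in the slides: a stale active account (possible leaver), delegated access held past its expiry, and a role holding rights it should not combine.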
Change Management
It is a critical control that ensures that modifications to an application are planned, tested, and implemented systematically to minimize disruptions and risks. It involves a structured process for evaluating, approving, and implementing changes to the platform.
Key Principles of Change management
- Change Request: A formal document outlining the proposed change, its impact, and the required resources.
- Impact Assessment: Evaluating the potential consequences of the change on the system, users, and processes.
- Testing: Conducting thorough testing in a sandbox environment to verify the change’s functionality and identify potential issues.
- Approval Process: Obtaining necessary approvals from relevant stakeholders before implementing the change.
- Documentation: Maintaining detailed records of the change request, approval, testing, and implementation.
- Communication: Informing users about the change, its impact, and the implementation timeline.
- Rollback Plan: Developing a contingency plan to revert to the previous state if the change fails.
Examples of Change Management failures
- A validation rule has been deactivated directly in Prod without proper approvals
- A wrong version of flow has been deployed due to lack of proper review and testing
Detective Control – Setup Audit trail review
- Errors or inefficiencies that slipped past the preventive controls are detected here
- All the metadata changes made in the org are logged in the object ‘SetupAuditTrail’
- All the log entries have to be reviewed for errors that occurred during the period in scope
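As an added example (not from the original presentation), this script reviews an exported SetupAuditTrail list the way the detective control above describes: every change in a sensitive Setup section must trace back to an approved change ticket for the actor and time window, and anything that does not is reported. The audit rows, ticket list and the set of sensitive sections are constructed; the field names follow the SetupAuditTrail object.

```python
# Constructed SetupAuditTrail export; field names follow the Salesforce object
# (CreatedDate, CreatedBy, Section, Display, DelegateUser), the rows are made up.
AUDIT_TRAIL = [
    {"CreatedDate": "2024-06-03T10:15:00", "CreatedBy": "deploy.user@example.com", "DelegateUser": None,
     "Section": "Validation Rules", "Display": "Deactivated validation rule Discount_Limit on Opportunity"},
    {"CreatedDate": "2024-06-04T18:40:00", "CreatedBy": "dev.one@example.com", "DelegateUser": None,
     "Section": "Validation Rules", "Display": "Deactivated validation rule Discount_Limit on Opportunity"},
    {"CreatedDate": "2024-06-05T09:05:00", "CreatedBy": "admin@example.com", "DelegateUser": None,
     "Section": "Customize Opportunities", "Display": "Changed page layout Opportunity Layout"},
    {"CreatedDate": "2024-06-05T22:10:00", "CreatedBy": "deploy.user@example.com", "DelegateUser": "admin@example.com",
     "Section": "Flows", "Display": "Activated version 3 of flow Quote_Approval"},
]

# Constructed approved change tickets: who was approved to deploy, and in which window.
APPROVED_CHANGES = [
    {"Ticket": "CHG-101", "User": "deploy.user@example.com",
     "Start": "2024-06-03T09:00:00", "End": "2024-06-03T12:00:00"},
]

# Setup sections whose changes must always trace back to an approved ticket (assumed list).
SENSITIVE_SECTIONS = {"Validation Rules", "Flows", "Apex Class", "Manage Users", "Sharing Rules"}


def covering_ticket(actor, when, approved):
    """Return the ticket that authorises `actor` at ISO timestamp `when`, or None."""
    for a in approved:
        if a["User"] == actor and a["Start"] <= when <= a["End"]:  # ISO strings compare chronologically
            return a["Ticket"]
    return None


def review_audit_trail(entries, approved):
    """Return sensitive metadata changes with no approved change ticket behind them."""
    findings = []
    for e in entries:
        if e["Section"] not in SENSITIVE_SECTIONS:
            continue
        # When an admin used Login-As, DelegateUser holds the real person; attribute the change to them.
        actor = e["DelegateUser"] or e["CreatedBy"]
        if covering_ticket(actor, e["CreatedDate"], approved) is None:
            findings.append((e["CreatedDate"], actor, e["Section"], e["Display"]))
    return findings


if __name__ == "__main__":
    for finding in review_audit_trail(AUDIT_TRAIL, APPROVED_CHANGES):
        print(*finding)
```

The two reported rows are exactly the slide's failure cases: a validation rule deactivated directly in Production without approval, and a flow version activated outside any approved window, attributed to the admin who used Login-As rather than to the deployment user.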
Corrective Controls
Any errors or inefficiencies identified through the preventive and detective controls should be addressed.
Example: a developer changes metadata directly in Production. Solution: proper training and guidelines should be provided.
Frequency
- Risk Assessment:
- Criticality of controls: High-risk controls, such as those related to financial reporting, access controls, and fraud prevention, should be audited more frequently.
- Change in control environment: Significant changes in systems, processes, or personnel can increase risk, necessitating more frequent audits.
- Historical error rates: A higher frequency of errors in previous audits may warrant increased audit attention.
- Regulatory Requirements:
- Industry-specific regulations might impose additional audit requirements or frequencies. For example, financial institutions often have stricter compliance standards.
- Company Size and Complexity:
- Larger, more complex organizations with numerous subsidiaries or business units may require more frequent audits to ensure comprehensive coverage.
- Audit Resources:
- The availability of audit staff and resources can impact audit frequency. Prioritization of audits based on risk is essential.
- Cost-Benefit Analysis:
- The cost of additional audits should be weighed against the potential benefits in terms of risk mitigation and control effectiveness.
Common Audit Frequencies
While there’s no one-size-fits-all approach, here are typical audit frequencies:
- Annual audits: Mandatory for financial statements.
- Quarterly or semi-annual audits: For high-risk controls, significant changes, or regulatory requirements.
- Monthly or bi-monthly audits: For extremely critical controls or in response to specific incidents or issues.
Bringing Compliance – by leveraging Salesforce features
- Profiles: Define granular access levels based on roles.
- Permission Sets: leverage expiration date, session-based granting, and User Access policies.
- Object Permissions: Control access to specific objects and records.
- Field-Level Security: Restrict visibility and editing capabilities for specific fields.
- Field History Tracking: Records who changed which field values, and when
- Classic Encryption: Helps to restrict the visibility of actual values
- Sharing Rules: Determine data visibility based on record ownership and user criteria.
- Validation Rules: Enforce data integrity and prevent errors.
- Approval Processes: Implement multiple levels of review and approval.
- Flows/Apex: To automate any use case that cannot be addressed with the out-of-the-box (OOTB) features
Conclusion
Maintaining SOX compliance is critical for the financial integrity and accountability of any organization. Throughout this presentation, we have explored the essential components of SOX controls, including the importance of segregation of duties, robust user access controls, and effective change management processes.
By leveraging Salesforce features, organizations can streamline their compliance efforts. These tools not only help in automating and enforcing compliance policies but also in reducing the risk of errors and fraud. Implementing these controls and best practices ensures that your organization remains compliant with regulatory requirements, thus safeguarding your financial data and enhancing stakeholder trust.