Sign up for weekly AppOps insights.

Sign up for weekly AppOps insights.

SOX Compliance Audits: Is Your CPQ Data Ready?

Hayley Coxon

VP of Marketing
Hayley Coxon is the Vice President of Marketing and Revenue Operations for Prodly and accidental admin since 2010. You can find her on LinkedIn.

February 28, 2022

SOX auditors are increasingly informed about configuration data within Salesforce CPQ and other modern configure-price-quote apps. That’s why it’s vital to have a governance plan to maintain auditability of your financial data. 

Don’t wait until an auditor comes knocking to find out you weren’t SOX compliant. In this blog, we discuss what SOX legislation is and how it applies to Salesforce. We also explain that Prodly can help protect your CPQ processes from unnecessary headaches that may come up in an audit!

What Is SOX Legislation?

SOX stands for the Sarbanes-Oxley Act of 2002. This in itself is short for the Corporate and Auditing Accountability, Responsibility and Transparency Act. Around the turn of the century, large corporations like Enron were being swept up in financial scandals. 

Congress reacted with this piece of legislation. It essentially set standards for governance and accountability for public companies—and, to an extent, private ones—specifically regarding financial data.

Salesforce’s functions are expanding and evolving to various pricing and finance functions. That means SOX legislation can come into play if a Salesforce client is audited.

What Does SOX Govern?

The SOX Act of 2002 enacted penalties for any company that committed fraud or did not properly maintain records and disclosures. It also established higher standards for security around data and tightening internal access to financial records.

Now, auditors want to see required executive responsibility and enhanced financial disclosures.  They also check that companies have internal controls around data access, security, and backup, as well as change management.

How Does SOX Apply to Salesforce CPQ?

Due to the explosion of low-code development, auditors have rethought how they view Salesforce and what’s in scope for an audit. They don’t just look at metadata and code changes anymore—they also look at data and configuration data.

Proper oversight is sometimes not enough when it comes to an audit. Instead, you need to make sure your company can demonstrate compliance end-to-end.

CPQ applications store data regarding pricing, discounts, rules for discounting, and so on. Auditors are interested in what controls are in place for any changes to that data. 

Let’s say someone changes the price of a product or an advanced approval rule. Auditors want to see that change was approved and tracked—all with proper delegation of duties. If you can’t show that it was, you have a problem.

Gears representing compliance.

Get Automatic Compliance

Prodly takes the headache out of the auditing process for you. Our automatic change tracking feature documents every change made. What’s more: It stores the change log as long as you want to keep it. That means it’s simple to generate an audit report when requested.

In addition, using Prodly, it’s easy to enforce separation of duties, as well as restrict access to specific data for specific users.

Contact us to learn more about how we can help you maintain auditability of your valuable CPQ data!


Prodly Compliance Center

The gold standard for documenting SOX in Salesforce CPQ!