
Is Your CPQ Data Process Ready for an Audit? How SOX Legislation May Come To Bite You.

Hayley Coxon

VP of Marketing

February 28, 2022

Ah, yes, that pesky word: compliance. The bane of any RevOps or Salesforce Admin’s existence. As SOX auditors become more savvy to the notion of configuration data within Salesforce CPQ and other modern configure-price-quote apps, it’s vital to have a governance plan to maintain auditability of your financial data. You don’t want to wait until an auditor comes knocking to find out you weren’t compliant. Learn how to protect your CPQ processes from unnecessary headaches that may come up in an audit!

What is SOX Legislation, Anyway?

SOX is short for the Sarbanes-Oxley Act of 2002, which itself is short for the Corporate and Auditing Accountability, Responsibility and Transparency Act. Around the turn of the century, when the Enrons of the world were being swept up in accounting scandals, this piece of legislation was how Congress reacted. It essentially set standards for governance and accountability for public (and, to an extent, private) companies, specifically regarding financial data.
As Salesforce’s functions expand and evolve to various pricing and finance functions, SOX legislation can come into play if a Salesforce client is audited – for a variety of reasons.

What Does SOX Govern?

The SOX Act of 2002 enacted punishments for any company that committed fraud or did not properly maintain records and disclosures, and ushered in higher standards for security around data and tightening internal access to financial records.
In addition to required executive responsibility and enhanced financial disclosures, auditors want to see that companies have internal controls around data access, data security, data backup and change management.

How Does SOX Apply to Salesforce and, Specifically, CPQ?

The explosion of “clicks, not code” has caused auditors to rethink how they view Salesforce and what is in scope for an audit (hint: they’re not just looking at metadata and code changes anymore). Proper oversight is sometimes not enough when it comes to an audit—you need to make sure your company can demonstrate compliance end-to-end.

CPQ apps store data regarding pricing, discounts, rules for discounting, etc. Auditors will be interested in seeing what controls are in place for any changes to that data. If someone changes the price of a product or an advanced approval rule, auditors want to see that the change was approved and tracked, and that there was proper delegation of duties. If you can’t show that it was, you have a problem.

Prodly takes the headache out of the auditing process for you. Contact us to learn more about how we can help you version and maintain auditability of your valuable CPQ data!