
Internal Controls in Salesforce ALM

Joe Marshall

Sr. Manager, Demand Generation

August 2, 2023

Automation Helps Ensure Compliance in Salesforce Change Management

A robust set of internal controls in your change management process doesn’t just keep your Salesforce instance secure—it’s also your insurance when auditors come knocking at your door. Prodly’s compliance tool is a superhero in this scenario—it saves the day by minimizing risk in Salesforce application lifecycle management (ALM). The best part? It makes proving compliance a breeze—and that’s a lifesaver when it comes to complying with regulations such as SOX and other anti-fraud regulations.


Internal controls are like the pillars holding up your ALM process. Change management, access controls, segregation of duties, testing, and monitoring all work together to create a release pipeline that’s strong and compliant. Let’s take a closer look at how each factor contributes to maintaining your Salesforce instance’s integrity—and how automation can make them even more powerful.

Change Management

A formal change management process is essential to remaining in compliance. Imagine setting up an intricate domino line. A tiny, inadvertent shift to a single piece can cause a cascade… and knock everything down. Similarly, the changes you make to Salesforce can affect the entire system. If you don’t properly track and manage them, even minor adjustments can result in considerable compliance headaches further down the line.

Why Do I Need a Change Management Process?

Picture this: A developer modifies a custom field within a Product in Salesforce CPQ, but they forget to document the change. If the change doesn’t work properly, it could create a ripple effect and even disrupt a quote that relies heavily on that field to determine the price structure. 

Unfortunately, because the developer didn’t document the change, it could take you a long time to sort out where the bug is and how to fix it. And that’s time your sales team doesn’t have in the fast-moving business world.

If this sounds familiar, you’ll be psyched to hear that you can avoid this kind of situation. How? By establishing a formal change management process that outlines the correct procedures to follow in the release process. 

Automation in Change Management

Enter Prodly. Our automation streamlines your Salesforce change management process with instant sandbox seeding, 1-click scratch orgs, org syncing, version control, data deployments, and regression testing. It replaces manual work, which eliminates human error—and drastically reduces the number of bugs in your pipeline. 

Prodly also provides automated change tracking, which essentially equips your Salesforce environment with a state-of-the-art surveillance system that records every single modification. It keeps a watchful eye on your domino line and ensures each piece stays in the right place. And because it records every change, you can easily trace any irregularities back to their source. 

Change tracking is a straightforward yet powerful principle: When you know the history of your Salesforce changes, you can protect your production environment. That’s why integrating tools like Prodly into your Salesforce change management process can mean the difference between remaining compliant or inadvertently triggering a domino effect of complications. 

Access Controls

Access controls play a vital role in keeping your release pipeline compliant. Here’s why. 

Picture a multi-story building. If everyone had unrestricted access to every floor, chaos would inevitably break out. An intern might stumble across sensitive information or someone who’s not an employee could walk into the CEO’s office in the middle of a strategy meeting. 

In the same vein, not all users need access to every feature or dataset in your Salesforce instance. That’s where controls come in—they limit each user’s access to only the areas they need for their tasks.

Why Do I Need Access Controls?

Consider a real-world example. Your developers don’t need to view the actual information in Salesforce CPQ. They only need access to configuration data and test data to build and test adjustments. So there’s no reason to give them access to a Full or Partial Copy sandbox with potentially sensitive data. But without proper access controls, you always run the risk that a curious or misguided click could expose information that could be used in a nefarious way.

How Automation Helps

Our automation lets you set controls at the environment level so only authorized users can access environments with sensitive data. Let’s say a developer is working on a new feature in a dev environment. They do have to promote changes to integration, but they really shouldn’t be in any of your upper-level environments. With Prodly’s environment-level access controls, you can limit their access to development and integration orgs so they don’t accidentally stray into other environments. 

The result? You can effortlessly maintain the integrity of your release pipeline while simultaneously enhancing compliance.

Segregation of Duties

Segregation of duties is a cornerstone of your Salesforce ALM compliance strategy. Imagine a high school student who’s taking their driver’s license test. If they’re also responsible for scoring their own performance, they could simply give themself a pass—no matter how many mistakes they made. Do you really want to let that person get behind the wheel?

Why Do I Need Segregation of Duties?

You can compare this to segregation of duties in ALM. If one person is responsible for every stage of your Salesforce development cycle, they can wreak all sorts of havoc. They could make mistakes that change the way your production environment works, which could result in data corruption, loss, or exposure. Or worse: They could intentionally make changes to gain access to sensitive financial data, PHI, or PII.

That’s where segregation of duties comes into play. It divides critical functions among different individuals or teams to minimize the risk of errors and fraud.

In a compliant ALM process, one person is responsible for developing a new feature, another for testing it, and a third for deploying it to production. Because multiple sets of eyes scrutinize the change at each stage of development, the potential for bugs and unauthorized changes is drastically reduced.

How to Prove Segregation of Duties

So how can you prove these duties are appropriately segregated in your change management process? 

Without automation, this involves a time-consuming, laborious process of toggling between your version control’s audit log and your work management app to match change requests to deployments. It’s an incredibly painstaking process—yet it’s one you can’t afford to get wrong. What’s more: You have to get your documentation in order within the time that the auditor requests—otherwise you risk noncompliance. 

That’s why we automated this process—to make it super fast and easy! With Prodly’s powerful documentation capability, you can quickly and easily generate comprehensive audit reports. These reports show all the work items that are linked to a specific deployment—including the what, when, why, and by whom of every change. And those details are exactly what a SOX auditor or other auditor wants to know.


Testing

The importance of testing in a compliant Salesforce ALM process simply cannot be overstated. Think about it: Would you launch a new product without conducting a quality check first? Probably not.

The same applies to any changes to your Salesforce instance. If you don’t test thoroughly, you could expose it to bugs or issues that could affect your business operations.

Why Do I Need Testing?

Let’s consider a scenario where your development team creates a new feature to streamline your sales process but doesn’t test it in a sandbox before deploying it to production. Unfortunately, the new feature doesn’t function properly, and it results in downtime, data corruption, or other unexpected issues. This domino effect could be detrimental to your operations.

The Value of Automated Testing

Salesforce CPQ Upgrade Testing from Prodly acts like your quality assurance team. It lets you meticulously check that every element of your change functions the way it should and doesn’t introduce bugs into your production environment. You can spot issues before they become a problem and affect your compliance posture. It’s as simple as this—test, don’t guess!


Monitoring

Monitoring serves as the lifeguard in your Salesforce ALM compliance strategy. Imagine being responsible for the safety and wellbeing of everyone on the beach. Without a lifeguard station, you wouldn’t have the bird’s eye view to be able to see when someone’s in danger.

Why Do I Need Monitoring?

The same principle applies to your Salesforce application lifecycle management. Without effective monitoring, you won’t have the visibility to detect uncontrolled changes to your production environment. That means you could be blindsided by bugs, issues, or other unanticipated changes to prod that could impact your operations.

Benefits of Monitoring Your Release Pipeline

Monitoring your release pipeline promotes compliance with regulatory requirements because you’ll know when an uncontrolled modification is deployed to production. On top of that, it offers several other benefits, including improved visibility of your ALM process and increased reliability of your changes.

Implement Internal Controls With Confidence

It’s an undeniable truth: Regulatory compliance in Salesforce ALM is critical to mitigating your company’s risk and maintaining the trust of the public. And when it comes to internal controls, requirements like change management, access controls, segregation of duties, testing, and monitoring aren’t just best practices—they’re compliance lifelines. 

Prodly automates and simplifies these processes—so you can create a bulletproof change management process that aligns with the regulatory requirements that apply to your business.


What is the purpose of internal controls?

When it comes to financial regulations, internal controls ensure the reliability and integrity of financial reporting—plus, they help safeguard your assets. In the context of privacy requirements, they protect sensitive data like PHI and PII to mitigate the risk associated with data breaches and ensure compliance with data privacy laws.

Can you provide examples of regulations that require internal controls?

Depending on where you operate and what your industry is, you might be subject to various internal controls requirements such as SOX, GLBA, HIPAA, CCPA, and GDPR.

How can I use internal controls to comply with privacy regulations in Salesforce change management?

You can use internal controls to help protect sensitive data against unauthorized access, as well as data loss and corruption.

