We are often asked about internal controls that need to be in place around a certain type of technology, whether it's Salesforce, SAP, Oracle, etc. The short answer? It “depends on the process the technology is automating.” Because we want our blog posts to be actionable and informative, we will get right down to how to view Sarbanes Oxley (SOX) controls for Salesforce.
Let’s start with a quick definition of SOX controls, the relevant areas of Salesforce one should consider, and how one might approach putting a compliance review in place.
First, what are “Sarbanes Oxley controls?” Technically speaking, there is no such thing. The correct technical view is that Sarbanes Oxley (SOX) governs a specific type of internal control; namely “internal controls over financial reporting.” OK, now that we are using the correct technical term, what does it mean? Let’s break it down:
- What are internal controls? They are the people, processes, and systems in place to achieve a desired business outcome.
- What is financial reporting? In the SOX context, it means the financial statements and reports filed with the Securities and Exchange Commission (SEC).
- Therefore, “internal controls over financial reporting” are the people, processes, and systems that ensure the financial statements and reports filed with the SEC are current, accurate, and complete.
Second, let’s apply this to Salesforce. The first question to ask is: how do Salesforce users (people), the sales approach (process), and the Salesforce Org itself (systems) affect financial reporting? The answer to this question will be highly individualized, but we can provide some limited general examples based upon typical circumstances:
- Financial reporting concerns typically begin when two or more parties strike a deal. In this light, the parties should consider controls over who approves a sale (pricing, volume, and terms), and if the sale is complex, whether these parties should involve the legal, finance, or other departments.
- The sale needs to be documented in some way that is auditable. In other words, “one version of the truth” is needed.
- Once the parties approve and document the sale, a good control must communicate the facts of that sale to those responsible for recording the sale in the financial statements.
- There must be a periodically occurring control in place to answer the questions: “Who has access to Salesforce; what can be done with this access; and is this access appropriate for that person?” This typically takes the form of a quarterly system access review.
- You should pay attention to the ability to change pricing and deal terms, as these directly affect the way the sale is recorded in the financial statements.
- There should be a control to ensure that integration with financial systems is tested periodically.
- If sales backlog (consummated deals where revenue has not yet been booked) is a metric that is reported in the financial statements or in reports to the SEC, you should pay close attention to opportunities that are closed and won—who makes this designation and is it independently reviewed?
Third, how might one begin to make a compliance assessment about Salesforce-related internal controls? The basic cadence would be:
- Identify what could go wrong. Ask what could negatively affect financial reporting coming from people, processes, and systems related to Salesforce.
- Identify the controls you have in place (or don’t, as the case may be) to prevent these bad things from occurring.
- Conduct tests of internal controls to identify if the controls you have in place (or think you have in place) are working.
- Put in place automated tools within Salesforce and via Salesforce apps that will automate the compliance process.
The topic of revenue in financial reporting is in the spotlight these days, due to the recently released accounting standards for revenue (ASC 606). Auditors, regulators, and board members are sure to focus on this area in the coming months.
Hopefully, you have a basic understanding about what SOX controls for Salesforce mean and how to begin to analyze them. If you need a more in-depth analysis, please contact us and our CPAs, CFEs and Certified Salesforce professionals will be happy to put your concerns at ease.
