Salesforce auditing is a crucial part of financial audits, especially SOX audits. There are key questions that must be answered to conduct these audits:
- Does my organization use Salesforce for revenue-related data?
- Which fields in Salesforce have this data?
- Who has access to this data?
- What can affect these fields and reports?
Auditors want proof that the business knew about and approved changes in Salesforce that affect the financially relevant process and data – and ACCESS to the data. Bottom line – it is imperative that you be able to document and attest to who has access to this data (read and write).
And auditors will want to see that access is limited to only approved sources. Defined roles and profiles must be extracted from Salesforce and attested. During a SOX audit, you will also be asked to demonstrate that you are ensuring that only authorized users are able to access the system.
In essence, an auditor wants to confirm you are implementing the “principle of least privilege” (NIST CSF PR.AC-6) on the financial information reported in Salesforce.
YouAttest for Salesforce Auditing
YouAttest has long made macro-level permissions to Salesforce auditable through our access audits of Azure AD, Okta, JumpCloud, AD and others.
But customers have asked YouAttest to provide fine-grained entitlements via a direct agent to Salesforce.
YouAttest has delivered. We have utilized our newly coded middleware (fully documented and available to 3rd parties) to extract Salesforce entitlement information.
YouAttest utilizes these newly developed Online Connectors to connect with the customer’s Salesforce tenant using client credentials. With the direct connection, YouAttest can obtain granular data on the users based on the users' Salesforce roles and profiles.
Workflow of the YouAttest Salesforce Audit
- Connect your YouAttest tenant to your Salesforce tenant via standard app credentials.
- Map the relevant fields of your Salesforce user to YouAttest fields to obtain relevant information for your reviewers (see image #1).
- The Risk Manager (internal or 3rd party) now sets up a review that will extract the requested Salesforce entitlement information (see image #2).
- The Risk Manager can auto-delegate or manually delegate to the reviewers.
- The Reviewer now sees only the Salesforce permissions relevant to their staff (see image #3).
- The Reviewer approves, revokes or delegates.
- Once all reviewers are complete, YouAttest creates an attestation report of all the reviews.
How YouAttest Benefits the Salesforce Auditing Process
YouAttest is a product that continues to provide exceptional IGA value to the customer – usually eliminating up to 80-90% of the manual load in conducting an identity audit. The Salesforce connector continues on this path of value.
Because YouAttest Audits goes into granular detail on users' access and permissions, based on their roles and profiles:
- YouAttest Audits provides visibility into user attributes inside Salesforce for auditors.
- YouAttest Audit campaigns can be delegated to the exact user managers defined against a user in Salesforce.
- YouAttest provides a detailed report of your Salesforce Audit, covering everything from audit creation and delegation to attestation and completion of an audit campaign.
The audit reports are available in PDF and CSV format and can be submitted to external auditors as proof of the identity audit process.