Salesforce Entitlement Auditing
by YouAttest

Saleforce auditing is a crucial part of finanical audits, especially SOX audits.   There are key questions that must be answered to conduct these audits:

Does my organization use salesforce for revenue-related data?

  • Which fields in salesforce have this data?
  • Who has access to this data?
  • What can affect these fields and reports?

Auditors want proof that the business knew about and approved changes in Salesforce that affect the financially relevant process and data – and ACCESS to the data.  Bottom line – it is imperative that you be able to document and attest to who has access to this data (read and write).  

And auditors will want to see that access is limited to only approved sources.  Defined roles and profiles must be extracted from Salesforce and attested.  During a SOX audit, you will also be asked to demonstrate that you are ensuring that only authorized users are able to access the system.

In essence, an auditor wants to confirm you are implementing the “principle of least privilege”, (NIST CSF PR.AC-6), on the financial information reported in Salesforce.

YouAttest for Salesforce Auditing

YouAttest has long made macro permission to Salesforce audible through our access audits of Azure AD, Okta, JumpCloud, AD and others.

But customers have asked YouAtest to provide fine grained entitlements via a direct agent to salesforce.

YouAttest has delivered.   We have utilized our newly coded middleware (fully documented and available to 3rd parties) to extract Salesforce entitlement information.   

YouAttest utilizes these newly developed Online Connectors to connect with the customer’s Salesforce tenant using client credentials.  With the direct connection,  YouAttest can obtain granular data on the users based on the user Salesforce roles and profiles.  

Workflow of the YouAttest Salesforce Audit

  1. Connect your YouAttest tenant to your Salesforce tenant via standard app credentials.
  2. Map the relevant fields of your Salesforce user with YouAttest fields to obtain relevant information for your reviewers.   (see image #1)
  3. The Risk Manager (internal or 3rd party) now sets up a review that will extract the requested salesforce entitlement information  (See image #2)  
  4. The Risk Manager can auto-delegate or manually delegate to the reviewers.
  5. The Reviewer now just sees the Salesforce permissions relevant to their staff.   (see image #3)
  6. The Review approves, revokes or delegates
  7. Once all reviewers are complete, YouAttest creates an attestation report of all the reviews.

 

Image #1: A risk manager utilizing YouAttest can extract as much or as little information via the YouAttest Salesforce connector to conduct an access review of the granular Salesforce entitlements.

 

Image #2: The risk manager then has a view of the entitlements and can use YouAttest’s manual or automated delegation to have the right managers review the entitlements.

 

Image #3: Each reviewer receives (via email or Slack) a custom URL to the YouAttest portal which enable them to review ONLY the user entitlements that they are responsible for reviewing.

How YouAttest Benfits the Saleforce Auditing Process

YouAttest is a product that continues to provide exceptional IGA value to the customer – usually eliminating up to 80-90% the manual load in conducting an identity audit.  The Salesforce connector continues on this path of value.

Because YouAttest Audits goes very granular into the access and permission of users based on the users roles and profile:

  • YouAttest Audits provides visibility into user attributes inside Salesforce for auditors.
  • YouAttest Audit campaigns can be delegated to the exact user managers defined against a user in Salesforce.
  • YouAttest provides a detailed report of your Salesforce Audit covering from audit creation, delegation to attestation and completion of an audit campaign.

The audit reports are available in PDF and in CSV format and are submissible to external auditors as proof of the identity audit process.

 —

Contact us today to learn more about how YouAttest can help improve your identity audits, via automating user access reviews for compliance and better identity security.

Facebook
Twitter
LinkedIn

More
articles