
Preparing Compliance-Ready Documentation

Compliance audits require evidence that your Salesforce configurations are documented, reviewed, and maintained. aprity generates documentation that can serve as audit artifacts, covering business rules, security configurations, access controls, and cross-object dependencies.

What Auditors Look For

Compliance frameworks such as SOC 2, GDPR, and internal audit standards typically require evidence in the following areas:

Area | What Auditors Need | How aprity Helps
---- | ------------------ | ----------------
Change management | Proof that changes are documented and reviewed | Scan history shows when documentation was generated; Business Rule Changelog tracks changes between scans
Access controls | Documentation of who can access what | Validation rule and sharing rule documentation; permission-related metadata
Business logic | Clear description of automated business rules | AI-generated business rule documentation with evidence from triggers, flows, and validation rules
Data integrity | Controls that protect data quality | Validation rule documentation showing data quality enforcement
Process documentation | End-to-end descriptions of business processes | Process documentation generated from execution graphs

Output Formats for Auditors

Choose the output format based on your auditor's preferences:

PDF

Best for formal submissions. PDF output is formatted with aprity branding, table of contents, and page numbers. It is the most commonly accepted format for audit evidence.

DOCX (Professional and Enterprise)

Best when auditors need to annotate or mark up documentation. Microsoft Word format allows auditors to add comments and track changes directly in the document.

Markdown and HTML

Best for internal documentation portals, wikis, and Git-based documentation repositories. These formats are ideal for teams that maintain documentation alongside their codebase.

Tip: For compliance audits, generate documentation in PDF format immediately before the audit period begins. This creates a point-in-time snapshot that auditors can reference.

Key Features for Compliance

Global Analysis (Professional and Enterprise)

Global Analysis provides a cross-object view of your Salesforce org, showing how objects, automation, and processes interact. This is valuable for compliance because:

  • It reveals hidden dependencies between objects that may affect data integrity.
  • It documents cross-object automation chains that auditors need to understand.
  • It provides an org-wide map that demonstrates comprehensive documentation coverage.

Enable Global Analysis in the scan configuration to include it in your output.

Business Rule Changelog (Professional and Enterprise)

The Business Rule Changelog tracks how business rules change between scans:

  • Additions -- New validation rules, triggers, or flows added since the last scan.
  • Deletions -- Automation components removed since the last scan.
  • Modifications -- Changes to existing business logic.

This changelog serves as a change audit trail, demonstrating that modifications to business rules are tracked and documented.

Execution Graph (Enterprise)

The Execution Graph provides a visual representation of trigger execution order, showing:

  • Which triggers fire on each DML operation.
  • The order of execution across triggers, flows, and validation rules.
  • Dependencies between automation components.

This is particularly relevant for compliance reviews of complex automation that involves multiple interacting components.

Building a Compliance Documentation Package

Step 1: Generate comprehensive documentation

Run a scan with the following configuration:

  • All business-critical objects selected.
  • Global Analysis enabled.
  • Business Rule Changelog enabled (if you have a previous scan to compare against).
  • Output format set to PDF or DOCX.

Step 2: Include scan history as evidence

The scan history in the aprity Scans tab serves as an audit trail:

  • It shows the date and time of each documentation generation run.
  • It identifies who initiated each scan.
  • It records the configuration used for each scan.

Export or screenshot the scan history to include in your compliance package.

Step 3: Document your feedback process

If you have used the Feedback feature to correct AI-generated documentation, include evidence of this review process:

  • The Feedback tab shows all submitted corrections with timestamps.
  • Feedback entries demonstrate that documentation was reviewed by human experts.
  • The progression from ACTIVE to ARCHIVED feedback shows that corrections were applied and verified.

Step 4: Include access control evidence

Document who has access to aprity features:

  • Export the list of users assigned to Aprity_Admin and Aprity_User permission sets.
  • Reference the permission set comparison in the Permission Sets Explained article to show the separation of duties between admins and viewers.
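As an added example that is not part of the aprity documentation or product, the script below turns an export of PermissionSetAssignment records into the access-control evidence Step 4 asks for: it lists who holds Aprity_Admin and Aprity_User and flags any user assigned both sets, so the separation of duties between admins and viewers can be reviewed. It assumes the export is the JSON printed by the Salesforce CLI's `sf data query --json` for the query shown in the comment; the sample records are constructed.

```python
# Added example, not part of aprity: summarise who holds the Aprity_Admin and
# Aprity_User permission sets, from an export of PermissionSetAssignment records.
# Assumed input shape: the JSON printed by `sf data query --json` for
#   SELECT Assignee.Username, PermissionSet.Name FROM PermissionSetAssignment
#   WHERE PermissionSet.Name IN ('Aprity_Admin', 'Aprity_User')
from __future__ import annotations
import json
from collections import defaultdict

APRITY_PERMISSION_SETS = ("Aprity_Admin", "Aprity_User")

# Constructed sample export (not real org data): two admins, two viewers,
# and one user who holds both sets.
SAMPLE_EXPORT = json.dumps({"status": 0, "result": {"records": [
    {"Assignee": {"Username": "alice@example.com"}, "PermissionSet": {"Name": "Aprity_Admin"}},
    {"Assignee": {"Username": "bob@example.com"}, "PermissionSet": {"Name": "Aprity_User"}},
    {"Assignee": {"Username": "carol@example.com"}, "PermissionSet": {"Name": "Aprity_User"}},
    {"Assignee": {"Username": "dave@example.com"}, "PermissionSet": {"Name": "Aprity_Admin"}},
    {"Assignee": {"Username": "dave@example.com"}, "PermissionSet": {"Name": "Aprity_User"}},
]}})


def assignments_by_permission_set(export_json: str) -> dict[str, list[str]]:
    """Map each aprity permission set to its sorted, de-duplicated usernames."""
    members = defaultdict(set)
    for rec in json.loads(export_json)["result"]["records"]:
        ps_name = rec["PermissionSet"]["Name"]
        if ps_name in APRITY_PERMISSION_SETS:  # ignore unrelated sets in the export
            members[ps_name].add(rec["Assignee"]["Username"])
    return {name: sorted(members.get(name, ())) for name in APRITY_PERMISSION_SETS}


def users_with_both_roles(by_set: dict[str, list[str]]) -> list[str]:
    """Separation-of-duties check: users assigned both the admin and the viewer set."""
    return sorted(set(by_set["Aprity_Admin"]) & set(by_set["Aprity_User"]))


def evidence_report(export_json: str) -> str:
    """Plain-text summary to attach to the compliance package."""
    by_set = assignments_by_permission_set(export_json)
    lines = [f"{name}: {len(users)} user(s): {', '.join(users) or '(none)'}"
             for name, users in by_set.items()]
    overlap = users_with_both_roles(by_set)
    lines.append("Users holding both sets: " + (", ".join(overlap) or "none"))
    return "\n".join(lines)


if __name__ == "__main__":
    print(evidence_report(SAMPLE_EXPORT))
```

Users that appear under "holding both sets" are not necessarily a finding; the point is that each one is listed so the reviewer can justify or remove the extra assignment before the evidence is filed.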

Compliance Framework Alignment

SOC 2

SOC 2 Trust Criteria | aprity Evidence
-------------------- | ---------------
CC6.1 (Logical access) | Permission set assignments, JWT authentication documentation
CC8.1 (Change management) | Scan history, Business Rule Changelog
CC3.1 (Risk assessment) | Global Analysis showing cross-object dependencies

GDPR

GDPR Requirement | aprity Evidence
---------------- | ---------------
Article 30 (Records of processing) | Documentation of data-related objects and their automation
Article 25 (Data protection by design) | Validation rule documentation showing data integrity controls
Article 17 (Right to erasure) | Metadata purge capability documented in Data Residency

Internal Audits

For internal audit teams, aprity documentation provides:

  • A comprehensive inventory of all documented objects and automation.
  • Business rule descriptions in plain language (not code).
  • Evidence of documentation review through the feedback system.
  • Historical snapshots through scan history.

Maintaining Compliance-Ready Documentation

  • Schedule regular scans to ensure documentation stays current.
  • Run a fresh scan before each audit to capture the latest state.
  • Review and resolve feedback before generating audit documentation.
  • Archive the PDF or DOCX output from each audit period for historical records.