
How Salto Enhances Audit Compliance and Change Tracking

Written by Lior Neudorfer
Updated this week

Using Salto for change management helps teams stay compliant. Instead of directly making changes in production environments in an undocumented, unstructured, non-auditable way, teams can deploy their changes with Salto, getting:

  1. Comprehensive audit trails - all configuration changes are tracked, with links to specific tickets

  2. Deployment gating mechanisms - proper review and approval can be ensured before implementation

  3. Enhanced release visibility - the release process across environments can be visualized and controlled

These capabilities are essential for maintaining IT General Controls (ITGC) and ensuring compliance with regulatory frameworks like SOX, ISO/IEC 27001, and others.

Key Compliance Features

Detailed Change Tracking

Salto creates a complete audit trail by:

  • Recording all modifications in SaaS applications like NetSuite and Salesforce, deployed through Salto or made directly in the app

  • Linking each change to specific tickets or work items

  • Connecting changes to documentation outlining business rationale and implementation details

Deployment Control

Salto strengthens ITGC through:

  • Git repository integration for automated pull request (PR) creation

  • Structured approval workflows for configuration changes

  • Ensuring only authorized and vetted changes are implemented

  • Maintaining system integrity through controlled deployments

Release Management

Salto's Pipelines provides:

  • Visualization of release flows

  • Tracking of feature progress across environments

  • Streamlined promotions and back-promotions

  • Environment alignment to reduce unauthorized changes

Setting Up Configuration Change Tracking

To maintain an audit-ready paper trail of all environment changes, first set up your system as detailed below. Then, make sure you follow the recommended documentation best practices.

  1. Connect Salto to Git

    1. Set Version Control to automatically update branches with fetches and deployments

    2. Configure environment settings as shown in the documentation

  2. Establish Regular Monitoring

    1. Set a daily fetch cadence for automatic tracking

  3. Integrate your ticketing system (Jira, ServiceNow, Monday, Azure DevOps) with your Git repository

    1. Configure commit messages to link to tickets by ID

    2. For example: Connect GitHub to Jira using this guide

Documentation Best Practices

The best practice for optimal compliance is to have every change to your production environment deployed through Salto. This helps track changes in an accurate, properly-documented manner.

  1. For Deployments via Salto

    1. Include valid ticket ID(s) in every deployment

    2. Enforce this using Commit Message Patterns

  2. For Out-of-Band Changes

    1. Review the Salto change log regularly for changes made during fetches. Alternatively, you can define a monitor if you'd like to get alerts on out-of-band changes made on specific elements - this helps you focus on configuration changes that are in the audit's scope.

    2. Associate these entries with appropriate ticket IDs, by renaming the relevant entries

    3. Salto recommends performing reviews weekly to prevent accumulation of unreviewed changes

Following this process ensures all production environment changes are properly documented and associated with tickets, regardless of how they were implemented.

Audit Response Process

When auditors review your system, they typically examine specific configuration changes observed in application audit logs, such as NetSuite's System Notes. Here's how to provide the necessary documentation:

For Individual Configuration Changes

  1. Navigate to the corresponding Git branch for your environment

  2. Locate the relevant NACL or SFDX file:

    • Use "code search" in the repository with the configuration element ID, name, tag or other details

    • Contact Salto support if you need assistance finding specific elements

  3. Review the file's change history to see all modifications:

    • Both changes deployed through Salto and direct environment changes will be visible

    • Match the audited change to a specific commit by date and time

  4. Examine the change's commit message to find:

    • A link to the relevant fetch or deployment in Salto

    • Associated ticket ID(s)

    • Deployer details (for deployment changes)

For Ticket-Based Audits

When auditors want to review all changes associated with a specific ticket, they can do this in two ways: through Salto, or through the ticketing system.

In Salto:

  • Search the change log for the ticket ID

  • View all changes associated with that ticket, including both deployments and direct environment modifications

In Your Ticketing System:

  • Each ticket contains links to associated commits from relevant deployments

  • Follow these commits to view the precise configuration changes in your Git repository
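The commit-message enforcement described under Documentation Best Practices and the commit lookups described in the Audit Response Process can be scripted against the Git history of a single NACL file. The helper below is an added example, not Salto's own tooling: it assumes a Jira-style ticket key (e.g. `NS-412`) as the commit message pattern and parses a constructed sample of `git log --format='%H%x1f%aI%x1f%an%x1f%s' -- <file>` output.

```python
import re
from datetime import datetime

# Assumed commit message pattern: a Jira-style ticket key such as NS-412.
# Adjust to whatever your ticketing system uses (ServiceNow, Monday, Azure DevOps).
TICKET_RE = re.compile(r"\b[A-Z][A-Z0-9]+-\d+\b")

# Constructed sample of `git log --format='%H%x1f%aI%x1f%an%x1f%s' -- <nacl file>`.
# Fields are separated by the ASCII unit separator (\x1f) so subjects may contain spaces.
SAMPLE_LOG = "\n".join([
    "a1b2c3\x1f2024-05-02T09:14:00+00:00\x1fSalto Deploy\x1fNS-412 Deploy: update invoice approval workflow",
    "d4e5f6\x1f2024-05-03T02:00:07+00:00\x1fSalto Fetch\x1fFetch: detected changes in invoice_approval workflow",
    "0a9b8c\x1f2024-05-06T15:41:12+00:00\x1fSalto Deploy\x1fNS-419 NS-420 Deploy: tighten role permissions",
])


def parse_log(text):
    """Turn git log lines into commit records, extracting every ticket ID in the subject."""
    commits = []
    for line in text.splitlines():
        if not line.strip():
            continue
        sha, when, author, subject = line.split("\x1f", 3)
        commits.append({"sha": sha, "when": datetime.fromisoformat(when), "author": author,
                        "subject": subject, "tickets": TICKET_RE.findall(subject)})
    return commits


def commit_message_ok(subject):
    """Gate check for a deployment: the subject must reference at least one ticket."""
    return bool(TICKET_RE.search(subject))


def untracked_commits(commits):
    """Out-of-band changes (fetch commits) that still lack a ticket and need renaming."""
    return [c["sha"] for c in commits if not c["tickets"]]


def commits_for_ticket(commits, ticket):
    """Ticket-based audit: every commit referencing the given ticket ID."""
    return [c["sha"] for c in commits if ticket in c["tickets"]]


def first_commit_after(commits, observed_iso):
    """Match an audit-log entry (e.g. a System Notes timestamp) to the first commit that
    recorded it: the earliest commit at or after the observed change time."""
    observed = datetime.fromisoformat(observed_iso)
    later = sorted((c for c in commits if c["when"] >= observed), key=lambda c: c["when"])
    return later[0]["sha"] if later else None
```

Run the helpers over real history by piping `git log` with the same format into `parse_log`; a daily fetch cadence means a direct change normally lands in the first fetch commit after the audit-log timestamp.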
