At Fastpath, I occasionally get questions about SOC reports for Dynamics GP. In many cases this results from misplaced or misunderstood auditor questions.
The AICPA’s Service Organization Controls (SOC) framework is a standard for controls that safeguard the confidentiality and privacy of information stored and processed in the cloud. Essentially, SOC reports provide a level of assurance such that auditors don’t need to individually audit every cloud provider for every client. The key phrase there is “in the cloud”.
Since Microsoft doesn’t host GP in the cloud (it sells GP as an on-premise application), Microsoft doesn’t issue any SOC reports for GP. Indeed, it can’t issue SOC reports because it doesn’t host GP in the cloud. With respect to GP, Microsoft is a software vendor, not a cloud service provider.
If GP is hosted locally by the organization, no SOC report would be required either. An auditor would simply test controls locally.
Where this gets interesting is when a company hosts GP somewhere else. This could be running GP in a shared data center, hosting GP in an AWS or Azure virtual machine, or using GP in a SaaS environment from a full-service provider. In any of those scenarios, one or more SOC reports would be appropriate.
Microsoft, for example, offers SOC reports for Azure and the Dynamics products that it hosts (like Dynamics 365 Finance and Dynamics 365 Business Central).
There are two main categories of service audits based on the SOC framework, namely SOC 1 and SOC 2.
A SOC 1 audit evaluates the effectiveness of a cloud service provider’s (CSP) internal controls that affect the financial reports of a customer using the provider’s cloud services. SOC 1 reports are appropriate in situations where the service provider has access to GP data or other tools that could affect the financial statements. This would include something like Management Reporter, but might exclude an HR product: despite its sensitivity, HR data isn’t used for financial statements.
A SOC 2 audit gauges the effectiveness of a CSP’s system based on the AICPA Trust Service Principles and Criteria. A SOC 2 evaluates the processes and controls of the service provider. A SOC 2 might be used alone in a scenario where a server is simply hosted in a data center and where the data center is responsible for physical security, but doesn’t control the customer’s server. It might also be appropriate for a cloud provider where the data doesn’t affect financial statements, like our HR application described above.
SOC 1 & 2 reports can also be a Type 1 or a Type 2. In a Type 1, the company describes its controls and provides documentation as of a point in time. The auditor’s report is based on reviews of the controls and documentation. A Type 2 report provides a higher level of assurance than a Type 1. With a Type 2 report, the auditor reviews both the design and the operating effectiveness of controls over time. Since a Type 2 SOC takes time, often 6 months or more, many organizations pursue a Type 1 audit until they are able to complete a Type 2.
At the conclusion of a SOC audit, the service auditor renders an opinion in a SOC 1 Type 2 or SOC 2 Type 2 report. The report describes the CSP’s system and assesses the fairness of the CSP’s description of its controls. It also evaluates whether the CSP’s controls are designed appropriately, were in operation on a specified date, and were operating effectively over a specified time period.
Microsoft has a nice review of SOC reports at this link: https://docs.microsoft.com/en-us/compliance/regulatory/offering-soc
SOC reports provide a level of assurance for users of a service provider. They also simplify the audit process for users, since auditors can evaluate and choose to rely on a SOC report instead of performing their own audit. Choosing a cloud service provider without a SOC report is not generally recommended, but SOC reports only apply to Dynamics GP when it is hosted somewhere other than on premises.