Dynamics GP and SOC Reports

At Fastpath, I occasionally get questions about SOC reports for Dynamics GP. In many cases this results from misplaced or misunderstood auditor questions.

The AICPA’s Service Organization Controls (SOC) framework is a standard for controls that safeguard the confidentiality and privacy of information stored and processed in the cloud. Essentially, SOC reports provide a level of assurance such that auditors don’t need to individually audit every cloud provider for every client. The key phrase there is “in the cloud”.

Since Microsoft doesn’t host GP in the cloud, it sells GP as an on-premise application, Microsoft doesn’t issue any SOC reports for GP. Indeed, it can’t issue SOC reports because it doesn’t host GP in the cloud. With respect to GP, Microsoft is software vendor not a cloud service provider.

If GP is hosted locally by the organization there also wouldn’t be a SOC report required. An auditor would simply test controls locally.

Where this gets interesting is when a company hosts GP somewhere else. This could be running GP in a shared data center, hosting GP in an AWS or Azure virtual machine, or using GP in a SAAS environment from a full service provider. In any of those scenarios one or more SOC reports would be appropriate.

Microsoft for example, offers SOC reports for Azure and the Dynamics products that it hosts (Like Dynamics 365 Finance and Dynamics 365 Business Central)

There are two main categories of service audits based on the SOC framework, namely a SOC 1 and SOC 2.

A SOC 1 audit evaluates the effectiveness of a cloud service provider’s (CSP) internal controls that affect the financial reports of a customer using the provider’s cloud services. SOC 1 reports are appropriate in situations where the service provider has access to GP data or other tools that could affect the financial statements. This would include something like Management Reporter, but might exclude an HR product. Despite the sensitivity of HR data, HR data isn’t used for financial statements.

A SOC 2 audit gauges the effectiveness of a CSP’s system based on the AICPA Trust Service Principles and Criteria. A SOC 2 evaluates the processes and controls of the service provider. A SOC 2 might be used alone in a scenario where a server is simply hosted in a data center and where the data center is responsible for physical security, but doesn’t control the customer’s server. It might also be appropriate for a cloud provider where the data doesn’t affect financial statements, like our HR application described above.

SOC 1 & 2 reports can also be a Type 1 or a Type 2. In a Type 1, the company describes its controls and provides documentation as of a point in time. The auditor’s report is based on reviews of the controls and documentation. A Type 2 report provides a higher level of assurance than a Type 1. With a Type 2 report, the auditor reviews both the design and the operating effectiveness of controls over time. Since a Type 2 SOC takes time, often 6 months or more, many organizations pursue a Type 1 audit until they are able to complete a Type 2.

At the conclusion of a SOC audit, the service auditor renders an opinion in a SOC 1 Type 2 or SOC 2 Type 2 report. The report describes the CSP’s system and assesses the fairness of the CSP’s description of its controls. It also evaluates whether the CSP’s controls are designed appropriately, were in operation on a specified date, and were operating effectively over a specified time period.

Microsoft has a nice review of SOC reports at this link https://docs.microsoft.com/en-us/compliance/regulatory/offering-soc

SOC reports provide a level of assurance for users of a service provider. They also simplify the audit process for users since auditor can evaluate and choose to rely on a SOC report instead of performing their own audit. Choosing a cloud service provider without a SOC report is not generally recommended, but SOC reports only apply to Dynamics GP when it is hosted somewhere.

Personal Note: There’s Less of Me

Since we haven’t seen each other in person lately, and it will probably be a while until we do, I though you might want to know there’s less of me now. I covered this on my personal blog, link below.


Underused Software Syndrome

Do you have low level anxiety, a feeling you’re not getting everything you could out of your existing software? Is there a nagging guilt that it’s your fault? Does it seem if only you had more time or training you could really master that piece of software and life would be so much easier?

Welcome to Underused Software Syndrome!

I’ve searched for a term for this phenomenon and not found one so I’ve decided to coin my own. Feel free to set me straight if this anxiety already has a name.

I see this low-level fear a lot. The idea that there is something more, some magic, hiding in a piece of software. Finding this magic would result in a life of unicorns, rainbows, and tropical drinks…or so we believe. Part of the challenge is that occasionally we do stumble onto a feature that solves a significant problem or increases productivity. That reinforces the syndrome. Surely the developers added more features like the one we just found if only we had time to look harder. With Underused Software Syndrome, we think software problems are our fault. While it’s right to want to be more productive and to solve problems, it’s wrong to blame yourself.

Underused Software Syndrome manifests frequently in business software users. Users of applications like ERP systems (accounting), CRM (sales), and even Office apps like Excel are common sufferers. The software is so big and complex that user’s blame themselves for not being more efficient. This seems to be a form of impostor syndrome mixed with a little FOMO, the fear of missing out. The user feels that despite their knowledge of their job and the relevant software, they don’t know enough and they aren’t good enough. Surely everyone else is getting more out of the software.

I’m sure this feeling isn’t limited to business software. Video editing and graphic design software seem more than complex enough to generate Underused Software Syndrome feeling. I just have more experience with business software.

In some cases, there’s a financial element to the feeling of Underused Software Syndrome. The idea that software is expensive, and it’s fiscally responsible to use as many features as possible, can sometimes underly the feelings of anxiety. Much like an underused gym membership, people feel guilty if they aren’t fully utilizing it.

In other examples, anxiety may manifest itself based on unfulfilled expectations. Users believe that a software package should have a particular feature and that feature should behave a certain way. Features often manifest differently than expectations leaving users with a vague feeling they missed something.

Finally, there is the fear of missing out. For example, lots of people use Excel and lots of people use a tiny fraction of Excel’s features. Even if they know a feature is there, they have to remember the feature exists at the time they want to use it. Most people are not experts in a given software and most are not getting more out of it than you are.

People like me make this worse. For a long time, I’ve helped people get the most out of the software they own. But that was part of my job. It’s also something I really enjoy, and yet I feel Underused Software Syndrom symptoms about software I deeply understand.

I differentiate underused software from shelfware. Shelfware is software that is not being used. The organization may still be paying maintenance or fees for software they aren’t using at all. Shelfware is easier to address. Ignore the sunk costs and cancel any maintenance or monthly fees. Alternatively, revisit why the software was purchased in the first place and potentially put it to use.

Underused software is harder. The organization is getting some value from the software, maybe not enough value to match the cost, but value nonetheless. It’s hard to toss out software that is being used.

I have a couple of thoughts on options to address underused software and it’s related syndrome:

  1. Accept that value is being generated by using the software. Even if it’s only used for a small task, it is still helping accomplish the task. Accept that this software does this task and move one. Sometimes you just need to accept something and move on.
  2. Evaluate the value of that task against any ongoing costs. A small task with a big cost is not a good value proposition. In that case, it may make sense to figure out if there are additional uses or if it’s time to switch to something else.
  3. Pick one thing to improve and search for that. You’d be amazed at what’s available for any given piece of software. Maybe there’s a need to automate a process or export data, whatever. Someone else has probably already tried it and written about it. At a minimum, you’ll get an answer that something can’t be done. Even in that worst-case scenario, a quick answer makes it easier to stop obsessing and move on to the next thing.
  4. Make sure the organization has the latest version. Underused software may be neglected enough to be on an old version. Updating can reveal improvements in features and UI that help resolve anxiety.
  5. Get some help. It’s a big world. There are books, classes, training, blogs, videos, you name it, on some of the most obscure software ever made. There are resources to help. Use them.

“But I don’t have enough time” is the common refrain. There is a problem, but not a priority. People find the time for a priority. It’s okay if this isn’t a priority right now. When it becomes a priority you’ll make the time. Until then, don’t stress about it.

Vote for my DynamicsCon Session!

DynamicsCon is a FREE 2-day virtual learning experience for Microsoft Dynamics 365 & Power Platform users and professionals. Previously, Dynamics GP was not included in the mix, but you asked for it and now GP content will be included as well.


If you want GP content, go and vote for it at https://dynamicscon.com/submissions/. Hurry, you only have a couple of days. Voting closes this Friday the 22nd.

I would love for you to vote for my session, 50 Security Tips for Dynamics GP at this link: https://dynamicscon.com/submissions/?query=polino, but ultimately vote for any of the GP content that appeals to you!

Fastpath Update blog series – Platform

In addition to module updates, the Fastpath team added a number of cross-module improvements to our platform in 2020. Some of these updates added significant power to what users can do, while others improved usability.

Check out the list at:


Fastpath Update blog series – Identity Manager

Fastpath’s move to the cloud a few years back opened up significant opportunities for ourIdentity Manager features. In 2020, we added even more. Check out some of the highlights at:


Fastpath Update blog series – Access Certifications

Access Certifications was extremely popular in 2020. In my Fastpath Update blog series I look at new features added to Access Certs last year. Be sure to checkout the full post at the link below:


Fastpath Update blog series – SOD

I’ve got a short blog series running on the Fastpath blog. In it I highlight some of the new features that came out 2020. Up first is a list of SOD enhancements.

Be sure to check out the post at:


Microsoft Dynamics GP Fall 2020 – Additional User Defined field in General Ledger Transaction Entry – Microsoft Dynamics GP Community

This should be helpful to clarify JE info. Of course, notes is always available, but that seems to be harder for people to find. It’s certainly harder to report off of.

In the General Ledger Transaction Entry window there are now two new user defined fields. When users enter transactions into the General Ledger, they like to add information/comments regarding the tra…
— Read on community.dynamics.com/gp/b/dynamicsgp/posts/additional-user-defined-field-in-general-ledger-transaction-entry

%d bloggers like this: