SSAE 16 & SOC1 Reports for Sage X3
Are your auditors requesting SOC1 compliance reports for Sage X3? Sage Software has released information regarding SSAE 16 and SOC compliance reports via Sage Knowledgebase article 22901. Because Sage X3 is not a multi-tenant application hosted by the publisher, it is not appropriate for Sage to provide a SOC1 report for Sage X3 under the SSAE certification guidelines (NOTE: Sage Intacct DOES provide a SOC1 report because clients are hosted by Sage on a multi-tenant cloud with Intacct.)
Does Statement of Auditing Standards SSAE 16 certification apply to Sage products?
- Does Statement of Auditing Standards SSAE 16 certification apply to Sage products
- Does Sage provide an SOC1 report
**SSAE 16 effectively replaced SAS 70 as the standard for reporting on service organizations**
- SOC1 Report (Service Organization Controls Report) is under the SSAE-18 standards.
- SSAE-18 supersedes SSAE 16.
- Because Sage products are provided as packaged software solutions rather than as services, SSAE 16 certification does not apply.
- The Statement on Auditing Standards SSAE 16, Service Organizations, is an auditing standard that was issued by the American Institute of Certified Public Accountants (AICPA).
- The intent of the standard is to provide a guideline to ensure that adequate controls are in place over service organizations and service providers.
- SSAE 16 applies when financial statements are audited only if the organization obtains services from another organization. Sage accounting and specialized solutions (such as Sage X3, Sage 100, Sage 500, Sage FAS, Sage 300, Sage Pro, and Sage Business Vision) are provided as packaged software solutions rather than as services.
- Organizations that use Sage accounting solutions are always in full control of their data – from establishing access, entering information, and producing reports.
- While organizations may provide data or reports to Sage for specific projects (for example, professional service engagements), no data is ever automatically sent outside of the organization’s control.
- Under no circumstances is Sage represented as a service provider for retrieving, analyzing, and reporting on any organization’s information.