Sage Intacct Premier Partner — South Africa

    Compliance & Local Context

    FICA, POPIA, and audit trail design in cloud ERP

    FICA and POPIA compliance is mostly a process question. Cloud ERP can help — but only if you design the customer and supplier onboarding workflows, the access controls, and the audit trail with both regimes in mind from day one.

    Bo Gartner Team

    Sage Intacct Implementation Specialists

    23 May 2026, 4 min read

    South African finance teams operate under two compliance regimes that show up in nearly every Sage Intacct implementation: the Financial Intelligence Centre Act (FICA), which sets out customer and supplier due-diligence requirements; and the Protection of Personal Information Act (POPIA), which governs how personal information is collected, used, and retained.

    Neither is a software question, strictly speaking. Both are process questions. But cloud ERP can either help or hurt — depending on how it is configured.

    FICA — documentation at the customer / supplier record

    FICA requires accountable institutions (and the businesses that report to them) to verify customer and supplier identities, document beneficial ownership, and maintain those records for at least five years. In Sage Intacct, we configure this as:

    • Customer / supplier custom fields: FICA status (verified / pending / re-verification due), date of last verification, beneficial owner details, registration numbers, BEE level, sanctions screening status.
    • Document attachment: FICA documents (proof of address, identity, beneficial ownership disclosure, tax clearance, BEE certificate) attached to the customer / supplier record.
    • Workflow: new customer / supplier cannot be transacted with until FICA status is verified by a designated user.
    • Re-verification reminders: where FICA documentation has a validity period, the system flags re-verification.

    Result: when an auditor or a FIC inspector asks for the FICA file on a counterparty, it is one click away. The finance team is not chasing emails.

    POPIA — role-based access, retention, and logging

    POPIA's principles map to Sage Intacct's native security model:

    • Lawful processing: documented business purpose for each field of personal information captured. (Process, not software.)
    • Purpose specification: customer / supplier records hold only the data needed for the relationship. (Configuration choice — do not enable fields you don't need.)
    • Information quality: data update workflows for changes.
    • Openness: privacy notice referenced in onboarding workflows.
    • Security safeguards: role-based access controls; multi-factor authentication; encryption in transit and at rest.
    • Data subject participation: documented process for handling access, correction, and deletion requests.

    Sage Intacct is a SOC 1 and SOC 2 certified platform with role-based access controls, optional multi-factor authentication, encryption in transit (TLS) and at rest, and an immutable audit log. The platform supports POPIA — but the policy decisions (who has access to what, how long records are retained, how requests are handled) are yours to make and document.

    The audit trail — same feature, two regulatory uses

    Sage Intacct's audit trail records every action: who created or modified a record, when, and what changed. The same feature answers two regulatory questions:

    • FICA / SARS / auditor: who posted this journal? When? With what supporting documentation?
    • POPIA / Information Regulator: who accessed this customer's personal information? When? For what purpose?

    For the latter, we recommend periodic access review reports. The information officer (or the CFO acting as such) should be able to demonstrate that the access pattern matches the documented business purpose.
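
    The periodic access review described above, as an added example (not Bo Gartner's or Sage Intacct's code): it checks each audit-log row that touches personal information against the documented purpose for the user's role. The export columns, role names, field classification and purpose table are assumptions made for the example, and the log rows are constructed.

```python
import csv
import io
from collections import defaultdict

# Constructed sample of an audit-log export. The column names are assumptions
# for this example, not Sage Intacct's actual export schema.
SAMPLE_EXPORT = """\
timestamp,user,role,action,object_type,record_id,field
2026-05-04T09:12:00,thandi,ar_clerk,read,customer,C-1001,id_number
2026-05-04T22:47:00,pieter,ap_clerk,read,customer,C-1001,id_number
2026-05-05T10:30:00,lerato,report_viewer,read,customer,C-1002,id_number
2026-05-06T08:00:00,sipho,fica_officer,read,customer,C-1002,beneficial_owner
2026-05-06T11:00:00,temp01,contractor,read,supplier,S-2001,bank_account
2026-05-06T12:00:00,thandi,ar_clerk,read,customer,C-1001,credit_limit
"""

# Assumed policy: the documented business purpose per role, expressed as the
# actions each role may take on personal information per record type.
DOCUMENTED_PURPOSE = {
    "ar_clerk": {"customer": {"read", "update"}},
    "ap_clerk": {"supplier": {"read", "update"}},
    "fica_officer": {"customer": {"read"}, "supplier": {"read"}},
    "report_viewer": {},  # aggregate reporting only, no personal fields
}
# Assumed classification of which fields hold personal information.
PERSONAL_FIELDS = {"id_number", "address", "bank_account", "beneficial_owner"}

def review_access(export_text, purpose=DOCUMENTED_PURPOSE):
    """Return audit rows that touch personal fields outside documented purpose."""
    findings = []
    for row in csv.DictReader(io.StringIO(export_text)):
        if row["field"] not in PERSONAL_FIELDS:
            continue  # not personal information, out of scope for this review
        role, action, obj = row["role"], row["action"], row["object_type"]
        if role not in purpose:
            reason = f"role '{role}' has no documented purpose"
        elif action not in purpose[role].get(obj, set()):
            reason = f"'{role}' has no documented purpose for {action} on {obj}"
        else:
            continue
        findings.append({**row, "reason": reason})
    return findings

def summarise(findings):
    """Group findings per user for the information officer's review."""
    per_user = defaultdict(list)
    for f in findings:
        per_user[f["user"]].append((f["timestamp"], f["record_id"], f["field"]))
    return dict(per_user)
```

    A role that appears in the log but not in the purpose table is reported rather than ignored, since an undocumented role is itself a gap in the POPIA record.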

    What this looks like in practice

    For a typical SA mid-market organisation, configuring FICA and POPIA-aligned controls in Sage Intacct adds about three days to a standard implementation: one day to design the custom fields and workflows; one day to configure the security model; one day to document the policy and brief the information officer. This is included in the Bo Gartner Intacct Activation fixed-price scope.

    One important caveat: Bo Gartner is an implementation partner, not a legal adviser. Your final compliance posture under FICA and POPIA is determined by your organisation's policy decisions, your information officer's discretion, and where relevant, the FIC and the Information Regulator. We support that work technically; we do not certify it.

    Frequently asked

    Related questions on this topic

    Sage Intacct is a SOC 1 and SOC 2 certified cloud platform with the technical controls — role-based access, encryption in transit and at rest, MFA, immutable audit log, configurable retention — that POPIA requires. POPIA compliance itself is a posture, not a certification, and depends on your organisation's policies and the choices you make in configuration. We design the configuration to support compliance; the policy decisions are yours and your information officer's.

    We configure custom fields on customer and supplier records to capture FICA status, beneficial ownership, last verification date, and document attachments (proof of address, identity, BEE certificate, tax clearance). Workflow rules prevent transacting with unverified counterparties, and re-verification reminders fire when documents expire. The result is a structured FICA file against every counterparty, one click from any auditor or FIC inspector request.

    Sage Intacct logs every action on every record — create, read (for reports), update, delete — with the user, timestamp, and details of the action. Combined with role-based access controls, this supports a POPIA access-review posture: the information officer can demonstrate that access patterns match documented business purposes.

    With your organisation, your information officer, and the relevant regulators (FIC for FICA, the Information Regulator for POPIA). Sage Intacct and Bo Gartner support the work technically; we do not certify your compliance posture. We configure the platform to enable good practice and document the design — the policy decisions and the certifications are yours.

    Tagged

    FICA, POPIA, Audit trail, Compliance, South Africa, Cloud ERP

    About the author

    Bo Gartner is South Africa's specialist Sage Intacct Premier Partner — cloud finance implementation, multi-entity consolidation, integrations, and managed support for mid-market organisations across the SADC region.