Capita Business Services Limited

SIMS Finance

SIMS Finance is our new solution to streamline financial management across an academy or multi-academy trust, providing them with a complete and consolidated picture of their finances.


  • Cloud based, accessible at any time from any device.
  • Central bank account, enabling organisations to generate payments and undertake reconciliation.
  • Integration with SIMS Personnel.
  • Multi-company with real-time reporting and consolidation.
  • Powerful analysis tools, graphical reporting and dashboards that drill down to source transactions.
  • Central Administration of Chart of Accounts, Suppliers, Access and Permissions.
  • Inbuilt workflow managing a robust authorisation process.
  • Email functionality, sending PRL, SLS documents to suppliers and debtors.
  • Fully secure and encrypted, GDPR Compliant.
  • Unlimited number of users.


  • Automatically receive reports straight to your inbox using scheduled tasks.
  • Increase efficiencies with inbuilt workflows and alerts.
  • Easy to use with quick access from homepage and favourites.
  • Improve decision making with dashboards providing KPIs at your fingertips.
  • Provide evidence for auditors and accountants by attaching documents.
  • Easily export information for further analysis.
  • Easily import data, including journals and budgets.
  • Budget Holder Access, Read Only Access, reducing paper and time.
  • Access to all stakeholders at no extra cost, e.g. accountants.
  • View information in chosen format, e.g. graphically.


£2243 per licence

  • Education pricing available

Service documents

G-Cloud 10




Service scope

Software add-on or extension: No
Cloud deployment model: Private cloud
Service constraints: The service desk operates Monday to Friday 08:00 – 17:30 (excluding English public holidays).
System requirements: User requires an internet browser and internet access.

User support

Email or online ticketing support: Email or online ticketing
Support response times: The service desk operates Monday to Friday 08:00 – 17:30 (excluding English public holidays).

P1 – Critical Priority = <30 minutes
P2 – High Priority = 1 hour
P3 – Medium Priority = 8 hours
P4 – Low Priority = 24 hours
User can manage status and priority of support tickets: Yes
Online ticketing support accessibility: None or don’t know
Phone support: Yes
Phone support availability: 9 to 5 (UK time), Monday to Friday
Web chat support: No
Onsite support: Yes, at extra cost
Support levels: Customer support is delivered through our application support desk which acts as a first point of contact for customer requests and problems.
A number of useful tools can be found within My Account, which gives SIMS Finance customers access to the latest news, resources, discussions and events.
If a solution cannot be located, the Authority can log a support incident or enquiry directly with the SIMS service desk. This (and any associated solution) can then be viewed online using our My Account facility, where the Authority can also add notes to the case and review updates from us.
Knowledgebase article search can be used to obtain an immediate solution to any issue the Authority may have, 24/7.

The Support Desk Analysts can be contacted via telephone, email or a dedicated customer web portal called My Account. Target response and resolution times are based on the severity/urgency of the reported fault and are summarised below.

Target response time:
P1 – Critical Priority = <30 minutes
P2 – High Priority = 1 hour
P3 – Medium Priority = 8 hours
P4 – Low Priority = 24 hours

The service desk operates Monday to Friday 08:00 – 17:30 (excluding English public holidays).
Support available to third parties: Yes

Onboarding and offboarding

Getting started: The implementation approach involves an initiation stage, with project management co-ordination, to ensure a clear plan for delivery of the product in timescales agreed with the Customer.

Customers are also engaged in a requirement gathering exercise at project initiation to capture several technical and functional project prerequisites, such as:
- Internet connectivity
- Operating system compatibility
- Current system integration and module requirements
- System handover (options for on-site or remote)
- Business process input: customers may need to provide more detailed requirements to configure SIMS Finance to meet their business needs, within the product capability.

Consultancy, Technical Services and Training for the product are included in our implementation approach to ensure the Customer is enabled to configure and deploy the system effectively to meet their needs.
Service documentation: Yes
Documentation formats:
  • HTML
  • PDF
End-of-contract data extraction: As part of the end-of-contract process, users will have access to extract the information they require within the contractually specified timescales.
End-of-contract process: At contract end, the Customer will have a specified timescale to obtain the data they require. Data will be deleted from the environment and any data backups overwritten.

Using the service

Web browser interface: Yes
Supported browsers:
  • Internet Explorer 10
  • Internet Explorer 11
  • Microsoft Edge
  • Firefox
  • Chrome
Application to install: No
Designed for use on mobile devices: Yes
Differences between the mobile and desktop service: SIMS Finance is a web based application providing flexible access to data to meet the needs of users; available securely 24/7 and on mobile devices such as an iPad or tablet, either in the office, whilst travelling, or at home.
Accessibility standards: None or don’t know
Description of accessibility: The applications provide customisation for accessibility needs at an operating systems or browser level (which include changes to the font size, font and background colour). Accessibility includes font size alteration by standard configuration or browser controls (CTRL and +/-), robustness to use with assistive technologies, such as screen reader, screen magnifier and colour inverting systems that would be essential to anybody needing these methods of access.

There is no flashing or scrolling text within the solution.
Accessibility testing:
  • We periodically test our products using web compliance tools and use WAI-ARIA Markup to help assistive technologies.
  • We ensure that all product capabilities are accessible via the keyboard.
  • Our products are designed to be zoomed, assisting those with poor eyesight, and physical and cognitive disabilities.
  • We ensure that all text meets colour contrast standards.
  • To promote consistency and help training and support, we don't provide comprehensive establishment-specific customisation options for labels or colours.
Customisation available: Yes
Description of customisation: The system can be customised to suit the organisation and users, for example, creating favourites, cheque printing parameters and workflow processes.


Independence of resources: The platform is designed to scale with increasing demand. Virtual infrastructure is employed to allow for rapid provision of additional resource where required. The environment is monitored 24/7.
The solution is sized to handle the predicted number of concurrent users and to maintain adequate response times across the full solution.
Synthetic transactions are applied against the solution to determine and log service availability. The service is proactively monitored 24/7, using a real-time facility, network, OS, DB, hardware and application monitoring tools.


Service usage metrics: Yes
Metrics types: The My Account portal provides dashboards where customers can view open and closed tickets along with other service metrics.
Reporting types:
  • Real-time dashboards
  • Reports on request


Supplier type: Not a reseller

Staff security

Staff security clearance: Conforms to BS7858:2012
Government security clearance: Up to Baseline Personnel Security Standard (BPSS)

Asset protection

Knowledge of data storage and processing locations: Yes
Data storage and processing locations: European Economic Area (EEA)
User control over data storage and processing locations: No
Datacentre security standards: Complies with a recognised standard (for example CSA CCM version 3.0)
Penetration testing frequency: At least once a year
Penetration testing approach: ‘IT Health Check’ performed by a CHECK service provider
Protecting data at rest:
  • Physical access control, complying with CSA CCM v3.0
  • Physical access control, complying with SSAE-16 / ISAE 3402
  • Physical access control, complying with another standard
  • Other
Other data at rest protection approach: Data is encrypted at rest using Microsoft Transparent Data Encryption (TDE).
Encryption of the database file is performed at the page level. The pages in an encrypted database are encrypted before they are written to disk and decrypted when read into memory.
Data sanitisation process: Yes
Data sanitisation type: Explicit overwriting of storage before reallocation
Equipment disposal approach: Complying with a recognised standard, for example CSA CCM v3.0, CAS (Sanitisation) or ISO/IEC 27001

Data importing and exporting

Data export approach: Data is easily exported from reports, views and dashboards in a range of formats including CSV, XLSX and XLS.
Data export formats:
  • CSV
  • Other
Other data export formats:
  • Native application reporting
  • XLSX
  • XLS
  • PDF
  • HTML
Data import formats:
  • CSV
  • Other
Other data import formats:
  • XLSX
  • XLS

Data-in-transit protection

Data protection between buyer and supplier networks:
  • TLS (version 1.2 or above)
  • Legacy SSL and TLS (under version 1.2)
Data protection within supplier network:
  • TLS (version 1.2 or above)
  • IPsec or TLS VPN gateway
  • Legacy SSL and TLS (under version 1.2)

Availability and resilience

Guaranteed availability: The Service Level Agreement (SLA) provides a target service availability of 99.5%.
Approach to resilience: Windows Azure runs in geographically distributed Microsoft facilities, sharing space and utilities with other Microsoft Online Services. Each facility is physically constructed, managed and designed to run 24/7/365, employing various measures to help protect operations from power failure, physical intrusion, environmental threats and network outages. These datacentres comply with industry standards (such as ISO 27001) for physical security and availability. They are managed, monitored and administered by Microsoft operations personnel.

Consisting of multiple servers, the solutions have been grouped into role types and placed within ‘Availability Sets’ located within an ‘Affinity Group’. The Affinity Group ensures that servers are located in the same area within the Windows Azure Datacentre to optimise performance while the Availability Set splits roles across multiple host servers to minimise the risk of service outage.

Highly Available Hardware – Placing the servers into availability sets guarantees that the servers are spread across multiple racks within the Windows Azure Datacentre. Each server is then hosted on a different physical host, utilising separate power feeds and connected via different switches.

In the event of an individual server failure, load balancers route traffic automatically to other functioning servers within the environment.
Outage reporting: Any service interruption notifications are published to the My Account portal, with email notification functionality. In the event of a critical system failure, the service desk will liaise with all necessary parties to resolve the problem and keep all customers informed of the situation.

Identity and authentication

User authentication needed: Yes
User authentication:
  • Identity federation with existing provider (for example Google Apps)
  • Username or password
Access restrictions in management interfaces and support channels: Access is limited to a known subset of Capita engineers. Access is secured by VPN and unique and individual username and password protected accounts. Unused interfaces and consoles are locked down as part of the security hardening process.
Access restriction testing frequency: At least once a year
Management access authentication:
  • Dedicated link (for example VPN)
  • Username or password

Audit information for users

Access to user activity audit information: Users have access to real-time audit information
How long user audit data is stored for: User-defined
Access to supplier activity audit information: Users contact the support team to get audit information
How long supplier audit data is stored for: User-defined
How long system logs are stored for: Between 1 month and 6 months

Standards and certifications

ISO/IEC 27001 certification: Yes
Who accredited the ISO/IEC 27001: The British Assessment Bureau
ISO/IEC 27001 accreditation date: 31/03/2017
What the ISO/IEC 27001 doesn’t cover: We are certified for the following activities: design, develop and host, produce, support and deliver associated services.
ISO 28000:2007 certification: No
CSA STAR certification: No
PCI certification: No
Other security certifications: No

Security governance

Named board-level person responsible for service security: Yes
Security governance certified: Yes
Security governance standards: ISO/IEC 27001
Information security policies and processes: Capita is committed to maintaining the highest risk management standards and ensuring compliance with legal and regulatory requirements. To this end, Capita has developed a policy portfolio, which includes a Cyber & Information Security Policy and associated standards, which must be adopted as the minimum requirements. Implementing a programme of internal information security audits provides assurance that the level of conformance with the Capita baseline Cyber & Information Security requirements is being continually assessed and any identified areas of non-conformance are being addressed by appropriate corrective actions/risk management framework.

Operational security

Configuration and change management standard: Supplier-defined controls
Configuration and change management approach:
- Changes to the Capita deployed application, IT infrastructure and data services are considered and logged into the Change Management Register to be tracked through the Change Management process.

- Change Records must give sufficient information indicating why the change is required, what services/ customers will be affected, what comprises the change, how a completed change will be tested and how it can be rolled back.

- Change Records must include a timetable for completion and indicate whether there will be a noticeable service impact.

- Team Leaders within the Live Services and Support Desk Teams provide approval for changes.
Vulnerability management type: Supplier-defined controls
Vulnerability management approach: Capita has defined a set of rigorous security standards and practices derived from the most recent OWASP Top 10 Web Application Vulnerabilities and SANS Top 25 Software Errors.
Capita conducts vulnerability scanning, evaluates identified risks and develops mitigation plans to remove the vulnerability using a third party commercial tool.
Vulnerability management is a critical role in keeping the environments secure. Capita manages patching in the estate prudently and methodically, looking at each vendor patch qualification, impact to the environment, mitigating controls in place for the issue the patch is addressing and any additional risks introduced by the patch.
Protective monitoring type: Supplier-defined controls
Protective monitoring approach: Capita proactively monitors the service 24/7 using a suite of real-time facility, network, OS, DB, hardware and application monitoring tools.
In the event of any security incident, and after containment, a root cause analysis and remediation plan will be put into place. Throughout, Capita shall provide customers timely updates and information. Capita would be transparent, working with customers as to progress, what has occurred and steps being taken to address.
Incident management type: Conforms to a recognised standard, for example, CSA CCM v3.0 or ISO/IEC 27035:2011 or SSAE-16 / ISAE 3402
Incident management approach: Capita Incident Response Plan includes identification, containment/eradication, root cause analysis and the implementation of any mitigating controls to prevent recurrence. Capita would be transparent, working with customers as to progress, what has occurred and steps being taken to address. Capita maintains an escalation procedure to notify appropriate Capita management employees and customer contacts in the event of a security incident.

Secure development

Approach to secure software development best practice: Independent review of processes (for example CESG CPA Build Standard, ISO/IEC 27034, ISO/IEC 27001 or CSA CCM v3.0)

Public sector networks

Connection to public sector networks: No


Price: £2243 per licence
Discount for educational organisations: Yes
Free trial available: No

