Every SOC 2 audit looks at your organization’s security controls, also known as common criteria. Depending on the nature of your operations, systems, and services, an effective SOC 2 framework should also include additional trust services criteria, such as processing integrity. This guide explains what the SOC 2 processing integrity TSC is, why it matters, and which organizations need to monitor it.
What Is Processing Integrity in SOC 2?
In the SOC 2 framework, processing integrity involves making sure that system data is accurate, authentic, and complete. You must have controls to prevent, detect, and correct errors.
The processing integrity TSC has five key focus areas:
- Setting and communicating processing integrity objectives
- Ensuring the accuracy of system inputs
- Establishing the necessary processes, procedures, and controls for data integrity during processing
- Protecting system outputs by preventing unauthorized access, theft, deletion, or modification
- Storing data securely and maintaining accurate records of stored information
The point of processing integrity in SOC 2 is that customers must be able to trust your data. Whether you’re gathering, storing, analyzing, or transmitting information, the system must have controls in place to ensure accuracy from start to finish. Achieving SOC 2 compliance requires governance initiatives and technical measures.
What Organizations Need To Audit Processing Integrity for SOC 2?
Many organizations opt to include processing integrity in their compliance scope. This TSC is especially vital for companies that process large volumes of information or handle sensitive data:
- Analytics platforms: Third-party analytics solutions and internal databases must maintain data accuracy to be useful.
- Payment processors and gateways: Cardholder data, payments, and financial information are some of the most sensitive data out there, requiring state-of-the-art verification and security measures.
- Supply chain management systems: Logistics, shipping, inventory, and order fulfillment data must have an accurate paper trail and timely updates.
- Customer relationship management tools: Accuracy and streamlined data processing are critical for CRM tools that integrate billing, order management, lead tracking, and marketing solutions.
- Electronic health record systems: The processing and storage of patient data in EHR systems must adhere to regulatory requirements, including validation and access controls.
- Hosted cloud providers: Clients expect the highest infosec and processing integrity standards from cloud storage and computing providers, such as third-party IT-cybersecurity companies.
SOC 2 processing integrity standards benefit your operations, improving efficiency and enabling data-driven decisions.
What Do SOC 2 Processing Integrity Controls Require?
SOC 2 certification for processing integrity relies on understanding each focus area and tracking your organization’s progress.
Processing Integrity PI1.1: Communication of All Processing Integrity Objectives
This focus area requires clear objectives and standardized definitions of data categories. It involves performing an in-depth assessment of:
- All the data your system needs for products, services, or internal objectives
- Your processing actions
- Necessary controls for maintaining processing integrity
Definitions should outline performance targets for completeness, correctness, and promptness. The idea is for your entire organization to understand and follow the same standards.
PI1.2: Policies and Procedures Pertinent to System Inputs
SOC 2 PI1.2 revolves around the accuracy of system inputs, from user-added data to electronically created records. Your framework must define accuracy targets, monitor for quality, and create detailed records of each event.
PI1.3: Policies and Procedures Pertinent to System Processing
Whereas PI1.1 involves setting objectives, PI1.3 requires your organization to develop a policy framework that covers:
- Data validation, error detection, and corrective actions
- Records security
- Technical and organizational safeguards needed for processing integrity
- Evidence chains
- Acceptable workflows
Time stamps, registration numbers, acceptable value ranges, and user identification numbers are a few examples of processing integrity controls at work.
PI1.4: Policies and Procedures Pertinent to System Outputs
Maintaining processing integrity with outputs means keeping records intact and secure during the document workflow. Data must go to the right places and only be accessible to authorized users. Outputs must be secure at all times, protected against cybercriminals, accidental deletion, corruption, and loss.
PI1.5: Policies and Procedures Pertinent to System Storage
In SOC 2, processing integrity also means implementing processes to ensure that stored data is archived correctly and securely. Controls range from document formats and secure backups to access logs and metadata about your processing integrity measures.
How Can Your Organization Meet SOC 2 Processing Integrity Requirements?
In general, your SOC 2 compliance framework should include controls for:
- Input validation: Input checks for data fields, signs, limits, ranges, sizes, formats, mandatory data, and document completeness
- Input quality: Captcha tools to prevent bot-generated data, drop-down lists for predefined values, and reconciliation checks for expected ranges
- Processing authorization: Change management, checksums, logging, system monitoring, and role-based access controls
- Output verification: File updates, balance testing, and data reconciliation measures
- Output security: Database admins, file write protection, and parity checks
Every enterprise has unique data processing requirements related to customers, employees, operations, and regulatory compliance. Processing integrity controls must be customized based on these factors.
When Should Your SOC 2 Audit Scope Include Processing Integrity?
Regardless of the industry, regularly auditing your organization’s processing integrity controls can be valuable.
1. Client Expectations
Are you pursuing a SOC 2 Type 2 report to assure clients that your data processing activities follow infosec best practices? Broadening the scope of your validation audit to include processing integrity can be essential. Enterprise organizations want assurances that your system keeps their data secure and error-free, both at rest and in transit.
2. Regulatory Compliance
SOC 2 data processing controls align with GDPR, HIPAA, and PCI DSS controls for accuracy, integrity, validation, and record-keeping. GDPR Article 5 — Principles Relating to Processing of Personal Data states that personal data must be accurate, up to date, and free of errors.
3. Internal Risk Management
The effectiveness of enterprise risk management safeguards depends on having access to trustworthy data and dependable information-sharing pathways. Including processing integrity in a SOC 2 readiness audit can help you identify and correct information bottlenecks, low-quality or unreliable data inputs, and other obstacles to accurate risk assessments.
Streamline SOC 2 Processing Integrity Management
Workflow automation is a powerful tool for ensuring processing integrity in SOC 2 frameworks. Automation reduces the risk of human error and supports monitoring with comprehensive insights. Contact us to discover Compyl’s robust management systems for SOC 2 certification today.
