There are five trust services criteria that can be included in a SOC 2 report: security, availability, processing integrity, confidentiality, and privacy (see the AICPA definitions below). Only one of the five, security, is required in a SOC 2. The other four are optional, and we get many questions from current and prospective clients about which criteria, if any, they should include in addition to security. I want to focus on processing integrity in this post because I have recently added it to a number of clients' SOC 2 reports.
The Trust Services Criteria as defined by the American Institute of Certified Public Accountants (AICPA):
- Security. Information and systems are protected against unauthorized access, unauthorized disclosure of information, and damage to systems that could compromise the availability, integrity, confidentiality, and privacy of information or systems and affect the entity’s ability to meet its objectives.
- Availability. Information and systems are available for operation and use to meet the entity’s objectives.
- Processing integrity. System processing is complete, valid, accurate, timely, and authorized to meet the entity’s objectives.
- Confidentiality. Information designated as confidential is protected to meet the entity’s objectives.
- Privacy. Personal information is collected, used, retained, disclosed, and disposed to meet the entity’s objectives.
What is the Processing Integrity Trust Services Criteria?
As shown above, the AICPA defines the processing integrity trust services criteria as: “System processing is complete, valid, accurate, timely, and authorized to meet the entity’s objectives.” The processing integrity criteria test that processing is free of errors and, where errors do occur, that they are detected and corrected in a timely manner. The criteria also cover inputs to and outputs from the system, requiring that data remain accurate throughout processing. Lastly, they cover how data is stored and maintained.
Who needs to Include Processing Integrity in their SOC 2?
If the services your organization provides are financial services related or e-commerce type services, you may want to consider adding processing integrity as a trust services criteria in your report. If you are performing any type of transactions on behalf of your clients, you should consider including processing integrity in your SOC 2.
If your clients are familiar with SOC 2 reports and know what the trust services criteria are, and you are providing processing on behalf of your clients, they will most likely ask that processing integrity be included in your report. They will want to know if the services you are providing are complete, valid, accurate, timely, and authorized.
What Additional Testing is Included with Processing Integrity?
There are six criteria that are tested as part of processing integrity, which include:
- PI1.1: Procedures exist to prevent, or detect and correct, processing errors to meet the entity’s processing integrity commitments and system requirements.
- PI1.2: System inputs are measured and recorded completely, accurately, and timely to meet the entity’s processing integrity commitments and system requirements.
- PI1.3: Data is processed completely, accurately, and timely as authorized to meet the entity’s processing integrity commitments and system requirements.
- PI1.4: Data is stored and maintained completely, accurately, and in a timely manner for its specified life span to meet the entity’s processing integrity commitments and system requirements.
- PI1.5: System output is complete, accurate, and distributed to meet the entity’s processing integrity commitments and system requirements.
- PI1.6: Modification of data, other than routine transaction processing, is authorized and processed to meet the entity’s processing integrity commitments and system requirements.
To identify what testing will be included with the addition of the processing integrity trust services criteria, the service auditor will walk through the services provided to your clients and identify control points in the process. This could include controls such as (these are just a few examples taken from the AICPA’s Appendix B — Illustration of Risks and Controls for a Sample Entity):
- Application edits limit input to acceptable value ranges.
- System edits require mandatory fields to be complete before record entry is accepted.
- Electronic files received contain batch control totals. During the load processing, data captured is reconciled to batch totals automatically by the application.
- Inputs are coded with identification numbers, registration numbers, registration information, or time stamps to enable them to be traced from initial input to output and final disposition and from output to source inputs.
- Data is reconciled on a monthly basis by rolling forward prior period balances with monthly activity and comparing results to the stored data balances.
- Output values are compared against prior cycle values. Variances greater than X percent are flagged on the variance report, logged to the incident management system, and investigated by the output clerk. Resolutions are documented in the incident management system. Open incidents are reviewed daily by the operations manager.
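The control points listed above map naturally onto checks in a batch loader. The following is an added example, not code from the original post, from the AICPA's Appendix B, or from Linford & Company; the record layout, field names, acceptable range, "X percent" threshold and the sample batches are all constructed for illustration. It applies input edits (value range and mandatory fields), tags each accepted record with a trace id and timestamp, reconciles the loaded count and amount to the sender's batch control totals, and flags a cycle-over-cycle output variance above the threshold so it can be logged as an incident.

```python
"""Illustrative processing-integrity controls for a batch load (added example)."""
from dataclasses import dataclass, field
from datetime import datetime, timezone
import uuid

# Constructed input edits (PI1.2): mandatory fields and an acceptable value range.
MANDATORY_FIELDS = ("account", "amount")
AMOUNT_RANGE = (0.01, 1_000_000.00)   # acceptable range for "amount" (assumed)
VARIANCE_THRESHOLD_PCT = 10.0         # the "X percent" in the variance control (assumed)


@dataclass
class LoadResult:
    accepted: list = field(default_factory=list)   # records tagged with trace ids
    rejected: list = field(default_factory=list)   # (record, reason) pairs
    batch_reconciled: bool = False                 # loaded totals == declared totals
    incidents: list = field(default_factory=list)  # would be logged to incident mgmt


def validate_record(rec):
    """Return None if the record passes the input edits, else a rejection reason."""
    for name in MANDATORY_FIELDS:
        if rec.get(name) in (None, ""):
            return f"missing mandatory field {name!r}"
    try:
        amount = float(rec["amount"])
    except (TypeError, ValueError):
        return "amount is not numeric"
    lo, hi = AMOUNT_RANGE
    if not lo <= amount <= hi:
        return f"amount {amount} outside acceptable range {lo}-{hi}"
    return None


def load_batch(batch):
    """Apply input edits, tag records for traceability, reconcile to batch totals.

    `batch` is {"control_count": int, "control_total": float, "records": [...]},
    i.e. the sender supplies batch control totals alongside the file.
    """
    result = LoadResult()
    for rec in batch["records"]:
        reason = validate_record(rec)
        if reason:
            result.rejected.append((rec, reason))
            continue
        tagged = dict(rec)
        tagged["trace_id"] = str(uuid.uuid4())   # trace input -> output -> source
        tagged["received_at"] = datetime.now(timezone.utc).isoformat()
        result.accepted.append(tagged)

    # Batch control totals: what was actually loaded must match what the sender
    # declared; any gap means the load was incomplete or inaccurate.
    loaded_count = len(result.accepted)
    loaded_total = round(sum(float(r["amount"]) for r in result.accepted), 2)
    result.batch_reconciled = (
        loaded_count == batch["control_count"]
        and abs(loaded_total - batch["control_total"]) < 0.005
    )
    if not result.batch_reconciled:
        result.incidents.append(
            f"batch totals mismatch: loaded {loaded_count}/{loaded_total:.2f}, "
            f"declared {batch['control_count']}/{batch['control_total']:.2f}"
        )
    return result


def variance_pct(prior, current):
    """Percentage change from the prior cycle value to the current one."""
    if prior == 0:
        return float("inf") if current else 0.0
    return abs(current - prior) / abs(prior) * 100.0


def check_output_variance(prior_total, current_total, threshold=VARIANCE_THRESHOLD_PCT):
    """Output control: return (flagged, pct) for a cycle total that moved > X percent."""
    pct = variance_pct(prior_total, current_total)
    return pct > threshold, round(pct, 2)


# Constructed sample batches: one that reconciles, one with two bad records.
GOOD_BATCH = {
    "control_count": 3, "control_total": 400.00,
    "records": [
        {"account": "A1", "amount": "100.00"},
        {"account": "A2", "amount": "250.50"},
        {"account": "A3", "amount": "49.50"},
    ],
}
BAD_BATCH = {
    "control_count": 3, "control_total": 105.00,
    "records": [
        {"account": "A1", "amount": "100.00"},
        {"account": "", "amount": "10"},      # missing mandatory field
        {"account": "A4", "amount": "-5"},    # outside acceptable range
    ],
}

if __name__ == "__main__":
    for name, batch in (("good", GOOD_BATCH), ("bad", BAD_BATCH)):
        res = load_batch(batch)
        print(name, "reconciled:", res.batch_reconciled, "rejected:", len(res.rejected),
              "incidents:", res.incidents)
    print("variance flagged:", check_output_variance(1000.0, 1150.0))
```

Each rejection reason and incident string is what an auditor would expect to see evidenced: the reject goes back to the sender with the reason, the mismatch is logged for investigation, and the trace id lets a given output be walked back to its source input.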
Is Processing Integrity Required?
The processing integrity trust services criteria is not required in SOC 2 reports, though if you are completing processing or transactions on behalf of your clients, you may want to include it. Chances are your clients will ask for processing integrity to be included in your report.
Processing integrity can be added to your SOC 2 if it is determined that it is needed. We have many clients that start with the security trust services criteria for their initial report and then add the other trust services criteria as they identify their needs. If you are not sure whether you should include processing integrity, ask your service auditor; they can help you determine if you should.
Processing Integrity is one of the five trust services criteria that can be included in a SOC 2. It is an optional criteria, but should be considered if your organization is performing transactions or completing processing on behalf of clients.
Linford & Company completes many SOC 2 reports that include processing integrity, and would be happy to answer any questions about processing integrity or SOC examinations in general. Learn more about our SOC 2 audits.
Nicole Hemmer started her career in 2000. She is the co-founder of Linford & Co., LLP. Prior to Linford & Co., Nicole worked for Ernst & Young in Indianapolis, Chicago, and Denver. She specializes in SOC examinations and royalty audits and loves the travel and challenge that comes with clients across all industries. Nicole loves working with her clients to help them through examinations for the first time and then working together closely after that to have successful audits.