Posts

SOC 2 Academy: Documentation of Inputs

Processing Integrity Criteria 1.5

When an organization pursues SOC 2 compliance, an auditor will verify that they comply with the common criteria listed in the 2017 Trust Services Criteria. In addition to the common criteria, though, there’s additional criteria for the availability, confidentiality, processing integrity, and privacy categories. For example, if an organization opts to include the processing integrity category in their audit, they would need to comply with the additional criteria for processing integrity. Processing integrity criteria 1.5 says, “The entity implements policies and procedures to store inputs, items in processing, and outputs completely, accurately, and timely in accordance with system specifications to meet the entity’s objectives.” Let’s take a look at why your organization needs documentation of inputs if you’re pursuing SOC 2 compliance.

Why Do You Need Documentation of Inputs?

Like with the other criteria assessed during a SOC 2 audit, an auditor will want to see that an organization has effective documentation of inputs to determine whether or not the organization complies with processing integrity criteria 1.5. This means that organizations who include the processing integrity category will need to demonstrate that they have policies and procedures in place regarding how they store inputs, items in processing, and outputs in a complete, accurate, and timely manner. Why? Because if there’s ever an instance where the integrity of processing activities is called into question, there needs to be a process that’s documented and readily available to verify when an action took place and who completed it.

Complying with Processing Integrity Criteria 1.5

Auditors will use the following points of focus to determine compliance with processing integrity criteria 1.5:

  • Does the entity protect stored items from theft, corruption, destruction, or deterioration?
  • Does the entity archive and protect system records?
  • Does the entity have procedures in place to store data completely and accurately?
  • Does the entity create and maintain records of system storage activities?

More SOC 2 Resources

SOC 2 Academy

Understanding Your SOC 2 Report

SOC 2 Compliance Handbook: The 5 Trust Services Criteria

Video Transcription

Processing integrity 1.5 of the SOC 2 Trust Services Criteria states that the entity implements policies and procedures to store inputs, items in processing, and outputs completely, accurately, and timely in accordance with system specifications to meet the entity’s objectives. What is this about? This is making sure that everything that was relied upon when the process occurred is still there and available for review if there ever had to be an audit or examination to determine where a piece of information came from. This is especially true in cases of fraud where perhaps someone tried to execute fraud in a payment process or the cutting of a check out of a system, and it’s imperative to go back and see who took what action when. You want to have those records archived and available in a way so that you can prove that process occurred based on the information that was input and provided every step of the way.

SOC 2 Academy: Complete, Accurate, and Timely Outputs

Processing Integrity Criteria 1.4

When an organization pursues SOC 2 compliance, an auditor will verify that they comply with the common criteria listed in the 2017 Trust Services Criteria. In addition to the common criteria, though, there’s additional criteria for the availability, confidentiality, processing integrity, and privacy categories. For example, if an organization opts to include the processing integrity category in their audit, they would need to comply with the additional criteria for processing integrity. Processing integrity criteria 1.4 says, “The entity implements policies and procedures to make available or deliver output completely, accurately, and timely in accordance with specifications to meet the entity’s objectives.” Let’s discuss why it’s important for organizations to deliver complete, accurate, and timely output when pursuing SOC 2 compliance.

Delivering Complete, Accurate, and Timely Output

Part of being a secure and trusted service provider is delivering complete, accurate, and timely outputs. Why? Because if your clients can’t rely upon you to deliver outputs that are complete, accurate, and timely, why would they continue to do business with you? If a client is relying on you to provide them with reports that are critical to their operations, what would happen if you failed to deliver them in a timely manner? What if inaccurate information was included in those reports?

During a SOC 2 audit then, an auditor will verify an organization’s compliance with processing integrity criteria 1.4 to ensure that they are delivering complete, accurate, and timely outputs. For example, let’s say that the organization being audited is a billing firm. At the end of each month, that firm provides their client with a complete and accurate list of all of the billing that occurred that month, the payments received, and the credits and adjustments made. That report has to be delivered in a complete, accurate, and timely way to ensure that when the client receives the report, they can rely upon that output.

Complying with Processing Integrity Criteria 1.4

To assess an organization’s compliance with processing integrity criteria 1.4, auditors will use the following four points of focus:

  1. The entity protects output when it is stored or delivered with the intention of preventing theft, destruction, corruption, or deterioration.
  2. The entity distributes output only to intended parties.
  3. The entity distributes output completely and accurately.
  4. The entity creates and maintains records of system output activities.
More SOC 2 Resources

SOC 2 Academy

Understanding Your SOC 2 Report

SOC 2 Compliance Handbook: The 5 Trust Services Criteria

Video Transcription

Processing integrity 1.4 says that the entity implements policies and procedures to make available or deliver output completely, accurately, and timely in accordance with specifications to meet the entity’s objectives. If your processing system produces some output that your client relies upon, you have to make sure that that is complete and accurate and that you protect and control it until it gets into the hands of your client who relies upon it. For example, you might be some type of a billing service provider, and there’s a statement at the end of the month that goes to your client that says, “This is the true and accurate representation of all the billing that occurred this month. These are the payments we received. These are the credits and adjustments.” This report has to be delivered in a secure and accurate way to ensure that your client, when they get it, can rely upon that output.

SOC 2 Academy: Identifying Logging Errors

Processing Integrity Criteria 1.3

When an organization pursues SOC 2 compliance, an auditor will verify that they comply with the common criteria listed in the 2017 Trust Services Criteria. In addition to the common criteria, though, there’s additional criteria for the availability, confidentiality, processing integrity, and privacy categories. If an organization opts to include the processing integrity category in their audit, they need to comply with the additional criteria for processing integrity. Processing integrity criteria 1.3 says, “The entity implements policies and procedures over system processing to result in products, services, and reporting to meet the entity’s objectives.” Let’s discuss why identifying logging errors is crucial to complying with this criterion.

Identifying Logging Errors for SOC 2 Compliance

For service organizations whose services rely on processing data for clients, it’s important that they do so in a complete, accurate, and timely manner. However, in order to ensure that this happens, organizations must have policies and procedures in place to identify any errors in processing data. For example, let’s say that a data processor who processes mortgage data for a bank notices that there’s an error in the data. If that organization does not have effective policies and procedures to identify and communicate that error in a timely way, banks and their customers relying on that information could be greatly impacted. In addition to policies and procedures, organizations should also be identifying logging errors. Why? Because using logs helps organizations identify and record any errors that arise while processing data and can be used to review and verify that certain processes were carried out if an issue or error occurs.

Complying with Processing Integrity 1.3

During a SOC 2 audit, auditors will assess an organization’s compliance using five points of focus. An auditor will expect to see that an organization:

  • Defines processing specifications
  • Defines processing activities
  • Detects and corrects production errors
  • Records system processing activities
  • Processes inputs in a complete, accurate, and timely manner

More SOC 2 Resources

SOC 2 Academy

Understanding Your SOC 2 Report

SOC 2 Compliance Handbook: The 5 Trust Services Criteria

Video Transcription

Processing integrity criteria 1.3 says that the entity implements policies and procedures over system processing to result in product, services, and reporting to meet the entity’s objectives. You would want to have what the purpose of your system is and what the processing activities are, so that your clients can rely upon that and understand what your system does and does not do. If you are a data processor of some type of mortgage data that banks were relying upon, for example, your processing capabilities would need to be defined as such so that you would be able to identify errors in the process and be able to communicate those errors in a timely way, so they can be corrected before that deficiency was relied upon by your client. You would also want to have good logs built into your processing system so that any action that occurs during the processing life cycle is recorded so that any time someone had to go back and verify that particular step or process did occur, they would have an accurate record of that occurring.

SOC 2 Academy: How is Data Put Into Your System?

Processing Integrity Criteria 1.2

When an organization pursues SOC 2 compliance, an auditor will verify that they comply with the common criteria listed in the 2017 Trust Services Criteria. In addition to the common criteria, though, there’s additional criteria for the availability, confidentiality, processing integrity, and privacy categories. If an organization opts to include the processing integrity category in their audit, they need to comply with the additional criteria for processing integrity. Processing integrity criteria 1.2 says, “The entity implements policies and procedures over system inputs, including controls over completeness and accuracy, to result in products, services, and reporting to meet the entity’s objectives.” What does this mean for organizations and how do they comply with this criterion? Let’s discuss why organizations need to understand how data is put into their system.

Understanding How Data is Put Into Your System

The processing integrity category asks whether or not a service organization’s processing services are provided in a complete, accurate, and timely manner. To demonstrate compliance with this category, organizations need to not only demonstrate that they perform their due diligence to ensure the quality of accuracy of the data they process, but they also need to show their auditors that they know how data is put into their system. If organizations don’t know how data is being input into their systems, critical mistakes could be missed, which could make the data incomplete and inaccurate and could seriously impact a client’s ability to use that data. Considering this, organizations who include the processing integrity category in their SOC 2 audit will need to demonstrate that they have policies and procedures in place that guide how they input data into their system.

Complying with Processing Integrity Criteria 1.2

During a SOC 2 audit, an auditor will assess compliance with processing integrity criteria 1.2 by using the following three points of focus:

  1. The entity defines characteristics of processing inputs.
  2. The entity evaluates processing inputs for compliance with defined input requirements.
  3. The entity creates and maintains records of system inputs.

More SOC 2 Resources

SOC 2 Academy

Understanding Your SOC 2 Report

SOC 2 Compliance Handbook: The 5 Trust Services Criteria

Video Transcription

Processing integrity 1.2 is part of the SOC 2 Trust Services Criteria that deals with system inputs. If your service that you provide to your clients is a service that relies on processing data, how that data is input into the system is very important. Do you have policies and procedures around how those inputs are supposed to be handled and how those things are checked to make sure that the data that’s relied upon is true and accurate and there weren’t any room for errors when entering that information into the system?

SOC 2 Academy: Quality and Accuracy of Your Data

Processing Integrity Criteria 1.1

When an organization pursues SOC 2 compliance, an auditor will verify that they comply with the common criteria listed in the 2017 Trust Services Criteria. In addition to the common criteria, though, there’s additional criteria for the availability, confidentiality, processing integrity, and privacy categories. If an organization opts to include the processing integrity category in their audit, they need to comply with the additional criteria for processing integrity. Processing integrity criteria 1.1 says, “The entity obtains or generates, uses, and communicates relevant, quality information regarding the objectives related to processing, including definitions of data processed and product and service specifications, to support the use of products and services.” What does this mean for organizations and how do they comply with this criterion? Let’s discuss why the quality and accuracy of your data is important for SOC 2 compliance.

Does the Processing Integrity Category Apply to My Organization?

While the security category applies to all organizations pursuing SOC 2 compliance, knowing whether or not you should include additional categories depends on the type of services you offer. If your organization provides services to your clients that relies on the quality and accuracy of data that is processed and output for your clients, you would need to include the processing integrity category in your SOC 2 audit.

How to Comply with Processing Integrity Criteria 1.1

The processing integrity category asks whether or not a service organization’s processing services are provided in a complete, accurate, and timely manner. To comply with this category, or more specifically, processing integrity criteria 1.1, service organizations should use the following two points of focus relating to the quality and accuracy of data:

  1. Entities should identify information specifications that are required to support the use of products and services.
  2. Entities should define data necessary to support a product or service.

Let’s say that an auditor is verifying compliance with processing integrity criteria 1.1. The organization in question is an employee benefits service provider who provides reports to clients that they rely upon. The auditor will want to see that the organization defines the data that’s used in the report, which could be done by providing the source of the data, the date range that the data was used to produce the report, or how the data was calculated. Whichever way organizations decide to define the data, ensuring the quality and accuracy of data is critical to complying with the processing integrity category.

More SOC 2 Resources

SOC 2 Academy

Understanding Your SOC 2 Report

SOC 2 Compliance Handbook: The 5 Trust Services Criteria

Video Transcription

I’m going to read for you the additional criteria for processing integrity. It’s one of the categories for the SOC 2 Trust Services Criteria. Processing integrity 1.1 says “The entity obtains or generates, uses, and communicates relevant, quality information regarding the objectives related to processing, including definitions of data processed and product and service specifications, to support the use of products and services.” If your company provides a service to its clients that relies upon the quality and accuracy of data that perhaps is processed and output in some format to your clients, this is a category that would apply to you and your service offering. For example, maybe you are an employee benefits service provider and you’re providing reports to your clients that they rely upon, you would want to provide a definition of the data that you’re using in that report you’re providing. You might specify the source of the data or where it came from, the relevant date range of the data that was used to produce the report, or you might provide some type of unit of measurement of how this data was arrived at or how you calculated it. So, any time you have a processing element to your service that relies upon core data you would want to disclose that and explain it, and that’s where the processing integrity category comes into play.