SOC 2 Terminology

The Trust Services Criteria are a set of criteria established by the AICPA to be used when evaluating the suitability of the design and operating effectiveness of controls in a SOC 2 audit. There are five categories:

  • Security – Is the system protected, both physically and logically, against unauthorized access?
  • Availability – Is the system available for operation and use as agreed upon?
  • Confidentiality – Is the information that’s designated as confidential protected as agreed upon?
  • Processing Integrity – Are the processing services provided in a complete, accurate, and timely manner?
  • Privacy – Is personal information collected, used, retained, disclosed, and destroyed in accordance with the service organization’s privacy notice and business objectives?

All organizations must be audited against the security category, but they can decide which of the other categories to include based upon their unique environments and service offerings.

In the AICPA’s updates to SOC 2 reporting in 2018, there were quite a few SOC 2 terminology changes. Most notably, the Trust Services Principles and Criteria are now strictly referred to as the Trust Services Criteria. However, it’s important to note that the AICPA did not update the acronym to reflect this change. Instead, the acronym for Trust Services Criteria will remain TSP.

An additional SOC 2 terminology update is that security, availability, confidentiality, processing integrity, and privacy are now referred to as categories as opposed to criteria or principles. So, for example, when a service organization begins its SOC 2 audit journey, one of the first steps it will take is to determine which of the categories it needs to include in its audit.

Common Criteria and Additional Criteria

The common criteria refer to the complete set of criteria for the security category, which is what the remaining categories are based on. There are additional criteria for each individual category. For example, if a service organization includes both the security and availability categories, the SOC 2 audit will assess compliance with the common criteria as well as the following additional criteria for the availability category:

  • The entity maintains, monitors, and evaluates current processing capacity and use of system components (infrastructure, data, and software) to manage capacity demand and to enable the implementation of additional capacity to help meet its objectives.
  • The entity authorizes, designs, develops or acquires, implements, operates, approves, maintains, and monitors environmental protections, software, data back-up processes, and recovery infrastructure to meet its objectives.
  • The entity tests recovery plan procedures supporting system recovery to meet its objectives.

Work with KirkpatrickPrice to Meet Your SOC 2 Compliance Goals

For assistance deciding which categories best apply to your organization, or with help meeting your SOC 2 compliance goals, connect with one of our experts today!

More SOC 2 Resources

SOC 2 Academy

Understanding Your SOC 2 Report

SOC 2 Compliance Handbook: The 5 Trust Services Criteria

There are some slight terminology changes in the 2017 SOC 2 Trust Services Criteria. Security, availability, processing integrity, confidentiality, and privacy are now known as categories. Anything that relates to all five of those categories is still referred to as common criteria. There are additional criteria provided for availability, processing integrity, confidentiality, and privacy – basically anything other than security. It’s important to know how these criteria are organized throughout the SOC 2 framework so that you can tackle your audit and become compliant with the SOC 2 requirements.

Processing Integrity Criteria 1.5

When an organization pursues SOC 2 compliance, an auditor will verify that it complies with the common criteria listed in the 2017 Trust Services Criteria. In addition to the common criteria, though, there are additional criteria for the availability, confidentiality, processing integrity, and privacy categories. For example, if an organization opts to include the processing integrity category in its audit, it would need to comply with the additional criteria for processing integrity. Processing integrity criteria 1.5 says, “The entity implements policies and procedures to store inputs, items in processing, and outputs completely, accurately, and timely in accordance with system specifications to meet the entity’s objectives.” Let’s take a look at why your organization needs documentation of inputs if you’re pursuing SOC 2 compliance.

Why Do You Need Documentation of Inputs?

As with the other criteria assessed during a SOC 2 audit, an auditor will want to see that an organization has effective documentation of inputs to determine whether or not the organization complies with processing integrity criteria 1.5. This means that organizations that include the processing integrity category will need to demonstrate that they have policies and procedures in place regarding how they store inputs, items in processing, and outputs in a complete, accurate, and timely manner. Why? Because if there’s ever an instance where the integrity of processing activities is called into question, there needs to be a documented and readily available process to verify when an action took place and who completed it.

Complying with Processing Integrity Criteria 1.5

Auditors will use the following points of focus to determine compliance with processing integrity criteria 1.5:

  • Does the entity protect stored items from theft, corruption, destruction, or deterioration?
  • Does the entity archive and protect system records?
  • Does the entity have procedures in place to store data completely and accurately?
  • Does the entity create and maintain records of system storage activities?


Processing integrity 1.5 of the SOC 2 Trust Services Criteria states that the entity implements policies and procedures to store inputs, items in processing, and outputs completely, accurately, and timely in accordance with system specifications to meet the entity’s objectives. What is this about? This is making sure that everything that was relied upon when the process occurred is still there and available for review if there ever had to be an audit or examination to determine where a piece of information came from. This is especially true in cases of fraud where perhaps someone tried to execute fraud in a payment process or the cutting of a check out of a system, and it’s imperative to go back and see who took what action when. You want to have those records archived and available in a way so that you can prove that process occurred based on the information that was input and provided every step of the way.

Processing Integrity Criteria 1.4

When an organization pursues SOC 2 compliance, an auditor will verify that it complies with the common criteria listed in the 2017 Trust Services Criteria. In addition to the common criteria, though, there are additional criteria for the availability, confidentiality, processing integrity, and privacy categories. For example, if an organization opts to include the processing integrity category in its audit, it would need to comply with the additional criteria for processing integrity. Processing integrity criteria 1.4 says, “The entity implements policies and procedures to make available or deliver output completely, accurately, and timely in accordance with specifications to meet the entity’s objectives.” Let’s discuss why it’s important for organizations to deliver complete, accurate, and timely output when pursuing SOC 2 compliance.

Delivering Complete, Accurate, and Timely Output

Part of being a secure and trusted service provider is delivering complete, accurate, and timely outputs. Why? Because if your clients can’t rely upon you to deliver outputs that are complete, accurate, and timely, why would they continue to do business with you? If a client is relying on you to provide them with reports that are critical to their operations, what would happen if you failed to deliver them in a timely manner? What if inaccurate information was included in those reports?

During a SOC 2 audit then, an auditor will verify an organization’s compliance with processing integrity criteria 1.4 to ensure that they are delivering complete, accurate, and timely outputs. For example, let’s say that the organization being audited is a billing firm. At the end of each month, that firm provides their client with a complete and accurate list of all of the billing that occurred that month, the payments received, and the credits and adjustments made. That report has to be delivered in a complete, accurate, and timely way to ensure that when the client receives the report, they can rely upon that output.

Complying with Processing Integrity Criteria 1.4

To assess an organization’s compliance with processing integrity criteria 1.4, auditors will use the following four points of focus:

  1. The entity protects output when it is stored or delivered with the intention of preventing theft, destruction, corruption, or deterioration.
  2. The entity distributes output only to intended parties.
  3. The entity distributes output completely and accurately.
  4. The entity creates and maintains records of system output activities.

Processing integrity 1.4 says that the entity implements policies and procedures to make available or deliver output completely, accurately, and timely in accordance with specifications to meet the entity’s objectives. If your processing system produces some output that your client relies upon, you have to make sure that that is complete and accurate and that you protect and control it until it gets into the hands of your client who relies upon it. For example, you might be some type of a billing service provider, and there’s a statement at the end of the month that goes to your client that says, “This is the true and accurate representation of all the billing that occurred this month. These are the payments we received. These are the credits and adjustments.” This report has to be delivered in a secure and accurate way to ensure that your client, when they get it, can rely upon that output.

Processing Integrity Criteria 1.3

When an organization pursues SOC 2 compliance, an auditor will verify that it complies with the common criteria listed in the 2017 Trust Services Criteria. In addition to the common criteria, though, there are additional criteria for the availability, confidentiality, processing integrity, and privacy categories. If an organization opts to include the processing integrity category in its audit, it needs to comply with the additional criteria for processing integrity. Processing integrity criteria 1.3 says, “The entity implements policies and procedures over system processing to result in products, services, and reporting to meet the entity’s objectives.” Let’s discuss why identifying and logging errors is crucial to complying with this criterion.

Identifying and Logging Errors for SOC 2 Compliance

For service organizations whose services rely on processing data for clients, it’s important that they do so in a complete, accurate, and timely manner. To ensure that this happens, organizations must have policies and procedures in place to identify any errors in processing data. For example, let’s say that a data processor who processes mortgage data for a bank notices an error in the data. If that organization does not have effective policies and procedures to identify and communicate that error in a timely way, the banks and customers relying on that information could be greatly impacted. In addition to policies and procedures, organizations should also be identifying and logging errors. Why? Because logs help organizations identify and record any errors that arise while processing data, and they can be used to review and verify that certain processes were carried out if an issue or error occurs.

Complying with Processing Integrity 1.3

During a SOC 2 audit, auditors will assess an organization’s compliance using five points of focus. An auditor will expect to see that an organization:

  • Defines processing specifications
  • Defines processing activities
  • Detects and corrects production errors
  • Records system processing activities
  • Processes inputs in a complete, accurate, and timely manner


Processing integrity criteria 1.3 says that the entity implements policies and procedures over system processing to result in products, services, and reporting to meet the entity’s objectives. You would want to define what the purpose of your system is and what the processing activities are, so that your clients can rely upon that and understand what your system does and does not do. If you are a data processor of some type of mortgage data that banks rely upon, for example, your processing capabilities would need to be defined so that you are able to identify errors in the process and communicate those errors in a timely way, so they can be corrected before that deficiency is relied upon by your client. You would also want to have good logs built into your processing system so that any action that occurs during the processing life cycle is recorded, so that any time someone has to go back and verify that a particular step or process did occur, they have an accurate record of it occurring.

Processing Integrity Criteria 1.2

When an organization pursues SOC 2 compliance, an auditor will verify that it complies with the common criteria listed in the 2017 Trust Services Criteria. In addition to the common criteria, though, there are additional criteria for the availability, confidentiality, processing integrity, and privacy categories. If an organization opts to include the processing integrity category in its audit, it needs to comply with the additional criteria for processing integrity. Processing integrity criteria 1.2 says, “The entity implements policies and procedures over system inputs, including controls over completeness and accuracy, to result in products, services, and reporting to meet the entity’s objectives.” What does this mean for organizations, and how do they comply with this criterion? Let’s discuss why organizations need to understand how data is put into their system.

Understanding How Data is Put Into Your System

The processing integrity category asks whether or not a service organization’s processing services are provided in a complete, accurate, and timely manner. To demonstrate compliance with this category, organizations need to not only demonstrate that they perform due diligence to ensure the quality and accuracy of the data they process, but also show their auditors that they know how data is put into their system. If organizations don’t know how data is being input into their systems, critical mistakes could be missed, which could make the data incomplete and inaccurate and could seriously impact a client’s ability to use that data. Considering this, organizations that include the processing integrity category in their SOC 2 audit will need to demonstrate that they have policies and procedures in place that guide how they input data into their system.

Complying with Processing Integrity Criteria 1.2

During a SOC 2 audit, an auditor will assess compliance with processing integrity criteria 1.2 by using the following three points of focus:

  1. The entity defines the characteristics of processing inputs.
  2. The entity evaluates processing inputs for compliance with defined input requirements.
  3. The entity creates and maintains records of system inputs.


Processing integrity 1.2 is the part of the SOC 2 Trust Services Criteria that deals with system inputs. If the service you provide to your clients relies on processing data, how that data is input into the system is very important. Do you have policies and procedures around how those inputs are supposed to be handled and how they are checked, to make sure that the data that’s relied upon is true and accurate and that there wasn’t any room for errors when entering that information into the system?