Processing Integrity Criteria 1.4
When an organization pursues SOC 2 compliance, an auditor will verify that it complies with the common criteria listed in the 2017 Trust Services Criteria. Beyond the common criteria, though, there are additional criteria for the availability, confidentiality, processing integrity, and privacy categories. For example, if an organization opts to include the processing integrity category in its audit, it would need to comply with the additional criteria for processing integrity. Processing integrity criteria 1.4 says, “The entity implements policies and procedures to make available or deliver output completely, accurately, and timely in accordance with specifications to meet the entity’s objectives.” Let’s discuss why it’s important for organizations to deliver complete, accurate, and timely output when pursuing SOC 2 compliance.
Delivering Complete, Accurate, and Timely Output
Part of being a secure and trusted service provider is delivering complete, accurate, and timely outputs. Why? Because if your clients can’t rely upon you to deliver outputs that are complete, accurate, and timely, why would they continue to do business with you? If a client is relying on you to provide them with reports that are critical to their operations, what would happen if you failed to deliver them in a timely manner? What if inaccurate information was included in those reports?
During a SOC 2 audit, then, an auditor will verify an organization’s compliance with processing integrity criteria 1.4 to ensure that it is delivering complete, accurate, and timely outputs. For example, let’s say that the organization being audited is a billing firm. At the end of each month, that firm provides its client with a complete and accurate list of all of the billing that occurred that month, the payments received, and the credits and adjustments made. That report has to be delivered in a complete, accurate, and timely way to ensure that when the client receives the report, they can rely upon that output.
Complying with Processing Integrity Criteria 1.4
To assess an organization’s compliance with processing integrity criteria 1.4, auditors will use the following four points of focus:
- The entity protects output when it is stored or delivered with the intention of preventing theft, destruction, corruption, or deterioration.
- The entity distributes output only to intended parties.
- The entity distributes output completely and accurately.
- The entity creates and maintains records of system output activities.
Processing integrity 1.4 says that the entity implements policies and procedures to make available or deliver output completely, accurately, and timely in accordance with specifications to meet the entity’s objectives. If your processing system produces some output that your client relies upon, you have to make sure that it is complete and accurate and that you protect and control it until it gets into the hands of your client who relies upon it. For example, you might be some type of billing service provider, and there’s a statement at the end of the month that goes to your client that says, “This is the true and accurate representation of all the billing that occurred this month. These are the payments we received. These are the credits and adjustments.” This report has to be delivered in a secure and accurate way to ensure that your client, when they get it, can rely upon that output.