SOC 2 Academy: How is Data Put Into Your System?

by Joseph Kirkpatrick / April 5th, 2019

Processing Integrity Criteria 1.2

When an organization pursues SOC 2 compliance, an auditor will verify that they comply with the common criteria listed in the 2017 Trust Services Criteria. In addition to the common criteria, though, there are additional criteria for the availability, confidentiality, processing integrity, and privacy categories. If an organization opts to include the processing integrity category in their audit, they need to comply with the additional criteria for processing integrity. Processing integrity criteria 1.2 says, “The entity implements policies and procedures over system inputs, including controls over completeness and accuracy, to result in products, services, and reporting to meet the entity’s objectives.” What does this mean for organizations and how do they comply with this criterion? Let’s discuss why organizations need to understand how data is put into their system.

Understanding How Data is Put Into Your System

The processing integrity category asks whether or not a service organization’s processing services are provided in a complete, accurate, and timely manner. To demonstrate compliance with this category, organizations need to not only demonstrate that they perform their due diligence to ensure the quality or accuracy of the data they process, but they also need to show their auditors that they know how data is put into their system. If organizations don’t know how data is being inputted into their systems, critical mistakes could be missed, which could make the data incomplete and inaccurate and could seriously impact a client’s ability to use that data. Considering this, organizations that include the processing integrity category in their SOC 2 audit will need to demonstrate that they have policies and procedures in place that guide how they input data into their system.

Complying with Processing Integrity Criteria 1.2

During a SOC 2 audit, an auditor will assess compliance with processing integrity criteria 1.2 by using the following three points of focus:

  1. The entity defines the characteristics of processing inputs.
  2. The entity evaluates processing inputs for compliance with defined input requirements.
  3. The entity creates and maintains records of system inputs.

More SOC 2 Resources

SOC 2 Academy

Understanding Your SOC 2 Report

SOC 2 Compliance Handbook: The 5 Trust Services Criteria

Processing integrity 1.2 is part of the SOC 2 Trust Services Criteria that deals with system inputs. If your service that you provide to your clients is a service that relies on processing data, how that data is input into the system is very important. Do you have policies and procedures around how those inputs are supposed to be handled and how those things are checked to make sure that the data that’s relied upon is true and accurate and there weren’t any room for errors when entering that information into the system?