Processing Integrity Criteria 1.3
When an organization pursues SOC 2 compliance, an auditor will verify that they comply with the common criteria listed in the 2017 Trust Services Criteria. In addition to the common criteria, though, there’s additional criteria for the availability, confidentiality, processing integrity, and privacy categories. If an organization opts to include the processing integrity category in their audit, they need to comply with the additional criteria for processing integrity. Processing integrity criteria 1.3 says, “The entity implements policies and procedures over system processing to result in products, services, and reporting to meet the entity’s objectives.” Let’s discuss why identifying logging errors is crucial to complying with this criterion.
Identifying Logging Errors for SOC 2 Compliance
For service organizations whose services rely on processing data for clients, it’s important that they do so in a complete, accurate, and timely manner. However, in order to ensure that this happens, organizations must have policies and procedures in place to identify any errors in processing data. For example, let’s say that a data processor who processes mortgage data for a bank notices that there’s an error in the data. If that organization does not have effective policies and procedures to identify and communicate that error in a timely way, banks and their customers relying on that information could be greatly impacted. In addition to policies and procedures, organizations should also be identifying logging errors. Why? Because using logs helps organizations identify and record any errors that arise while processing data and can be used to review and verify that certain processes were carried out if an issue or error occurs.
Complying with Processing Integrity 1.3
During a SOC 2 audit, auditors will assess an organization’s compliance using five points of focus. An auditor will expect to see that an organization:
- Defines processing specifications
- Defines processing activities
- Detects and corrects production errors
- Records system processing activities
- Processes inputs in a complete, accurate, and timely manner
More SOC 2 Resources
Processing integrity criteria 1.3 says that the entity implements policies and procedures over system processing to result in product, services, and reporting to meet the entity’s objectives. You would want to have what the purpose of your system is and what the processing activities are, so that your clients can rely upon that and understand what your system does and does not do. If you are a data processor of some type of mortgage data that banks were relying upon, for example, your processing capabilities would need to be defined as such so that you would be able to identify errors in the process and be able to communicate those errors in a timely way, so they can be corrected before that deficiency was relied upon by your client. You would also want to have good logs built into your processing system so that any action that occurs during the processing life cycle is recorded so that any time someone had to go back and verify that particular step or process did occur, they would have an accurate record of that occurring.