SOC 2 Academy: Quality and Accuracy of Your Data
by Joseph Kirkpatrick / April 5th, 2019
Processing Integrity Criteria 1.1
When an organization pursues SOC 2 compliance, an auditor will verify that they comply with the common criteria listed in the 2017 Trust Services Criteria. In addition to the common criteria, though, there’s additional criteria for the availability, confidentiality, processing integrity, and privacy categories. If an organization opts to include the processing integrity category in their audit, they need to comply with the additional criteria for processing integrity. Processing integrity criteria 1.1 says, “The entity obtains or generates, uses, and communicates relevant, quality information regarding the objectives related to processing, including definitions of data processed and product and service specifications, to support the use of products and services.” What does this mean for organizations and how do they comply with this criterion? Let’s discuss why the quality and accuracy of your data is important for SOC 2 compliance.
Does the Processing Integrity Category Apply to My Organization?
While the security category applies to all organizations pursuing SOC 2 compliance, knowing whether or not you should include additional categories depends on the type of services you offer. If your organization provides services to your clients that relies on the quality and accuracy of data that is processed and output for your clients, you would need to include the processing integrity category in your SOC 2 audit.
How to Comply with Processing Integrity Criteria 1.1
The processing integrity category asks whether or not a service organization’s processing services are provided in a complete, accurate, and timely manner. To comply with this category, or more specifically, processing integrity criteria 1.1, service organizations should use the following two points of focus relating to the quality and accuracy of data:
- Entities should identify information specifications that are required to support the use of products and services.
- Entities should define data necessary to support a product or service.
Let’s say that an auditor is verifying compliance with processing integrity criteria 1.1. The organization in question is an employee benefits service provider who provides reports to clients that they rely upon. The auditor will want to see that the organization defines the data that’s used in the report, which could be done by providing the source of the data, the date range that the data was used to produce the report, or how the data was calculated. Whichever way organizations decide to define the data, ensuring the quality and accuracy of data is critical to complying with the processing integrity category.
More SOC 2 Resources
Understanding Your SOC 2 Report
SOC 2 Compliance Handbook: The 5 Trust Services Criteria
I’m going to read for you the additional criteria for processing integrity. It’s one of the categories for the SOC 2 Trust Services Criteria. Processing integrity 1.1 says “The entity obtains or generates, uses, and communicates relevant, quality information regarding the objectives related to processing, including definitions of data processed and product and service specifications, to support the use of products and services.” If your company provides a service to its clients that relies upon the quality and accuracy of data that perhaps is processed and output in some format to your clients, this is a category that would apply to you and your service offering. For example, maybe you are an employee benefits service provider and you’re providing reports to your clients that they rely upon, you would want to provide a definition of the data that you’re using in that report you’re providing. You might specify the source of the data or where it came from, the relevant date range of the data that was used to produce the report, or you might provide some type of unit of measurement of how this data was arrived at or how you calculated it. So, any time you have a processing element to your service that relies upon core data you would want to disclose that and explain it, and that’s where the processing integrity category comes into play.
