Framework Guidance

Information on various compliance frameworks and their requirements.

SOC 2 Processing Integrity

Processing integrity provides assurance that information in the audited system is complete, valid, accurate, timely and authorized, so that the system fully satisfies the entity's objectives. Controls are in place to prevent processing errors, and if errors do occur, controls assure that they are detected and corrected in a timely manner. Principles of this Trust Services Criteria (TSC) include:

  • Processing Integrity Objectives
  • System Inputs
  • System Processing
  • System Outputs
  • System Storage

Overall, this TSC is used to verify that the audited system is operating as intended.

Who should include Processing Integrity in the scope of their audit?

  • A company whose software processes large volumes of data or integrates with other systems may want to consider processing integrity.
  • Organizations providing financial-type services may want to consider adding processing integrity to the scope of their report. Companies performing any type of transaction on behalf of clients should consider including processing integrity in their SOC 2.

What type of evidence will be requested for processing integrity?

  • Processing Integrity Policy
  • Edit checks & input validations
  • Error processing evidence, including tickets, logs, monitoring tool configurations and/or evidence of system processing errors
  • Evidence of data exports and export configuration settings
  • Daily backup configurations and data storage logs

How do I add Processing Integrity to my SOC 2 framework in Secureframe?

  • Work with your auditor and your points of contact at Secureframe to tailor controls and tests specific to your business and environment. Add any of the following controls as applicable:
    • PI-01-1
    • PI-01-2
    • PI-01-3
    • PI-01-4
    • PI-01-5
    • PI-01-6
    • PI-02-1
    • PI-02-2
    • PI-03-1
    • PI-03-2
    • PI-03-3
    • PI-03-4
    • PI-03-6
    • PI-04-1
    • PI-04-2
    • PI-04-3
    • PI-04-4
  • If a control is not applicable to your business or environment, mark it N/A if it is not already marked.
  • Add custom tests that are descriptive and useful for your specific tools and processes. See "What type of evidence will be requested for processing integrity?" above for examples.
  • Be sure to tailor the Processing Integrity Policy to align with the applicable controls and tests.

Frequently Asked Questions (FAQ)

  • Which auditors can test for processing integrity?
    • Any auditor that assesses for SOC 2 can test for Processing Integrity.
  • Do I need to include processing integrity to get a SOC 2 report?
    • No, it is not required for SOC 2. Security is the only required criterion for SOC 2; the remaining four trust services criteria are optional.
  • Does it cost more to include processing integrity in my scope?
    • Yes, an auditor will charge more for PI since it is more work for them. However, Secureframe includes PI in the price of our customers' SOC 2 framework.
  • Does PI have much overlap with the other SOC 2 TSC? What about other frameworks?
    • Aside from backups, there is not much control overlap with the other SOC 2 criteria.
    • Data backups are part of many frameworks, and error processing is included in NIST 800-53.
