SOC 2 compliance is essential for service organizations that want to prove their security and operational practices meet industry standards. One of the key trust service criteria in a SOC 2 audit is processing integrity. This principle focuses on ensuring that data processing is accurate, complete, timely, and authorized, supported by specific controls across objectives, inputs, processes, outputs, and storage.
Is your organization preparing for a SOC 2 audit? Schedule a consultation today to assess your readiness.
Understanding Processing Integrity for SOC 2 Audits
The American Institute of Certified Public Accountants (AICPA) oversees several reporting standards, but the most widely used is the SOC 2 report. This report evaluates how well a service organization meets the Trust Services Criteria (TSC), sometimes called Trust Service Principles (TSP). These five criteria are:
- Security
- Availability
- Processing Integrity
- Confidentiality
- Privacy
Every audit measures these principles through a set of Common Criteria (CC) controls, which apply to all organizations seeking compliance.
Baseline Common Criteria (CC1–CC5)
These are the foundation of SOC 2 compliance, focusing on core governance and security operations:
- CC1: Control Environment
- CC2: Communication and Information
- CC3: Risk Assessment
- CC4: Monitoring Activities
- CC5: Control Activities
Supplemental Common Criteria (CC6–CC9)
Building on the baseline, these add more detailed and flexible safeguards:
- CC6: Logical and Physical Access Controls
- CC7: System Operations
- CC8: Change Management
- CC9: Risk Mitigation
The full SOC 2 controls list drills even deeper, with sub-requirements (e.g., CC1.1, CC1.2, etc.) based on the COSO Principles. For a detailed breakdown, see our SOC 2 checklist or whitepaper.
All five Trust Services Criteria are addressed across these controls, with security as the most emphasized. Depending on your organization, auditors may also evaluate Additional Criteria tied to the other principles, such as processing integrity or privacy, to match your unique risk environment.
Processing Integrity Controls for SOC 2 Compliance
Organizations that require a SOC 2 report with a focus on processing integrity must first implement all Common Criteria (CC) controls and their points of focus. They must also meet the Additional Criteria outlined in the Trust Services Criteria (TSC).
Unlike other Trust Services Criteria, the processing integrity principle does not have unique points of focus embedded in the CC series. Instead, organizations needing a PI-focused report must follow a separate set of Additional Criteria requirements. In many cases, these reports are requested alongside evaluations of other Additional Criteria, such as confidentiality or privacy. Defining the exact scope of your SOC 2 audit requires clear communication with clients and stakeholders.
The processing integrity Additional Criteria include five key requirements, supported by several points of focus, that every organization seeking a PI report must address.
Below, we’ll break down these specific controls in detail.
PI1.1: Communication of Objectives
The first processing integrity (PI) control in SOC 2 compliance focuses on setting clear expectations for how data should be defined, processed, and communicated within an organization’s systems.
According to the control:
“The entity obtains or generates, uses, and communicates relevant, quality information regarding the objectives related to processing, including definitions of data processed and product and service specifications, to support the use of products and services.”
To meet this requirement, organizations should address several points of focus for PI-specific assessments:
- Identify both functional and non-functional requirements in system specifications.
- Define all data needed to support a product or service effectively.
- Make data definitions and purposes available to all relevant users.
- Include critical details such as data sources, scale, and population.
- Ensure accuracy and completeness across all data definitions.
- Provide enough context for stakeholders to understand each data element.
For systems that produce or distribute physical or digital products, there are additional requirements:
- Define all data needed to support the product or good.
- Make this data accessible and identifiable for end users.
- Validate data for accuracy, completeness, and accessibility.
Because these criteria can vary depending on your business model, it’s best to consult with a compliance advisor to determine how PI1.1 applies to your environment and how to document controls effectively.
PI1.2: Control Over System Inputs
The second processing integrity control in SOC 2 compliance addresses governance over system inputs. Alongside PI1.1 (Communication of Objectives), it forms part of a three-part series covering inputs, processing, and outputs.
The control states:
“The entity implements policies and procedures over system inputs, including controls over completeness and accuracy, to result in products, services, and reporting to meet the entity’s objectives.”
To comply with PI1.2, organizations should focus on three critical areas:
- Defining input characteristics required to meet processing objectives.
- Evaluating system inputs against compliance requirements and organizational goals.
- Maintaining accurate records of all system inputs to ensure reliability and traceability.
Here, the “objectives” directly tie back to the expectations outlined in PI1.1: Communication of Objectives, as well as any broader objectives established for overall SOC 2 compliance.
PI1.3: Control Over System Processing
The third processing integrity control in SOC 2 compliance extends governance from system inputs (PI1.2) to the actual processing activities performed on that data.
The control states:
“The entity implements policies and procedures over system processing to result in products, services, and reporting to meet the entity’s objectives.”
To meet this requirement, organizations should establish the following points of focus:
- Define processing specifications necessary to satisfy compliance requirements.
- Identify processing activities that system inputs are expected to undergo.
- Detect and correct errors or inconsistencies throughout processing activities.
- Record processing activities as they occur, keeping accurate logs and documentation.
- Ensure completeness, accuracy, and timeliness of processing, aligned with the objectives set in PI1.1.
When integrated into a broader cybersecurity monitoring framework, these practices help organizations maintain visibility, prevent errors, and strengthen overall control across their systems.
PI1.4: Control Over System Outputs
The fourth processing integrity control in SOC 2 compliance focuses on the results of system processing. Building on PI1.2 (inputs) and PI1.3 (processing), this requirement ensures that all system outputs are delivered as expected and safeguarded against compromise.
The control states:
“The entity implements policies and procedures to make available or deliver output completely, accurately, and timely in accordance with specifications to meet the entity’s objectives.”
To comply with PI1.4, organizations must implement the following points of focus:
- Protect outputs from theft, destruction, or unauthorized modification.
- Restrict distribution so that outputs are available only to intended and authorized recipients.
- Deliver outputs completely and accurately, maintaining full data integrity.
- Document outputs with clear, accurate records of delivery and related activities.
PI1.4 concludes the before-during-after sequence of processing integrity: governing inputs, monitoring processing, and securing outputs. While this closes the operational cycle, organizations must still address the remaining PI control to achieve full SOC 2 compliance.
PI1.5: Secure Storage at All Stages
The final processing integrity control in SOC 2 compliance focuses on safeguarding all data in storage, including inputs, items in processing, and outputs.
The control states:
“The entity implements policies and procedures to store inputs, items in processing, and outputs completely, accurately, and timely in accordance with system specifications to meet the entity’s objectives.”
To meet PI1.5 requirements, organizations must implement the following points of focus:
- Protect stored data (inputs, processing records, and outputs) from compromise.
- Archive and preserve system records, ensuring protection against deterioration or loss.
- Maintain accuracy, completeness, and integrity of stored data for the long term.
- Document storage activities with clear, timely, and accurate records.
Addressing PI1.5 effectively completes the SOC 2 processing integrity framework, ensuring that data remains secure not only during input, processing, and output but also throughout storage. The most reliable way to achieve this, and meet all SOC 2 requirements, is to work with a trusted compliance advisor who can guide implementation and audit readiness.
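The four operational controls above (PI1.2 inputs, PI1.3 processing, PI1.4 outputs, PI1.5 storage) are easier to picture as code. The Python pipeline below is an added example written for this article, not code from RSI Security or the AICPA; the batch layout, the field rules in INPUT_SPEC, the declared control total and the run_pipeline helper are all constructed assumptions. It validates a batch against a declared record count and per-field rules, writes an audit entry for every stage, reconciles input and output counts, attaches a SHA-256 digest to the delivered output, and re-verifies that digest after the output has been stored.

```python
"""Added example: a minimal batch pipeline with processing-integrity controls.

Hypothetical code written for this article; the batch format, field rules
and control totals below are constructed for illustration only.
"""
import hashlib
import json
from datetime import datetime, timezone

# PI1.2: input specification (constructed): the fields a record must carry
# and the values that count as acceptable.
INPUT_SPEC = {
    "order_id": lambda v: isinstance(v, str) and v.startswith("ORD-"),
    "amount_cents": lambda v: isinstance(v, int) and v >= 0,
    "currency": lambda v: v in {"USD", "EUR"},
}

# Constructed batch: a header with a control total (declared record count)
# plus the records. One record is deliberately malformed so the rejection
# and reconciliation paths are exercised.
SAMPLE_BATCH = {
    "batch_id": "BATCH-0001",
    "declared_count": 3,
    "records": [
        {"order_id": "ORD-1", "amount_cents": 1999, "currency": "USD"},
        {"order_id": "ORD-2", "amount_cents": -5, "currency": "USD"},  # bad amount
        {"order_id": "ORD-3", "amount_cents": 500, "currency": "EUR"},
    ],
}


def audit(log, stage, message, **fields):
    """PI1.3/PI1.4/PI1.5: record each activity as it occurs, with a timestamp."""
    entry = {"ts": datetime.now(timezone.utc).isoformat(), "stage": stage,
             "message": message, **fields}
    log.append(entry)
    return entry


def validate_inputs(batch, log):
    """PI1.2: completeness via the control total, accuracy via per-field rules."""
    records = batch["records"]
    if len(records) != batch["declared_count"]:
        audit(log, "input", "control total mismatch",
              declared=batch["declared_count"], received=len(records))
        raise ValueError("incomplete batch")
    accepted, rejected = [], []
    for rec in records:
        errors = [f for f, rule in INPUT_SPEC.items() if f not in rec or not rule(rec[f])]
        if errors:
            rejected.append({"record": rec, "errors": errors})
            audit(log, "input", "record rejected", order_id=rec.get("order_id"), errors=errors)
        else:
            accepted.append(rec)
    audit(log, "input", "validation complete", accepted=len(accepted), rejected=len(rejected))
    return accepted, rejected


def process(records, log):
    """PI1.3: apply the defined transformation and log each record processed."""
    out = []
    for rec in records:
        out.append({"order_id": rec["order_id"],
                    "amount": f"{rec['amount_cents'] / 100:.2f} {rec['currency']}"})
        audit(log, "processing", "record transformed", order_id=rec["order_id"])
    return out


def sha256_of(obj):
    """Canonical JSON digest used as the output integrity check."""
    return hashlib.sha256(json.dumps(obj, sort_keys=True).encode()).hexdigest()


def emit_output(batch, processed, rejected, log):
    """PI1.4: reconcile counts against the control total and attach a digest."""
    if len(processed) + len(rejected) != batch["declared_count"]:
        raise ValueError("output reconciliation failed")
    manifest = {"batch_id": batch["batch_id"], "record_count": len(processed),
                "sha256": sha256_of(processed)}
    audit(log, "output", "delivered", **manifest)
    return {"manifest": manifest, "records": processed}


def store_and_verify(output, storage, log):
    """PI1.5: persist the output, read it back and re-check its digest."""
    key = output["manifest"]["batch_id"]
    storage[key] = json.dumps(output, sort_keys=True)
    restored = json.loads(storage[key])
    intact = sha256_of(restored["records"]) == restored["manifest"]["sha256"]
    audit(log, "storage", "stored and verified", intact=intact)
    return intact


def run_pipeline(batch=SAMPLE_BATCH, storage=None):
    """Run the four controls in order and return counts, the audit log and output."""
    storage = {} if storage is None else storage
    log = []
    accepted, rejected = validate_inputs(batch, log)
    processed = process(accepted, log)
    output = emit_output(batch, processed, rejected, log)
    intact = store_and_verify(output, storage, log)
    return {"accepted": len(accepted), "rejected": len(rejected),
            "intact": intact, "log": log, "output": output}


if __name__ == "__main__":
    print(json.dumps(run_pipeline(), indent=2))
```

Calling run_pipeline() on the constructed batch rejects the one malformed record, delivers the other two with a manifest, confirms the stored copy matches its digest, and returns the timestamped audit log that an auditor would ask to see alongside the reconciliation counts. A batch whose declared count does not match the records received is refused before any processing starts, which is the completeness check PI1.2 asks for.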
Additional SOC 2 Compliance Considerations
While SOC 2 is the most widely applicable framework for service organizations, it’s not the only type of SOC audit. Depending on your industry, clients, and regulatory environment, you may need to prepare for SOC 1, SOC 2, or SOC 3.
- SOC 2: The most common framework, applicable across all service organizations. It focuses on the Trust Services Criteria (TSC) and is often considered a gold standard, even though it is not legally mandated. Many clients and partners treat SOC 2 as a business requirement.
- SOC 1: Designed for financial services providers or organizations with financial reporting functions. It evaluates Internal Control over Financial Reporting (ICFR) under a separate, parallel framework.
- SOC 3: Similar in scope to SOC 2 but created for general audiences. SOC 2 reports are highly technical and not meant for public distribution, whereas SOC 3 reports are public-facing and often published on an organization’s website.
SOC Report Types: Type 1 vs. Type 2
Both SOC 1 and SOC 2 have two reporting styles:
- Type 1: Evaluates the design of controls at a single point in time, offering moderate assurance.
- Type 2: Assesses the effectiveness of controls over an extended period, providing stronger assurance and more credibility.
SOC 3 does not have a Type designation but typically aligns more closely with the extended review of a SOC 2 Type 2.
For most organizations, SOC 2 Type 2 is the preferred approach. It provides the most thorough assurance to stakeholders and can easily translate into a SOC 3 report for public distribution.
Streamline Your SOC 2 Compliance Today
Achieving SOC 2 compliance requires addressing both the Common Criteria and Additional Criteria tied to the Trust Services Criteria (TSC), including processing integrity. To provide reliable assurance to your clients, your organization must implement and maintain the PI-series controls that govern every stage of processing: inputs, activities, outputs, and storage.
At RSI Security, we specialize in helping organizations prepare for and achieve SOC 2 compliance. From advisory and implementation to readiness assessments, our team has guided countless companies through the process. By building a strong compliance foundation, you not only satisfy client requirements but also strengthen your overall cybersecurity posture to support long-term growth.
Contact RSI Security today to learn more about our compliance services.