SOC 2 Processing Integrity
Data Accuracy & Completeness
Demonstrate that your system processes data accurately, completely, and in a timely manner. Processing Integrity proves your data processing is reliable — critical for financial systems, payment processors, and data-driven SaaS platforms.
Processing Integrity is an optional Trust Services Criterion (the PI1 series); only Security (CC1–CC9) is mandatory in every SOC 2 report.
AICPA Trust Services Criteria · SSAE 18 attestation · Last reviewed June 2026
Direct Answer
Is the Processing Integrity criterion mandatory?
The SOC 2 Processing Integrity criterion is the optional AICPA Trust Services Criterion that evaluates whether system processing is complete, valid, accurate, timely, and authorized — in other words, that correct data in produces correct data out. It is defined as the PI1 series of criteria and examined as part of a SOC 2 report, an SSAE 18 attestation performed by a licensed CPA rather than a certification (AICPA).
The Criterion
What are the SOC 2 Processing Integrity criteria?
Processing Integrity criteria demonstrate that your system processes data accurately, completely, and in a timely manner. Unlike the Security criteria (which are mandatory), Processing Integrity is optional, but it's critical for systems where data accuracy is paramount.
If your customers depend on accurate data processing (financial calculations, payment processing, data analytics, reporting), you should include Processing Integrity in your SOC 2 report.
Optional but Critical for Data-Driven Systems
Financial, payment, analytics, and reporting systems need this
Proves Data Accuracy & Completeness
Validates that your processing logic produces correct results
Covers Error Detection & Handling
Demonstrates systematic error management processes
Required by Financial Services Customers
Banks and fintech companies often require Processing Integrity
When to Include Processing Integrity
Financial Calculations
Billing, invoicing, payment processing, accounting systems
Data Analytics & Reporting
Business intelligence, dashboards, customer-facing reports
Transaction Processing
E-commerce, payment gateways, order management systems
Regulatory Compliance
Systems subject to financial or healthcare regulations
The Controls
8 Key Processing Integrity Controls
Implement these controls to demonstrate data processing accuracy and meet SOC 2 Processing Integrity criteria requirements.
Data Validation & Input Controls
Ensure data accuracy and completeness through validation rules and input controls.
Key Implementation Points
- Input validation for all user-submitted data
- Data type and format validation
- Required field enforcement
- Range and boundary checks
- Duplicate detection and prevention
Error Detection & Handling
Systematic error detection, logging, and resolution processes.
Key Implementation Points
- Automated error detection and logging
- Error notification and alerting
- Error correction procedures documented
- Root cause analysis for recurring errors
- Error metrics tracking and reporting
Transaction Processing Controls
Ensure transactions are processed completely, accurately, and in a timely manner.
Key Implementation Points
- Transaction completeness checks
- Duplicate transaction prevention
- Transaction sequencing and ordering
- Failed transaction handling and retry logic
- Transaction audit trails
Data Quality Monitoring
Continuous monitoring of data quality metrics and anomaly detection.
Key Implementation Points
- Data quality metrics dashboard
- Anomaly detection for unusual patterns
- Data completeness monitoring
- Data accuracy spot checks
- Quality trend analysis and reporting
Authorization & Approval Workflows
Ensure processing activities are properly authorized before execution.
Key Implementation Points
- Multi-level approval workflows
- Segregation of duties for critical processes
- Authorization limits and thresholds
- Approval audit trails
- Automated authorization checks
Data Reconciliation
Regular reconciliation processes to ensure data consistency across systems.
Key Implementation Points
- Daily/weekly reconciliation schedules
- Cross-system data consistency checks
- Discrepancy investigation procedures
- Reconciliation exception handling
- Reconciliation reporting to management
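The cross-system consistency, duplicate, and completeness checks listed under Transaction Processing Controls and Data Reconciliation, as an added example that is not part of the original page. The two record sets, the transaction IDs, and the function names are constructed for illustration; a real job would read them from the systems being reconciled.

```python
from collections import Counter
from decimal import Decimal

# Constructed sample data: (transaction_id, amount) rows from two systems.
LEDGER = [
    ("tx-1001", "120.00"),
    ("tx-1002", "75.50"),
    ("tx-1003", "19.99"),
    ("tx-1003", "19.99"),   # same id posted twice
    ("tx-1004", "500.00"),
]
PROCESSOR = [
    ("tx-1001", "120.00"),
    ("tx-1002", "75.05"),   # amount differs from the ledger
    ("tx-1003", "19.99"),
    ("tx-1005", "42.00"),   # never reached the ledger
]

def index(rows):
    """Return ({id: Decimal amount}, sorted duplicate ids) for one system."""
    counts = Counter(tx_id for tx_id, _ in rows)
    duplicates = sorted(t for t, n in counts.items() if n > 1)
    # Decimal avoids binary floating-point rounding in money comparisons.
    amounts = {tx_id: Decimal(amount) for tx_id, amount in rows}
    return amounts, duplicates

def reconcile(ledger_rows, processor_rows):
    """Compare two systems and return every class of discrepancy found."""
    ledger, ledger_dups = index(ledger_rows)
    processor, processor_dups = index(processor_rows)
    shared = ledger.keys() & processor.keys()
    return {
        "duplicates_in_ledger": ledger_dups,
        "duplicates_in_processor": processor_dups,
        "missing_in_processor": sorted(ledger.keys() - processor.keys()),
        "missing_in_ledger": sorted(processor.keys() - ledger.keys()),
        "amount_mismatch": sorted(
            (t, ledger[t], processor[t]) for t in shared if ledger[t] != processor[t]
        ),
        # Control totals: a quick completeness signal before row-level review.
        "ledger_total": sum(Decimal(a) for _, a in ledger_rows),
        "processor_total": sum(Decimal(a) for _, a in processor_rows),
    }

if __name__ == "__main__":
    for name, value in reconcile(LEDGER, PROCESSOR).items():
        print(f"{name}: {value}")
```

Persisting each run's output together with the investigation notes for every discrepancy produces the reconciliation reports and exception records an auditor samples.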
Processing Timeliness Controls
Ensure data is processed within defined timeframes and SLAs.
Key Implementation Points
- Processing SLAs defined and monitored
- Batch processing schedules documented
- Real-time processing for critical data
- Processing delay alerting
- Timeliness metrics and reporting
Change Management for Processing Logic
Controlled changes to processing logic to prevent data integrity issues.
Key Implementation Points
- Change approval for processing logic updates
- Testing requirements for logic changes
- Rollback procedures for failed changes
- Version control for processing code
- Change impact analysis
From the Audit Floor
Common Processing Integrity Mistakes
The patterns we see derail Processing Integrity evidence — and how to keep your report clean the first time.
No Input Validation
Accepting user input without validation leads to data quality issues and security vulnerabilities.
Fix: Implement comprehensive input validation (data type, format, range, required fields) on both client and server side.
Poor Error Handling
Errors are silently ignored or not logged, making it impossible to detect processing failures.
Fix: Implement comprehensive error logging, alerting, and documented error resolution procedures.
No Data Reconciliation
Data inconsistencies between systems go undetected without regular reconciliation.
Fix: Implement daily/weekly reconciliation processes with documented discrepancy investigation procedures.
Untested Processing Logic Changes
Changes to processing logic deployed without adequate testing can introduce data accuracy issues.
Fix: Require comprehensive testing (unit, integration, UAT) before deploying processing logic changes.
No Transaction Completeness Checks
Partial transaction processing without completeness verification leads to data integrity issues.
Fix: Implement transaction completeness checks, duplicate prevention, and failed transaction handling.
Missing Authorization Controls
Critical processing activities executed without proper authorization or approval workflows.
Fix: Implement multi-level approval workflows with segregation of duties for critical processes.
Frequently Asked Questions
Core questions on the AICPA SOC 2 Processing Integrity criterion (PI1.x), how it differs from Security and Confidentiality, and the evidence auditors request.
Is the Processing Integrity criterion mandatory for SOC 2?
No. Only the Security category (the Common Criteria, CC1–CC9) is mandatory in every SOC 2 report. Processing Integrity is one of four optional add-on Trust Services Criteria, alongside Availability, Confidentiality, and Privacy. It is most commonly added by fintech, payments, billing, and data-processing platforms whose customers rely on the system producing complete, accurate, and timely results.
What does the Processing Integrity criterion (PI1.x) actually cover?
The AICPA Processing Integrity criteria are the PI1 series. They evaluate whether system processing is complete, valid, accurate, timely, and authorized — in short, that correct data in produces correct data out. The criteria address the definition of processing specifications and data quality (PI1.1–PI1.2) and integrity over inputs, processing, and outputs (PI1.3–PI1.5), covering input validation, error handling, transaction completeness, reconciliation, and output accuracy.
How is Processing Integrity different from the Security criterion?
Security (the Common Criteria) is about protecting the system from unauthorized access — access controls, encryption, monitoring, and change management. Processing Integrity is about whether the data the system processes is complete, valid, accurate, timely, and authorized. You can have flawless security and still ship a wrong billing calculation; Processing Integrity is the criterion that gives customers assurance over the correctness of processing itself.
How is Processing Integrity different from the Confidentiality criterion?
Processing Integrity ensures data is processed accurately and completely — correct calculations, no dropped or duplicated records, timely output. Confidentiality ensures information you have agreed to keep confidential is protected from unauthorized disclosure through classification, access controls, and encryption. Example: Processing Integrity confirms an invoice of ₹100 × 12 = ₹1,200 is computed correctly; Confidentiality confirms that invoice is only visible to authorized parties.
What evidence will auditors request for Processing Integrity?
For a Type II report a CPA samples evidence across the period: documented processing and data-quality specifications (PI1.1–PI1.2); input-validation rules and rejected-input handling (PI1.3); error logs, alerting, and resolution records and transaction-completeness and reconciliation reports (PI1.4); and output-review, distribution, and accuracy checks (PI1.5). Expect requests for change-management and testing records for any changes to processing logic as well.
Going Deeper
More on SOC 2 Processing Integrity
Are the Processing Integrity criteria mandatory for SOC 2?
No, Processing Integrity is optional. Only the Security criteria (CC1-CC9) are mandatory. However, financial systems, payment processors, and data analytics platforms should include Processing Integrity because customers depend on accurate data processing. If your system performs calculations, generates reports, or processes transactions, you likely need these criteria.
What's the difference between Processing Integrity and Security criteria?
Security criteria focus on protecting data from unauthorized access (confidentiality, access controls, encryption). Processing Integrity criteria focus on ensuring data is processed accurately, completely, and in a timely manner (data validation, error handling, transaction completeness). You can have perfect security but still have data accuracy issues — that's what Processing Integrity addresses.
What are the most important Processing Integrity controls?
The top 3 controls are: (1) Input validation - Validate all user input for data type, format, range, and required fields; (2) Error detection and handling - Automated error logging, alerting, and documented resolution procedures; (3) Data reconciliation - Regular reconciliation processes to ensure data consistency across systems. These three controls address the majority of data accuracy issues.
How do I prove data accuracy to SOC 2 auditors?
Auditors will request: (1) Input validation rules - Code reviews showing validation logic; (2) Error logs - Evidence of error detection and resolution; (3) Reconciliation reports - Regular reconciliation with discrepancy investigation; (4) Test results - Evidence of testing for processing logic changes; (5) Data quality metrics - Dashboards showing accuracy, completeness, timeliness metrics; (6) Transaction audit trails - Complete audit logs for critical transactions.
Do I need Processing Integrity if I'm a SaaS company?
It depends on your product. Include Processing Integrity if: (1) You process financial transactions or billing; (2) You generate customer-facing reports or analytics; (3) You perform calculations that customers rely on; (4) You integrate with financial systems or payment processors; (5) Your customers are in regulated industries (finance, healthcare). Skip Processing Integrity if you're a simple CRUD app, collaboration tool, or content management system where data accuracy is less critical.
What's the difference between Processing Integrity and Confidentiality?
Processing Integrity ensures data is processed accurately and completely (correct calculations, no data loss, timely processing). Confidentiality ensures data is protected from unauthorized disclosure (encryption, access controls, data classification). Example: Processing Integrity ensures your billing calculation is correct ($100 × 12 months = $1,200). Confidentiality ensures that billing data is only accessible to authorized users and encrypted at rest/in transit.