SOC 2 PI1.2: Processing Integrity - System Processing is Complete, Accurate, Timely, and Authorized
What This Control Requires
The entity implements policies and procedures over system processing to result in products, services, and reporting to meet the entity's objectives. Processing is performed in a complete, accurate, timely, and authorized manner.
In Plain Language
PI1.1 defines what correct processing looks like. This control is about proving your systems actually deliver it. Records cannot go missing, calculations cannot be wrong, SLAs cannot be missed, and nobody should be able to trigger processing they are not authorised to run.
This means automated controls that check completeness (no dropped records), verify accuracy (outputs match expectations), enforce timeliness (SLAs are tracked and met), and ensure authorisation (only approved users and processes can initiate work). It also means reconciliation processes that compare what went in against what came out.
Auditors test this by examining system configurations, reviewing processing logs, verifying reconciliation results, and tracing individual transactions end-to-end through your systems. If they pick a random input record, they want to see it arrive correctly at the output.
How to Implement
Build automated processing controls into each critical system. For completeness, implement record counts at every processing stage, compare input and output volumes, detect and alert on missing or skipped records, and run end-to-end validation confirming every input is accounted for in the output.
For accuracy, validate calculations against known test cases, reconcile data across systems that share it, verify data integrity with checksums or hashes during transfers, and automatically compare actual outputs against expected results for representative scenarios.
For timeliness, monitor processing schedules and alert when jobs run late, maintain SLA dashboards tracking completion against targets, escalate automatically when processing exceeds defined thresholds, and implement queue management that prioritises work by urgency.
For authorisation, enforce role-based access for initiating or modifying processing, require approval workflows for manual interventions, log all processing activities with who triggered them and when, and maintain segregation of duties between initiating, executing, and reviewing processing.
Set up reconciliation processes. Compare source system records to downstream records on a regular cadence. Identify discrepancies, investigate them, and document the resolution. Automate wherever possible and define clear review procedures for anything that requires manual reconciliation.
Define how processing errors are detected, logged, escalated, investigated, and corrected. Make sure error handling never silently drops records or produces wrong outputs. Implement retry logic for transient failures and escalation for persistent ones. Use dead-letter queues or error tables to capture failed records for reprocessing. Keep error logs as audit evidence.
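A minimal reconciliation check covering the completeness, accuracy, and error-capture points above. This is an added example, not AuditFront's or any framework's own code; the record layout, the `id` key, and the function names are assumptions made for illustration.

```python
import hashlib
import json
from dataclasses import dataclass, field


def record_digest(record: dict) -> str:
    """SHA-256 over canonical JSON, so key order cannot change the hash."""
    canonical = json.dumps(record, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


@dataclass
class ReconciliationResult:
    input_count: int
    output_count: int
    dead_letter_count: int
    missing: list = field(default_factory=list)     # in input, nowhere downstream
    mismatched: list = field(default_factory=list)  # delivered, but content differs
    unexpected: list = field(default_factory=list)  # downstream with no source record

    @property
    def clean(self) -> bool:
        return not (self.missing or self.mismatched or self.unexpected)


def reconcile(source, output, dead_letter, key="id"):
    """Account for every source record: delivered intact, dead-lettered, or flagged."""
    src = {r[key]: record_digest(r) for r in source}
    out = {r[key]: record_digest(r) for r in output}
    dlq = {r[key] for r in dead_letter}
    result = ReconciliationResult(len(source), len(output), len(dead_letter))
    for rid, digest in src.items():
        if rid in out:
            if out[rid] != digest:
                result.mismatched.append(rid)  # accuracy failure
        elif rid not in dlq:
            result.missing.append(rid)  # silently dropped: completeness failure
    result.unexpected = sorted(set(out) - set(src))
    return result


# Constructed sample batch (hypothetical data, not from a real system).
SOURCE = [{"id": i, "amount": a}
          for i, a in [(1, "10.00"), (2, "25.50"), (3, "7.25"), (4, "99.99")]]
OUTPUT = [{"id": 1, "amount": "10.00"}, {"id": 2, "amount": "25.05"},
          {"id": 5, "amount": "1.00"}]
DEAD_LETTER = [{"id": 3, "error": "timeout"}]

if __name__ == "__main__":
    print(reconcile(SOURCE, OUTPUT, DEAD_LETTER))
```

Record 3 is not reported as missing because it was captured in the dead-letter set for reprocessing; storing each run's result alongside the investigation notes gives the reconciliation record an auditor can trace.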
Evidence Your Auditor Will Request
- Automated processing control configurations including completeness checks and validation rules
- Reconciliation procedures and records showing input-to-output comparisons across systems
- Processing schedule monitoring and SLA compliance reports
- Authorization controls for processing initiation with role-based access and approval workflows
- Error handling procedures and logs showing detection, investigation, and resolution of processing errors
Common Mistakes
- Processing systems lack completeness checks, allowing records to be silently dropped or skipped
- No reconciliation processes exist between systems, allowing data inconsistencies to persist undetected
- Processing timeliness is not monitored, with SLA violations going unnoticed
- Error handling suppresses errors without logging or alerting, creating silent processing failures
- Manual processing interventions are not logged or authorized, creating integrity risks
Frequently Asked Questions
What types of reconciliation should we perform?
How do we handle processing errors without disrupting service?
How frequently should reconciliation be performed?