Disaster Recovery Controls Within My SOC 1?

July 27, 2015 Lauren Edmonds

Can I Have Disaster Recovery Controls Within My SOC 1 Test of Controls Matrix?

The short answer is no. The long answer is that the AICPA considers disaster recovery controls to be forward-looking, so they cannot be included in the audited section of the SOC report, which is a historical review. Controls related to redundancy and availability can be included, however. Disaster recovery is typically covered in Section 5 (Additional Info Provided by Management), or the service organization can consider other examinations (such as SOC 2, ISO certification, etc.) for assurance.

About the Author

Lauren Edmonds

Lauren is a Principal at Schellman with over 10 years of attestation and compliance experience. Lauren has evaluated risks and controls for a number of industries including financial services, manufacturing, marketing, distribution and service-based organizations.
