Can I Have Disaster Recovery Controls Within My SOC 1 Test of Controls Matrix?
The short answer is no. The long answer is that the AICPA considers disaster recovery forward looking controls which cannot be included in the audited section of the SOC report (which is a historical review). However, controls related to redundancy and availability can be included, but disaster recovery is typically included in Section 5 (Additional Info Provided by Management) or the service organization can consider other examinations (such as SOC 2, ISO certification, etc.) for assurance.
About the AuthorMore Content by Lauren Edmonds