Can I Have Disaster Recovery Controls Within My SOC 1 Test of Controls Matrix?
The short answer is no. The long answer is that the AICPA considers disaster recovery forward looking controls which cannot be included in the audited section of the SOC report (which is a historical review). However, controls related to redundancy and availability can be included, but disaster recovery is typically included in Section 5 (Additional Info Provided by Management) or the service organization can consider other examinations (such as SOC 2, ISO certification, etc.) for assurance.
About the Author
Lauren is a Principal at Schellman with over 10 years of attestation and compliance experience. Lauren has evaluated risks and controls for a number of industries including financial services, manufacturing, marketing, distribution and service-based organizations.More Content by Lauren Edmonds