Disaster Recovery Controls Within SOC 1 Test of Controls Matrix

September 14, 2015 Lauren Edmonds

Can I have disaster recovery controls within my SOC 1 test of controls matrix?

The short answer is No. The long answer is that the AICPA considers disaster recovery and business continuity planning to be plans and not controls. Additionally, while disaster recovery and business continuity planning may be of interest to user entities, the AICPA does not consider business continuity to be relevant to internal controls over financial reporting, and therefore cannot be included in the description of controls or test of controls within a SOC 1.

Controls related to redundancy and availability can be included, if appropriate, but disaster recovery is typically included in Section 5 (Additional Information Provided by Management) or the service organization can consider other assessments that discuss disaster recovery (such as SOC 2, ISO certification, etc.).

About the Author

Lauren Edmonds

Lauren is a Principal at Schellman with over 10 years of attestation and compliance experience. Lauren has evaluated risks and controls for a number of industries including financial services, manufacturing, marketing, distribution and service-based organizations.

More Content by Lauren Edmonds
Previous Article
A Kinship: SOC 2 and ISO 27001
A Kinship: SOC 2 and ISO 27001

Have you ever wondered if the ISO 27001 certification is at all similar to a SOC 2 report?  Many organizati...

Next Article
Sharing Your SOC 1 During RFP
Sharing Your SOC 1 During RFP

Can I share my SOC 1 with a prospect while we are going through an RFP process?