Can I have disaster recovery controls within my SOC 1 test of controls matrix?
The short answer is No. The long answer is that the AICPA considers disaster recovery and business continuity planning to be plans and not controls. Additionally, while disaster recovery and business continuity planning may be of interest to user entities, the AICPA does not consider business continuity to be relevant to internal controls over financial reporting, and therefore cannot be included in the description of controls or test of controls within a SOC 1.
Controls related to redundancy and availability can be included, if appropriate, but disaster recovery is typically included in Section 5 (Additional Information Provided by Management) or the service organization can consider other assessments that discuss disaster recovery (such as SOC 2, ISO certification, etc.).
About the Author
Lauren is a Principal at Schellman with over 10 years of attestation and compliance experience. Lauren has evaluated risks and controls for a number of industries including financial services, manufacturing, marketing, distribution and service-based organizations.More Content by Lauren Edmonds