SchellmanCON is back! Join us for our virtual conference on March 6 & 7, 2025

Contact Us
Services
Services
Crypto and Digital Trust
Crypto and Digital Trust
Schellman Training
Schellman Training
Sustainability Services
Sustainability Services
AI Services
AI Services
About Us
About Us
Leadership Team
Leadership Team
Corporate Social Responsibility
Corporate Social Responsibility
Careers
Careers
Strategic Partnerships
Strategic Partnerships

Disaster Recovery Controls Within SOC 1 Test of Controls Matrix

SOC Examinations

Can I have disaster recovery controls within my SOC 1 test of controls matrix?

The short answer is No. The long answer is that the AICPA considers disaster recovery and business continuity planning to be plans and not controls. Additionally, while disaster recovery and business continuity planning may be of interest to user entities, the AICPA does not consider business continuity to be relevant to internal controls over financial reporting, and therefore cannot be included in the description of controls or test of controls within a SOC 1.

Controls related to redundancy and availability can be included, if appropriate, but disaster recovery is typically included in Section 5 (Additional Information Provided by Management) or the service organization can consider other assessments that discuss disaster recovery (such as SOC 2, ISO certification, etc.).

About LAUREN EDMONDS

Lauren is a Principal at Schellman with over 10 years of attestation and compliance experience. Lauren has evaluated risks and controls for a number of industries including financial services, manufacturing, marketing, distribution and service-based organizations.