In recent years, the topics of Business Continuity and Disaster Recovery have taken on increased significance as customer organizations attempt to understand how capable their service provider is of handling a business interruption. Recent events such as the Code Red virus and the Nimda worm, as well as the catastrophe of September 11th, have demonstrated that organizations must have contingency plans in place to mitigate such risks.

Therefore, many organizations that use a third party service organization have a vested interest in the adequacy of their service provider's business continuity and disaster recovery efforts. Historically, service providers have included a control objective related to business continuity in their description of controls as part of the SAS 70 examination. However, business continuity planning is a concept that addresses how an organization mitigates future risks as opposed to actual controls that provide user auditors with a level of comfort surrounding the processing of transactions. Because of this ambiguity, the AICPA has recently provided the following guidance:

"A service organization's plans related to business continuity and contingency planning generally is of interest to the management of user organizations. If a service organization wishes to describe its business continuity and contigency plans, such information may be included in Section Four (4), "Other Information Provided by the Service Organization." Because plans are not controls, a service organization should not include in its description of controls (Section Two of the report) a control objective that addresses business continuity or contingency planning."

Therefore, controls related to business continuity and disaster recovery can still be disclosed, but the description of these activities should be included in Section Four of the final service auditor's report.

If a service organization has an additional need to communicate the adequacy of its business continuity activities to its customers or stakeholders, the service organization should consider a Trust Services attestation engagement using the Trust Services Availability principle. The Trust Services Availability principle provides specific criteria related to system availability, service level agreements, and business continuity that the auditor can measure the service organization against. The resulting Trust Services report can actually be distributed to a much wider audience and thus provide an added marketing benefit and considerable value to the service organization.

If you need further information, contact us.

Comments are closed
Anonymous commented on 05-Jul-2011 07:34 AM
Following up on above, does this also mean that from a SOX point of view, there is no need to ask for an ISAE 3402 report for a disaster recovery data center? (so it is sufficient to have a ISAE 3402 for the data center that is productively used).