SAS 70 and Disaster Recovery Plan of service provider? 1050

  • The external auditor has asked for evidence and proof that the user/customer control considerations specified in the SAS 70 report were tested for key service providers. We believe that some of these controls were already tested either in the application controls or general controls already. At least we are hoping.
    After reviewing the SAS 70 report, one of the user controls is to obtain the service organization’s disaster recovery plan and particpate in their disaster recovery testing. In another one, they wanted us to ensure that our disaster recovery plan integrates with theirs.
    what should we expect in participating in the service organization’s disaster recovery testing?
    Is this necessary?
    any suggestions?

  • See this discussion =
    If it is out of scope for the reporting entity, it is out of scope for a service provider.

  • Thanks kymike.
    I think we will need to check with the external auditor on this because they wanted us to provide evidence that we are performing the ‘user control considerations’ in the SAS 70. I find the SAS 70 to state that we should be participating in testing the service provider’s disaster recovery plan. It also states we shoud have BCP which has been tested.
    If DR and BCP are out of scope then we don’t want the external auditor to fail us on the SAS 70 part because we didn’t test the service organization’s DR.

  • Remember that the SAS 70 is not just a report to be used for SOX purposes. It can cover operational and/or compliance controls as well. The suggestion in the report that you participate in testing the disaster recovery plan is correct from an operational control perspective, but should not impact your SOX work.

  • Our external auditor told us that Disaster Recovery is out of scope but they consider Business Continuity in scope. This is not what appendix C of the AS 2 from PCAOB states.
    See Appendix C section 5 addresses Business Continuity
    ‘Furthermore, management’s plans that could potentially affect financial reporting in future periods are not controls. For example, a company’s business continuity or contingency planning has no effect on the company’s current abilities to initiate, authorize, record, process, or report financial data. Therefore, a company’s business continuity or contingency planning is not part of internal control over financial reporting.’
    It is very concerning that our external auditor defines business continuity differently then we do. They were discussing what happens when the network goes down and SLA’s. We don’t have any internal SLA’s currently. If a problem occurs then it is all hands on deck to resolve it.
    I am wondering whether our external auditors have DR confused with BCP.

  • I am wondering whether our external auditors have DR confused with BCP.
    Common mistake

  • I am wondering whether our external auditors have DR confused with BCP.
    From a practical perspective a BCP is really built on top of a DRP. DR restores systems and connectivity while BC extends that to a more practical level where people can resume critical business functions.
    Some people use the two terms somewhat interchangably and that is not technically correct. What I have found is that people asking for a DRP really want a BCP, but people asking for a BCP seem to want both a DRP and BCP. The best thing to do is to ask for a definition of what they expect.

Log in to reply