Disaster Recovery as Control Objective

In some of the recent years, the issues of Disaster Recovery and/or Business Continuity has received a lot of significance from the service organizations as more and more customer organizations are attempting to know how their service provider is capable of handling a business disaster and interruption in business operations. The Code Red virus and then the Nimda worm all were am major threats to the data in the cyber world, and then the catastrophe of September 11th, which all have demonstrated why all service organizations need to have contingency plans and processes in place to reduce and mitigate all such risks.

All user organizations that use any third party service usually have a vested interest in the provision and adequacy of disaster recovery procedures and controls at their service provider's business. Historically, all service providers provide for a control objective which relates to their business continuity in case of disaster in their details and descriptions of the internal controls which form part of the audit report under SAS-70 examination. Business continuity and recovery planning in case of disaster is a concept which addresses how any service organization tries to mitigate the unforeseen future risks in contrast to actual controls that usually provide the user auditors a level of assurance regarding the processing of the customers transactions.

A service organization which has plans related to is business continuity and has contingency planning for disaster recovery which is of general interest to the auditors of the user organizations is allowed to describe its such business continuity and disaster recovery contingency plans in the Service Auditor’s report under the heading "Other Information Provided by the Service Organization" . As plans are not internal controls, a service organization is not allowed to these in the description of controls as a control objective which addresses its business continuity or disaster recovery contingency planning.