Frequently Asked Questions:
Business Continuity | BCM | BCDRP and SAS 70
As a SAS 70 Auditor, I'm often asked about disaster recovery plans and their overall importance and requirement, if any, in regard to a SAS 70 Type I or Type II audit. What's interesting to note about Business Continuity Disaster Recovery (BCDR), or any variation thereof (Business Continuity Management, etc.), is that under the amended SAS 70 auditing guidelines put forth by the AICPA publication, a plan is not a control objective. In short, BCDR is not a requirement of SAS 70. So, there's the technical answer.
In theory, many auditors will devise a control objective for BCDR for the SAS 70 audit purely based on the importance of the plan itself. It ultimately depends on the CPA firm that is conducting the audit whether they decide to include it or not include it in the scope of the audit. If an auditor does not test for it, it can still be included in a section called "additional information provided by the service organization". This section gives service organizations a chance to discuss or include in the final SAS 70 report any other material, documents, etc. they feel are vital to understanding the organization as a whole.
If you want to learn more about SAS 70 audits, find out what SAS 70 is, or receive a free SAS 70 Type II audit report, then visit the official SAS 70 Resource guide, where a voluminous amount of information can be found on the SAS 70 auditing standard. White papers, current industry articles, a glossary of commonly used SAS 70 terms: it's all there for you at the most widely recognized website on the Internet for this highly specialized audit process.
