SAS70-I’m often asked about Business Continuity & Disaster Recovery (BCDR) when preparing a new client for a SAS70 Type I or Type II audit that. Specifically, they ask me if it is a requirement for a SAS70 audit and what should they be doing in order to adequately prepare and document a BCDR strategy and plan.
Technically, NO, BCDR or any variation thereof (also commonly known as BCM, etc.) is NOT a requirement for testing for a SAS70 audit, based purely on the amended SAS70 publication of 2005 and 2007 that states a “plan is not a control objective”, thus BCDR and BCM Plans are not included in the scope of the SAS70. That’s the technical NO answer.
In theory, many auditors would say that YES, a BCDR or BCM plan should be in scope and should have a control objective in place for testing for the plan.
Regardless of which decision the auditor makes, its paramount that service organization’s have a working and documented BCDR or BCM plan in place. It just makes good business sense.
To learn more about what is SAS70, visit the official SAS70 resource guide where you can receive a complimentary SAS70 Type II audit report.