Yesterday, there was a post on Data Center Knowledge titled "Why SOC 1/SSAE 16 is Still the King of the Hill." The post celebrated the fact that data centers chose SOC 1 over SOC 2 in the first 12 months since the launch of SOC reports. This really perplexes me, because my firm belief is that the market missed a huge opportunity by sticking with the status quo in year 1 of SOC reports. So I asked myself: why would someone celebrate when there is no cause for celebration? Perhaps people do not see how small the hill that the SOC 1 King sits on really is.
I'm not sure whether everyone is aware of it, but the cloud wars have begun, and companies are racing to the cloud. The AICPA understood this seismic shift, and the need for a risk-assurance product other than the one that had been criticized by the Gartner report as follows:
So in a climate where data centers are competing fiercely to win the business of SaaS customers, what happened after the launch of SOC reports? Everyone rushed out to get a SOC 2 report, the one the AICPA said is the right report for cloud security... right?
Not exactly. Everyone decided to sit tight and embrace the status quo (please see a partial list of companies that selected SOC 1 over SOC 2 here). The market heard "SSAE 16 replaces SAS 70," and promptly went out and got an SSAE 16 report to replace its SAS 70 report. I would expect CPAs to be extremely disappointed by this rather than calling for a celebration of the SOC 1 King.
There are some majestic mountains right in front of us, and a King of the Mountain of cloud security has not been crowned yet. If CPAs do not want to expand their dominion beyond assurance over internal controls over financial reporting (ICFR), perhaps another profession can adapt the SOC 2 audit methodology and establish itself as King of the Mountain.