I have heard on more than one occasion that a datacenter was told by its service auditor that it needs an SSAE 16 (SOC 1) report because it is hosting applications that are relevant to its customers' financial reporting.
Okay, but what if the datacenter does not have logical access to the server? What if backup processes are controlled by the client? Then we are left with physical access and environmental controls.
I have walked through the types of scenarios that would need to occur before these kinds of controls could have any relevance to financial reporting, and have demonstrated that it is unreasonable to conclude that they are ICFR domains.
I would like to challenge anyone out there to take a control from such a datacenter's SOC 1 report and walk through a scenario demonstrating how the absence or failure of that control could impact its customers' financial statements. You can leave a comment on this post, or upload your analysis here.