I will do a video like the ones I did for OnlineTech and CBeyond, or we can just do a Q&A format, as is done in magazines, if you would prefer.
You can say whatever is on your mind, but you might want to consider the following questions depending on the type of organization you work for:
- What do you think about the launch of SOC reports? Who was responsible for the [SAS 70 has been replaced by SSAE 16] spin on the AICPA's announcement that [SAS 70 was replaced by SOC reports]?
- What do you think the effect of this spin has been on the marketplace?
- How do you think the market's missed opportunity to adopt SOC2 for assurance regarding security and availability in the first year of SOC reports will affect it in the coming years?
- What are some of your personal experiences with regard to these reports?
- Why do you think service organizations that used SAS 70 to provide assurance regarding security and availability gravitated to SSAE 16 instead of SOC2?
- Do you think SOC2 reports provide sufficient assurance regarding security and availability? If not, how do you supplement the report?
- What advice would you give other user entities?
- Why do you think customers that requested SAS 70 to provide assurance regarding security and availability requested SSAE 16 instead of SOC2?
- What do you think about SOC2? Do you think that the Trust Services Principles and Criteria are adequate to provide assurance regarding security and availability?
- What advice would you give other service organizations?
- Why do you think some service auditors allowed their clients to include all of the same controls that were previously included in their SAS 70 reports?
- Do you think more clarification is needed from the AICPA regarding what should be considered ICFR?
- What advice would you give other service auditors?