If you have made the decision to go with a SOC 2 because it is the right report for your organization, but you still have customers who are asking for a SOC 1 (SSAE 16), here's what you can tell them.
We have determined through careful examination of our services, and in consultation with our CPA firm that SOC 1 (SSAE 16) is not applicable to us because our services do not have the potential to impact the accuracy of our customer's financial statements. Our customers have expressed the need to obtain assurance pertaining to our internal controls as they relate to the security, integrity, confidentiality, and privacy of the data we process, store, or transmit for them, as well as the availability of the systems we host for them. Consequently, we have selected to undergo a SOC 2 engagement that is based on the same family of standards as SSAE 16, but is more applicable to the services we provide our customers.
Our SOC 2 report, based on SSAE 10, 11, 12, and 14; cumulatively referred to as AT-101, provides assurance regarding security, availability, processing integrity, confidentiality, and privacy. It is not intended to provide our customers with assurance relevant to internal controls over financial reporting (ICFR). If your internal or external auditors require supporting documentation regarding how we determined that our services do not pertain to our customer's ICFR process, we will be happy to provide the information to them upon request.
Thank you very much for your business.
You will have to tailor the references to all five TSPC principles if you only received an attestation on a subset of the five (ie. just security and availability).
If your CPA firm has not helped you document why your internal control environment does not have ICFR impact on your customers, then you can contact me at email@example.com, and I will document it for you using the Degrees of Risk Separation (DoRS) approach to determining ICFR.