UPDATE: The guidance has been taken down. Follow the link here... Let's see what happens next.
This is big news! The AICPA said the following in guidance released today:
This means that those service organizations who were left scratching their heads when their publicly traded customers told them that they would need a SOC 1 report that covers physical security because their external auditors had told them that they would get a significant deficiency on their financial statement audit otherwise, even though their SOC 2 covers physical security in more depth can breathe a sigh of relief.