On the anniversary of SOC report launch, Hussain Sultan of Reckenen Accountants & Associates published the following results of their survey of data centers in the U.S. The results clearly indicate the market's response to the AICPA's attempt to correct the misuse of SAS 70 that was so pervasive in the industry before SSAE 16, and that continues under the new attestation standard.
With the rejection of SOC 2, the data center industry is telling the AICPA, we hear you, but we are not interested. Our customers are not asking for SOC 2 because our SOC 1 (SSAE 16) reports contain the information they are looking for with regard to the security, availability, processing integrity, confidentiality, and privacy of the services we provide them.
Until the AICPA gets tough on CPAs that are issuing opinions under the SSAE 16 attestation standard on engagements that include testing of controls that are not relevant to internal controls over financial reporting (non-ICFR controls), there will not be a significant change in this reality. Two years after the launch of SOC reports, the data center industry is ignoring SOC 2.