SOC 2 Reporting Standard is Gaining Popularity for Data Centers According to Reckenen Inc.

Share Article

According to a recent study conducted by Reckenen Inc., SOC 2 audits are gaining momentum for data centers as compared to SSAE 16 in 2013.

SOC/SSAE Infographic

SOC/SSAE16 Survey Results Infographic

SOC 2 reports cover for the deficiencies of SSAE 16 by providing a standard benchmark by which two data centers' audit reports could be compared.

In 2012, SOC 2 reports were about 7% of the total SOC audits for data centers, while in 2013 so far 14% of the audits have been for SOC 2, a YOY% growth of 100%. Reckenen Inc. surveyed 91 data centers and found that 90% of the colocations data centers are SOC compliant. 82% of the data centers are SOC 1 or SSAE16 audited. The remaining 18% are either SOC 2 or SOC 3 compliant.

After the issuance of SOC reporting framework in June, 2011, most data centers which had a SAS 70 certification initially obtained SOC 1 (SSAE 16) examination. SOC 1 (SSAE 16) is primarily for ensuring control over financial reporting by the user organizations. AICPA came up with SOC 2 for service organization like colocations and web hosts to provide a standard benchmark by which two data centers could be compared with. The top reasons for obtaining SOC compliance cited by data centers are: client needs (42%), competition (21%), and marketing advantage (17%).

“SOC 2 reports cover for the deficiencies of SSAE 16 by providing a standard benchmark by which two data centers' audit reports could be compared,” said Hassan Sultan, Partner at Reckenen Inc. “Looking forward, SOC 1 coupled with SOC 2 audits are becoming the standard for data centers and cloud based service providers.”

SOC 2 reports are designed to meet the needs of existing or potential customers who need assurance about the effectiveness of controls at a service organization that are relevant to the security, availability, or processing integrity of the system used by the service organization to process customers’ information, or the confidentiality or privacy of that information. The following principles and related criteria have been developed by the American Institute of CPAs (AICPA) and the Canadian Institute of Chartered Accountants (CICA) for use by practitioners in the performance of SOC 2 engagements:

  •     Security. The system is protected against unauthorized access (both physical and logical).
  •     Availability. The system is available for operation and use as committed or agreed.
  •     Processing integrity. System processing is complete, accurate, timely and authorized.
  •     Confidentiality. Information designated as confidential is protected as committed or agreed.
  •     Privacy. Personal information is collected, used, retained, disclosed and destroyed in conformity with the commitments in the entity’s privacy notice and with criteria set forth in generally accepted privacy principles issued by the AICPA and CICA.

The Reckenen’s report, SOC/SSAE16 Insights, is based on a survey of 91 data centers located in United States by data centers by size, sophistication, and ownership. The report provides the data center owners and decision makers with the industry trends in SOC reporting standards, the time when the reports and the audits are conducted, and the top reasons why data centers are choosing to get audited.

About Reckenen:
Reckenen provides SOC audit services to data centers and other service organization. It offers a sophisticated array of services and capabilities to clients, combined with the personal attention of experienced professionals. Its professional staff is driven to understand each client’s business and fully prepare it to meet unique challenges in a manner that’s personal, proactive, and progressive. To learn more, please visit

Share article on social media or email:

View article via:

Pdf Print

Contact Author

Hussain Sultan

Email >
Follow us on
Visit website