Institutions of Higher Education and SOC Engagements Greg Kolvoord 19 Apr 2017 07:14 EST

Good Morning,

First, I apologize if this is a duplicate post (I don't see my original post so I'm re-posting).

I'm interested to know if there are any institutions of higher education (IHEs) out there that have recently (or ever) undergone a Service Organization Controls (SOC) examination, specifically a SOC 2 examination with a type 2 report?

We have a situation where a unit within our university system is quite active in bidding for and receiving State service contracts however, it appears that the State recently modified its IT security policies and now, many State RFPs are requiring potential contractors to provide independent certification (in the form of a SOC report) of the internal controls impacting all data processed and/or hosted on the remote systems of contracted service providers. Has anyone else encountered this issue?

If anyone has gone through a SOC 2 review, would you be willing to share a brief summary of the experience and/or a ballpark estimate of the cost and time involved? I realize that the cost and time frame for a SOC engagement could vary significantly by entity size and audit scope but I'm curious to see how this has impacted other institutions.

Thanks for any insight that can be provided on this issue.

Greg

<br>
======================================================================<br>
 Instructions on how to use the RESADM-L Mailing List, including<br>
 subscription information and a web-searchable archive, are available<br>
 via our web site at http://www.healthresearch.org (click on the<br>
 "LISTSERV" link in the upper right corner)<br>
<br>
 A link directly to helpful tips:  http://tinyurl.com/resadm-l-help<br>
======================================================================<br>