We are a software as a service vendor for research, and recently we had an IRB request a SOC 2 Certification (Report on Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality or Privacy). It's specifically for software as a service companies. As I understand it, instead of providing your security infrastructure, operations and procedures, you provide the security certificate from an independent auditor. Though I could be wrong. I've asked around among my network of health IT companies, and while some had heard of it, and one started the process, none have completed it yet.
I'm curious if other IRBs are thinking about forgoing the traditional IT review process in favor of this independent review? It's a relatively expensive audit process ($20k to $70k), so if there are many IRBs thinking about it, and it will reduce the sometimes laborious IT security review, it's worth the investment. But if it's not widely known or accepted, it's not worth the investment for one customer at our price points.
And for anyone that is familiar with the SOC 2 and does require it, how important is it to you who the auditor is? Do you need/expect it to be from a big five auditor like PwC or Ernst & Young (very expensive), or are you satisfied with an external audit by any organization (many of whom are a lot less expensive)?
For any companies that have been through the SOC 2 audit process before, about how long did it take?
Matthew Amsden, CEO ProofPilot