News > TPAs & The SOC 1 Audit



By: Mark Welp, CPA, CFE, MAcc- Principal, Audit & Assurance

Why Third Party Administrators Should Consider a SOC 1 Report

When it comes to the type of organization that makes a good candidate for a SOC 1 Report, Third Party Administrators, also known as TPAs, truly fit the bill. What exactly is a TPA? Let’s take a look at the definition according to Wikipedia:

A third-party administrator is an organization that processes insurance claims or certain aspects of employee benefit plans for a separate entity. It is also a term used to define organizations within the insurance industry which administer other services such as underwriting, customer service. This can be viewed as outsourcing the administration of the claims processing, since the TPA is performing a task traditionally handled by the company providing the insurance or the company itself. Often, in the case of insurance claims, a TPA handles the claims processing for an employer that self-insures its employees. Thus, the employer is acting as an insurance company and underwrites the risk. The risk of loss remains with the employer, and not with the TPA. An insurance company may also use a TPA to manage its claims processing, provider networks, utilization review, or membership functions. While some third-party administrators may operate as units of insurance companies, they are often independent.

Assurance, Accountability & Confidence When Processing A High Volume of Sensitive Data

Did you notice how many times the word processing was used above? TPAs are processing lots of information, and very sensitive information at that. Insurance information and claims, financial information, payment information, social security numbers. The need for sound controls in this environment is strong. Companies who partner with a TPA need assurance like never before. These companies are pushing for TPAs to have a SOC 1 performed so they have the peace of mind that the TPA has internal controls in place that are sound and effective.

Why a SOC 1 Over a SOC 2 for a TPA?

The SOC 1 Report is the correct report due to the services the TPAs provide which are often linked to the outside user’s controls as they relate to finances and financial reporting.

A Greater Focus on Internal Controls Related to Financial Reporting

Agreeing on and testing internal controls related to a TPA’s actual business processes and financial transactions is critically important. After all, intended users of the report are wanting to know what specifics about certain processes and procedures, such as the following (which are sample control objectives used for assessing and testing controls for a TPA):

• Controls provide reasonable assurance that all new plans are setup and established in a timely, accurate, and complete manner.
• Controls provide reasonable assurance that the billing & eligibility department (B&E) facilitates, processes and maintains all necessary and vital information relating to member eligibility for clients.
• Controls provide reasonable assurance that all incoming claims, both electronic and paper based, are received, handled and processed in a timely, accurate, and complete manner.
• Controls provide reasonable assurance that all new claims are established and priced in a timely, accurate, and complete manner.
• Controls provide reasonable assurance that the claims process is conducted and administered in a timely, accurate, and complete manner.

Are You Ready For a SOC 1 Report?

H&M can assist with a wide variety of SOC 1 SSAE 18 needs for TPA’s. We can perform a scoping and readiness assessment, develop documentation, assist in developing control objectives, put in place continuous monitoring, and so much more. We’ve been working with the TPA/health and wellness/benefits sector for decades, giving us an inside view into the world of operations – and regulatory compliance – that few possess.