SOC 1 SSAE 18 for Third-Party Administrators (TPA) – Employee Benefits

NDNB provides fixed-fee SOC 1 SSAE 18 Type 1 and Type 2 audit reports for Third-Party Administrators (TPA) and other benefit related organizations. While service organizations are aggressively moving towards SOC 2 annual compliance, TPA’s and other benefit related organizations generally have strict reporting requirements for the ICFR concept – Internal Controls Over Financial Reporting. Because of this, SOC 1SSAE 18 is the preferred – truly the only – auditing mechanism capable of assessing financial related controls.

SOC 1 Experts for TPA’s in Employee Benefits Marketplace

The Third-Party Administrator (TPA)/Benefits industry is large, complex, and heavily regulated by any number of state and federal jurisdictions. Additionally, because of the incredibly large amounts of aggregated financial transactions they support, TPA need to ultimately perform annual SOC 1 SSAE 18 Type 2 reports. NDNB has been performing audits on TPA’s for over two decades, starting with the now retired SAS 70 auditing standard. In short, we know TPA’s inside and out, how they work, what controls need to be in place, how to test, along with many other factors. We offer fixed-fee pricing and superior knowledge when it comes to SOC 1 SSAE 18 audits for TPA’s.

Essential SOC 1 Information TPA’s Need to Know

But enough about us! Let’s take a deeper dive into the world of SOC auditing, providing a inside look at the world of SOC 1 SSAE 18 audits for TPA’s. Here are the essential things you need to know for auditing success, courtesy of NDNB:

Begin with a Scoping & Readiness Assessment: If you’re new to the world of SOC auditing – and thankfully, most TPA’s are not – or just need a refresher on critical audit issues, then a SOC 1 SSAE 18 scoping & readiness is highly recommended. Why? Because we’ll ensure the following issues are clearly identified, confirmed, and resolved:

  • Scoping boundaries
  • Any technical and/or documentation gaps and internal control weaknesses
  • Relevant ICFR control objectives for testing various transactions
  • Third-Party providers who may be in-scope for the audit
  • Other related factors

A SOC 1 SSAE 18 scoping & readiness will help “clear the air” on any open items that you may not have a full understanding of. Because audits on TPA’s are generally more complex than other service organizations, you’ll really want to ensure that all of the above issues (and others) are fully resolved.

Identify ICFR Controls and Develop Relevant Control Objectives: Agreeing on and testing internal controls related to a TPA’s actual business processes and financial transactions is critically important. After all, intended users of the report are wanting to know what specifics about certain processes and procedures, such as the following (which are sample control objectives used for assessing and testing controls for a TPA):

  • Controls provide reasonable assurance that all new plans are setup and established in a timely, accurate, and complete manner.
  • Controls provide reasonable assurance that the billing & eligibility department (B&E) facilitates, processes and maintains all necessary and vital information relating to member eligibility for clients.
  • Controls provide reasonable assurance that all incoming claims, both electronic and paper based, are received, handled and processed in a timely, accurate, and complete manner.
  • Controls provide reasonable assurance that all new claims are established and priced in a timely, accurate, and complete manner.
  • Controls provide reasonable assurance that the claims process is conducted and administered in a timely, accurate, and complete manner.

Identify ITGC Controls and Develop Relevant Control Objectives: SOC 1 SSAE 18 reports also require a healthy application of Information Technology General Controls (ITGC), so consider the following:

  • (Change Management): Controls provide reasonable assurance that changes to existing systems and the implementation of new systems as well as any internal company-wide changes, are authorized, tested, approved, properly implemented, and documented.
  • (Logical Access): Controls provide reasonable assurance that access to all information systems (Network Devices, Operating Systems, Applications, and Databases) and other components that require authentication and authorization activities is limited to those who are authorized, and access rights are commensurate with user roles and responsibilities within the organization.
  • (Network Security): Controls provide reasonable assurance that formalized network policies and procedures are in place, secure data transmission protocols are utilized, and information systems are appropriately hardened, configured, and monitored as needed for ensuring a secure environment.
  • (Data Backup): Controls provide reasonable assurance that data files are backed up in a timely and complete manner, backup logs are generated for appropriate review, and critical system maintenance activities are undertaken on a regular basis.

Remediate as Necessary: For TPA’s, we often find that the biggest area of remediation is documentation – specifically – ensuring processes and procedures are well-written, followed, updated as necessary, and approved by management. After all, a well-run TPA is an organization that carefully follows documented policies and procedures for workflow efficiency.

SOC 1 SSAE 18 and SOC 2 Policy Templates and Information Security Policies

NDNB can assist with any documentation remediation efforts as necessary, such as authoring processes and procedures, and providing recommendations for enhanced control activities. We’ve been auditing TPA’s for years – and know how such businesses function.

Engage in Continuous Monitoring: Assessing internal controls and one’s related processes and procedures is an incredibly important – and required – element of SOC 1 SSAE 18 compliance. The best solution for such measures is to identify a capable “champion” within your organization who can regularly assess internal controls for all information security and operational environments. Becoming SOC 1 SSAE 18 compliant is an accomplishment indeed – but staying compliant can be even more challenging.

NDNB is North America’s Leading Provider of SOC Audits

Looking for a well-respected CPA firm that offers fixed-fees to Third-Party Administrators (TPA) for SOC 1 SSAE 18 compliance? Then get to know NDNB and our expertise and pricing model. Contact Chris Nickell, CPA, at This email address is being protected from spambots. You need JavaScript enabled to view it. to learn more about NDNB’s fixed-fees for SOC 1 SSAE 18 Type 1 and Type 2 reporting for the TPA/health and wellness/benefits sector.

NDNB also offers comprehensive SOC 1 and SOC 2 audits for businesses using Amazon AWS, Microsoft Azure, and Google GCP

Let’s Talk About Your SOC Audit Needs

NDNB can assist with a wide variety of SOC 1 SSAE 18 needs for TPA’s. We can perform a scoping & readiness assessment, develop documentation, assist in developing control objectives, put in place continuous monitoring, and so much more. We’ve been working with the TPA/health and wellness/benefits sector for decades, giving us an inside view into the world of operations – and regulatory compliance – that few possess. Need a SOC 1 SSAE 18 Type 1 and/or Type 2 assessment performed, we can help. Contact Chris Nickell, CPA, at This email address is being protected from spambots. You need JavaScript enabled to view it..

Fixed-Fees. Superior Service. Nationwide Coverage

How much does it cost to perform an actual SOC 1 SSAE 18 Type 1 or Type 2 audit on a TPA? That depends on a number of factors, but rest assured, NDNB will provide the very best fee and the very best service – guaranteed. From coast to coast, we offer regulatory compliance expertise that few can offer, so let’s talk about your SOC 1 SSAE 18 reporting needs.