NDNB provides fixed-fee SOC 1 SSAE 18 Type 1 and Type 2 audit reports for Third-Party Administrators (TPA) for property & casualty and other P&C related organizations. Organizations involved with comprehensive property claims management and casualty claims management often have strict regulatory compliance reporting requirements, with SOC 1 SSAE 18 reporting being the default assessment audit report.
SOC 1 Experts for TPA’s and Property & Casualty Marketplace
NDNB has years of experience in working with TPA’s in the property & casualty marketplace. This has given us unrivaled experience when it comes to planning, assessing, and reporting on controls for SOC 1 SSAE 18 compliance. Many of the functions performed by TPA’s in the property & casualty marketplace require a structured process from beginning to end, starting with first responses measures for a claim, up through the final adjudication process. In between, there’s dozens of steps and related processes that must be assessed for SOC 1 SSAE 18 compliance.
NDNB can assist in developing the proper scope, identifying financial related controls (ICFR concept), along with Information Technology General Controls (ITGC) for ensuring full coverage in terms of audit scope. Very few firms licensed to perform SOC 1 reports have our knowledge when it comes to the property & casualty marketplace.
Essential SOC 1 Information TPA’s Need to Know
But enough about NDNB. Let’s take a deeper dive into the world of SOC auditing, providing you with an inside look at the world of SOC 1 SSAE 18 audits for TPA’s in the property & casualty marketplace. Here are the essential things you need to know for auditing success:
Begin with a Scoping & Readiness Assessment: Is this your first SOC 1 SSAE 18 audit, or are you looking for a second set of eyes for ensuring your annual audit process gets off on the right track? Either way, a scoping & readiness assessment is essential for determining the following:
- Actual audit scoping boundaries
- What financial and operational related controls relating to property claims and casualty claims are to be assessed and in-scope?
- What Information Technology General Controls (ITGC) are to be assessed for the audit?
- Are their relevant third-party providers deemed in-scope – and if so – what roles do they play?
- What specific reporting requirements are being requested by clients, prospects, regulators, etc.
- What gaps and deficiencies exist within your control environment and what measures are in place to correct them?
These issues – and more – are critical items to assess for TPA’s in the property & casualty marketplace, and NDNB can assist.
Identify ICFR Controls and Develop Relevant Control Objectives: SOC 1 SSAE 18 reports for TPA’s in property & casualty marketplace require the development and subsequent testing of control objectives that are specific to one’s operations. Reports that are too generic and lack clarity will be dismissed as insufficient, causing even bigger challenges. With that said, listed below are sample control objectives (both financial/operational control objectives that should be considered for SOC 1 SSAE 18 reports for TPA’s in property & casualty marketplace:
- Controls provide reasonable assurance that all new claims are setup and established in a timely, accurate, and complete manner.
- Controls provide reasonable assurance that all incoming claims, both electronic and paper based, are received, handled and processed in a timely, accurate, and complete manner.
- Controls provide reasonable assurance that the entire claims process is conducted and administered in a timely, accurate, and complete manner.
- Controls provide reasonable assurance that adequate and sufficient support material, such as pricing parameters, work instruction documents, and all other necessary legal, contractual, and operational material is in place for aiding and facilitating the entire claims process.
- Controls provide reasonable assurance that adequate and sufficient financial reporting is communicated and provided to all clients regarding claims.
Identify ITGC Controls and Develop Relevant Control Objectives: SOC 1 SSAE 18 reports for TPA’s also require a healthy application of Information Technology General Controls (ITGC), so consider using the following for the scope of your report:
- (Change Management): Controls provide reasonable assurance that changes to existing systems and the implementation of new systems as well as any internal company-wide changes, are authorized, tested, approved, properly implemented, and documented.
- (Logical Access): Controls provide reasonable assurance that access to all information systems (Network Devices, Operating Systems, Applications, and Databases) and other components that require authentication and authorization activities is limited to those who are authorized, and access rights are commensurate with user roles and responsibilities within the organization.
- (Network Security): Controls provide reasonable assurance that formalized network policies and procedures are in place, secure data transmission protocols are utilized, and information systems are appropriately hardened, configured, and monitored as needed for ensuring a secure environment.
- (Data Backup): Controls provide reasonable assurance that data files are backed up in a timely and complete manner, backup logs are generated for appropriate review, and critical system maintenance activities are undertaken on a regular basis.
Engage in Essential Remediation: Identifying gaps, and then correcting deficiencies is an extremely common process – after all – doesn’t every organization have internal controls they can improve upon? They do, and it usually falls under two (2) categories:
- Remediation for documentation (i.e., missing processes and procedures, etc.), and
- Security remediation, such as enhancing system configurations, making passwords stronger, etc.
Perform Continuous Monitoring: Completed your initial SOC 1 SSAE 18 audit – congratulations – and now the real hard work begins as staying compliant is often a more challenging and time-consuming process. The solution is to speak with NDNB about proven strategies for reducing audit costs and saving thousands of dollars each year on regulatory compliance.
NDNB is North America’s Leading Provider of SOC Audits
NDNB has performed dozens of SOC 1 SSAE 18 Type 1 and Type 2 audit reports for Third-Party Administrators (TPA) for property & casualty and other P&C related organizations. Additionally, going further back – to the original SAS 70 auditing standard – we’ve actually issued over 100 attest reports for TPA’s in the property & casualty marketplace.
Fixed-Fees. Superior Service. Nationwide Coverage