What is a TPA?
A Third Party Administrator (TPA) is a service organization that provides a variety of services to the insurance industry in accordance with a service agreement. TPAs are usually used to provide services associated with employee benefits, such as insurance-related services, to both insurance providers and companies that provide insurance to their employees.
What is a TPA Audit?
TPAs present a huge risk to user organizations (companies using a particular TPA) since TPAs may be processing millions of dollars' worth of benefit claims for their clients. User organizations need assurance that the TPA’s internal controls are designed and operating effectively to provide the outsourced benefit services.
An independent audit of a TPA is one way to gain assurance regarding the TPA’s internal control environment. TPA audits may include detailed tests of claims processed during a particular period of time, data analysis to identify trends and irregularities, and contract analysis.
Services Provided by TPAs
Many companies see TPAs as their own outsourced claims departments that can provide resources as needed. It can be more expensive to keep internal resources on staff to perform typical TPA duties, so for many companies outsourcing to a TPA makes sense.
For example, certain companies may determine that they do not want to perform benefits administration themselves. Instead, they may decide to select a company like ADP to provide benefits services. In this scenario, ADP becomes a TPA for the company outsourcing their benefits services. Following are some additional examples of services provided by TPAs:
- Customer service related to 401(k)s
- Preparing employer and employee benefit statements
- Claims processing and pricing
- Amending and restating plan documents
- Risk management
- Billing services
- Subrogation expertise
- Data and analytics
- Loss control
- Managed care
- Mental health administrations
- Return to work programs
Types of Claims Handled By TPAs
TPAs may handle a wide variety of claims for their clients.
The types of claims handled by TPAs include:
- Professional liability
- General liability
- Employment practices
- Water damage
- Construction defect
- Property and casualty
TPA Compliance – What Type of Regulations Must a TPA Follow When Processing Claims?
If you are a TPA, chances are your clients have asked you to provide some assurance that your services and surrounding internal control environment are designed and operating effectively. Strangely, some of your clients don’t take your word for it that your control environment is in order and may request additional assurance. When that occurs, you may be wondering about the best way to provide that assurance. The correct answer for most TPAs is a SOC 1 (formerly SSAE 16) report, because TPAs’ services are typically closely related to their user organizations’ internal controls over financial reporting (ICFR).
TPAs also provide services that are usually financial in nature such as processing and pricing of claims, stop-loss/reinsurance claims, and claims payment. In addition to your clients, your financial auditors may request assurance that your TPA has an adequate internal control environment so that they can rely on the transactional information coming from the TPA that will be used within the financial statements.
If you work for a company that is considering outsourcing to a TPA, it is a good idea to ask whether the TPA has a SOC 1 or other independent compliance report.
Third Party Administrator Audits
In summary, companies considering outsourcing to a TPA should perform due diligence to ensure that the TPAs are reputable and have gone through a third party audit. A SOC 1 audit is a good choice for TPAs because it includes testing of controls at the TPA that are relevant to their clients’ ICFR.
Rob started with Linford & Co., LLP in 2011 and leads the HITRUST practice as well as performs SOC examinations and HIPAA assessments. He has spoken at Data Center World on compliance-related topics and has completed over 200 SOC examinations. He started his career as an IT auditor in 2003 with PwC in the Systems and Process Assurance group, and has worked in a variety of industries in internal audit as well as for the City and County of Denver.