Outsourcing Services? Why a SOC Report Matters.

Many public risk pools outsource some of their day-to-day activities, such as payroll, claims administration and underwriting to third party administrators (TPAs). When partnering with a TPA, it is critical that your TPA has the right controls in place so you can ensure that the data produced by the TPA and recorded in your books is complete and accurate. So, how do you know if the proper controls are in place and are working effectively at your TPA? You may have asked your TPA to complete a controls questionnaire, but is it really enough?

Best Way to Evaluate Your TPA’s Internal Controls

A Service Organization Controls or SOC report is a handy tool to help you evaluate the effectiveness of the internal controls over financial reporting that your TPA has in place. The SOC report is prepared by a CPA who provides an opinion on the operating effectiveness of those controls. Leveraging this report is far more efficient than going to your TPA and testing the effectiveness of the controls yourself or sending a questionnaire that doesn’t give you peace of mind.

SOC reports are not the most glamorous documents to read but they go a long way toward documenting your Pool’s governance.

What’s Next?

Here are six easy steps that you can implement annually to assure that you have covered your bases:

  1. Obtain and read the report.
  2. Ensure the opinion is signed by a reputable CPA firm.
  3. Look for an unmodified (clean) opinion.  If it’s not, understand the reason why and the potential impact to your Pool.
  4. Identify the internal controls relevant to your organization (not all of them will be applicable).
  5. Note any exceptions to the applicable controls. If any, conclude on the potential impact.
  6. Finally, implement the user controls. They are so important and often forgotten.

User Controls

Those pesky “user controls”!  They are too often ignored but are vital. Although the TPA lists these controls in their report, it is your responsibility to design and implement these controls in your organization. The user controls are intended to work in conjunction with the TPA’s controls.


Too often, organizations do not know to request or simply forget to request a copy of their TPA’s SOC report.  This is a critical piece of the internal control puzzle and makes your auditors abundantly happy when management has read and understands the SOC report.

We encourage our clients and prospects to contact us to request a template to help you implement these steps.

Magali Welch
Magali Welch | Partner