Clients are sometimes surprised to hear me say this, but in the competitive insurance landscape, the compliance audit is a friend and ally of well-run agencies that have conscientious leadership. Why?! How!? By ensuring that all participants adhere to industry standards and state regulations, the compliance audit creates a level playing field, encouraging proper conduct while punishing bad actors. In this blog post, I’ll delve into the intricacies of the compliance audit and provide practical steps you can take before and during a compliance audit.


What is a Compliance Audit?

A compliance audit is a systematic examination of an insurance licensee’s operations, processes, and records to determine its adherence to acceptable industry standards and to federal and state laws, codes, rules, and regulations as promulgated by the Department of Insurance or the designated state agency responsible for regulating the insurance marketplace in that state. The aim of an audit is to identify any non-compliance issues and ensure that the agency is conducting its business ethically and in accordance with acceptable industry standards.


Who Conducts Compliance Audits?

Compliance audits are typically conducted by regulatory bodies and industry associations within the insurance sector. These entities are entrusted with the responsibility of upholding the integrity of the industry and safeguarding the interests of policyholders.


Why Insurance Agencies and Producers May Become Subject to a State Compliance Audit

Insurance agencies may become subject to a compliance audit for various reasons. Common triggers include consumer complaints, a history of non-compliance, and changes in regulations. Additionally, random audits may be conducted as part of regulatory oversight to maintain the overall integrity of the insurance industry.


The Two Types of Audits: Desk Audits and Field Audits

Compliance audits can be categorized into two main types: desk audits and field audits.

Desk Audits

Desk audits involve a review of an agency's documentation, policies, and procedures without physical on-site presence. In such instances, the examiner conducting the audit will send a request to the licensee mandating the production of the documentation to be audited by a certain date. The examiner will remotely analyze the records, contracts, and/or other materials requested to determine compliance. Activities such as underwriting practices, fees charged, policy issuance and cancellation, agency licensing, and claims handling may come under scrutiny as part of a desk audit.

Field Audits

Field audits, on the other hand, require auditors to be present physically at the agency's location. This type of audit involves a more in-depth examination of operational activities, including interviews with staff, observation of processes, and inspection of physical documents. Field audits are generally conducted when an examiner believes, or has reason to believe, that the agency's practices constitute a serious violation of acceptable industry standards, such as in the case of fraud.


Possible Outcomes of a Compliance Audit: Sanctions or Penalties

The outcomes of a compliance audit can vary based upon the examiner’s findings. Agencies may receive a clean bill of health indicating full compliance, or the audit may uncover areas of non-compliance. In such cases, agencies and the individuals who are responsible for ensuring compliance, including the agency Designated Responsible Producer, may receive an administrative action to cease and desist a practice deemed noncompliant with the insurance law, and/or a fine. In the most serious cases, however, including fraud and tax evasion, not only may a licensee lose their insurance license, but they may also face criminal charges which could lead to a felony conviction resulting in imprisonment.


How to Avoid Being Audited

Insurance agencies can take proactive measures to minimize the risk of being audited. This includes maintaining meticulous records, staying abreast of regulatory changes, and implementing robust compliance management systems. Regular internal audits and self-assessments can help identify and address potential compliance issues before external audits occur.

I also recommend insurance agencies consider undergoing a SOC 2, or similarly recognized, annual audit. While these can be expensive and are not legally mandated by state insurance laws or state department promulgated regulations, completing the audit will almost certainly help ensure the integrity of the audited company’s cyber systems, which will put it in good stead to certify compliance with state department regulations relating to licensee cybersecurity, as promulgated in the New York State Cybersecurity Regulation, 23 NYCRR Part 500.


What to Do If You Receive a Notice of an Impending Audit

Receiving notice of an impending audit can be a daunting experience, but agencies can navigate the process effectively by following these steps:

1. Consult Legal Counsel

Legal counsel specializing in insurance regulation brings expertise and experience to your team. This could save your agency and Designated Responsible Producer (DRP) tens of thousands of dollars or more in fines.

2. Prepare Thoroughly

Gather all relevant documentation, policies, and records that auditors may request.

3. Designate a Point of Contact

Appoint a dedicated point of contact to liaise with examiners. This individual should have a deep understanding of the agency's operations and compliance measures.

4. Cooperate Fully

Cooperate transparently with examiners during both desk and field audits. Provide access to requested information promptly and facilitate open communication.

5. Address Findings Promptly

If non-compliance issues are identified, take immediate action to address and rectify them. Implement corrective measures to prevent recurrence.



The compliance audit is an important tool for state insurance regulators. It protects consumers and well-run agencies from bad actors and maintains the integrity of the insurance marketplace. By understanding the purpose, types, and potential outcomes of audits, insurance executives can proactively ensure their agencies operate within acceptable regulatory compliance parameters. Taking preventive measures and responding effectively to audit findings are key strategies for navigating the complex landscape of compliance in the insurance industry. If you would like assistance with your own internal compliance review, or legal counsel to guide you through an audit, please contact the team here at 3H Corporate Services.