Policy Audit for Compliance: The Complete Guide for Insurance Professionals

Insurance audits fall into two categories with very different implications. The first is the premium audit - a routine end-of-policy verification of actual exposure data (payroll, sales, vehicle counts) to reconcile against the deposit premium. The second is the compliance audit - a review of whether coverage terms, named-insured designations, endorsements, and policy structures meet regulatory, contractual, or underwriting requirements.

Both types affect named-insured businesses and the brokers who place their coverage. Understanding the triggers, scope, dispute procedures, and timelines for each type is essential for managing client accounts and reducing E&O exposure.

Key Takeaways

• Premium audits are standard on workers compensation, commercial GL written on a sales or payroll basis, and some commercial auto fleet policies. They occur at policy expiration and sometimes mid-term on large accounts.
• Compliance audits are triggered by regulatory investigations, contract requirements (lenders, project owners), underwriting reviews, and agency management system flags.
• Audits typically look back 3 years for standard premium audits, and 5 to 7 years for fraud or material misrepresentation investigations.
• Policyholders can dispute audit findings. Effective disputes require documented payroll records, classification worksheets, state DOL classifications, and payroll tax filings.
• Workers compensation audits that find additional premium owed result in a final earned premium billing. The insured must pay or face cancellation of the current policy.
• Policy-checking at binding - verifying that the policy delivered matches the application and proposal - is the agency-side compliance audit that catches errors before they compound.

What "Policy Audit for Compliance" Means

The term is used two ways in the industry, and the distinction matters.

Carrier-initiated premium audits verify the accuracy of the exposure data on which the original premium was calculated. For workers compensation, the audit verifies actual payroll by class code. For GL written on a gross sales basis, it verifies actual sales. For commercial auto fleet policies, it verifies the actual vehicle count and drivers. The audit produces either additional premium owed (if actual exposure exceeded the estimate) or a return premium (if actual exposure was lower).

Compliance audits verify that a policy meets a specific standard set by a regulator, a lender, a contract counterparty, or the carrier's own underwriting rules. A lender may require an annual certificate audit to confirm that property coverage meets the loan-to-value requirement. A project owner may audit subcontractor insurance certificates to verify additional insured status and required limits. State insurance departments conduct market conduct examinations that review agency files and policy documentation for regulatory compliance.

This guide covers both types but focuses primarily on the premium audit mechanics - which are the most common source of post-binding disputes between insureds, carriers, and brokers - and on the compliance audit triggers most relevant to commercial insurance professionals.

Lines of Business That Trigger Premium Audits

Not all commercial lines use deposit premiums subject to audit. The lines that routinely audit are those where exposure is variable and cannot be determined precisely at inception.

Workers Compensation Audits

Workers compensation is the most heavily audited commercial line. The National Council on Compensation Insurance (NCCI) governs workers comp rating in 38 states; 12 states (including California, New York, Pennsylvania, and Wisconsin) use independent rating bureaus. In all jurisdictions, the WC premium is based on payroll by class code, and the final earned premium is determined at audit.

Audit trigger: Standard WC policies audit at policy expiration. Large accounts (over $100,000 in deposit premium at most carriers) audit mid-term as well - typically at the 6-month mark. Very large accounts (over $500,000 in deposit premium) may audit quarterly.

What the audit examines: Total payroll by employee and by classification code, overtime pay (which is excluded from the payroll base in most NCCI states after deducting the time-and-a-half component), payroll for officers (which is subject to minimum and maximum weekly payroll caps by state), payroll for independent contractors (which the auditor may include if the contractor does not have their own WC policy), and executive officer inclusion or exclusion elections.

The classification question is the most financially significant. NCCI class codes carry vastly different rates. A construction laborer may carry a class code rate of $12 per $100 of payroll; a clerical employee in the same company carries $0.25 per $100. If the auditor reclassifies employees from clerical to field operations - because their actual duties were misrepresented at inception - the additional premium can be substantial.

Typical audit result ranges: IIABA's Agency E&O report found that WC audits produce additional premium billings in 54% of cases, return premiums in 31% of cases, and zero adjustment in 15% of cases.

General Liability Audits

GL audits apply when the policy is written on a variable exposure basis: gross sales, square footage, or payroll (for GL policies covering contracting operations). GL policies written on a flat rate per occurrence basis (common for small retail) do not audit.

For a contractor's GL policy written on payroll, the audit mirrors the WC audit - actual payroll by type of work is verified. For a manufacturer's GL written on gross sales, the audit compares actual annual sales to the estimated sales at inception.

GL audits occur at policy expiration. Mid-term audits on GL are rare except on very large accounts or when the carrier suspects material misrepresentation.

Certificates and the audit connection: A client who expanded operations mid-year - adding a new service line not described in the policy application - may find the GL audit produces additional premium for exposures that were not underwritten. Worse, the carrier may disclaim coverage for claims arising from the new undisclosed operations. Brokers should advise clients to notify the agency of any new operations mid-term, not just at renewal.

Commercial Auto Fleet Audits

Commercial auto fleet policies audit vehicle counts and driver lists. Audits occur at expiration. Carriers including Travelers, Nationwide, and Progressive Commercial verify the vehicle schedule against DMV registration records and driver records against MVR data.

If the insured added vehicles during the year without notifying the broker, the audit will find the unscheduled vehicles and charge additional premium. If those unscheduled vehicles were in accidents during the policy period, coverage for those accidents may be disputed.

Business Owners Policy

The business-owners-policy (BOP) does not typically audit. BOP premiums are written on a flat or per-location basis with no variable exposure component. However, a BOP may be superseded mid-term by a commercial package policy if the insured's size grows beyond the BOP eligibility thresholds - carriers including Hartford, Travelers, and The Cincinnati publish BOP eligibility rules limiting coverage to businesses with revenues below a specified threshold (typically $5 million to $10 million depending on carrier and industry class).

Can an Insurance Company Audit You?

Yes. The carrier's right to audit is established in the policy's conditions. Workers compensation policies universally include an audit clause. The standard WC policy (NAIC standard form) states that the insurer has the right to examine and audit the insured's books and records at any time during the policy period and within 3 years after the policy ends.

The audit right covers: payroll records, tax records (941 payroll tax returns, W-2s, 1099s), certificates of insurance from subcontractors, contracts with independent contractors, and job cost records for contractors.

Refusing to cooperate with an audit is a policy condition violation. Carriers that cannot complete an audit due to insured non-cooperation typically terminate the policy and calculate a final premium using an estimated basis - often the maximum possible exposure - which is almost always worse for the insured than the actual audit would produce.

For the agency-side compliance audit - verifying that a policy document matches the application - the relevant authority is the agency's own quality control obligation. Agencies have a duty-of-care standard requiring them to deliver coverage that matches what was requested. Policy-checking is the operational implementation of that duty at policy delivery.

Do You Have to Do an Insurance Audit?

For premium audits on auditable lines (WC, auditable GL): yes, cooperation with the carrier's audit is a policy condition. Refusal to cooperate is a material breach of the policy that can result in policy cancellation and an estimated additional premium.

For compliance audits requested by a lender, contract counterparty, or regulator: the obligation depends on the specific agreement or regulatory requirement. A lender's loan agreement may require annual insurance certification and permit the lender to audit insurance documentation. A contract requiring certificates of insurance may give the certificate holder the right to verify coverage. A state DOI market conduct examination requires agency cooperation under state insurance code.

For voluntary compliance audits - agencies reviewing their own policy files for accuracy - there is no external compulsion. But the E&O risk justification is strong. An agency that reviews its own file quality and finds errors can correct them proactively. An agency that discovers errors first through a client claim has a much worse outcome.

How Far Back Can an Insurance Company Audit?

Standard premium audits: 3 years. The standard audit clause in workers compensation and GL policies gives the carrier the right to audit within 3 years after the policy ends. After 3 years, the audit right typically expires under the policy's own terms, and the statute of limitations on contract claims (3 to 6 years depending on state) may also bar recovery.

Fraud or material misrepresentation: 5 to 7 years. If the carrier discovers evidence of intentional misrepresentation - payroll that was systematically underreported, class codes that were deliberately misassigned, or employee counts that were hidden - the audit can extend beyond the standard 3-year window. California Insurance Code § 331 and New York Insurance Law § 3105 permit rescission of policies obtained by material misrepresentation without time limit if the misrepresentation was fraudulent. In practice, carriers and state DOI fraud units investigate back 5 to 7 years when fraud is suspected.

Market conduct examinations (agency-level): State insurance departments conducting market conduct exams of agencies typically review 3 years of transaction records. The NAIC's Market Regulation Handbook specifies that standard market conduct exams review a 3-year period. Extended exams for suspected systemic violations may go back 5 years.

Retained records recommendation: Agencies should retain all policy files, correspondence, and supporting documentation for a minimum of 7 years - longer in states with extended statute of limitations (New York contract claims have a 6-year limit). This retention standard covers the audit window for both carrier-initiated audits and state market conduct examinations.

How to Fight an Insurance Audit

Audit disputes are winnable when the insured has documentation and understands the classification rules. The dispute process differs by line.

Workers Compensation Audit Disputes

Step 1: Request the audit worksheet. The carrier's auditor produces a detailed worksheet showing each employee, their assigned class code, their payroll, and the applicable rate. Request this worksheet in writing within 30 days of receiving the audit billing.

Step 2: Identify contested classifications. Compare the auditor's class code assignments against your original policy classifications and the NCCI Basic Manual class code descriptions. Focus on employees the auditor moved from lower-rate codes to higher-rate codes.

Step 3: Prepare payroll documentation. Gather: quarterly 941 payroll tax returns, W-2s for all employees, time records showing hours worked and duties, job descriptions, and any state DOL classification rulings for disputed positions. The DOL's classification of a position for wage-and-hour purposes is persuasive but not binding in the WC context - NCCI class codes use their own definitions.

Step 4: Challenge contractor classifications. Auditors frequently include 1099 contractor payments in the payroll base if the contractor cannot produce a certificate of insurance showing their own WC coverage. Review the certificates you hold for each contractor used during the audit period. If any certificates are missing or show lapsed WC, those contractors may legitimately appear in the audit.

Step 5: Submit a written dispute. Send the carrier a written dispute letter identifying each contested item, the auditor's classification, the correct classification with the NCCI Manual reference, and supporting documentation. Request a conference call with the audit supervisor if initial review does not resolve the dispute.

Step 6: Escalate to the carrier's audit department. If the field auditor's supervisor does not resolve the dispute, request escalation to the carrier's home office audit unit. Large carriers including Liberty Mutual, Travelers, and Zurich have dedicated audit dispute resolution teams.

Step 7: Consider independent classification review. A workers compensation classification consultant (several operate nationally, including ComplianceOne and Class Act Analytics) can review the NCCI manual against the employer's actual operations and prepare an independent opinion letter. This document is useful in negotiation and, if necessary, in formal dispute proceedings.

GL Audit Disputes

GL audit disputes typically center on the sales or payroll figures the auditor used as the exposure basis. Effective disputes require: signed contracts showing actual revenue figures, monthly financial statements, tax returns, and a description of any revenue categories that should be excluded from the GL exposure base (such as inter-company sales, returns and allowances, or sales to named excluded classes).

Some GL policies exclude certain types of revenue from the audit base - read the premium development endorsement on the policy, not just the declarations page. Exposure bases are defined in the endorsement.

Audit Outcomes: Additional Premium, Return Premium, Cancellation

Additional premium: The most common outcome. The auditor finds actual exposure exceeded estimated exposure. The carrier issues a final earned premium statement and an additional premium billing. For WC, the additional premium is due immediately (or within the carrier's payment terms). Failure to pay additional premium on WC results in cancellation of the current policy.

Return premium: Actual exposure was lower than estimated. The carrier issues a return premium. Return premiums on auditable lines are typically applied as a credit to the renewal premium rather than returned in cash, unless the policy has expired without renewal.

Policy cancellation. If the audit reveals that the policy was written on materially incorrect information - wrong class codes, systematically underreported payroll, undisclosed operations - the carrier may cancel the policy and potentially seek rescission of coverage for the audit period. This is the worst-case outcome. It leaves the insured without coverage for the audit period and potentially liable for uninsured claims.

Restatement of experience modification. For workers compensation, if the audit produces substantially different payroll figures than reported, the NCCI will recalculate the experience modification factor for the affected policy years. A higher experience mod increases future WC premiums for 3 years. This downstream impact on premium is often larger than the immediate audit billing.

The Agency-Side Policy Audit: Compliance at Delivery

The carrier's audit operates on the insured's exposure data. The agency's own audit operates on the policy document.

Policy-checking at delivery means verifying that the policy document issued by the carrier matches: (1) the application submitted, (2) the proposal presented to the client, (3) any endorsements requested at binding, and (4) any special requirements in the client's contracts (additional insured designations, required limits, primary and non-contributory status).

Carrier-issued policies contain errors. ISO estimates a 3-5% policy error rate at binding for commercial accounts. Named insured errors, wrong effective dates, missing endorsements, and incorrect class codes are the most common. If the policy is delivered to the client without checking, those errors become E&O claims when a loss exposes them.

The business-owners-policy is particularly prone to classification errors. BOP eligibility depends on correct business description and class code. An insured placed in a BOP when their operations exceed BOP eligibility thresholds is a coverage rescission risk - the carrier may disclaim coverage on grounds that the risk was ineligible for the policy form.

BrokerageAudit's policy checker automates this verification by comparing each delivered policy against the application data and flagging discrepancies before the policy is sent to the client. For related compliance workflows, see #427 and #428.

Frequently Asked Questions

Can an insurance company audit you?

Yes. The right to audit is written into the policy conditions of every workers compensation policy and most commercial GL and commercial auto fleet policies. The standard NAIC workers comp form gives the carrier audit rights during the policy period and for 3 years after policy expiration. Cooperation with a carrier audit is a policy condition. Refusing to cooperate is a material breach that can result in cancellation of the current policy and an estimated additional premium calculated at the maximum possible exposure rate.

Can you fight an insurance audit?

Yes, and disputes are often successful when the insured has documentation. The most effective disputes challenge incorrect class code assignments with NCCI Basic Manual references, contest the inclusion of contractor payments where valid certificates of insurance exist, and correct payroll figures with payroll tax returns and time records. Submit disputes in writing to the carrier's audit supervisor within 30 days of receiving the audit statement. Escalate to the home office audit department if field-level review does not resolve the issue. An independent workers compensation classification consultant can prepare an expert opinion letter for complex disputes.

Do you have to do an insurance audit?

For premium audits on workers compensation, GL written on a variable basis, and commercial auto fleet: yes, cooperation is a policy condition. Refusing an audit violates the policy and can result in cancellation and an estimated worst-case premium. For compliance audits requested by lenders or contract counterparties: your obligation depends on the terms of the specific agreement. For agency-side policy audits - reviewing your own files for accuracy - there is no external compulsion, but the E&O protection justifies the practice.

How far back can an insurance company audit?

Standard premium audits: 3 years from policy expiration, as stated in the policy's audit clause. State fraud investigations and material misrepresentation cases: 5 to 7 years, depending on the state's statute of limitations and the carrier's right to rescind for fraud. Market conduct examinations of agencies by state insurance departments: typically 3 years under NAIC examination standards, extended to 5 years for suspected systemic violations. Retain all policy files and supporting records for a minimum of 7 years to cover the maximum potential audit window across all jurisdictions.

How far back can insurance companies audit for fraud?

When a carrier has evidence of intentional misrepresentation - systematically underreported payroll, deliberately wrong class codes, concealed operations - the audit window extends beyond the standard 3-year limit. California Insurance Code § 331 and New York Insurance Law § 3105 both permit rescission of policies obtained by material misrepresentation, with fraud providing an indefinite basis for action. In practice, fraud investigations typically go back 5 to 7 years, constrained by document availability and the practical limits of the evidence. A carrier that discovers fraud may also report the matter to the state DOI fraud unit and NICB, triggering a parallel regulatory investigation.

How long does an insurance audit take?

Workers compensation premium audits typically complete in 2 to 6 weeks for standard commercial accounts. Large accounts with complex payroll structures (multiple locations, many class codes, extensive contractor use) can take 3 to 6 months. Market conduct examinations of agencies by state insurance departments run 6 to 18 months from initiation to final examination report. Dispute processes for audit findings add 30 to 90 days depending on the carrier's procedures and the complexity of the disputed items. During an open audit dispute, most carriers hold the additional premium billing - confirm this in writing with the carrier's audit supervisor to avoid cancellation for nonpayment of a disputed amount.

---

Written by Javier Sanz, Founder of BrokerageAudit. Last updated April 2026.

The carrier audits the insured's payroll. Who audits the policy? BrokerageAudit's Policy Checker verifies every delivered policy against the application, proposal, and client requirements - catching carrier errors and mismatched endorsements before they become coverage disputes. See Policy Checker