Audit Preparation Checklist

Audit Scope and Kickoff

    Confirm whether this is a Model Audit Rule (MAR) financial audit, a state DOI market-conduct exam, a SOC 2 Type II review, or an internal audit. Each has different scope, evidence expectations, and statutory deadlines — getting this wrong upstream means producing the wrong workpapers.

    Map each item on the auditor's prepared-by-client (PBC) list to a named owner — finance, claims, underwriting, IT, legal. Set internal due dates two weeks ahead of the auditor's deadline so reviewers have buffer.

Financial Documentation

    Pull the balance sheet, income statement, cash flow statement, and statutory annual statement (Schedules F, P, and T for P&C carriers) covering the full audit period. Include comparative prior-year figures and tie-outs to the trial balance.

    Reconcile every premium-trust, claims, and operating account through the audit period-end. Document any reconciling items older than 30 days — stale items are a recurring auditor finding and a state DOI premium-trust concern.

    Reconcile written-premium and earned-premium balances between the GL and the policy admin system (Guidewire PolicyCenter, Duck Creek, or Applied Epic). Variances over the carrier's materiality threshold need a written explanation before the auditor sees them.

    Summarize case reserves, IBNR, and ALAE/ULAE by line of business, with the actuarial memo supporting the booked reserve. Include the prior-year development triangle; auditors will compare booked reserves to the actuarial central estimate and flag any material divergence.

    Document recoverables by reinsurer with A.M. Best ratings and any disputed balances. Treaty cessions should tie to the cedant's underwriting and claim records — following-form mismatches are a common Schedule F adjustment.

Compliance and Legal

    Run a NIPR report for every producer who bound business during the audit period. Confirm the NPN, the resident-state license, non-resident licenses and carrier appointments in every state where the producer bound, and current CE. A license that lapsed for missing CE makes every bind during the lapse window an unauthorized transaction.

    For every state and line written, confirm the filing posture (prior approval, file-and-use, or use-and-file) and that the rates and forms actually implemented in the policy admin system match what is on file in SERFF. A rate change pushed live in a prior-approval state before the DOI approves it is the classic market-conduct finding.

    Determine whether 23 NYCRR Part 500 (the NYDFS Cybersecurity Regulation) is in scope before assembling artifacts. Any Covered Entity licensed to do insurance business in NY is subject to it unless it qualifies for a limited exemption under §500.19, and an exempt entity still has to have filed its exemption notice. If Part 500 applies, the next item lists what the examiner will ask for; if it does not, keep the exemption filing on hand instead.

    Pull the most recent CISO report to the board (§500.4), the most recent annual certification of compliance (§500.17(b)), the risk assessment (which must be reviewed and updated at least annually under the amended §500.9), the annual penetration test (§500.5), MFA enforcement evidence (§500.12, including remote access by third parties over VPN), and the third-party service provider risk inventory under §500.11. Include the 72-hour incident notification log (§500.17(a)) even if it is empty, so the examiner can see that the process exists.

    Include the current written information security program (WISP), the most recent annual GLBA privacy notice mailing, and evidence of state-specific consent handling: Vermont requires opt-in before nonpublic personal information is shared with nonaffiliated third parties, and California requires CCPA/CPRA disclosures for personal lines.

    Provide outside counsel's audit response letter, a schedule of pending bad-faith and coverage suits, and any open reservation-of-rights (ROR) letters. Tie the amount reserved for each matter back to the GL.

Internal Controls and Procedures

    Sample 25 bound policies across the audit period and trace each to the producer's binding-authority document — line of business, hazard grade, limit, and premium size. Out-of-authority binds are the most common UW control finding.

    Sample open and closed claims to confirm reserves were updated on the carrier's 30/60/90-day cadence and that settlement payments were within the assigned adjuster's authority. Document any Texas Chapter 542 prompt-payment exceptions.

    The person who sets up a payee (vendor master, claimant, or producer record) should not be the person who can approve or release a payment to it. Pull the access matrix from the system itself rather than from the HR role description, resolve each user's effective permissions including those inherited through roles and groups, and flag any user who holds both. Remediate or document a compensating control before fieldwork; this is a top-five SOX/MAR finding when missed.
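
The check described above, as an added example that is not part of the original checklist: it resolves effective permissions through role inheritance and reports every user holding a toxic pair. The export format, role names, permission names and the sample users are assumptions constructed for the example, not the schema of any particular policy-admin or AP system.

```python
"""Segregation-of-duties check over a system access export.

Added example. The role/permission names, the inheritance field and the
user export below are assumptions, not the schema of a real AP or
policy-admin system.
"""
from collections import defaultdict

# Role -> permissions. A role may inherit from other roles; effective
# permissions must follow that chain or the review misses conflicts.
ROLE_PERMS = {
    "ap_clerk":        {"perms": {"vendor.create", "vendor.edit"}, "inherits": []},
    "ap_approver":     {"perms": {"payment.approve"}, "inherits": []},
    "ap_supervisor":   {"perms": {"payment.release"}, "inherits": ["ap_approver"]},
    "claims_adjuster": {"perms": {"claim.reserve", "claim.pay"}, "inherits": []},
    "read_only":       {"perms": {"report.view"}, "inherits": []},
}

# Constructed user -> roles export, as pulled from the system itself.
USER_ROLES = {
    "mlee":    ["ap_clerk", "read_only"],
    "jdoe":    ["ap_approver"],
    "rkhan":   ["ap_clerk", "ap_approver"],    # direct conflict
    "sgarcia": ["ap_clerk", "ap_supervisor"],  # conflict only via inheritance
    "tnguyen": ["claims_adjuster"],
}

# Permission pairs one person must never hold together.
TOXIC_PAIRS = [
    ("vendor.create", "payment.approve"),
    ("vendor.edit", "payment.approve"),
]


def effective_perms(role, role_perms, _seen=None):
    """Permissions of a role including inherited ones; tolerates cycles."""
    seen = _seen if _seen is not None else set()
    if role in seen or role not in role_perms:
        return set()
    seen.add(role)
    perms = set(role_perms[role]["perms"])
    for parent in role_perms[role].get("inherits", []):
        perms |= effective_perms(parent, role_perms, seen)
    return perms


def user_perms(user, user_roles, role_perms):
    """Union of effective permissions across all of a user's roles."""
    perms = set()
    for role in user_roles.get(user, []):
        perms |= effective_perms(role, role_perms)
    return perms


def find_sod_conflicts(user_roles, role_perms, toxic_pairs):
    """Return {user: [(perm_a, perm_b), ...]} for every user holding a toxic pair."""
    conflicts = defaultdict(list)
    for user in sorted(user_roles):
        perms = user_perms(user, user_roles, role_perms)
        for a, b in toxic_pairs:
            if a in perms and b in perms:
                conflicts[user].append((a, b))
    return dict(conflicts)


if __name__ == "__main__":
    for user, pairs in find_sod_conflicts(USER_ROLES, ROLE_PERMS, TOXIC_PAIRS).items():
        print(f"{user}: " + ", ".join(f"{a} + {b}" for a, b in pairs))
```

Note that sgarcia is flagged only because ap_supervisor inherits payment.approve; a review that compares assigned role names against a policy document would miss that user entirely.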

    Many carriers screen at policy issuance but skip claim-payment screening. Pull the OFAC scan log for a sample of claim payees and confirm that an SDN-list check on the payee ran, with a clear result, within the 24 hours before each payment was released. A scan logged only after the payment left did not block anything and is itself a finding, as is a payment released while a potential match was still unresolved.
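
The log correlation behind that test, as an added example rather than anything from the original checklist: it joins a payment-release extract to a screening-tool log and classifies each payment as screened in time, never screened, screened too long before release, screened only after release, or released on an unresolved hit. Both CSV layouts and the sample rows are constructed assumptions, not the export format of any real OFAC tool or claims system.

```python
"""Confirm each claim payment had an SDN screen of its payee before release.

Added example. The two CSV layouts and their field names are assumptions,
not the schema of a real screening tool or claims system.
"""
import csv
import io
from datetime import datetime, timedelta, timezone

WINDOW = timedelta(hours=24)  # how fresh the pre-release scan must be

# Constructed sample: payments released from the claims system.
PAYMENTS_CSV = """payment_id,payee_id,amount,released_at
P-1001,V-77,12500.00,2024-03-04T15:10:00Z
P-1002,V-78,800.00,2024-03-04T16:00:00Z
P-1003,V-79,43000.00,2024-03-05T09:30:00Z
P-1004,V-80,2100.00,2024-03-05T10:00:00Z
"""

# Constructed sample: screening-tool log. result is CLEAR or POTENTIAL_MATCH.
SCANS_CSV = """scan_id,payee_id,list,scanned_at,result
S-1,V-77,SDN,2024-03-04T14:55:00Z,CLEAR
S-2,V-78,SDN,2024-03-01T09:00:00Z,CLEAR
S-3,V-79,SDN,2024-03-05T11:45:00Z,CLEAR
S-4,V-80,SDN,2024-03-05T09:40:00Z,POTENTIAL_MATCH
"""


def parse_ts(s):
    """Parse the UTC timestamps used in both logs."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def load(csv_text):
    return list(csv.DictReader(io.StringIO(csv_text)))


def evaluate_payment(payment, scans, window=WINDOW):
    """Classify one payment against the scan log.

    OK              a CLEAR SDN scan of the payee ran within `window` before release
    NO_SCAN         the payee was never screened against SDN
    SCAN_AFTER      the only scans are logged after the payment left
    STALE_SCAN      the newest pre-release scan is older than `window`
    RELEASED_ON_HIT the in-window scan returned POTENTIAL_MATCH and the payment still went out
    """
    released = parse_ts(payment["released_at"])
    payee_scans = [s for s in scans
                   if s["payee_id"] == payment["payee_id"] and s["list"] == "SDN"]
    if not payee_scans:
        return "NO_SCAN"
    before = [s for s in payee_scans if parse_ts(s["scanned_at"]) <= released]
    if not before:
        return "SCAN_AFTER"
    latest = max(before, key=lambda s: parse_ts(s["scanned_at"]))
    if released - parse_ts(latest["scanned_at"]) > window:
        return "STALE_SCAN"
    if latest["result"] != "CLEAR":
        return "RELEASED_ON_HIT"
    return "OK"


def audit_payments(payments_csv=PAYMENTS_CSV, scans_csv=SCANS_CSV):
    """Map every payment_id in the extract to its classification."""
    scans = load(scans_csv)
    return {p["payment_id"]: evaluate_payment(p, scans) for p in load(payments_csv)}


if __name__ == "__main__":
    for pid, status in audit_payments().items():
        print(pid, status)
```

Only P-1001 passes in the sample; each of the other three rows is a different way the control can look present in the log while failing to stop a prohibited payment.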

    NY, CA, FL, NJ, OH, NM, KY, LA, and MN all require periodic Anti-Fraud Plan filings. Confirm the most recent filing matches the SIU's actual operating procedures — acquired books often inherit unfiled or stale plans.

    Provide evidence of a successful backup restore test within the audit period (a restore into a non-production environment with record counts or checksums verified against the source, not just a job-completed log) and the most recent quarterly access review for PolicyCenter, ClaimCenter, and the AMS, reconciled against the HR termination list for the same period. Untested backups and stale terminated-employee accounts are recurring SOC 2 and Part 500 findings.

Final Review and Sign-Off

    Walk the CFO, General Counsel, and CISO through the assembled package. Surface any known issues now — auditors respond better to a self-disclosed weakness with a remediation plan than to one they discover.

Use this template in Manifestly
