Expense Management Checklist

Retrieve the current E&O dec page from the agency's broker portal. Confirm per-claim and aggregate limits, retention, retroactive date, and prior acts coverage. Lapses in retro date are the most common gap discovered during a renewal review.

If the agency is a Part 500 Covered Entity, the cyber tower needs to absorb 72-hour notification costs, regulatory defense, and breach response. Compare current limits to the headcount-and-records exposure benchmarks the broker publishes. NYDFS-imposed penalties are typically excluded from standard cyber forms — verify the regulatory sublimit explicitly.

BOP general liability and professional E&O frequently overlap on personal injury and advertising injury. Map the coverage triggers side by side; when both respond, the agency pays two retentions. Note any redundant first-party endorsements that can be dropped at renewal.

New producers, new lines (especially surplus lines or program business), and acquired books all change the agency's risk profile. An acquired agency's prior acts often need to be scheduled onto the surviving E&O policy by endorsement, not assumed.

Map quarterly expenses to the agency's chart of accounts so commission expense, T&E, AMS subscriptions, NIPR fees, and CE reimbursements each land in their correct line. Misclassified producer reimbursements distort the loss-and-expense ratio reported to appointed carriers.

Pull the commission download from Applied Epic, AMS360, or HawkSoft and reconcile against the GL commission expense and producer payable accounts. Variances usually trace back to mid-term endorsements, NSF reversals, or carrier sweep timing — flag anything over the agency's materiality threshold.

Producer T&E and entertainment spend can implicate state anti-rebating statutes when tied to specific insureds. Cross-check expense reports against producer-of-record changes during the quarter and the gift-and-entertainment policy.

Set thresholds in QuickBooks, Sage Intacct, or whichever GL the agency runs for vendor spend, single-card transactions, and cumulative monthly category totals. The CFO or operations lead should receive alerts in real time, not at month-end close.

Capture every active vendor: AMS (Epic, AMS360, EZLynx), rating engine (TurboRater, PL Rating), e-signature (DocuSign), document management (ImageRight), NIPR, SERFF if the agency files directly, and any TPA or wholesale-broker portal subscriptions. Note auto-renewal cutoffs — most AMS contracts auto-renew on 60- or 90-day notice.

Section 500.11 covers anyone handling NPI — TPAs, claims vendors, document destruction firms, and printers, not just IT vendors. For each, confirm a current SOC 2 Type II or equivalent attestation, MFA on remote access, encryption commitments, and incident-notification timing in the contract.

Send the flagged vendor a written remediation request with a target close date and the specific control gap. Document the exchange in the vendor file — examiners reviewing Part 500 compliance will ask to see evidence of the corrective action loop, not just the assessment finding.

Even if a switch isn't realistic, a competing quote from a peer AMS sets the benchmark for the renewal negotiation. Migration cost and producer retraining time are the hidden expense — model them before treating a lower headline price as savings.

Most state DOIs require 5–7 years of agency records; workers comp documentation can require 10+ years given lifetime medical exposure. Premature destruction creates spoliation risk if a coverage dispute later turns on commission or expense records.

Sample 10–15% of transactions across categories. Test for proper approver, supporting receipt, accountable-plan compliance, and OFAC screening of any new payee. Document the sample methodology so the same population can be re-pulled if a market-conduct exam asks.

Request the most recent SOC 2 Type II from every cloud vendor touching NPI — AMS, rater, e-sig, document storage, payroll. Read the exceptions section, not just the cover page; carve-outs to subservice organizations frequently shift control responsibility back to the agency.

The GLBA Safeguards Rule WISP needs to name the approver structure for vendor onboarding and payment changes. Refresh the approver list whenever roles change; social-engineering payment-change fraud succeeds on stale approver lists more often than on technical compromise.