Insurance Company Audit Requirements

Insurance companies operating in the United States face a layered audit landscape shaped by state insurance departments, the National Association of Insurance Commissioners (NAIC), and federal statutes that intersect with state-based solvency regulation. Audit obligations vary by entity type — life, property-casualty, health — as well as by premium volume, licensing status, and whether the insurer is publicly traded. This page covers the definition and scope of insurance company audit requirements, the procedural mechanics of how those audits are conducted, common triggering scenarios, and the classification boundaries that distinguish one audit type from another.


Definition and scope

Insurance company audit requirements refer to the mandatory independent examinations that insurers must undergo to verify financial solvency, reserving accuracy, statutory compliance, and internal control integrity. Unlike most other financial institutions, insurers are primarily regulated at the state level under the McCarran-Ferguson Act (15 U.S.C. §§ 1011–1015), which reserves the business of insurance to state jurisdiction. This means that audit requirements are not imposed by a single federal regulator but instead arise from a patchwork of state insurance codes, each modeled to varying degrees on NAIC model laws.

The two foundational audit instruments in insurance regulation are:

  1. Annual Statement Audit (CPA Audit): An independent audit of the statutory financial statements filed with state insurance departments, conducted by a licensed CPA firm. The NAIC's Annual Financial Reporting Model Regulation (Model #205) establishes the baseline framework, requiring an audited annual statement from insurers with direct written premiums, or holding company groups, above amounts that vary by jurisdiction (NAIC Model #205).

  2. Market Conduct Examination: A regulatory examination focused on policyholder treatment, claims handling, underwriting practices, and marketing compliance — distinct from the financial solvency audit and governed by NAIC Market Regulation Handbook standards.

For publicly traded insurance holding companies, the financial statement audit must also comply with PCAOB Standards for Financial Audits and SEC reporting rules under the Securities Exchange Act of 1934, adding an additional layer of audit obligation beyond what state insurance departments require.


How it works

The annual CPA audit of an insurer's statutory financial statements follows a structured sequence governed by both GAAS (Generally Accepted Auditing Standards) and NAIC-specific requirements for statutory accounting principles (SAP). Statutory accounting differs materially from GAAP: it applies a more conservative balance sheet treatment, restricts the recognition of certain assets, and requires explicit reserve adequacy testing.

The audit process for a typical domiciliary insurer proceeds through these phases:

  1. Auditor Appointment and Independence Review: NAIC Model #205 requires the insurer's audit committee (or board if no audit committee exists) to appoint the CPA firm and assess auditor independence. The Audit Committee Role in Financial Services governs oversight responsibilities at this stage.

  2. Risk Assessment and Planning: The auditor identifies material financial statement risks, including reserve adequacy for loss and loss adjustment expense, premium recoverability, and reinsurance collectability. Reinsurance assets are particularly scrutinized because they represent contingent recoveries.

  3. Testing of Reserves: Actuarial reserve estimates are a central audit area. For property-casualty insurers, IBNR (incurred but not reported) reserves routinely constitute the largest liability line. CPA auditors rely on the work of qualified actuaries under Actuarial Standards of Practice (ASOP) issued by the Actuarial Standards Board.

  4. Internal Control Assessment: NAIC Model #205 requires a Management's Report of Internal Control over Financial Reporting for larger insurers (those with premiums above amounts that vary by jurisdiction). This requirement parallels Sarbanes-Oxley Section 404 for public companies but applies to privately held insurers above the threshold under state law.

  5. Issuance of Audit Report: The CPA issues a report expressing an opinion on whether the statutory financial statements present fairly, in all material respects, the insurer's financial position in conformity with SAP. Possible opinion types — unqualified, qualified, adverse, or disclaimer — carry regulatory consequences explored in Qualified vs Unqualified Audit Opinion.

  6. Regulatory Filing: The audited statutory financial statements, together with the CPA's report and actuarial opinion, are filed with the insurer's state of domicile — typically by June 1 for calendar-year filers under most state implementations of NAIC Model #205.


Common scenarios

New insurer licensing: A newly formed insurer applying for a certificate of authority must submit audited financial statements as part of the licensing application in most states. The audit typically covers the insurer's initial capitalization and organizational financials.

Run-off companies: Insurers in run-off — no longer writing new business but continuing to pay claims — remain subject to annual CPA audit requirements for as long as they hold statutory reserves. Run-off audits focus intensively on reserve adequacy and the collectability of reinsurance recoverables.

Health maintenance organizations (HMOs): HMOs licensed as insurers face dual audit exposure: state insurance department requirements for statutory financial statements, and — where they receive Medicare Advantage or Medicaid managed care payments — Centers for Medicare & Medicaid Services (CMS) program integrity audits. CMS Risk Adjustment Data Validation (RADV) audits are a distinct federal audit instrument separate from the state CPA audit.

Surplus lines insurers: Non-admitted carriers operating on a surplus lines basis face audit requirements from their state of domicile, but their policyholders' home states may also require financial condition evidence through the surplus lines association in that state.

Reinsurance companies: Assuming reinsurers, particularly alien reinsurers not licensed in the US, may be required to provide audited financial statements to cedents and state regulators as a condition of credit for reinsurance — a balance sheet treatment governed by the NAIC Credit for Reinsurance Model Law (#785).


Decision boundaries

The appropriate audit type and scope for an insurance entity depends on four primary classification variables:

Premium volume threshold: NAIC Model #205 triggers annual CPA audit requirements once direct written and assumed premiums reach amounts that vary by jurisdiction. Below that threshold, some states permit an exemption or allow an audit waiver subject to commissioner approval.

Public vs. private holding company: Publicly traded insurance holding companies file with the SEC and must comply with PCAOB auditing standards, internal control attestation under Sarbanes-Oxley §404, and additional SEC Reporting and Audit Requirements. Privately held insurers with premiums above amounts that vary by jurisdiction face a parallel internal control reporting requirement under NAIC Model #205 without PCAOB jurisdiction.

Financial statement basis — SAP vs. GAAP: CPA audits filed with state insurance departments are conducted on a SAP basis. GAAP-basis consolidated audits may also be required for holding companies. These are distinct engagements with different materiality bases, different asset recognition rules, and potentially different auditor firms. The difference between these frameworks is a core topic in Financial Audit Types Explained.

Examination vs. audit — regulatory vs. independent: State insurance department financial examinations (conducted under NAIC Financial Condition Examiners Handbook standards by department examiners or contracted examiners) are not the same as the independent CPA audit. Financial examinations occur on a periodic basis — typically every 3 to 5 years for solvent insurers under NAIC standards — and carry direct regulatory authority, including the power to issue orders. Independent CPA audits occur annually and produce an auditor's report but do not carry direct regulatory enforcement authority. This distinction parallels the broader framework described in Bank Examination vs Financial Audit.

Federal program audit overlay: Insurers participating in federally facilitated programs — including the National Flood Insurance Program (NFIP), Medicare Advantage, or Federal Employees Health Benefits (FEHB) — face additional audit instruments from FEMA, CMS, or the Office of Personnel Management (OPM) respectively, which operate independently of state insurance department requirements.

