Compliance July 21, 2026

Mid-Year Compliance Audit Template for Insurance Agencies

Rachel Nguyen
Sr. Compliance Analyst

The mid-year self-audit is the cheapest insurance an agency principal buys. Run between April and September — after the post-AEP wash and before the next AEP ramp — it is the only window in the year when the floor is calm enough to look at itself honestly. Agencies that run it find the gaps before a regulator does. Agencies that skip it discover those same gaps in October, in the middle of peak production, with a CMS audit letter on the desk and no time to remediate. This is the template a compliance director should run, organized for an agency principal to read in one sitting.

The audit lens

  • 7: Compliance domains the mid-year audit covers, from licensing to recording retention
  • 90 days: Realistic remediation window before AEP open if findings surface in July
  • 1: Number of board-level sign-offs the audit produces; non-negotiable for principal accountability
  • 2x: Typical reduction in CMS marketing-rule findings agencies report after a real mid-year audit

Why Mid-Year, Why Now

CMS does not announce its audit calendar; the regulator picks an agency, sends the letter, and expects the artifacts within a tight window. Per the CMS compliance program guidance, agencies are expected to maintain ongoing self-monitoring rather than reactive readiness. NAIC's market-conduct exam framework similarly assumes that the producer has identified and remediated its own issues before the examiner walks in. Mid-year is the only realistic window because Q1 still has OEP cleanup, Q4 is AEP, and Q2/Q3 are the months when the agency can dedicate compliance resources to looking inward.

The other operational reason is timing. Findings discovered in July can be remediated by AEP open on October 15. Findings discovered in October cannot. The cost of a finding multiplies when remediation must happen during peak production with insufficient time and stretched supervisory attention.

Domain 1: Licensing and Appointment Status

Pull the full agent roster and validate three things on every name: state license status (active, in good standing, with no pending disciplinary action), AHIP certification for the current plan year for every Medicare-selling agent, and carrier appointment status across every carrier the agent quotes. The last one is where principals find surprises — an agent whose carrier appointment lapsed in May is selling that carrier's plans illegally in July, and the agency's record gets the finding.

The artifact: a single spreadsheet with one row per agent and one column per requirement, dated as of the audit run. Anything red gets a remediation owner and a 30-day close-by date. As we discussed in our AEP preparation checklist, this is the single compliance artifact that closes the most regulatory exposure for the lowest hours invested.

Domain 2: Recording Capture Completeness

Every CMS-regulated call must be recorded and retained per CMS retention requirements (typically 10 years for Medicare). The audit question is not "do we record" but "did we record every call." Sample 50 dispositioned Medicare calls from the prior 90 days and check: is there a recording, is it audible end-to-end, did it capture both sides, and does the recording length match the disposition's call length? Any gaps are a finding.

Missing recording = retention violation

A missing recording on a Medicare enrollment call is not a "we will fix that next time" issue; it is a retention-rule violation, and the only safe remediation is universal capture — recording on, no agent-side toggle, every call. Audit findings here drive a rapid platform-level fix, not a retraining memo.

Domain 3: Disclosure-Rate Sampling

CMS marketing rules require specific disclosures on Medicare sales calls — "this is an advertisement," "we do not offer every plan available in your area," and the carrier-required language for the specific product. Sample 30 to 50 calls per agent across the prior 90 days and score them against the disclosure rubric. Compute a disclosure rate per agent, per queue, and per month; flag any agent below 95 percent for coaching, and any agent below 85 percent for immediate intervention.

AI compliance scoring makes this domain dramatically cheaper to audit than human sampling. Where a human reviewer takes 20 minutes per call, AI scoring across the entire 90-day call set produces a per-agent disclosure-rate report in seconds. The audit question shifts from "do we have a representative sample" to "do we trust the AI rubric to match human reviewer judgment" — a calibration exercise that is itself an audit artifact. As covered in our piece on AI versus human call monitoring, the right answer is calibrated AI scoring with human spot-checks for ambiguous cases.

Domain 4: SOA, PTC, and Consent Documentation

Medicare Scope of Appointment forms, Permission to Contact records, and TCPA written-consent capture are the three documentation artifacts that auditors ask for first. The audit question: pull 30 SOAs, 30 PTC records, and 30 consent records from the prior 90 days. Every one must be findable in seconds, complete, and tied to the specific call it authorized. Missing artifacts are findings; mismatched artifacts (the PTC was for Medicare Advantage but the agent quoted Medicare Supplement) are bigger findings.

The remediation is process, not paperwork. If 5 of 30 SOAs are missing or incomplete, the workflow that captures SOAs has a hole, and patching individual records does not fix the next 100 calls. Trace the failure back to the agent workflow, the platform tooling, or the supervisor enforcement, and close it there.

Domain 5: TCPA and Outbound Practices

The TCPA and FCC abandonment-rate rule cap dropped calls at 3 percent of live answers, per the FTC Telemarketing Sales Rule (16 CFR 310.4(b)(4)). The audit pulls 90 days of dialing data, computes the abandonment rate per dialer, queue, and time of day, and flags any window where the agency exceeded the threshold. DNC scrubbing logs are checked for completeness; manual exception lists (carrier-approved suppress lists, customer opt-outs, internal DNC) are spot-validated against actual dial activity.

Agencies that run agent-initiated click-to-call instead of multi-line predictive dialing rarely have a finding here, and the audit becomes a confirmation rather than an investigation. Agencies that still run predictive should treat this domain with extra rigor — this is the area where a single TCPA class action can exceed years of efficiency gains.

Domain 6: Recording Retention and Access Control

Recordings are PHI when they discuss enrollment in Medicare or other regulated products. The audit confirms three things: retention schedule matches the regulatory minimum (10 years for Medicare; varies by state and product otherwise); access is role-restricted with an audit log; and disposal of recordings beyond retention is itself logged. NAIC market-conduct examiners have asked for these audit logs in recent exams; agencies that cannot produce them have a finding.

Recording retention sample matrix

Product line        | Federal minimum   | State variation
Medicare MA/PDP     | 10 years (CMS)    | No state shorter than CMS
Medicare Supplement | State DOI driven  | 3–7 years typical
ACA Marketplace     | 10 years (CMS)    | State variation possible
Final Expense       | N/A federally     | 3–5 years typical
P&C lines           | N/A federally     | 3–7 years typical

Domain 7: Marketing Material Inventory

Every piece of carrier-supplied or agency-produced marketing material in current use must be inventoried. CMS-required materials must be the current plan-year version; carrier-required disclaimers must be present; agency-produced materials must be carrier-reviewed and on file. The mid-year audit catches the August surprise where last year's flyer is still on the website with last plan year's premium and last plan year's required disclosures.

This domain extends to digital channels. Inbound web forms, email sequences, SMS templates, and social media ads all qualify as marketing material under CMS rules. Pull a representative sample of each and verify against the current plan-year disclosure requirements. As covered in our CMS marketing guidelines for 2026, the digital surface area is where most agencies have stale material that nobody has touched in 18 months.

The 30-Day Audit Calendar

How to actually run it without disrupting the floor

  • Week 1: Licensing & appointments. — Compliance director pulls roster, validates against state DOI, AHIP, and carrier portals.
  • Week 2: Recording & retention. — Sample 50 calls, validate capture; pull retention logs and access audit trails.
  • Week 3: Disclosures, SOA, PTC, TCPA. — Sample-based scoring, compute per-agent rates, flag outliers.
  • Week 4: Marketing inventory & report. — Catalog materials, write findings, present to principal with remediation plan.

The Findings Memo

The audit produces a single document the principal signs: a findings memo with three sections. Critical findings (anything a CMS or NAIC examiner would flag immediately) get a 30-day close. High findings get 60 days. Medium findings get 90 days, with the principal explicitly accepting that those will close before AEP open. Anything below medium is documented as "monitored" rather than left undocumented — auditors prefer a transparent risk register to a clean memo that ignored 12 known issues.

Each finding has an owner, a remediation step, a target close date, and a verification method. Critical and high findings have the principal's signature; medium findings can be signed by the COO or compliance director. The signed memo is itself an audit artifact: it shows that the agency identified its own issues, prioritized them, and held leadership accountable.

The compliance posture story

When a CMS audit letter arrives, the most powerful document the agency can produce is a year-over-year mid-year audit memo, signed, with closed findings checked off. This is the artifact that distinguishes "we have a real compliance program" from "we have a binder we have not opened in 14 months." Examiner conversations go materially better when this memo is in front of them.

Key Takeaways for Agency Operators

  • Mid-year is the only realistic window. — Q1 cleanup, Q4 AEP, Q2/Q3 audit.
  • Seven domains, one memo. — Licensing, recording, disclosure, consent, TCPA, retention, marketing material.
  • Findings get owners and dates. — Critical 30 days, high 60, medium 90; everything closed before October.
  • AI compliance scoring is the leverage. — Sample-based audits become full-population audits at a fraction of human cost.
  • The signed memo is the audit artifact. — Year-over-year evidence beats reactive scrambling when the regulator arrives.

The mid-year self-audit is what separates agencies that pass CMS audits from agencies that get sanctioned by them. The work is not glamorous, the findings are sometimes embarrassing, and the principal who signs the memo is exposed in a way that "we did not run an audit" never gets exposed in court. That exposure is precisely the point. The agencies that own their compliance posture proactively are the agencies still selling Medicare in 2030; the agencies that hope nobody asks are the cautionary tales their competitors point to.

Surface findings before the regulator does

AgentTech's AI compliance scoring runs on every call and builds a 90-day, 180-day, and year-long compliance history per agent, queue, and product. The mid-year audit becomes a review of evidence the platform already produced — not a frantic sampling exercise. The findings the regulator would have surfaced surface in your monthly compliance review first.
