Applied Epic Audits: Building a Practice Across People and Data
Why Written Workflows and Audits Go Together
Having written workflows is the starting point. Auditing is what verifies your staff are following those workflows.
When your agency documents its procedures, it raises the bar your staff is held to. A signed application on file, a coverage rejection form, a service summary row moved to the correct stage: these become expectations, not suggestions. That is a good thing.
The gap that creates exposure is implementing those standards without verifying they are being followed. Your E&O insurance carrier asks whether you have written procedures. Having them on paper but never checking compliance means you have documented a standard you cannot demonstrate you are meeting. That is a more exposed position than vague expectations.
The audit closes that gap. It converts your written workflows from documentation into a genuine, demonstrable standard.
E&O carriers treat a documented audit program as evidence of operational discipline, not just compliance intent. Several major association-backed E&O programs offer agencies meaningful premium credits for completing a formal agency audit and implementing its recommendations. The discount varies by program and carrier, but the existence of the incentive reflects how underwriters actually view audit practice: as a concrete risk reduction factor.
Monitoring and Auditing Are Not the Same Thing
The ongoing monitoring layer and the account-level audit are not the same thing.
Ongoing monitoring is what you do continuously in Epic through reports. Service Summary Row Stages sitting too long In Process. Overdue activities. Policies past their expiration date with no status change. Commission discrepancy reports. This is maintenance work. It catches things falling through the cracks in real time.
The account-level audit is a deliberate, scheduled review of how a specific account manager’s work holds up against your documented workflows. It is time-boxed, it produces a score, and it feeds into performance management.
Treat them as two different rhythms. Monitoring is ongoing. The account-level audit is at least annual per person.
What the Ongoing Monitoring Layer Checks
These are the reports your operations manager or department supervisor should be running regularly, not just when something looks wrong.
Service Summary Row Stages
Once coverage is bound, the policy should move from In Process to Submitted. Once issued, it moves to Issued. Submitted means you have ordered the policy from the carrier. In Process means nothing definitive on its own.
Start by running reports for Service Summary Rows that have been “In Process” for more than 7 days, sorted by type (New Business, Renewal, Endorsement, Cancellation), along with a report of Service Summary Rows that have been “Submitted” for longer than 60 days.
A separate flag worth watching is policies still sitting in Submitted stage beyond 90 days. Standard markets and most carriers typically issue policies well within that window. Anything sitting in submitted beyond 90 days is unusual enough to warrant a specific look: the policy has not been issued, and until it is, you cannot verify that the coverage matches what was bound.
Smaller agencies often leave policies In Process until they are forced to update the stage to issue a certificate or add a claim. That habit is worth correcting in training before it shows up as a pattern in the audit.
Overdue Activities
An Open Activity is a suspense item. Something is being waited on: a signed form, a policy document, a client response. When people close activities before that thing arrives, they lose the thread.
A cancellation request documented in November, followed up once in January, with no open activity after that and no signed cancellation release, means the policy is still technically in force months later. Nobody was tracking that the process was incomplete. Run overdue activity reports regularly. A pattern of closed activities with no resolution is both a training signal and an audit flag.
One caveat on overdue activity reports: some agencies extend follow-up dates on open activities rather than closing them prematurely. As long as the follow-up date keeps advancing, the activity never surfaces as overdue, even if it has been open for months.
If your team uses this approach, the overdue report will not catch aged items. The more reliable check is calculating the number of days between when an activity was entered and its current follow-up date, and filtering for activities where that span exceeds what is reasonable for the type of work that activity represents.
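The span check described above, as an added example (not part of the original article and not Applied's own code). It assumes the open-activities report has been exported to CSV with the hypothetical columns ActivityID, Type, EnteredDate and FollowUpDate; the per-type day limits are also assumptions to replace with your own workflow standards.

```python
import csv
import io
from datetime import date

# Hypothetical limits: the longest acceptable span, in days, between the date
# an activity was entered and its current follow-up date, per activity type.
MAX_SPAN_DAYS = {
    "Signed Form Request": 30,
    "Policy Receipt": 90,
    "Cancellation Follow-Up": 45,
}
DEFAULT_MAX_SPAN_DAYS = 30  # assumption: applied to types not listed above

# Constructed sample export of OPEN activities (not real agency data).
SAMPLE_EXPORT = """\
ActivityID,Type,EnteredDate,FollowUpDate
A-1001,Signed Form Request,2025-01-10,2025-06-15
A-1002,Policy Receipt,2025-04-01,2025-06-10
A-1003,Cancellation Follow-Up,2024-11-12,2025-05-20
A-1004,Client Callback,2025-05-20,2025-06-03
A-1005,Signed Form Request,2025-05-01,
"""


def find_aged_activities(csv_text, today, limits=MAX_SPAN_DAYS,
                         default_limit=DEFAULT_MAX_SPAN_DAYS):
    """Return (aged, unreadable).

    aged: open activities whose entered-to-follow-up span exceeds the limit
          for their type, longest span first. Each entry records whether a
          plain overdue report (follow-up date before today) would list it.
    unreadable: IDs of rows with a missing or malformed date, so they are
          reviewed by hand instead of being silently dropped.
    """
    aged, unreadable = [], []
    for row in csv.DictReader(io.StringIO(csv_text)):
        try:
            entered = date.fromisoformat(row["EnteredDate"].strip())
            follow_up = date.fromisoformat(row["FollowUpDate"].strip())
        except (KeyError, ValueError, AttributeError):
            unreadable.append(row.get("ActivityID", "?"))
            continue

        activity_type = (row.get("Type") or "").strip()
        span = (follow_up - entered).days
        limit = limits.get(activity_type, default_limit)
        if span > limit:
            aged.append({
                "id": row["ActivityID"],
                "type": activity_type,
                "span_days": span,
                "limit_days": limit,
                # False means the follow-up date was pushed past today, so
                # the overdue report alone would never surface this item.
                "on_overdue_report": follow_up < today,
            })

    aged.sort(key=lambda a: a["span_days"], reverse=True)
    return aged, unreadable


if __name__ == "__main__":
    aged, unreadable = find_aged_activities(SAMPLE_EXPORT, date(2025, 6, 1))
    for a in aged:
        note = "" if a["on_overdue_report"] else "  <- not on overdue report"
        print(f'{a["id"]}  {a["type"]}: {a["span_days"]} days '
              f'(limit {a["limit_days"]}){note}')
    print("Rows needing manual review:", unreadable)
```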
Policies Past Their Expiration Date
Any policy past its expiration date that has not been updated to Lapsed, Cancelled, or Non-Renewed is a gap. Someone should be reviewing that list on a regular schedule.
Commission Discrepancy Reports
Epic has two built-in transaction reports for commission gaps: one identifies discrepancies between transacted producer/broker commissions and the commission agreements on file, the other does the same for company commission agreements. Surprisingly often, agencies do not run them.
The most common gap the first one surfaces is a commissionable producer shown as a servicing contact while the Pr/Br Commission tab on the policy still reflects the house account.
Download Error Log
This one is easy to miss entirely because most account managers do not know it exists. In Epic, under Procedures, Interface Management, and then Download Results, you can filter for errors across any date range going back up to 90 days.
Errors include carrier configurations where no NAIC code has been set up, broker download transactions where an NPN number is missing, and claims download not enabled for a specific issuing company. Each of those means a transaction was silently rejected: a policy that did not update, a commission that did not record, data that did not flow in.
Because the log only goes back 90 days, this is not something you can review once a quarter and catch up. Someone needs to be checking it regularly. In larger agencies, download processing is a dedicated role. In smaller agencies it is often nobody’s explicit responsibility, which is how errors accumulate unnoticed until a commission reconciliation or a carrier inquiry surfaces them.
One Thing Monitoring Cannot Expose
Whether someone is composing emails from within Epic or writing them externally and dragging them in looks identical in the data. The only way to know is direct observation.
Report-based monitoring has a ceiling, and the account-level audit is where those behavioral gaps surface. While composing emails outside of Epic is not technically incorrect, it does add additional steps to make sure the communication is documented per your workflows in Epic.
For more on Office 365 integration, email templates, and other high-impact Epic items, see our Applied Epic Optimization Guide.
Setting Up the Account-Level Audit to Actually Work
Three things have to be in place before the first account is reviewed.
Written Workflows Come First
The audit checklist is built directly from your documented workflows, step by step. Without them, there is no agreed standard to measure against. Without a standard, the audit reflects whoever is doing the looking as much as the work being reviewed.
What are you auditing without documented workflows? You’re auditing on mood. Audits are meant to be objective. They need replicable and clear criteria.
If your agency is using Applied’s default boilerplate workflows, those still define a standard. The checklist is built from whatever steps your agency has committed to, whether you wrote them from scratch or adopted them at go-live. What matters is that they exist in writing, and that your staff knows they are the expected standard.
The structure of the checklist is something each agency needs to work out for itself. At minimum it should reflect which steps carry the most weight for E&O exposure, which steps belong to which role, and a scoring approach that makes findings objective rather than impressionistic.
The goal is that two different auditors reviewing the same account arrive at the same result. That is what makes findings defensible in a performance conversation.
Who Conducts Account-Level Audits
A dedicated auditor whose only job is auditing produces the most objective results. No divided attention, no personal relationship to protect. This is the best-case option and also the rarest. Training and auditing roles are not seen as revenue generators, and they are the first positions cut when budgets tighten.
A supervisor, manager, or trainer taking on auditing as an additional responsibility is what most agencies actually do. The trainer is worth considering specifically: someone without a personal book has workflow knowledge, independence from the team being audited, and time not tied to client servicing.
Peer review is consistently underestimated. One account manager audits another’s work using the same checklist. It reinforces workflows and produces genuine learning: seeing how a colleague handled a situation you have been handling differently is oftentimes more instructive than a training session.
The risk with peer review runs in both directions. Without a scored checklist, someone auditing a colleague they dislike will find problems everywhere. Someone auditing a friend will find very few. The checklist removes personality from the exercise because the question is never “does this seem adequate” but simply “did this step occur”.
Peer review works best as a complement to manager-led auditing, not a standalone replacement. It gives you volume and reinforcement without placing the full weight of a formal performance finding on a colleague relationship.
What Employees Should and Should Not Know
These are two separate and intentional things.
What employees should know. From the moment someone completes training and acknowledges the workflows they are expected to follow, every part of those workflows is open to audit. That framing belongs in the training acknowledgment itself. An employee who knows they may be audited at any point has a reason to follow the workflow on every account. It is a stated standard, not surveillance.
What employees should not know. Which specific accounts are currently selected for review. If people know which accounts are under scrutiny, they will go into Epic and fix things before you look. The audit measures what actually happened, not what gets reconstructed after the fact.
Transparency about the existence and purpose of auditing is a feature. Transparency about which accounts are currently open is a risk.
Selecting the Right Accounts
The instinct is to audit your largest accounts. They carry the most revenue and the most visible downside. That instinct points in the wrong direction.
Large accounts get attention. Staff document them more carefully and follow up more consistently because the stakes feel high. Large clients are also more likely to have a risk manager on their side who notices discrepancies. The agency is not the only set of eyes on those accounts.
Smaller accounts are where gaps accumulate. They receive less attention precisely because they feel lower-stakes. The client potentially has minimal to no internal insurance expertise and depends entirely on your agency. If documentation is thin on a small account, nobody notices until there is a claim. This is your largest surface
When auditing 10 accounts, take 5 from the top of the book by commission and 5 from the smaller end. You are testing the full range of how someone works.
Setting Realistic Expectations for Audits
Aim for 10% annually, either 10% of clients or 10% of policies depending on your book mix. The distinction matters: a commercial book with few clients but many policies per account is a different calculation than a personal lines book with many clients and one or two policies each.
20% is achievable but only with a dedicated auditor whose sole responsibility is auditing. For anyone carrying other duties, 10% is already a substantial time commitment.
Auditing every quarter is not realistic unless auditing is someone’s full-time role. The practical cadence is once per year per account manager, timed at least 6 months before performance reviews. That gives you room to find problems, communicate them, and re-audit before they are formally evaluated.
When to Pull the Accounts
Run a book of business report or expiration report for the account manager and filter for accounts 3 to 6 months past their effective date. Brand-new accounts do not have enough on file to audit meaningfully. Accounts close to renewal are too late to evaluate the new business workflow accurately.
Where do these numbers come from? At 3 to 6 months, the file should show how quoting was documented, how binding was handled, how the policy was received and distributed, and the beginning of servicing activity: endorsements processed, certificates issued. That is a complete picture of how someone works.
A different approach entirely is running the Book of Business Report 60 to 120 days before expiration to review accounts approaching renewal before the renewal workflow begins. The goal is not performance measurement but renewal readiness: catching documentation gaps, incomplete service summary rows, or missing data before the account enters the renewal cycle rather than after.
Start with Reports, Not with Accounts
Before looking at any account in Epic directly, run four reports for the accounts you have selected.
Activities including Notes. Shows whether activities exist, whether they are open or closed, and whether the notes tell the story of what happened. Export to Excel and read it before opening anything in Epic.
Attachments list. Shows everything attached to the account, with document descriptions and filing locations. You can verify whether things were attached on or about the time they occurred without opening the account itself.
Anything client-related should be attached on or about the time it occurs. An account with only a policy document and a transmittal letter across six months of activity is a significant finding.
Service Summary Rows. Confirms whether stages moved correctly for every bound policy and endorsement. Rows sitting in process or submitted with no movement tell you where to go deeper.
Transactions and Production Report. Confirms invoicing happened, the policy was bound and recorded, and gives you a cross-reference against what the activities claim occurred.
Review all four before opening any account. Flag what the reports identify as needing investigation. Then go into those specific accounts to examine what the reports flagged. This keeps the audit grounded in evidence and prevents it from becoming a wandering inspection.
Audit Results, Performance Reviews, and the 6-Month Rule
Audit findings have no value unless they change behavior. That behavioral standard starts long before the first audit, in how you train and onboard staff in your Applied Epic. The audit measures whether that investment held.
You need to share audit results with the employee and their direct manager together. Document findings formally. For every deficiency, set a clear expectation for what correction looks like, a timeline for re-audit, and a written record that both parties have acknowledged the findings.
The audit should happen at least 6 months before annual reviews. The reason is structural. When deficiencies surface at the audit, you need time to communicate them constructively, give the employee a genuine opportunity to correct them, and re-audit before the performance review.
An employee who hears for the first time at their annual review that they have been skipping documentation steps for eleven months has been given no opportunity to address it. That is the worst version of this process.
Watch for pattern failures alongside total scores. An employee who clears the overall threshold but consistently misses a specific step has a training problem, not a performance problem. Consistent gaps on a single item need targeted retraining regardless of whether they passed the audit.
A manager who says “your work has gaps” is making a judgment. A manager who says “across 10 accounts, this specific step was missing in 7 of them” is presenting findings. The employee can meaningfully respond to the second in a way they cannot to the first.
When the Carrier Audits Your Agency
Most agencies do not think about this until they are experiencing a carrier audit.
Your carrier agreement typically includes a clause, sometimes a vaguely broad one, giving the carrier the right to audit your agency. Carriers can physically come to your office, provide a list of accounts they want to review, and request a temporary login to your management system.
What triggers a carrier audit. It can be routine. More often there is a specific reason: an E&O dispute, a coverage question, an irregularity that surfaced through a claim. A single contested claim can trigger a carrier to audit everything you have written through them.
Carriers typically review the same core set of items. Signed applications on file, signed coverage rejection forms for coverages the client declined, current E&O coverage for your agency, producer licenses, and the carrier agreement itself. Most agencies attach that agreement to the carrier’s company or broker record in Epic, and it is a good place to keep it.
One detail is worth getting right on signed applications. Carriers want the client’s signature, not the producer’s. For most personal lines and smaller commercial accounts, a standard carrier may not require a signed app to bind coverage, but the agency should require one regardless. An e-signature is generally sufficient, though certain specialty and management liability coverages still require a wet signature. If there is any ambiguity about what a client agreed to at the time of binding, the signed app is your documentation.
Claim reporting compliance is worth understanding specifically. If a client tells you about a situation that could become a claim, your contractual obligation to report it to the carrier exists regardless of whether the client would prefer to handle it out of pocket. Not reporting a known potential loss is a separate contractual violation from the underlying claim.
The practical approach is to build your documentation standard to the most demanding carrier’s requirements and apply it uniformly. Your staff should not need to remember that one carrier requires signed exclusion forms and another does not. When the carrier audit comes, your documentation holds across the book because it was built that way.
What the Data Audit Actually Checks
Everything covered so far is about people: whether your staff are following documented procedures on actual accounts. The data audit asks a different question.
Is what is in Epic accurate at the configuration level, independent of what any individual account manager did?
These are systemic problems. They exist across hundreds or thousands of records simultaneously, usually tracing back to a single configuration decision made wrong at some point and never corrected.
Account Level
Done at the right cadence, the review becomes evidence-based. Servicing-related deficiencies were noted. The employee addressed them. Re-audit confirmed improvement. That is a meaningful evaluation.
The basic question is whether required fields hold real data. Not placeholder entries, not fake phone numbers, not internal email addresses standing in for a missing client contact. Business accounts should have an individual primary contact, not just the business name.
Policy Level
Check that status has moved from Prospective to Contracted. Verify the correct ICO and PPE are assigned separately. Confirm Billing Type is accurately recorded, Commission percentage is entered, Servicing Contacts are populated and up to date, and the Pr/Br Commission tab is accurate for any commissionable producers/brokers.
Carrier Record Level
This is the admin audit rather than the end-user audit. Check for duplicate PPE entries for the same payable entity. An agency with four different Travelers PPE codes, each meaning the same thing, creates a situation where account managers do not know which one to choose, and production reports cannot aggregate correctly.
Check that every ICO record has an NAIC number assigned. The NAIC number is what outputs onto certificates, evidences of insurance, and auto ID cards. An ICO record without one, or one incorrectly flagged as a billing entity, means proofs issued through that record will not accurately reflect the Issuing Company.
The ICO is the subsidiary whose name appears on the policy document. The PPE is the entity you pay premiums to or who pays commissions out. Travelers alone may have around 25 ICO subsidiaries under a single PPE. When these are set up correctly and kept distinct, everything downstream works. When they are conflated or duplicated, downloads, commission matching, and proof generation will be broken.
One distinction that matters for reporting: Line Status Codes drive Book of Business Reports that look forward at your active policies. Transaction Codes drive Production Reports that look backward at invoiced activity. Both need to be accurate, but for different purposes and in different reports.
The Annual E&O Application as a Forcing Function
Every agency carries its own E&O coverage, and renewing it requires reporting your premium volume split by market type and by line of business. Standard versus surplus lines. Auto, GL, property, workers’ compensation, umbrella.
If your PPE records are duplicated or your surplus lines brokers are miscoded as Issuing Companies, Epic cannot produce clean premium volume by market. If your Policy Types are inconsistent or catch-all types have been used where specific ones should exist, the Line of Business totals are unreliable. Either way, the application requires manual correction before the numbers are credible enough to submit.
Agencies that have cleaned up their carrier records and policy type configuration discover the practical value of that work concretely at E&O renewal time.
A Note on Acquisitions
An agency migrating from AMS360 often brings as many as 15 duplicate entries for the same insurer because of how that system structured its carrier relationships. Worth checking after your conversion’s go-live, before anything stray surfaces in a commission reconciliation or affects how proofs are generated.
Converting data from an acquired Agency Management System comes with its own host of challenges and involves a lot of work. Very often, it’s hardly comprehensible to anyone outside your data conversion roles. Here are a few resources about this topic:
- [blog] Data Migration in Agency Acquisitions
- [blog] Data Mapping Guide with P&C Insurance Examples
- [solution] Migration to Applied Epic
Security Configuration
The recommended way to manage user access in Epic is through Security Groups: each group defines what its members can see and do across the system. The correct practice is to manage all permissions at the group level and never assign rights directly to individual users. In reality, someone always does. An admin under time pressure cannot find the right group setting and grants the individual right instead. It is a quick fix that never gets cleaned up.
There is no easy way to identify who has deviated from their Security Group’s standard configuration. You cannot see individual deviations from a group report. The only way to check is to run a per-person security report, which runs to dozens of pages per person and must be reviewed one employee at a time.
In an agency of any size, that is not a review that happens regularly or at all. Rights accumulate, access expands quietly, and nobody has a current picture of who can actually do what inside Epic.
This is a potential security risk that persists invisibly because reviewing it one record at a time is not practical, and there is no way to track when individual rights were granted.
Where the Data Audit Leads
The workflow audit is account-by-account by design. That is the right scope for measuring whether your servicing staff followed a procedure on a specific account. It is not the right scope for fixing what the data audit finds.
The problems described in this section share a characteristic. They are not isolated to one account or one producer. Duplicate PPE entries, missing NAIC numbers, ICO misconfigurations, gaps in producer commission assignments: these exist across your whole dataset simultaneously, usually because a configuration decision was made wrong at some point and never corrected. Finding them is one step. Correcting them is another entirely.
Producer commission data is a specific example worth understanding. The commission agreement checkbox on a policy’s Pr/Br Commission tab is not a required field in Epic. You cannot make it required. In a busy agency, policies get created without it routinely, across hundreds of accounts, and nobody notices until a discrepancy report surfaces the gap.
When a producer leaves and a new one takes over, commission agreements need to be reassigned across every affected policy. When an acquisition brings in a Book of Business, the incoming producers were not on any Pr/Br Commission tabs during migration and every policy needs to be updated retroactively.
Epic has a native Producer/Broker Reassignment Utility for this. It works, but it has no undo. Run it incorrectly and every affected policy requires manual correction. Admins who have learned this the hard way approach it with caution, which means corrections that should take a day get deferred for weeks. The same logic applies to Carrier record normalization, Structure Group changes, and Employee Configuration updates: the scale of the correction is what makes it hard, not the complexity of any individual fix.
This is Enterprise Admin work, not servicing work. The account managers who follow workflows on individual accounts are not the people who fix systemic data problems across the book. These operate at different levels of the system. The data audit identifies which level has the problem. Fixing it requires operating across records in bulk.
Moving From Finding Data Problems to Fixing Them
Epic is designed for one-at-a-time human operation. That design serves your producers and account managers exceptionally well. For Enterprise Admins working across hundreds or thousands of records, that same design creates a volume problem.
Yes, they can look up and enter every record, and fix the fields. Yet this is far from what they need to fix issues at scale fast. It can take several or dozens of clicks to fix just one record, which adds up when multiplied by the number of items.
Correcting ICO records across hundreds of policies, updating Pr/Br Commission tab across a book, configuring Employees after an acquisition, moving accounts between branches, changing Profit Centers. Many admin operations require opening each record individually in Epic’s native interface. The manual approach can consume days or weeks of staff time depending on the scale. That cost repeats every time a similar operation comes up.
RecordLinker gives your Enterprise Admins bulk-friendly controls for exactly this work, with the ability to review and approve changes before anything syncs to your Applied Epic. Specifically:
- Carrier records – normalize ICO and PPE configurations, add missing NAIC numbers, find duplicates, compare your carriers against AM Best Tree
- Policy and Line-Level Operations – update line-level fields in bulk or review policy-level settings affecting top-level reporting and data quality
- Pr/Br Commissions – reassign and correct commission settings on a set of policies with selected employees
- Workload Reassignments – reassign an entire servicing team when a producer retires or changes role, split reassignments across multiple producers, and review exactly what changes before it syncs
- Structure Group Management – centrally review and bulk-edit your agency’s structures, and spot employees whose settings deviate from your presets without checking individual records
- Employee Configurations – bulk-create or edit employees, configure settings across hundreds of records in one pass instead of tab by tab
- View Others Permissions – build and push configurations across your full team in a single operation
This is the work that determines whether your top-level reporting is accurate, your commission reconciliation closes cleanly, and your ongoing data accuracy drift stays manageable.