Auditing E-Policy Issuance Under IRDAI Rules in 2026: A Practical Framework for Brokers and Insurers

A working framework for auditing electronic policy issuance against IRDAI rules in 2026, covering PAS-CSV control gates, stamp duty compliance, wording version traceability, and the inspection patterns IRDAI uses most often.

Sarvada Editorial Team, Insurance Intelligence

Tags: e-policy-issuance, irdai-audit, policy-administration, stamp-duty, wording-version, compliance-audit, broker-operations

Last reviewed: May 2026

Why E-Policy Issuance Has Become an Audit Priority

Electronic policy issuance has been the dominant mode of commercial policy delivery in India since 2020, accelerated by IRDAI's e-Insurance Account (eIA) mandate and the 2024 master circular requiring digital-by-default policy documentation for most commercial lines. The transition was driven by efficiency, but the unintended consequence has been an expansion of the surface area on which audit and inspection findings now concentrate. Where paper policies generated audit issues mostly around physical storage and signature integrity, e-policies generate issues around system-level controls, version traceability, stamp-duty compliance, and the integrity of policy-administration system (PAS) workflows.

IRDAI inspections in the 2024-2026 cycle have shifted in emphasis. Inspection teams now ask for system-level evidence: PAS audit logs, segregation-of-duty mappings, change-control records for wording libraries, and reconciliation reports between PAS-generated CSV exports and books-of-account. Brokers and insurers who treated digital policy issuance as a simple migration of paper workflows have encountered material deficiency findings, with several mid-market broker firms receiving formal observations during 2025 inspections.

The practical implication for both brokers and insurers is that e-policy issuance now requires a defined audit framework, not an ad-hoc operational practice. This post lays out the control gates, the stamp-duty mechanics, the wording-version traceability requirements, and the inspection patterns that an audit of e-policy issuance should cover for an Indian commercial insurance setting in 2026.

The stakes are material. A mid-market broker firm placing INR 200 crore of annual premium across multiple insurers and lines processes roughly 1,200 to 2,000 policies annually, plus a multiple of that in endorsements. Even a 2% error rate on policy-issuance controls translates into 25-40 problematic policies per year, any one of which can become a coverage dispute or a regulatory finding. The economics of investing in audit discipline are dominated by the avoidance of these tail outcomes, not by routine efficiency gains.

PAS-CSV Control Gates: Where E-Policies Most Often Fail

The PAS-CSV is the standard export format used by Indian insurers and brokers to extract policy issuance data from their policy administration systems for reconciliation, regulatory reporting, and audit. The export typically contains policy number, insured name, insurer, line of business, sum insured, premium, brokerage, GST, effective dates, intermediary code, and various status fields. The reliability of the audit framework depends on the integrity of this CSV and on the controls around the workflow that generates it.

The key control gates that an auditor should evaluate are:

  1. Proposer-to-policy reconciliation. Every issued policy must trace back to an accepted proposal form with documented underwriting acceptance. Auditors should sample policies and confirm that the proposal-form-to-policy link is recorded in the PAS, with timestamps showing proposal acceptance preceded policy issuance. A common deficiency is policies issued before formal proposal acceptance, particularly for renewals where the previous-year proposal is treated as a continuing acceptance without explicit re-confirmation.
  2. Premium-to-policy reconciliation. The premium recorded in the PAS for each policy must reconcile to actual premium received from the policyholder (or the broker's premium-receivables ledger for unremitted premium). The CSV should expose premium-receipt status and reconciliation flags. A common deficiency is policies issued and reported as in-force while the premium remains uncollected, which under IRDAI norms voids the policy unless the credit-period exception applies.
  3. Wording-version assignment. Every policy must carry an explicit wording-version identifier linking it to a specific approved policy wording in the insurer's wording library. The CSV should expose the wording-version code, and the audit should verify that the version was current and approved at the time of issuance. A common deficiency is policies issued with deprecated wording versions, particularly after wording revisions are made mid-year.
  4. Intermediary attribution. For broker-placed business, the PAS must record the IRDAI broker registration number, the specific broker handler, and the brokerage percentage applied. A common deficiency is intermediary attribution that does not reconcile with the broker's own records, leading to commission disputes.
  5. Endorsement traceability. Every endorsement issued post-policy must be linked to the parent policy in the PAS, with a numbered sequence, timestamp, and reason code. A common deficiency is endorsements that exist in physical or PDF form but are not linked to the parent policy in the PAS, breaking the audit chain.

Auditors should sample at minimum 30 policies per quarter across multiple lines of business and run these five reconciliations end-to-end. Failures at any of the gates should be logged with severity classification: severity 1 (policy in-force with unresolved deficiency), severity 2 (documentation gap with no operational impact), severity 3 (procedural irregularity). Severity 1 findings should trigger an immediate remediation workflow.

The PAS-CSV format is not formally standardised across Indian insurers, which complicates broker-side reconciliation when policies are placed across multiple insurers. Brokers should map each insurer's CSV format to their internal canonical format and document the mapping, because IRDAI inspections increasingly ask for evidence of this reconciliation discipline at the broker level.
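
The five control gates above can be run as one automated pass over a canonical export. The script below is an added example, not part of any PAS or of the original framework; the column names, wording library, broker records, endorsement register and the gate-to-severity mapping are all constructed assumptions.

```python
import csv
import io
from datetime import date, datetime
from decimal import Decimal

# Constructed sample export. Column names are assumptions: the PAS-CSV is not
# standardised, so each insurer's columns must be mapped to this layout first.
SAMPLE_CSV = """\
policy_no,proposal_accepted_at,issued_at,premium_due,premium_received,credit_period,wording_version,broker_reg_no,brokerage_pct
P-001,2026-01-05T10:00,2026-01-06T09:00,100000,100000,N,FIRE-V3,BRK-EXAMPLE-1,10.0
P-002,2026-01-09T15:00,2026-01-08T11:00,250000,250000,N,FIRE-V3,BRK-EXAMPLE-1,10.0
P-003,2026-02-01T10:00,2026-02-02T10:00,80000,0,N,FIRE-V3,BRK-EXAMPLE-1,10.0
P-004,2026-02-10T10:00,2026-02-11T10:00,60000,60000,N,FIRE-V2,BRK-EXAMPLE-1,10.0
P-005,2026-03-01T10:00,2026-03-02T10:00,90000,90000,N,FIRE-V3,,12.5
"""
# Constructed wording library: version -> (approved_from, superseded_on or None).
WORDING_LIBRARY = {
    "FIRE-V2": (date(2025, 1, 1), date(2025, 12, 15)),
    "FIRE-V3": (date(2025, 12, 15), None),
}
# Constructed broker-side records: policy_no -> (registration no, brokerage %).
BROKER_RECORDS = {p: ("BRK-EXAMPLE-1", Decimal("10.0"))
                  for p in ("P-001", "P-002", "P-003", "P-004", "P-005")}
# Constructed endorsement register.
ENDORSEMENTS = [
    {"endorsement_no": "E-1", "parent_policy_no": "P-001", "seq": 1},
    {"endorsement_no": "E-2", "parent_policy_no": "P-001", "seq": 3},
    {"endorsement_no": "E-3", "parent_policy_no": "", "seq": 1},
]


def run_gates(csv_text, wording_library, broker_records, endorsements):
    """Return a list of (record_id, gate, severity) findings.

    Severity mapping is an assumption: 1 = in-force with unresolved
    deficiency, 2 = documentation gap, 3 = procedural irregularity.
    """
    findings = []
    rows = list(csv.DictReader(io.StringIO(csv_text)))
    known_policies = {r["policy_no"] for r in rows}
    for r in rows:
        pno = r["policy_no"]
        issued = datetime.fromisoformat(r["issued_at"])
        # Gate 1: proposal acceptance must exist and precede issuance.
        accepted = r["proposal_accepted_at"]
        if not accepted or datetime.fromisoformat(accepted) > issued:
            findings.append((pno, "proposal_after_issuance", 3))
        # Gate 2: premium received in full unless the credit-period flag is set.
        unpaid = Decimal(r["premium_received"]) < Decimal(r["premium_due"])
        if unpaid and r["credit_period"] != "Y":
            findings.append((pno, "premium_unreconciled", 1))
        # Gate 3: wording version must be approved and current on the issue date.
        window = wording_library.get(r["wording_version"])
        day = issued.date()
        if window is None or not (window[0] <= day
                                  and (window[1] is None or day < window[1])):
            findings.append((pno, "wording_not_current", 1))
        # Gate 4: PAS attribution must match the broker's own record exactly.
        pas_attr = (r["broker_reg_no"], Decimal(r["brokerage_pct"]))
        if broker_records.get(pno) != pas_attr:
            findings.append((pno, "intermediary_mismatch", 2))
    # Gate 5: every endorsement links to a parent, numbered 1..n without gaps.
    seqs = {}
    for e in endorsements:
        parent = e["parent_policy_no"]
        if parent not in known_policies:
            findings.append((e["endorsement_no"], "endorsement_unlinked", 2))
        else:
            seqs.setdefault(parent, []).append(e["seq"])
    for parent, nums in seqs.items():
        if sorted(nums) != list(range(1, len(nums) + 1)):
            findings.append((parent, "endorsement_sequence_gap", 2))
    return findings


def severity_one(findings):
    """Record ids that should enter the immediate remediation workflow."""
    return sorted({rid for rid, _gate, sev in findings if sev == 1})


if __name__ == "__main__":
    for finding in run_gates(SAMPLE_CSV, WORDING_LIBRARY,
                             BROKER_RECORDS, ENDORSEMENTS):
        print(finding)
```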

Stamp Duty Compliance: A Persistent Deficiency Area

Stamp duty on insurance policies is governed by the Indian Stamp Act, 1899 as adapted by individual state legislatures, with significant variation in rates and procedural requirements across states. For e-policies, the stamping process has been digitalised through state-level e-stamping platforms (SHCIL, MGSTC, and state-specific equivalents), but compliance discipline lags the technological capability.

The core stamp-duty obligations for an Indian commercial insurance policy are:

  • duty paid at the rate prescribed by the state of issuance (rates vary; commonly 0.04% to 0.1% of sum insured for property policies, with caps and minimums)
  • duty paid on the original policy and on each endorsement that materially affects the contract (increase of sum insured, addition of locations, extension of period)
  • duty evidence retained in a form admissible to the relevant state revenue authority and to IRDAI
  • stamp paper or e-stamp certificate numbers recorded against the specific policy and endorsement in the PAS

The most common deficiencies identified in IRDAI and state-revenue inspections include:

  1. Under-stamping: duty paid at a lower rate than applicable, often because the insurer or broker used a rate table that has been superseded by a state-level revision.
  2. Missed endorsement stamping: endorsements processed without separate stamp-duty payment, particularly for incremental sum-insured increases.
  3. Wrong-state stamping: duty paid in the state where the insurer's head office is located rather than the state where the policy is issued or the risk is located, depending on state law.
  4. Untraceable stamp records: stamp payments made but not linked to specific policies in the PAS, making audit reconciliation impossible.
  5. Late stamping: stamp duty paid weeks or months after policy issuance, creating a window during which the policy is technically inadmissible as evidence.

For brokers, the operational implication is that the broker's role in stamp-duty compliance must be clearly defined. Direct-broker arrangements typically place stamping responsibility on the insurer, but the broker should verify that stamping occurred before delivering the policy to the policyholder. Composite-broker arrangements involving reinsurance placement can place stamping responsibility on the broker for the reinsurance contract, particularly for facultative placements.

Auditors evaluating e-policy issuance should sample 25-50 policies per quarter for stamp-duty compliance, verify the rate applied against the current state schedule, confirm endorsement stamping, and reconcile stamp evidence to PAS records. The audit should flag any policy where stamp duty was paid more than seven days after policy issuance as a high-risk finding.

A secondary stamping issue affects multi-state risks. When a commercial policy covers locations across several states, some state stamp laws assert duty on the entire policy at the rate of the state where each location is situated, others on the head-office state of the insured, others on the issuance state. The variation is not academic; it has produced state-revenue demands on Indian insurers in past years. Brokers structuring multi-state placements should obtain a written stamping memo from the insurer documenting the stamping approach, particularly for industries like logistics, retail, and renewables where multi-state exposure is the norm.

Wording Version Traceability: The Most Common Source of Coverage Disputes

Indian insurers maintain wording libraries containing the standard policy wordings used for each line of business. These wordings are filed with IRDAI under the File and Use framework and are updated periodically to reflect regulatory changes, market practice evolution, or insurer-specific underwriting policy. A wording library typically contains hundreds of variants across SFSP, fire, marine, engineering, liability, and group-health products.

For a specific issued policy to be defensible at claim time, the audit chain must demonstrate that:

  • a specific wording-version identifier was assigned at issuance
  • the wording was IRDAI-approved (under file-and-use or use-and-file regimes) at the time of issuance
  • the wording text delivered to the policyholder matches the registered wording exactly
  • any deviation from the standard wording was processed as a formal endorsement with separate approval

The most common breakdown is the second item: wording revisions made mid-year, with policies continuing to be issued using the deprecated version because the PAS configuration was not updated. Auditors find policies issued in October referencing a wording version that was superseded in July, creating coverage uncertainty when a claim later arises.

A second common breakdown is the third item: the wording document delivered to the policyholder (typically a PDF generated by the PAS) differs from the IRDAI-registered wording due to a templating error, a missing clause, or a typo introduced during PAS configuration. Discrepancies of even a few words can become material if those words affect coverage scope.

The audit approach for wording-version traceability involves:

  1. extracting the wording-version identifier for each issued policy in the audit sample
  2. cross-referencing each identifier against the insurer's IRDAI filing dates
  3. fetching the PDF delivered to the policyholder and the IRDAI-registered text
  4. running a textual diff to identify discrepancies
  5. classifying discrepancies as immaterial (typography), material (clause language affecting interpretation), or critical (missing or added clauses)
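
Steps 4 and 5 of this approach can be automated once both texts are available as plain text. The sketch below is an added example, not the insurer's or IRDAI's tooling; it assumes the PDF has already been extracted to text with one clause per line, uses constructed sample wordings, and applies an assumed first-pass rule for the three classes that an auditor would still review.

```python
import difflib

# Typographic variants folded together before comparison (assumed rule).
_TYPOGRAPHY = str.maketrans({"\u2018": "'", "\u2019": "'", "\u201c": '"',
                             "\u201d": '"', "\u2013": "-", "\u2014": "-"})

# Constructed sample texts, one clause per line.
REGISTERED = """\
1. The Company shall indemnify the Insured against loss by Fire.
2. Loss caused by flood is covered up to the sub-limit stated in the Schedule.
3. The Insured shall give notice within 14 days of any loss.
4. This policy excludes loss arising from war and nuclear perils.
"""
DELIVERED = """\
1. The Company shall indemnify  the insured against loss by Fire.
2. Loss caused by flood is covered up to the sum insured stated in the Schedule.
3. The Insured shall give notice within 14 days of any loss.
"""


def clauses(text):
    """Split a wording into clauses, one per non-empty line."""
    return [ln.strip() for ln in text.splitlines() if ln.strip()]


def normalise(clause):
    """Fold case, spacing and quote/dash style so only wording changes remain."""
    return " ".join(clause.translate(_TYPOGRAPHY).lower().split())


def classify_discrepancies(registered, delivered):
    """Return (class, registered_text, delivered_text) for each discrepancy.

    immaterial: clause differs only in typography
    material:   clause present on both sides but its language differs
    critical:   clause missing from, or added to, the delivered text
    """
    reg, dlv = clauses(registered), clauses(delivered)
    matcher = difflib.SequenceMatcher(
        a=[normalise(c) for c in reg],
        b=[normalise(c) for c in dlv],
        autojunk=False,
    )
    findings = []
    for tag, i1, i2, j1, j2 in matcher.get_opcodes():
        if tag == "equal":
            # Same after normalisation; report raw differences as typography.
            for k in range(i2 - i1):
                if reg[i1 + k] != dlv[j1 + k]:
                    findings.append(("immaterial", reg[i1 + k], dlv[j1 + k]))
        elif tag == "replace" and (i2 - i1) == (j2 - j1):
            # One-for-one substitution: the clause exists but reads differently.
            for k in range(i2 - i1):
                findings.append(("material", reg[i1 + k], dlv[j1 + k]))
        else:
            # delete, insert, or uneven replace: clause count changed.
            findings.append(("critical",
                             " | ".join(reg[i1:i2]), " | ".join(dlv[j1:j2])))
    return findings


def worst_class(findings):
    """Highest class present, or None when the texts match exactly."""
    order = ["immaterial", "material", "critical"]
    present = [order.index(f[0]) for f in findings]
    return order[max(present)] if present else None


if __name__ == "__main__":
    for finding in classify_discrepancies(REGISTERED, DELIVERED):
        print(finding)
```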

Brokers can and should run wording-version checks on the policies they receive from insurers, particularly for large commercial placements where coverage disputes at claim time can run into multiple crore. A broker who identifies a wording-version discrepancy at policy issuance can have it corrected promptly; a broker who discovers it during a claim is in damage-control mode.

The IRDAI Use-and-File Framework introduced in 2022 simplified the filing of new products for most commercial lines, but it shifted more compliance burden to the insurer's internal wording-control function. Insurers without strong internal wording-governance practices generate more wording-version discrepancies, and brokers should treat wording-discrepancy frequency as an insurer-quality input alongside settlement-timeline metrics.

A related issue is wording customisation through endorsements. Indian commercial policies frequently carry endorsements that modify the standard wording (additional named insureds, extension of cover to specific perils, sub-limits adjustments, warranty wording changes). Each customisation endorsement must be traceable in the PAS, must reference a specific approved endorsement template where one exists, and must be presentable as a coherent contract when combined with the base wording. Auditors should examine a sample of customised policies and verify that the consolidated contract (base wording plus all endorsements) is coherent and free of contradiction. A common deficiency is endorsements that contradict the base wording or earlier endorsements, creating interpretive uncertainty that surfaces at claim time.

Segregation of Duties and System Access Controls

An audit of e-policy issuance must evaluate the access-control discipline around the PAS. The principle is that no single individual should be able to issue a policy, set the premium, assign the wording version, attribute the brokerage, and approve the issuance without independent oversight. Indian insurers and brokers vary substantially in how strictly this segregation is enforced.

The minimum control set that auditors should verify is:

  1. Role-based access in the PAS: separate roles for proposal data entry, underwriting acceptance, premium calculation, wording assignment, policy issuance, and brokerage assignment. A single user account should not hold all of these roles simultaneously.
  2. Maker-checker workflow for policy issuance: the user issuing a policy cannot be the same user who approves the issuance. The approval must be timestamped and logged.
  3. Audit trail for changes: any modification to a policy record after issuance (premium adjustment, sum insured change, wording reassignment) must be logged with user, timestamp, before-state, and after-state. The audit log must be tamper-evident.
  4. Privileged-access governance: PAS administrator accounts with rights to modify audit logs or system configuration must be tightly controlled, with usage logged and reviewed.
  5. Periodic access review: user-access lists must be reviewed quarterly to confirm that access matches current role assignments, with departed users removed promptly.

IRDAI inspections increasingly probe these controls, particularly after the IRDAI (Information and Cyber Security) Guidelines 2023 elevated cyber-and-information-security expectations across the industry. Brokers and insurers without documented segregation-of-duties matrices and periodic access reviews are receiving inspection observations in this area.

Auditors evaluating segregation-of-duties should request:

  • the current PAS role-permission matrix
  • the user-access list with role assignments
  • evidence of the most recent access review
  • a sample of policy-issuance audit logs demonstrating maker-checker enforcement
  • a sample of post-issuance change logs demonstrating tamper-evident logging

Findings should be classified by severity: ungoverned privileged access is a severity-1 finding requiring immediate remediation; missed quarterly access reviews are severity-2; isolated maker-checker bypasses are severity-2 or severity-3 depending on context.
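
The log-based controls above (maker-checker enforcement, complete before/after change records, tamper evidence, and no single account holding every issuance role) can be tested directly on the samples an auditor requests. The following is an added example, not a feature of any named PAS; the hash-chained log layout, field names, role names and sample entries are constructed assumptions.

```python
import hashlib
import json

GENESIS = "0" * 64
# Role names are assumptions mirroring the six roles listed in the control set.
ROLES = {"proposal_entry", "underwriting_acceptance", "premium_calculation",
         "wording_assignment", "policy_issuance", "brokerage_assignment"}


def entry_hash(prev_hash, body):
    """Hash of the previous entry's hash plus this entry's canonical JSON."""
    payload = json.dumps(body, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + payload).encode("utf-8")).hexdigest()


def append_entry(log, body):
    prev = log[-1]["hash"] if log else GENESIS
    log.append({"body": body, "prev": prev, "hash": entry_hash(prev, body)})


def first_broken_entry(log):
    """Index of the first entry whose hash chain fails, or None if intact."""
    prev = GENESIS
    for i, entry in enumerate(log):
        if entry["prev"] != prev or entry["hash"] != entry_hash(prev, entry["body"]):
            return i
        prev = entry["hash"]
    return None


def maker_checker_violations(log):
    """Policies issued without approval, or approved by their own issuer."""
    makers, checkers = {}, {}
    for entry in log:
        body = entry["body"]
        if body["action"] == "issue":
            makers[body["policy_no"]] = body["user"]
        elif body["action"] == "approve":
            checkers[body["policy_no"]] = body["user"]
    out = []
    for pno, maker in makers.items():
        checker = checkers.get(pno)
        if checker is None:
            out.append((pno, "no_approval"))
        elif checker == maker:
            out.append((pno, "self_approved"))
    return sorted(out)


def incomplete_change_records(log):
    """Indexes of post-issuance changes missing user, ts, before or after."""
    required = {"user", "ts", "before", "after"}
    return [i for i, entry in enumerate(log)
            if entry["body"]["action"] == "change"
            and not required.issubset(entry["body"])]


def users_holding_all_roles(assignments):
    """Accounts that can run the whole issuance chain alone."""
    return sorted(u for u, roles in assignments.items() if ROLES <= set(roles))


def build_sample_log():
    """Constructed audit-log sample with deliberate control failures."""
    log = []
    for body in [
        {"action": "issue", "policy_no": "P-001", "user": "maker_a", "ts": "2026-01-06T09:00"},
        {"action": "approve", "policy_no": "P-001", "user": "checker_b", "ts": "2026-01-06T09:30"},
        {"action": "issue", "policy_no": "P-002", "user": "maker_a", "ts": "2026-01-08T11:00"},
        {"action": "approve", "policy_no": "P-002", "user": "maker_a", "ts": "2026-01-08T11:01"},
        {"action": "issue", "policy_no": "P-003", "user": "maker_c", "ts": "2026-02-02T10:00"},
        {"action": "change", "policy_no": "P-001", "user": "ops_d", "ts": "2026-02-03T12:00",
         "before": {"premium": 100000}, "after": {"premium": 95000}},
        {"action": "change", "policy_no": "P-002", "user": "ops_d", "ts": "2026-02-04T12:00",
         "after": {"sum_insured": 5000000}},
    ]:
        append_entry(log, body)
    return log


# Constructed user-access list.
SAMPLE_ASSIGNMENTS = {
    "maker_a": {"proposal_entry", "policy_issuance"},
    "checker_b": {"underwriting_acceptance"},
    "admin_x": ROLES | {"pas_admin"},
}
```

A hash chain of this kind shows in-place edits, but an account able to rewrite the whole log can recompute every hash, so the latest hash has to be recorded somewhere PAS administrators cannot alter for the log to count as tamper-evident.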

IRDAI Inspection Patterns Observed in 2024-2026

IRDAI inspection patterns have become more predictable in their focus areas through the 2024-2026 cycle, which allows brokers and insurers to prepare specifically. Five themes recur in inspection observations against e-policy issuance:

First, reconciliation between PAS and books of account. IRDAI inspectors compare PAS-recorded premium with general-ledger-recorded premium and ask for an explanation of any variance. Variances above 1% of total premium typically trigger follow-up questions. Brokers and insurers should run this reconciliation monthly and retain reconciliation evidence with variance explanations.

Second, e-policy delivery confirmation. IRDAI requires that the policyholder receive the policy document within a defined window of issuance. Inspectors verify the delivery mechanism (email, downloaded portal access, postal courier), the delivery confirmation evidence (read receipts, courier POD), and the proportion of policies for which delivery confirmation is missing. Confirmation gaps above 5% of policies trigger inspection findings.

Third, endorsement processing discipline. Inspectors sample post-issuance endorsements and verify that each was processed with proposal documentation, premium adjustment, stamping (where applicable), wording-version verification, and delivery confirmation. Endorsements processed by email without structured documentation in the PAS are a frequent observation.

Fourth, agent and broker mapping integrity. Inspectors verify that every policy is mapped to an actively-licensed intermediary, that brokerage payments do not exceed the cap prescribed by the IRDAI (Payment of Commission, Expenses of Management) Regulations 2024, and that there are no policies attributed to expired or suspended licences. Commission cap variances are heavily scrutinised.

Fifth, complaint and grievance traceability. Inspectors ask for traceability between policyholder grievances received and the underlying policy in the PAS. Grievances filed against policies that cannot be quickly located in the PAS, or for which the policy detail in the PAS does not match the grievance record, generate observations.

A sixth recurring theme is e-Insurance Account (eIA) linkage. The IRDAI eIA mandate requires policies to be delivered into the policyholder's eIA where one exists, with linkage between the issued policy and the eIA reference number recorded in the PAS. Inspectors verify that policies issued during the inspection period were appropriately linked to eIAs for policyholders who hold one, and that there is a documented process for offering eIA opening to policyholders who do not.

A seventh, increasingly prominent theme is DPDP-aligned data handling. IRDAI inspections in 2025-2026 have begun probing how policy-issuance data is stored, who has access, where data is processed (particularly when third-party SaaS PAS vendors are used), and whether consent for data processing was obtained from the policyholder in accordance with the Digital Personal Data Protection Act, 2023. Brokers and insurers should document their data-flow architecture for policy-issuance data and retain evidence of policyholder consent.

Brokers and insurers preparing for IRDAI inspection should run an internal audit against these themes in the quarter preceding the expected inspection window, document remediation of any findings, and retain that audit-and-remediation evidence in a form readily available to inspectors. The posture of having self-audited and remediated is materially more defensible than the posture of being surprised by inspection findings.

Practical Audit Programme: A 90-Day Implementation

A working audit programme for e-policy issuance can be stood up in 90 days at a mid-market broker or small-to-mid insurer. The programme has four phases:

Phase 1 (Days 1-30): scope and inventory. Document the PAS in use, the lines of business issued, the volume of policies per quarter, the broker firms or distribution channels involved, and the wording library structure. Build an inventory of audit-relevant data sources: PAS, accounting system, broker-management system, e-stamping evidence, wording library, grievance log. Define the canonical data format for the audit (typically a relational view layered on top of PAS extracts).

Phase 2 (Days 31-60): control mapping and sample design. Map each of the control gates (proposer-policy reconciliation, premium-policy reconciliation, wording version, intermediary attribution, endorsement traceability, stamp duty, segregation of duties) to specific data fields and tests. Design the sampling strategy: per quarter sample size, stratification across lines, and risk-weighted sampling for higher-value policies. Build the audit-test scripts (typically SQL queries or Python scripts against the canonical data view) that automate each test.

Phase 3 (Days 61-75): pilot audit on one quarter of data. Run the full audit programme against a recent completed quarter. Document findings by severity, validate the sampling assumptions, and refine the audit-test scripts based on pilot results. Engage with PAS-administration and operations teams to remediate findings and to refine future-quarter prevention.

Phase 4 (Days 76-90): operationalisation. Convert the pilot into a recurring quarterly audit with a named owner, a fixed calendar (audit completion two weeks after quarter-end), a defined reporting cadence to leadership and (where applicable) board audit committee, and a remediation tracker that monitors closure of findings. Codify the audit charter in a board-approved document specifying scope, materiality thresholds, escalation paths, and the relationship between internal audit, compliance, and the operations team responsible for remediation. The charter should also define how audit findings will be presented to clients on request, because sophisticated commercial clients increasingly ask for evidence of supplier-level audit hygiene when their own internal-control frameworks require it.

For brokers below INR 5 crore revenue, the full programme may be overkill; a simpler annual sample-based audit by an external auditor covering the same control points may be sufficient. For brokers above INR 25 crore revenue and for all insurers, the quarterly programme is increasingly the expected standard, and firms running it gain a material edge in IRDAI inspection outcomes.

The cost of running the programme is modest at the scales described. A mid-market broker can stand up the programme using one senior compliance person at roughly 30% of their time, supported by an analyst or developer at 50% of their time, and external review at INR 8-15 lakh annually for a tier-one assurance provider. The total annual cost lands at INR 25-45 lakh, which is recovered by the avoidance of even one severity-1 IRDAI finding that would otherwise require regulatory engagement, business restriction, or penalty exposure.

Building Inspection-Readiness Into the Operating Rhythm

The most operationally mature brokers and insurers do not treat IRDAI inspection as an episodic event; they treat inspection-readiness as a continuous state. Three habits separate inspection-ready firms from firms that scramble each time inspection is announced.

The first habit is continuous documentation. Every operational decision that could attract inspection scrutiny is documented at the time of decision, not retrospectively. Policy-issuance exception handling, wording-version revisions, stamping arrangements with state authorities, brokerage-cap calculations, complaint-handling decisions: all should generate documentation as a default part of the workflow. The cost of continuous documentation is small; the cost of reconstructing it under inspection pressure is large.

The second habit is the quarterly self-audit. Run the audit programme described above against each completed quarter, distribute findings to firm leadership, track remediation, and retain evidence. The act of running the self-audit produces the documentation that inspectors look for. Firms that have remediated a finding before inspection are in a substantially stronger position than firms where the same finding is first identified by the inspector.

The third habit is the inspection rehearsal. At least once every 12 months, run a tabletop inspection rehearsal. Designate one or two senior staff to play the inspector role, give them an inspection brief modelled on actual IRDAI inspection scopes, and let them request documents and ask questions of operational and compliance staff. Identify the gaps revealed by the rehearsal and remediate before they become actual inspection findings.

These habits cost time and discipline but generate a compounding return. Brokers and insurers operating in this mode receive cleaner IRDAI inspection outcomes, encounter fewer regulatory issues, and build a track record that supports licence renewals, product approvals, and partnership conversations with insurers, reinsurers, and distribution partners. Inspection-readiness becomes a competitive advantage, not just a compliance burden.

For firm leadership weighing the investment, the framing should be that of strategic risk management, not operational housekeeping. Severity-1 IRDAI findings can trigger licence-related action, restrict the firm's authority to bind new business, and damage the firm's market reputation with insurers and clients. The annualised cost of a defensible audit programme is small relative to the value of avoiding even one such outcome, and that economic argument supports board-level sponsorship of inspection-readiness as a year-round operating discipline.

Frequently Asked Questions

Who is responsible for stamp-duty compliance on an e-policy issued in India: the insurer, the broker, or the policyholder?
Under standard direct-insurance arrangements in India, the insurer is responsible for paying stamp duty on the original policy and on materially affecting endorsements, and the cost is typically embedded in the premium charged to the policyholder. However, the policyholder remains the party whose interest is most affected by under-stamping, because an under-stamped policy may be inadmissible as evidence in proceedings, and the policyholder may face state-revenue recovery action. Brokers should verify that stamping has occurred before delivering the policy to the policyholder, and should retain evidence of the e-stamp certificate or stamp paper number against the policy record. For reinsurance placements, particularly facultative arrangements, the stamping responsibility can fall on the broker or the cedant depending on contract terms, so the contractual position must be explicit. Some state stamp laws are silent or ambiguous on cross-state policy issuance, and brokers placing risks in multiple states should obtain legal opinion on stamping locus before relying on default practice.

How should a broker handle a wording-version discrepancy identified at policy issuance?
If the broker identifies that the wording delivered by the insurer differs from the IRDAI-registered wording or from the wording specified at placement, raise the discrepancy with the insurer immediately and request issuance of a corrected policy with the correct wording version. Do not deliver the incorrect policy to the policyholder. If the discrepancy is identified shortly after delivery, communicate with both the insurer and the policyholder, withdraw the incorrect document, and issue a corrected version with a clear note explaining the substitution. Document the entire incident in the broker's audit trail, including the discrepancy identification, the insurer communication, the corrective action, and the final delivered version. If the discrepancy is identified at claim time, escalate immediately to senior claims-handling staff at the insurer, treat coverage interpretation against the IRDAI-registered version as the defensible position (subject to specific legal advice), and document the entire incident for potential regulatory or judicial review.

What is the minimum frequency for running an internal audit of e-policy issuance controls under IRDAI expectations?
IRDAI does not prescribe a specific audit frequency for e-policy issuance controls, but the master circular on protection of policyholders' interests, combined with the IRDAI Information and Cyber Security Guidelines 2023, implies that regular internal audit is expected as part of operational governance. The practical standard at mid-market and large brokers and insurers in 2026 is a quarterly internal audit covering the control gates described in this post, with annual external audit attestation for the larger players. Smaller brokers below INR 5 crore revenue can run an annual external audit covering the same scope, but should not run less than that. Audits should be timed to support IRDAI inspections (which can occur with limited notice) and to support board audit committee reporting cycles. Documented audit evidence covering the most recent four quarters is the baseline expected during a regulatory inspection.

Are there specific PAS systems that handle e-policy issuance audit-readiness better than others for Indian commercial brokers?
Indian brokers in 2026 use a mix of insurance-specific broker-management systems (InsureMo, Riskcovry, Symbo, Vymo), heavy configurations of horizontal platforms (Salesforce Financial Services Cloud), and legacy or in-house systems. Audit-readiness varies less by vendor and more by configuration discipline: the same system can be audit-ready or audit-broken depending on how role permissions, audit logging, wording-library integration, and reconciliation workflows have been configured. The features brokers should specifically validate are tamper-evident audit logs, role-based access with maker-checker workflows, structured CSV exports compatible with both the broker's accounting system and IRDAI's data-collection requirements, wording-version tracking at the policy level, and stamping-evidence linkage at the policy and endorsement level. Brokers running on legacy or spreadsheet-based workflows should treat platform migration as a compliance investment, not just a productivity investment, because the regulatory expectation for system-level evidence is now beyond what spreadsheets can credibly produce.
