Why Internal Audit Is Increasingly Focused on Insurance Programmes
Internal audit functions at Indian enterprises are expanding their scope beyond traditional financial controls to include operational risk management, and insurance programme adequacy has become a priority audit area. Several developments explain this shift.
First, the Companies Act 2013, particularly Section 134(3)(n) which requires the board's report to include a statement on risk management, has elevated risk management to a board-level concern. Insurance is the most visible and expensive risk mitigation mechanism at most Indian companies, and the board expects assurance that it is effective. Internal audit, as the board's assurance function, is the natural vehicle for providing this assessment.
Second, the Securities and Exchange Board of India (SEBI) Listing Obligations and Disclosure Requirements (LODR) Regulations require listed companies to maintain a risk management framework that identifies, assesses, monitors, and mitigates risks. The audit committee, which oversees internal audit, is specifically tasked with reviewing the risk management system's effectiveness. Insurance gaps, inadequate sum insured declarations, and lapsed policies all represent failures in the risk management framework that the audit committee expects internal audit to identify.
Third, the increasing frequency and severity of commercial losses in India (major fires at manufacturing facilities, cyclone damage to coastal operations, cyber incidents affecting IT companies, and supply chain disruptions) have created real-world consequences of insurance programme inadequacy. When a company suffers a loss and discovers that its insurance coverage is insufficient (due to under-insurance, excluded perils, or lapsed policies), the board and audit committee want to know why, and whether the internal audit function should have identified the gap before the loss occurred.
For risk managers, this means that the insurance programme is no longer a back-office administrative function that operates below the audit radar. It is subject to the same scrutiny that internal audit applies to financial controls, procurement processes, and IT governance. Risk managers who understand what auditors look for, and who prepare proactively for insurance audits, reduce the friction of the audit process and, more importantly, identify and remediate coverage gaps before they become claims problems.
The audit frequency for insurance programmes varies by company. Large listed companies with dedicated risk management functions may undergo annual insurance audits. Mid-sized companies may include insurance in a broader operational risk audit cycle, with full insurance audits occurring every two to three years. The SEBI LODR requirement for risk management framework review ensures that, at a minimum, the insurance programme is subject to periodic audit committee oversight.
Common Audit Findings: The Top 10 Issues Auditors Discover
Drawing from the experience of internal auditors and risk management consultants at Indian enterprises, the most common insurance audit findings fall into a predictable pattern. Risk managers who address these proactively eliminate the majority of adverse audit observations.
- Inadequate sum insured. The declared sum insured under property policies does not reflect the current replacement value of assets, often because the last valuation was conducted three to five years ago and has not been updated for inflation, capital additions, or changes in reconstruction costs. Under-insurance exposes the company to average clause application, where the claim payout is reduced proportionally to the degree of under-insurance.
- Coverage gaps between policies. The fire policy covers factory buildings and machinery, but raw materials in transit are not covered (marine transit policy was not purchased), or stock at a temporary warehouse location is not included in the fire policy schedule. These gaps often arise from organisational growth outpacing insurance programme updates.
- Expired or lapsed policies. One or more policies have expired without renewal, sometimes due to administrative oversight (the renewal notice was missed) and sometimes due to a conscious decision to reduce costs that was not properly authorised. Section 64VB compliance requires premium payment before risk inception, and any gap in coverage represents uninsured exposure.
- Inconsistent risk information across documents. The sum insured in the policy schedule does not match the asset register maintained by the finance department. The list of insured locations in the fire policy does not match the company's actual operating locations. The number of vehicles in the motor fleet policy does not match the vehicle register.
- Unimplemented risk improvement recommendations. Surveyor reports from previous years contain risk improvement recommendations (install fire detection system, upgrade electrical wiring, improve housekeeping in storage areas) that have not been implemented. Unimplemented recommendations may give the insurer grounds to restrict coverage or dispute claims.
- Inadequate claims documentation. Claims files are incomplete, with missing correspondence, unsupported quantum calculations, or unclear records of the settlement rationale. This is particularly common for smaller claims that were handled informally.
- No formal insurance policy register. The company does not maintain a single, complete register of all insurance policies showing policy number, insurer, class, sum insured, premium, inception and expiry dates, and key terms. Policies are scattered across departments without centralised tracking.
- Broker appointment without formal agreement. The insurance broker operates without a formal letter of appointment or service level agreement (SLA), making it impossible to hold the broker accountable for service quality.
- No periodic review of insurance programme adequacy. The insurance programme is renewed on an 'as-is' basis each year without a formal review of whether coverage, limits, and deductibles remain appropriate for the company's current risk profile.
- Non-compliance with policy conditions. The company is not meeting policy conditions (such as maintaining fire protection systems in working order, conducting periodic electrical inspections, or maintaining watchman services as declared in the proposal form), which could void coverage in the event of a claim.
The Audit Process: What to Expect When Auditors Review Your Insurance Programme
Understanding the internal audit process for insurance reviews allows risk managers to prepare effectively and engage constructively with the audit team.
The audit typically begins with a documentation request. The audit team will request copies of all current insurance policies (including endorsements and add-on covers), the insurance register or schedule, the broker's letter of appointment and terms of engagement, the most recent risk engineering survey reports, claims registers or bordereaux for the past three to five years, premium payment records, minutes of any insurance committee or risk committee meetings, and the asset register or valuation reports used to determine the sum insured.
The audit team then conducts a coverage mapping exercise. They compare the company's risk register (if one exists) against the insurance policies to identify risks that are identified but not insured, risks that are insured but with potentially inadequate limits, and insurance policies that do not correspond to any identified risk (indicating either over-insurance or a risk register that is incomplete). This coverage mapping is the most valuable part of the audit from the risk manager's perspective, as it provides an independent assessment of programme adequacy.
Document verification involves cross-checking the insurance register against the actual policy documents, verifying that the sum insured in each policy matches the company's asset records (adjusted for inflation and recent capital additions), confirming that all locations listed in the policy schedule match the company's actual operating locations, and verifying that premium payments were made within the Section 64VB timeline.
Claims review involves examining a sample of claims from the past three to five years to assess whether claims were intimated promptly (most policies require notification within 14 to 30 days of loss), whether claims documentation was complete and supported the claimed amount, whether settled claims were reasonable relative to the loss (or whether the insurer applied significant reductions that may indicate coverage issues), and whether claim rejections were justified or indicate gaps in coverage that should be addressed.
The audit team may also interview the risk manager, the CFO, plant managers at key locations, and the insurance broker to understand the insurance decision-making process, the rationale for coverage choices, and the level of insurance awareness at different levels of the organisation.
The audit culminates in a report to the audit committee, categorising findings by severity (high, medium, low) and recommending corrective actions with timelines. The risk manager is typically asked to respond to each finding with an action plan and implementation date. Follow-up audits may be scheduled to verify implementation of corrective actions for high-severity findings.
Preparing for the Audit: A Practical Checklist for Risk Managers
Proactive preparation transforms the insurance audit from an adversarial exercise into a collaborative review. Risk managers who maintain audit-ready documentation throughout the year, rather than scrambling when the audit is announced, face fewer findings and demonstrate the maturity of the risk management function to the audit committee.
Document organisation checklist. Maintain a centralised insurance file (physical or digital) containing: the master insurance register with all policy details, current policy documents with all endorsements, the broker's appointment letter and service agreement, premium payment receipts cross-referenced to policy numbers, the most recent risk engineering survey reports with the implementation status of each recommendation, claims bordereaux from each insurer (updated quarterly), and minutes of insurance-related meetings or decisions.
Sum insured adequacy checklist. Ensure that property sum insured declarations reflect current replacement values by conducting a formal valuation of fixed assets at least every three years (engage a registered valuer for large portfolios), updating the sum insured annually between formal valuations using the Reserve Bank of India's Wholesale Price Index (WPI) or a construction cost index, maintaining a record of capital additions made during the policy year that need to be added to the sum insured, and confirming that the BI sum insured (if applicable) reflects the current annual gross profit plus any anticipated growth.
Coverage completeness checklist. Map every significant risk in the company's risk register to a specific insurance policy. Verify that: all operating locations are listed in the property insurance schedule (including temporary or seasonal locations), all vehicle categories are covered in the motor fleet policy, all directors and officers are covered under the D&O policy, all employees are covered under the group health and personal accident policies, and any new activities, products, or operations commenced during the year are covered under the relevant policy.
Claims management checklist. For all open claims, maintain a file with: the first notification of loss, the insurer's acknowledgment, the surveyor's appointment letter, all correspondence with the insurer and surveyor, the claim quantification with supporting documents, and the current status and expected settlement timeline. For settled claims, retain the settlement letter, the payment receipt, and a brief note explaining the settlement rationale (particularly if the settlement was lower than the claimed amount).
Compliance checklist. Verify that: all premium payments were made before or on the date of risk inception (Section 64VB), all policy conditions (fire protection maintenance, electrical inspection, security arrangements) are being met and documented, all declarations under open policies (marine, money insurance) are submitted within the required timelines, and the broker's licence is current and the broker has IRDAI registration for the relevant category.
Risk improvement implementation checklist. For each risk improvement recommendation from surveyor reports, record: the recommendation, the date it was issued, the implementation status (completed, in progress, not started, rejected with justification), the completion date or expected completion date, and the cost incurred. Present this as a tracker showing percentage completion of all outstanding recommendations.
Addressing Under-Insurance: The Most Consequential Audit Finding
Under-insurance, where the declared sum insured is less than the actual value at risk, is consistently the most consequential audit finding because its financial impact is immediate and quantifiable. When a loss occurs and the sum insured is inadequate, the average clause (also called the condition of average) applies, reducing the claim payout proportionally.
The average clause works as follows: if the sum insured represents 60% of the actual replacement value, the claim is paid at 60% of the assessed loss. For a loss of INR 5 crore on a property with a sum insured of INR 30 crore but an actual replacement value of INR 50 crore, the payout is INR 3 crore (60% of INR 5 crore), not INR 5 crore. The policyholder bears INR 2 crore out of pocket, effectively acting as an unintended co-insurer for 40% of the risk.
Under-insurance in India is widespread. A 2023 industry survey indicated that over 60% of Indian commercial fire policies have sum insured declarations that are 20% or more below the estimated replacement value. The causes are systemic: asset registers are maintained at book value (depreciated historical cost) rather than replacement value, new capital additions are not communicated to the insurer during the policy year, inflation erodes the real value of the sum insured annually (India's construction cost inflation has averaged 6-8% per annum over the past decade), and cost-conscious companies deliberately under-declare to reduce premium costs, sometimes without understanding the average clause consequences.
Internal auditors assess under-insurance by comparing the declared sum insured against two benchmarks. First, the company's fixed asset register (at replacement value, not book value): are the assets listed in the insurance schedule consistent with the asset register, and are the values current? Second, a reasonableness test: is the declared sum insured consistent with the cost of rebuilding the insured property at today's construction and equipment costs?
Remediation requires a systematic revaluation exercise. Engage a registered valuer (or an experienced insurance broker with valuation capability) to assess the replacement value of all insured assets. For buildings, use current construction cost per square foot for the relevant building class (RCC frame, steel structure, pre-engineered building) in the relevant city. For plant and machinery, obtain current replacement quotations for major items and apply index-based adjustments for minor items. For stock, use the maximum stock value at any point during the policy year, not the average or year-end value.
The premium increase from correcting under-insurance may be significant, but it is essential to frame this correctly for management. The choice is not between paying more premium and saving money. The choice is between paying the correct premium for full coverage and paying a lower premium for coverage that will be reduced by the average clause in the event of a claim. A 30% increase in premium to correct under-insurance costs far less than the 30% reduction in claim payout that the average clause would impose on a major loss.
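The two auditor benchmarks described above (declared sum insured against an indexed replacement value, and the average clause applied to the INR 5 crore loss on a 30 crore / 50 crore property) as an added Python example; this is not code from the article, and the 7% cost index, the 85% tolerance and the location figures are constructed assumptions.

```python
from dataclasses import dataclass

# Constructed sample data, not figures from the article. All amounts in INR crore.
INDEX = 0.07  # assumed annual construction/equipment cost inflation (page cites 6-8%)


@dataclass
class Location:
    name: str
    last_valuation: float       # replacement value at the last formal valuation
    years_since_valuation: int
    capital_additions: float    # additions since that valuation, at cost
    declared_si: float          # sum insured on the current policy schedule


def indexed_replacement_value(loc: Location, index: float = INDEX) -> float:
    """Auditor's reasonableness benchmark: roll the last valuation forward with a
    cost index, then add capital additions not yet declared to the insurer."""
    return loc.last_valuation * (1 + index) ** loc.years_since_valuation + loc.capital_additions


def insured_fraction(declared_si: float, replacement_value: float) -> float:
    """Share of the value at risk that is actually insured (1.0 = fully insured)."""
    return min(1.0, declared_si / replacement_value)


def average_clause_payout(loss: float, declared_si: float, replacement_value: float) -> float:
    """Claim payout after the condition of average: the assessed loss is scaled by
    SI / replacement value, and can never exceed the sum insured."""
    payout = loss * insured_fraction(declared_si, replacement_value)
    return min(payout, declared_si)


def schedule_gaps(asset_register: set, policy_schedule: set) -> dict:
    """Cross-check locations: in the asset register but missing from the policy
    schedule (uninsured), or on the schedule but unknown to finance (stale)."""
    return {"uninsured": sorted(asset_register - policy_schedule),
            "stale": sorted(policy_schedule - asset_register)}


def audit_under_insurance(locations, tolerance: float = 0.85):
    """Flag every location whose declared SI is below `tolerance` of the indexed
    replacement value; each finding carries the shortfall to be corrected."""
    findings = []
    for loc in locations:
        rv = indexed_replacement_value(loc)
        fraction = insured_fraction(loc.declared_si, rv)
        if fraction < tolerance:
            findings.append({"location": loc.name,
                             "replacement_value": round(rv, 2),
                             "declared_si": loc.declared_si,
                             "insured_fraction": round(fraction, 2),
                             "shortfall": round(rv - loc.declared_si, 2)})
    return findings


SAMPLE_LOCATIONS = [
    # Valued four years ago, capex since, SI never updated: classic under-insurance.
    Location("Pune plant", last_valuation=36.0, years_since_valuation=4,
             capital_additions=3.0, declared_si=30.0),
    # Revalued last year and SI updated: should pass the tolerance test.
    Location("Chennai warehouse", last_valuation=12.0, years_since_valuation=1,
             capital_additions=0.0, declared_si=12.5),
]

if __name__ == "__main__":
    for finding in audit_under_insurance(SAMPLE_LOCATIONS):
        print(finding)
    # The article's worked case: INR 5 cr loss, SI 30 cr, replacement value 50 cr
    print(average_clause_payout(5.0, 30.0, 50.0))   # 3.0
    print(schedule_gaps({"Pune plant", "Chennai warehouse", "Surat depot"},
                        {"Pune plant", "Chennai warehouse", "Old Thane unit"}))
```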
Strengthening the Risk Management Framework: Audit-Driven Improvements
A well-conducted insurance audit does more than identify deficiencies. It provides a roadmap for strengthening the overall risk management framework. Risk managers who treat audit findings as improvement opportunities, rather than criticisms to be defended against, build a more resilient insurance programme and earn credibility with the board and audit committee.
Establish an insurance governance structure. If the company does not have a formal process for insurance decision-making, create one. A quarterly insurance review meeting, attended by the risk manager, CFO, and senior representatives from operations and legal, provides a regular forum for discussing coverage adequacy, claims experience, market developments, and renewal strategy. Documenting these meetings creates an audit trail of insurance governance that auditors value.
Create an insurance policy register and keep it current. The register should be a living document, updated within 48 hours of any policy issuance, renewal, cancellation, or endorsement. Assign ownership of the register to a specific individual (the risk manager or a designated team member) and include register maintenance in their performance objectives.
Implement a sum insured review protocol. Formally review the sum insured for all property policies at least annually, using the company's capital expenditure records, asset disposal records, and an appropriate inflation index. Schedule full revaluations every three years. Document the review process and the rationale for any changes (or the decision not to change) as evidence of active management.
Build a risk improvement tracking system. Create a centralised tracker for all risk improvement recommendations from insurer surveys, broker assessments, and internal risk reviews. Assign implementation responsibility, set target completion dates, and track progress monthly. Share the tracker with the insurer at renewal to demonstrate that recommendations are being addressed.
Develop a claims management protocol. Document the process for reporting losses, maintaining claims files, engaging with surveyors, and tracking settlements. Ensure that the protocol is communicated to relevant staff at all locations (not just the head office) and that location-level managers know how to report a loss and what initial documentation to preserve.
Bridge the gap between the risk register and the insurance programme. The company's enterprise risk register identifies risks. The insurance programme mitigates a subset of those risks through risk transfer. If these two documents are not linked, there is no way to verify that insurance coverage is aligned with identified risks. Create an explicit mapping between each significant risk in the register and the corresponding insurance policy (or the deliberate decision to retain the risk without insurance).
Finally, engage the internal audit function as a partner, not an adversary. Invite the internal audit team to attend (as observers) the annual insurance renewal meeting and the pre-renewal strategy discussion. Share the insurance MIS data with audit proactively. When audit findings are issued, respond with specific, time-bound action plans rather than defensive justifications. A risk manager who demonstrates openness to audit scrutiny and commitment to continuous improvement earns the audit committee's confidence and, ultimately, the management support and budget needed to build a best-practice insurance programme.
Special Audit Considerations for Multi-Location and Group Companies
Indian enterprises with multiple locations, subsidiaries, or group companies face additional audit complexity that single-location companies do not encounter. Internal auditors focus on several areas specific to multi-entity structures.
Consistency of coverage across locations is a primary concern. The audit team checks whether all locations are covered under the group's umbrella policies, or whether some locations have standalone policies with different terms, limits, and insurers. Inconsistency creates risk: a subsidiary that carries an INR 10 lakh deductible while the rest of the group has an INR 50 lakh deductible may not be making a cost-optimal retention decision, or it may be operating under legacy terms that were never harmonised after an acquisition.
Inter-company asset transfers and their insurance implications are frequently overlooked. When assets are transferred between group entities (common in reorganisation exercises), the sum insured in the transferring entity's policy should decrease and the receiving entity's policy should increase. Auditors check whether these transfers were communicated to the insurer and the sum insured adjusted accordingly.
Captive risk retention vs. insurance purchase decisions deserve audit scrutiny in larger groups. Some Indian conglomerates maintain group insurance pools or self-insured retention programmes where certain risks are retained at the group level rather than insured externally. Auditors verify that these arrangements are formally documented, appropriately funded (with adequate reserves or bank guarantees), and authorised by the board. An informal self-insurance arrangement, where a subsidiary simply does not purchase coverage because the parent has 'agreed to cover any losses', is a governance failure that auditors will flag.
M&A integration is a common source of insurance gaps. When an Indian company acquires a business, the acquired entity's insurance programme may not be integrated into the acquirer's programme for months or even years. During this transition period, the acquired entity may continue under its legacy policies (which may not meet the acquirer's coverage standards), or its policies may lapse without renewal because the legacy broker was not engaged in the renewal process. Auditors check whether acquired entities are covered under the group programme or have their own current policies.
Cross-border operations add another layer. Indian companies with operations or subsidiaries in other countries must ensure that those operations are covered either under the Indian master policy (with appropriate territorial extensions) or under local policies in each country. Insurance regulations vary by jurisdiction, and some countries (particularly in the Middle East and certain ASEAN markets) require locally admitted insurance, meaning the risk must be insured with a locally licensed insurer regardless of whether a global master policy exists.
For group companies, the internal audit function should include insurance programme review as part of its entity-level audit programme, ensuring that each subsidiary or location is assessed at least once in the audit cycle. A group-level insurance audit, conducted every two to three years, should assess the overall programme structure, evaluate inter-company consistency, and verify that the total group sum insured and premium are appropriate for the consolidated risk profile.