Why Internal Audit and Insurance Operate in Silos, and Why That Costs Indian Businesses Dearly
In most Indian companies, the internal audit function and the insurance buying function report to different people, use different risk vocabularies, and rarely exchange information in a structured way. The Chief Audit Executive reports to the Audit Committee, while insurance procurement sits with the CFO's office, a general administration team, or in many mid-market companies, the founder's personal assistant. The result is a persistent disconnect: the internal audit team identifies operational risks, process failures, and control weaknesses through its annual audit plan, but this intelligence almost never feeds into insurance programme design. Conversely, claims experience data and surveyor observations that would be valuable to internal auditors remain locked inside insurance files.
This disconnect has measurable financial consequences. When internal audit identifies a fire safety gap at a warehouse but the insurance buyer is unaware of it, the company continues paying premium on the assumption that all fire safety controls are in place. If a fire occurs, the surveyor discovers the control deficiency, and the insurer invokes the warranty breach clause or applies a co-insurance penalty. The claim payout shrinks, sometimes dramatically, while the company has been paying full premium for protection it never actually had.
The reverse scenario is equally damaging. The insurance broker's risk engineer visits a manufacturing plant and notes that the ammonia refrigeration system lacks an automated leak detection mechanism. This observation appears in the risk improvement report attached to the policy, but the internal audit team never receives a copy. The audit plan for the year proceeds without examining refrigeration safety controls, and the risk remains unaddressed until an incident forces attention.
Indian regulatory frameworks actually contemplate this integration. Section 138 of the Companies Act 2013, which mandates internal audit for prescribed classes of companies, requires the internal auditor to evaluate the adequacy and effectiveness of the risk management framework. The SEBI LODR Regulations, applicable to listed entities, require the Audit Committee to review the functioning of the risk management system. Insurance is, by definition, a risk financing mechanism. Yet the regulations stop short of explicitly requiring the internal audit function to evaluate insurance programme adequacy, leaving the connection to be made voluntarily by companies with mature risk governance.
The Regulatory Foundation: Companies Act 2013, SEBI LODR, and IRDAI Expectations
Understanding the regulatory architecture is essential before attempting to align internal audit with insurance, because the legal obligations define both the floor of acceptable practice and the governance structure through which alignment must operate.
Section 134(3)(n) of the Companies Act 2013 requires the Board's Report to include a statement on the development and implementation of a risk management policy, identifying the elements of risk that the Board considers may threaten the company's existence. Section 177(4)(vii) assigns the Audit Committee the responsibility for evaluation of internal financial controls and risk management systems. Section 138 mandates internal audit for every listed company, every unlisted public company meeting prescribed turnover or borrowing thresholds, and every private company meeting similar thresholds. The internal auditor, whether an in-house team or an external firm, must evaluate risk management processes as part of the audit scope.
For listed companies, SEBI LODR Regulation 21 mandates a Risk Management Committee (RMC) with specific responsibilities including framing, implementing, and monitoring the risk management plan. Regulation 17(8) requires the CEO and CFO to certify that they have evaluated the effectiveness of internal controls. Schedule II, Part C requires the Audit Committee to review the adequacy of the internal audit function, including its coverage and frequency. The 2021 amendments to LODR expanded the RMC's mandate to include monitoring and reviewing the risk management plan, with the RMC required to meet at least twice a year.
On the insurance side, IRDAI does not directly regulate corporate policyholders, but its guidelines on commercial insurance products, claims settlement, and intermediary conduct create an implicit framework. The IRDAI (Insurance Surveyors and Loss Assessors) Regulations 2024 prescribe the surveyor's obligation to verify policy conditions, warranties, and risk improvement compliance at the time of a claim. This means any control weakness identified by the internal auditor but not remediated before a loss becomes a potential claims liability.
The practical intersection of these regulations is the Audit Committee. It oversees internal audit, reviews risk management, and (in well-governed companies) receives periodic reports on insurance programme adequacy. The Audit Committee is the natural governance node where internal audit findings and insurance programme decisions should converge. Companies that route both information streams through the Audit Committee create an institutional mechanism for alignment, rather than relying on ad hoc coordination between departments.
Building the Risk-Based Internal Audit Plan with Insurance in Mind
A risk-based internal audit (RBIA) plan prioritises audit engagements based on the significance and likelihood of risks, rather than cycling mechanically through departments or processes on a fixed rotation. The Institute of Internal Auditors' International Standards for the Professional Practice of Internal Auditing require the Chief Audit Executive to develop a risk-based plan that aligns with the organisation's priorities. When insurance is incorporated into this risk-based planning process, the audit plan gains a dimension that most organisations currently ignore.
The first step is to integrate the insurance programme's risk profile into the audit universe. The audit universe is the complete catalogue of auditable entities: locations, processes, business units, and functions. Overlay this catalogue with the company's insurance portfolio. For each auditable entity, map the applicable insurance policies, noting the specific perils covered, warranties and conditions imposed, sum insured adequacy, and any risk improvement recommendations from the insurer's surveyor or the broker's risk engineer. This mapping creates a direct link between what the internal auditor examines and what the insurer expects.
For example, consider a listed Indian pharmaceutical manufacturer with multiple factory locations, warehouses, and R&D centres. The audit universe includes these locations as separate auditable entities. The insurance programme includes a Standard Fire and Special Perils policy covering all locations, a Marine Cargo policy for raw material and finished goods movement, a Product Liability policy, and a Directors and Officers policy. By mapping policies to locations and processes, the audit plan can prioritise engagements where insurance risk is highest: the factory with the largest sum insured, the warehouse storing the highest-value inventory, the export process where marine cargo claims have historically been frequent.
The second step is to incorporate insurer-imposed conditions into audit procedures. Insurance policies for commercial risks in India routinely impose warranties relating to fire protection systems, security arrangements, housekeeping standards, and maintenance schedules. A warranty that the insured premises will maintain a functional fire hydrant system with quarterly testing is not just an insurance condition; it is a testable control that the internal auditor can verify. When the audit plan includes verification of insurance warranty compliance alongside financial and operational controls, it creates a dual-purpose assurance: the Audit Committee receives confirmation that controls are working, and the insurance function receives confirmation that warranty conditions are being met, reducing the risk of claims disputes.
The third step is to use claims history as an input to risk assessment. Every claim the company has filed reveals a risk that materialised. Analysing three to five years of claims data, including denied or partially settled claims, provides direct evidence of where controls failed, where coverage was inadequate, and where documentation was insufficient. The internal audit plan should target these areas for deeper examination.
Warranty Compliance Audits: Where Internal Audit Directly Protects Insurance Coverage
Insurance warranties are perhaps the single most important area where internal audit and insurance intersect, and where audit failure has the most direct financial consequence. In Indian commercial insurance, a warranty is a condition that the policyholder must continuously satisfy throughout the policy period. Breach of a warranty, even if unrelated to the loss, can give the insurer grounds to deny or reduce the claim. The Insurance Act, 1938 and judicial interpretation by Indian courts have generally upheld the strict enforcement of warranties, though the trend in recent NCDRC and High Court rulings has been towards requiring the insurer to demonstrate a causal connection between the warranty breach and the loss.
Typical warranties in Indian commercial property policies include: the insured premises will maintain an operational automatic sprinkler system tested quarterly; the insured will employ a minimum number of security guards on a 24-hour basis; flammable materials will be stored in a dedicated, fire-rated storage area separated from the main production facility by a minimum distance; electrical installations will be inspected and certified by a licensed contractor at specified intervals; and the insured will maintain a hot work permit system for all welding, cutting, and grinding operations.
Each of these warranties defines a testable control. Internal audit can, and should, include warranty compliance verification in its audit procedures for relevant locations. The audit approach is straightforward: obtain the current insurance policy, extract all warranties and conditions, develop an audit checklist for each warranty, and test compliance during scheduled site visits. The audit working papers should document the specific warranty language, the evidence examined, the compliance status, and any exceptions noted.
When the internal audit identifies a warranty breach, the response protocol must be clearly defined. The finding should be reported simultaneously to the operational manager responsible for remediation, the insurance buyer or risk manager who needs to assess the coverage implication, and the Audit Committee through the standard audit reporting process. If the warranty breach cannot be remediated immediately, the insurance buyer should notify the insurer or broker and negotiate a temporary modification, endorsement, or additional premium to maintain coverage validity during the remediation period. Failing to disclose a known warranty breach and then filing a claim creates both a contractual problem and a potential fraud risk.
The frequency of warranty compliance audits should align with the warranty terms. If a warranty requires quarterly testing of fire protection systems, the internal audit should include at least one independent verification per year, timed to complement rather than duplicate the operational testing schedule. For high-value locations or where claims history indicates recurring warranty issues, more frequent audit verification is warranted.
Sum Insured Adequacy: The Audit Function's Role in Preventing Underinsurance
Underinsurance is one of the most persistent problems in Indian commercial insurance. When the declared sum insured is less than the actual value at risk, the average clause (also called the condition of average) reduces the claim payout proportionally. A factory with assets worth INR 50 crore that declares a sum insured of INR 35 crore is underinsured by 30%. If a fire causes damage of INR 10 crore, the average clause reduces the payout to INR 7 crore. The policyholder absorbs INR 3 crore of the loss despite having paid premium and believing it was adequately covered.
The internal audit function is uniquely positioned to detect and prevent underinsurance because it already audits fixed asset registers, inventory records, and capital expenditure processes. By extending existing audit procedures to include a sum insured adequacy check, the internal auditor can identify discrepancies between book values (which drive the insurance declaration) and replacement or reinstatement values (which determine actual recovery in the event of a claim).
The audit procedure involves several steps.
First, compare the sum insured declared in the current policy schedule against the fixed asset register. Identify assets that have been added since the last declaration (new machinery, building extensions, renovations) but not yet included in the insurance sum insured.
Second, for policies on a reinstatement value basis, verify that the declared values reflect current replacement costs, not historical acquisition costs or depreciated book values. The Companies Act 2013 requires assets to be carried at cost less depreciation in the financial statements, but insurance reinstatement values should reflect the current cost of rebuilding or replacing the asset to its original specification. These two numbers diverge significantly over time, particularly for buildings and specialised machinery.
Third, check inventory values declared under stock policies against actual inventory levels. Many Indian businesses declare an estimated annual average stock value at policy inception, but seasonal inventory fluctuations can create periods of significant underinsurance. A textile manufacturer whose declared stock value is INR 8 crore but whose pre-festival inventory peaks at INR 15 crore faces severe underinsurance during the highest-risk period.
The internal audit report should flag underinsurance findings as a specific risk category, separate from financial reporting observations. The recommendation should include a quantified estimate of the underinsurance gap and the potential financial impact under the average clause. This finding should be communicated to the insurance buyer in time for the next policy renewal or, if the gap is severe, as a mid-term endorsement request.
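The sum insured adequacy procedure and the quantified underinsurance finding described above, worked through in code. This is an added example, not part of the original article or any audit firm's tooling: the asset register, declaration date, sum insured, monthly stock figures and illustrative losses are all constructed for illustration (INR crore), and the function names are the author's own. It applies the condition of average exactly as the article states it (payout scaled by sum insured over value at risk), finds assets added since the last declaration, compares book value with reinstatement value, and locates the seasonal stock peak.

```python
# Added example (not from the original article): a sum insured adequacy check
# of the kind described above, run over a constructed fixed asset register and
# constructed monthly stock figures. All names, dates and INR crore values are
# assumptions made for illustration.
from dataclasses import dataclass
from datetime import date


@dataclass
class Asset:
    name: str
    acquired: date
    book_value: float           # cost less depreciation, as carried in the accounts
    reinstatement_value: float  # current cost to rebuild/replace to original spec


def average_clause_payout(loss: float, sum_insured: float, value_at_risk: float) -> float:
    """Apply the condition of average: payout = loss x (sum insured / value at risk),
    capped at the full loss when the risk is fully insured."""
    if value_at_risk <= 0:
        raise ValueError("value at risk must be positive")
    return loss * min(1.0, sum_insured / value_at_risk)


def underinsurance_ratio(sum_insured: float, value_at_risk: float) -> float:
    """Fraction of the value at risk that is not covered (0.0 when adequately insured)."""
    if value_at_risk <= 0:
        raise ValueError("value at risk must be positive")
    return max(0.0, 1.0 - sum_insured / value_at_risk)


def assess_property(sum_insured, assets, declaration_date):
    """Steps one and two of the procedure: list assets added since the last
    declaration, and test the declared sum insured against reinstatement
    (not book) value."""
    added_since = [a.name for a in assets if a.acquired > declaration_date]
    book_total = sum(a.book_value for a in assets)
    reinstatement_total = sum(a.reinstatement_value for a in assets)
    return {
        "added_since_declaration": added_since,
        "book_value_total": book_total,
        "reinstatement_total": reinstatement_total,
        "underinsurance_ratio": underinsurance_ratio(sum_insured, reinstatement_total),
    }


def assess_stock(declared_stock, monthly_stock):
    """Step three: compare the declared (average) stock value against the seasonal peak."""
    peak_month = max(monthly_stock, key=monthly_stock.get)
    peak_value = monthly_stock[peak_month]
    return {
        "peak_month": peak_month,
        "peak_value": peak_value,
        "underinsurance_ratio_at_peak": underinsurance_ratio(declared_stock, peak_value),
    }


# Constructed register for a hypothetical factory (INR crore).
ASSETS = [
    Asset("Main factory building", date(2015, 4, 1), book_value=12.0, reinstatement_value=20.0),
    Asset("Production line A", date(2018, 7, 15), book_value=15.0, reinstatement_value=25.0),
    Asset("Production line B (new)", date(2024, 11, 20), book_value=5.0, reinstatement_value=5.0),
]
DECLARATION_DATE = date(2024, 4, 1)  # assumed date of the last sum insured declaration
SUM_INSURED = 35.0                   # assumed declared sum insured, INR crore

# Constructed monthly stock values (INR crore) with a pre-festival peak in October.
MONTHLY_STOCK = {"Apr": 7.0, "May": 7.5, "Jun": 8.0, "Jul": 8.5, "Aug": 10.0, "Sep": 13.0,
                 "Oct": 15.0, "Nov": 11.0, "Dec": 8.0, "Jan": 7.0, "Feb": 6.5, "Mar": 7.0}
DECLARED_STOCK = 8.0                 # assumed declared annual average stock value


def audit_report():
    """Quantified findings of the kind the audit report should carry:
    the gap itself and the payout impact under the average clause."""
    prop = assess_property(SUM_INSURED, ASSETS, DECLARATION_DATE)
    stock = assess_stock(DECLARED_STOCK, MONTHLY_STOCK)
    # Illustrative losses: INR 10 crore property damage, INR 6 crore stock loss at the peak.
    prop["payout_on_10cr_loss"] = average_clause_payout(10.0, SUM_INSURED, prop["reinstatement_total"])
    stock["payout_on_6cr_loss_at_peak"] = average_clause_payout(6.0, DECLARED_STOCK, stock["peak_value"])
    return {"property": prop, "stock": stock}


if __name__ == "__main__":
    for section, findings in audit_report().items():
        print(section.upper())
        for key, value in findings.items():
            print(f"  {key}: {value}")
```

With these constructed figures the property is underinsured by 30% on reinstatement value (INR 50 crore at risk against INR 35 crore declared, with one production line added after the declaration and not yet covered), so a INR 10 crore loss would pay INR 7 crore; stock declared at INR 8 crore against an October peak of INR 15 crore would see a INR 6 crore peak-season loss settled at INR 3.2 crore. The same functions can be run against a real asset register export and monthly closing stock figures; the point of keeping book value and reinstatement value as separate fields is that the declaration is often driven by the former while recovery depends on the latter.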
IRDAI's guidelines on commercial insurance encourage insurers to verify sum insured adequacy through pre-acceptance surveys for large risks. However, for the vast majority of Indian commercial policyholders, no such verification occurs, and the insurer accepts the declared sum insured at face value. The responsibility for accuracy falls squarely on the policyholder, making the internal audit function's role in verifying declarations a critical control against financial loss.
Claims Documentation and Evidence Trails: Audit Disciplines That Pay Off at Claims Time
The rigour that internal audit brings to documentation, evidence collection, and process verification is precisely the discipline that determines claims outcomes. Indian commercial insurance claims are frequently delayed, disputed, or reduced not because the loss was excluded under the policy, but because the policyholder could not produce the documentation the surveyor required to validate the claim.
IRDAI-appointed surveyors assessing commercial claims in India typically request the following documentation: fixed asset registers with acquisition dates and values, inventory records including stock movement data for the preceding 12 months, maintenance records for damaged machinery and equipment, building plans and municipal approvals, fire safety compliance certificates, electrical installation test reports, purchase invoices for claimed items, financial statements for the preceding three years (for business interruption claims), and evidence of the insured's compliance with policy warranties and conditions. Each of these documents is also something the internal audit function routinely examines or should be examining.
The alignment opportunity is to ensure that the documentation standards applied during internal audits meet the evidentiary requirements of a potential insurance claim. For instance, the internal audit of a manufacturing location should verify that fixed asset registers are updated within 30 days of any acquisition, disposal, or transfer. This is good audit practice and simultaneously ensures that in the event of a fire, the asset register accurately reflects what was on site at the time of loss. If the internal audit finds that asset registers are updated only quarterly or annually, the recommendation to improve update frequency serves both governance and insurance purposes.
Similarly, internal audit verification of inventory management processes, including cycle counts, stock-taking procedures, and reconciliation between physical counts and ERP records, directly supports the policyholder's ability to prove stock losses. The NCDRC has repeatedly emphasised that the burden of proving the quantum of loss rests with the policyholder, and inadequate stock records are one of the most common reasons for claims being settled at amounts significantly below the claimed figure.
A practical step that many Indian companies overlook is the annual photographic and video documentation of insured premises. The internal audit team, during site visits, can capture dated photographic evidence of the premises, equipment, safety systems, and storage arrangements. This evidence, maintained in a secure off-site repository, serves as baseline documentation that can be presented to the surveyor after a loss to establish the pre-loss condition of the property. Several Indian insurers have informally confirmed that photographic evidence significantly accelerates the claims assessment process and reduces disputes over pre-loss condition.
The internal audit function should also periodically test the company's claims notification process. Insurance policies universally require prompt notification of a loss, and delay in notification is a common ground for claim disputes. A tabletop exercise, where the audit team simulates a loss scenario and tests whether the relevant personnel know the notification procedure, the insurer's contact details, and the immediate steps required, provides valuable assurance that the company can respond effectively when an actual loss occurs.
Structuring the Governance Framework: Audit Committee, Risk Management Committee, and Insurance Reviews
Aligning internal audit and insurance requires a governance structure that connects the right information to the right decision-makers at the right time. For listed companies subject to SEBI LODR, the governance infrastructure already exists in the form of the Audit Committee and Risk Management Committee. For unlisted companies, the Companies Act 2013 mandates an Audit Committee for public companies meeting prescribed thresholds, and good governance practice suggests establishing one even where not legally required.
The governance framework should operate on a defined calendar. At the start of the financial year, the Chief Audit Executive should present the risk-based internal audit plan to the Audit Committee, explicitly identifying audit engagements that include insurance-related procedures: warranty compliance checks, sum insured adequacy reviews, claims documentation readiness assessments, and verification of risk improvement implementation. The Audit Committee should confirm that the audit plan adequately covers insurance-related risks, drawing on input from the CFO or risk manager regarding the insurance programme's key exposures.
Quarterly, the internal audit function should report to the Audit Committee on findings from completed engagements, including any insurance-relevant observations. These observations should be categorised by their potential insurance impact: warranty breaches that could void coverage, underinsurance gaps that expose the company to the average clause, documentation deficiencies that could impede claims, and unimplemented risk improvements that affect the risk profile. The CFO or insurance buyer should be present for this agenda item to provide context on any corrective actions already undertaken or planned.
The Risk Management Committee, where it exists as a separate body, should receive a consolidated view of insurable risks at least twice a year. This report should cover the insurance programme structure, including coverage, limits, deductibles, and key exclusions; the status of risk improvement recommendations from insurers and brokers; claims experience for the preceding period; and internal audit findings that affect the risk or insurance profile. The RMC's role is strategic: it evaluates whether the insurance programme is aligned with the company's risk appetite, whether the total cost of risk is being managed efficiently, and whether emerging risks require new or modified coverage.
For private and mid-market companies without a formal RMC, the Audit Committee can absorb this function. The key is regularity and documentation. An annual insurance programme review, presented to the board or Audit Committee with supporting internal audit observations, transforms insurance from an administrative procurement activity into a governed risk management discipline. SEBI's 2021 amendments to LODR, which expanded the RMC's role and composition requirements, signal the regulator's intent that risk oversight, including insurance-related risk, receives board-level attention proportional to its financial significance.
Implementation Roadmap: Moving from Concept to Practice in 12 Months
Organisations that recognise the value of aligning internal audit with insurance but are unsure where to start need a phased implementation approach. The following 12-month roadmap is designed for a mid-market Indian company with an established internal audit function and an existing commercial insurance programme, but no current integration between the two.
Months 1-3: Foundation. The Chief Audit Executive and the insurance buyer (or broker) meet to exchange baseline information. The audit team receives copies of all current insurance policies, endorsements, and risk improvement reports. The insurance buyer receives copies of the most recent internal audit reports for all insured locations. Both parties jointly review the information, identifying areas of overlap and gaps. The output of this phase is a documented mapping of insurance policies to auditable entities and a list of insurance warranties and conditions that can be incorporated into audit procedures.
Months 4-6: Pilot Integration. Select two or three high-value locations for a pilot integration. The internal audit plan for these locations is expanded to include warranty compliance verification, sum insured adequacy checks, and claims documentation readiness assessments. The audit team conducts these procedures during scheduled site visits, using checklists developed jointly with the insurance buyer. Findings are reported through the standard audit reporting process, with insurance-relevant observations highlighted separately for the Audit Committee.
Months 7-9: Review and Refinement. The Audit Committee reviews the pilot results. Key questions: Did the integrated audit identify any warranty breaches or underinsurance gaps that were previously unknown? Were the additional audit procedures practical and proportionate in terms of time and cost? Based on the pilot experience, refine the audit procedures, update the checklists, and develop a training module for audit staff on insurance policy interpretation and warranty testing.
Months 10-12: Full Rollout. Extend the integrated audit approach to all material insured locations. Incorporate insurance-related audit procedures into the annual risk-based audit plan presented to the Audit Committee. Establish a quarterly information exchange between the internal audit function and the insurance buyer, with a standing agenda covering new audit findings, claims developments, policy renewal updates, and risk improvement status. Present the first annual integrated report to the Audit Committee or Board, documenting the insurance-related observations identified through internal audit and the corrective actions taken.
The cost of this integration is modest. No new systems or software are required in most cases. The primary investment is time: the Chief Audit Executive and insurance buyer each dedicate approximately 15-20 hours over the first year to establish the framework, and ongoing maintenance requires 3-5 hours per quarter for the information exchange. The return, measured in avoided claims disputes, corrected underinsurance, and remediated warranty breaches, typically exceeds the investment within the first policy year.