What is a corporate insurance audit?

A corporate insurance audit is an independent review of a company's existing insurance policies against its actual risk exposures. It identifies coverage gaps (risks that are uninsured or underinsured), overlaps (duplicate covers), sum insured inadequacy, policy exclusions that contradict the company's risk assumptions, and opportunities to optimise the insurance spend. It is distinct from an audit of an insurance company — this is an audit of the corporate buyer's insurance programme.

How common is underinsurance among Indian corporates?

Underinsurance is widespread among Indian corporates, particularly in property and business interruption covers. Many companies have not updated their sum insured for asset inflation since the original policy was taken out. The average clause in Indian fire policies means that partial claims are also settled proportionately — so a company insured for 60% of its true asset value will receive only 60% of any valid claim.

How often should a corporate insurance audit be done?

An insurance audit should be done at least every 3 years, and at every significant business event — acquisition, new plant or facility, entry into a new market, major change in headcount, or after a claim. Annual policy renewals are a natural trigger for at least a lighter-touch coverage review.

Corporate Insurance Audit — Identifying Coverage Gaps Before a Claim Does

A corporate buys insurance to transfer risk. But between the moment a policy is purchased and the moment a claim is made, something often goes quietly wrong: the business grows, assets appreciate, new risks emerge, a key exclusion is missed at renewal, and the sum insured drifts away from reality. When the claim finally arrives, the payout falls materially short of the loss — not because the insurer acted in bad faith, but because the policy no longer reflected the risk it was meant to cover.

This is the problem a corporate insurance audit is designed to prevent. It is not an audit of an insurance company — it is an independent, structured review of the corporate buyer's insurance programme: the policies held, the risks faced, and the gap between them.

The scale of the problem in India: India's non-life insurance penetration among corporates is significantly below global benchmarks. A 2025 EY analysis of global protection gaps found that 60% of economic losses from significant events are uninsured. For Indian corporates, the figure is likely higher — driven by a combination of sum insured stagnation, inadequate business interruption covers, and systemic underestimation of liability exposures.

What a Corporate Insurance Audit Is — and Is Not

The term "insurance audit" is used in two completely different contexts in India, and the distinction matters:

Context	What it means	Who does it
Audit of an insurance company	Statutory financial audit, actuarial reserving review, IRDAI compliance — examining the insurer's accounts	Statutory auditor, appointed actuary
Corporate insurance audit (this article)	Independent review of a corporate's own insurance portfolio against its risk profile — examining the buyer's cover adequacy	Risk manager, independent insurance adviser, actuary

The corporate insurance audit is a buy-side exercise. The corporate is the client; the insurer's adequacy is not in question. What is being tested is whether the corporate's insurance programme — the collection of policies it has purchased — adequately covers the risks it actually faces.

Why Most Indian Corporates Need One

Several structural features of how insurance is bought in India create systematic gaps:

1. Policies are renewed, not redesigned

The majority of corporate insurance in India is renewed annually with minimal review. The broker sends a renewal notice; the finance team approves the premium; the policy continues on the same terms as the prior year — sometimes for a decade. Meanwhile, the business has grown, added facilities, entered new markets, changed its liability profile, and taken on new contractual obligations. The policy has not kept pace.

2. Sum insured stagnation

Property, plant, and equipment values change with inflation and capital expenditure. A factory valued at ₹50 crore in 2015 may cost ₹90 crore to replace in 2026 — but the fire policy may still show a sum insured of ₹55 crore, last updated in 2018. This is underinsurance, and it has direct legal consequences under the average clause.

The Average Clause (Condition of Average): Most Indian fire and property policies include a condition that where the sum insured is less than the actual value at risk, claims are settled proportionately. A company with assets worth ₹100 crore insured for ₹60 crore will receive only 60% of any valid claim — regardless of the claim amount. A ₹30 crore loss becomes a ₹18 crore recovery. The ₹12 crore shortfall falls on the company's own balance sheet, unbudgeted and unplanned.

3. The expectation vs. reality gap

This is the most insidious form of coverage gap. A company's board believes it is covered for a specific risk. Its insurance certificate says it holds a policy of that type. But the actual policy wording contains exclusions, sub-limits, or conditions that mean the specific loss event the board imagined is not, in fact, covered. Common examples in India:

A company holds a Directors & Officers (D&O) policy but the policy excludes claims by regulators — the most common source of D&O claims in India
A manufacturing company holds a product liability policy but the policy excludes recall costs — the most expensive component of a product liability event
A logistics company holds a cargo policy that excludes unexplained shortage — the most common cargo claim
A company holds a business interruption (BI) policy but the indemnity period is 3 months — while its actual recovery time for a major loss is 18 months

4. New risks with no corresponding cover

Risk profiles evolve faster than insurance programmes. Cyber risk is the clearest example: most Indian corporates adopted digital infrastructure aggressively through 2020–2024, but cyber insurance penetration among Indian companies remains below 15% as of 2026. Similarly, companies that have expanded into international markets may have liability exposures in foreign jurisdictions that are entirely uncovered under their India-only policies.

The Eight Categories an Insurance Audit Examines

Property & Assets — Sum Insured Adequacy

Critical

The audit compares the declared sum insured for buildings, plant, machinery, and stocks against current reinstatement values. For buildings, this requires a current construction cost estimate (Rs. per sq. ft., current market, not book value). For plant and machinery, replacement cost at current import and installation costs. For stocks, peak-season values — not year-end averages, which systematically understate exposure for seasonal businesses. Finding underinsurance here has the most immediate financial impact because the average clause applies to partial claims, not just total losses.

Business Interruption — Indemnity Period & Basis of Cover

Critical

Business interruption insurance is the most commonly misunderstood cover in India. The two critical parameters are the indemnity period (how long after the loss event the insurer will pay) and the basis of cover (gross profit, revenue, or standing charges). Most Indian corporates choose a 3 or 6-month indemnity period to save premium. But rebuilding a manufacturing facility from scratch — including regulatory approvals, equipment lead times, recommissioning, and customer re-engagement — commonly takes 18–36 months. The gap between the indemnity period and the actual recovery timeline is entirely uninsured. The loss of income during the uninsured period falls directly on the company.

Liability Covers — Scope vs. Actual Exposure

High

The audit reviews Public Liability, Product Liability, Employers' Liability, and Professional Indemnity policies against the company's actual liability profile. Key questions: Are third-party contractual indemnities reflected in the limit? Does the product liability cover include recall costs, or only bodily injury and property damage? Are subsidiary companies in India and internationally all named insureds? Is the professional indemnity retroactive date far enough back to capture historical advice? Liability gaps tend to be invisible until a claim crystallises — then they can be company-threatening in scale.

Directors & Officers (D&O) — Adequacy and Regulatory Exclusions

High

D&O claims in India have risen sharply since 2018 — driven by SEBI enforcement actions, MCA prosecutions, and increasing shareholder litigation. The audit reviews whether the D&O limit is proportionate to the company's regulatory risk profile, whether the policy covers regulatory investigation costs (not just defence of civil claims), whether it covers Side B (company indemnification of directors) and Side C (entity securities coverage for listed companies), and whether independent directors and non-executive directors are properly included. Many Indian D&O policies exclude claims arising from prior acts or known circumstances at inception — a critical gap for companies that acquire regulated businesses.

Cyber Risk — The Most Commonly Absent Cover

Critical

Cyber insurance covers first-party losses (system restoration, business interruption from a cyber event, data recovery, extortion payments) and third-party liability (breach of customer data, regulatory fines, notification costs). Most standard commercial policies explicitly exclude cyber events. Indian corporates that process customer data, operate digital infrastructure, or are connected to global supply chains carry this exposure regardless of whether they have a dedicated cyber policy. The insurance penetration for this risk is below 15%. For any company with material digital operations, the absence of standalone cyber cover is an unacceptable gap.

Employee Benefits — Adequacy vs. Regulatory Minimum

High

The audit reviews group health insurance (whether covers, sum insured, and network adequacy match the company's talent strategy and employee profile), group personal accident (whether limits are proportionate to actual salary levels and contractual obligations), and WICA / Workmen's Compensation (whether it covers all categories of employees, including contract workers and gig workers where applicable). Many companies maintain group health policies at limits set years ago — ₹3 lakh per employee when medical inflation in India has been running at 12–15% per year. The gap between the insured limit and an actual hospitalisation cost is paid by the employee — creating a retention and morale risk that the CFO may not be aware of.

Marine & Transit — Basis of Valuation and Geographic Scope

Medium

Marine policies are frequently undervalued because they are based on invoice value rather than CIF plus a standard uplift (typically 10–15%) to cover consequential costs. Policies may also have geographic restrictions that do not match the company's actual supply chain — an inland transit policy may exclude interstate highways, or a marine open cover may exclude certain ports or carrier categories. The audit reviews both the adequacy of sums and the completeness of geographic and operational scope.

Overlaps, Redundancies & Inefficient Premium Spend

Medium

Insurance programmes that have grown organically over many years often contain duplicate covers — the same risk covered under two separate policies, with recovery limited to actual loss under both. This wastes premium without providing additional protection. Common duplications: public liability cover under both a standalone policy and a contractor's policy; directors covered under both a group D&O and an individual policy; property covered under both a fire policy and an industrial all-risk policy with overlapping scope. Eliminating redundancies often funds the purchase of genuinely absent covers on a cost-neutral basis.

The Role of Actuarial Analysis in an Insurance Audit

An insurance broker can identify policy gaps through document review. An actuary adds a quantitative dimension that changes the nature of the exercise from qualitative identification to risk-based prioritisation and capital allocation.

Quantifying the uninsured exposure

For each identified gap, the actuary estimates the probable maximum loss (PML) — the realistic worst-case financial exposure the company faces from that uninsured or underinsured risk. This transforms the gap from a narrative concern into a number that the CFO and board can evaluate: "Our business interruption gap exposes us to a potential uninsured loss of ₹35–45 crore over an 18-month recovery period." That number then drives a rational decision — purchase an extended indemnity period policy, self-insure through a captive reserve, or accept the risk.

Risk ranking and capital allocation

Not every gap is equally important. The actuary constructs a prioritised risk matrix — scoring each gap on severity (the financial magnitude of the uninsured loss if it occurs) and frequency (the probability of it occurring in any given year). This produces a rational ordering of corrective actions and allows the insurance budget to be allocated to the highest-impact gaps first.

INSURE IMMEDIATELY

Business interruption gap, major property underinsurance. Transfer to insurer — cost of self-insuring is prohibitive.

MANAGE & MONITOR

Small transit losses, minor stock variances. Consider higher excess (deductible) — frequent small claims inflate premiums.

REVIEW & DECIDE

Cyber, D&O, product recall. Quantify PML; decision depends on company's risk tolerance and financial resilience.

SELF-INSURE

Low-severity, rare events. Insurance premium may exceed expected loss — retain on balance sheet.

Corrective action options

Once gaps are identified and quantified, the corrective response is not always "buy more insurance." The actuary and risk manager together consider four options for each identified gap:

Purchase additional or extended cover — the most straightforward response; appropriate where the PML is large and the premium is proportionate
Increase the sum insured — for underinsurance in existing policies; removes the average clause exposure without changing the policy structure
Self-insurance / captive reserve — where the risk is too frequent, too specific, or too unusual for the commercial market to price efficiently; the company maintains an internal reserve funded by the premium it would have paid
Risk mitigation — address the root cause rather than the financial consequence; sprinkler installation, cybersecurity controls, supplier diversification. Mitigation reduces both the probability of loss and the insurance premium.

The Audit Process — Four Phases

Risk inventory and policy collection

Compile all current policies with schedules, wordings, endorsements, and renewal terms. Map the organisational structure — all entities, locations, and operations covered. Identify all contractual insurance obligations (from customer contracts, lease agreements, lender covenants). This phase establishes the baseline: what is held.

Risk exposure assessment

Document all material risks faced by the business — property values at all locations (current reinstatement basis), revenue and gross profit figures for BI calculation, headcount and payroll for employer liability limits, contractual liability obligations, data volumes and cyber infrastructure, product liability profile. This establishes what the policies should cover.

Gap analysis and PML quantification

Compare the exposure map against the policy portfolio. For each identified gap — missing cover, inadequate sum insured, problematic exclusion, insufficient indemnity period — quantify the probable maximum loss. Rank by severity and frequency to produce the prioritised gap register.

Corrective action plan and implementation

For each priority gap, specify the corrective action: policy endorsement, sum insured revision, new policy placement, self-insurance reserve, or risk mitigation. Produce a cost estimate for each remediation. Present to the CFO and board with a phased implementation timeline, prioritised by risk severity. Track implementation through to the next renewal cycle.

When Should a Corporate Commission an Insurance Audit?

In our view, every three years. Additionally, an audit or at minimum a targeted coverage review is warranted at:

Acquisition or merger — the acquired entity's risk profile, policies, and claims history must be assessed and integrated
New facility, plant, or warehouse — new assets create new fire, liability, and BI exposures not in the existing programme
Entry into a new market or geography — international operations, new product lines, or new customer segments change the liability profile
Major capex — significant equipment purchases or construction projects require temporary works cover and post-completion sum insured updates
Significant headcount change — particularly in employee benefits covers, where sum insured adequacy and network coverage are headcount-sensitive
After a claim — a loss event reveals which covers performed as expected and which did not; the post-claim audit is the most instructive of all
Change in lender or listing status — banks and institutional lenders often have insurance covenant requirements that require verification; pre-IPO companies face enhanced D&O and professional indemnity needs

What the Audit Does Not Do

A corporate insurance audit does not select insurers, negotiate premiums, or place policies — those are broker functions. The audit is an independent advisory exercise: it tells the company what it should have, quantifies what it currently lacks, and recommends corrective action. Implementation is then executed through the company's broker and insurance relationships. The independence of the audit from placement is what gives its findings credibility with the board and lenders.

Key Takeaways

A corporate insurance audit reviews the buyer's coverage adequacy — it is entirely distinct from auditing an insurance company's financials
The average clause means underinsurance affects partial claims, not just total losses — a 40% underinsurance gap costs 40% of every claim
Business interruption indemnity periods are consistently too short; recovery timelines of 18–36 months are common but 3–6 month policies are standard
Cyber risk is the largest uninsured exposure for most Indian corporates and is explicitly excluded from standard commercial policies
Actuarial analysis quantifies the probable maximum loss for each gap, enabling rational prioritisation and capital allocation rather than intuition-based decisions
Corrective action is not always "buy insurance" — self-insurance reserves, risk mitigation, and policy restructuring are often more efficient responses to specific gaps
Conduct a full audit every three years and at every material business event — M&A, new facility, new market, major capex

Is your insurance programme keeping pace with your business?

Kapadia & Kochrekar provides independent insurance audit services for corporates — combining policy analysis with actuarial quantification of uninsured exposures. We produce a prioritised gap register with probable maximum loss estimates for each identified risk, and a corrective action plan with cost-benefit analysis. Our work is independent of insurance placement — we have no interest in which insurer or policy you choose, only in ensuring your programme accurately reflects your risk.

Commission an Insurance Audit arrow_forward

library_books Read Other Articles

K&K

Kapadia & Kochrekar, Actuaries & Consultants

Published: 21 May 2026 · kacindia.com/knowledge/