Audit & Assurance · Information Systems & IT Audit
Systems, ERP & Application Audit
Your ERP is where every financial transaction, every approval, and every control in your organisation actually lives — and most managements have never had it independently examined.
Chartered Accountants · Chennai · Hyderabad · Bangalore · Dubai · Since 1986
Your ERP is where every financial transaction, every approval, and every control in your organisation actually lives — and most managements have never had it independently examined. PNPC Global's Systems, ERP & Application Audit tests whether the access controls, workflow approvals, interfaces, and data integrity checks inside SAP, Oracle, Microsoft Dynamics, Tally, Zoho, or any other business application are actually doing what management believes they are doing. We combine the Chartered Accountant's understanding of financial controls with hands-on IT audit technique — access reviews, configuration testing, interface reconciliation, and data analytics — to give the Board and Audit Committee independent assurance that the system underpinning every number in the financial statements is sound.
What it costs
No hidden charges. The exact figure is set in your engagement letter.
A Systems, ERP & Application Audit is an independent examination of the Enterprise Resource Planning (ERP) system or other core business application an organisation relies on to record transactions, enforce approval workflows, and produce financial and operational reports. Unlike a general IT security audit, which focuses primarily on network perimeter and infrastructure, an ERP audit focuses on the application layer itself — user access and segregation of duties (SoD) within modules such as Finance, Procurement, Sales, and Inventory, configuration of automated controls (three-way match, approval hierarchies, tolerance limits), the integrity of interfaces between the ERP and satellite systems (payroll, banking, GST filing utilities, CRM), and the completeness and accuracy of data flowing from transaction entry through to the general ledger and financial statements.
In the Indian regulatory context, ERP and application controls sit at the heart of Internal Financial Controls over Financial Reporting (IFC-FR). For listed companies, the Board must include a statement on the adequacy and operating effectiveness of internal financial controls in its directors' responsibility statement under Section 134(5)(e) of the Companies Act 2013, and the statutory auditor of applicable companies must separately opine on IFC-FR under Section 143(3)(i) of the Companies Act 2013 (read with the Companies (Audit and Auditors) Rules, 2014) and the Guidance Note on Audit of Internal Financial Controls issued by ICAI — a distinct reporting requirement from the Companies (Auditor's Report) Order (CARO), which covers a separate set of matters such as fixed assets, inventory, loans and statutory dues. Certain private companies (based on turnover and borrowing thresholds) are exempt from the auditor's IFC reporting requirement under the applicable rules. A poorly configured or poorly access-controlled ERP is one of the most common root causes of an adverse or qualified IFC opinion — because journal entries can be posted outside approval workflows, users can hold conflicting access (creating a vendor and also approving payments to that vendor), and system-generated reports can silently misstate figures if the underlying configuration or master data is wrong. For companies using SAP, Oracle Fusion, Microsoft Dynamics 365, NetSuite, Tally Prime (with add-ons), or sector-specific ERPs, PNPC's audit approach is tailored to the specific application's control architecture rather than a generic checklist.
The audit methodology typically spans four control domains recognised under COBIT and ISO 27001-aligned IT audit frameworks, adapted for the Indian mid-market and enterprise context: (1) IT General Controls (ITGC) — user access management, change management for system configuration, and IT operations/backup controls; (2) Application/Automated Controls — the specific system-enforced rules such as approval matrices, tolerance limits, mandatory field validations, and automated three-way matching between purchase order, goods receipt, and invoice; (3) Interface Controls — reconciliation and completeness checks on data moving between the ERP and other systems, including bank feeds, payroll systems, e-invoicing/e-way bill utilities, and GST return preparation tools; and (4) Data Integrity & Reporting Controls — testing whether standard and custom reports pulled from the ERP tie back accurately to underlying transaction data, and whether master data (vendor, customer, chart of accounts, tax codes) is governed by a proper approval and maintenance process.
An ERP audit is distinct from an ERP implementation review (which tests whether a new system was configured correctly before go-live) and from a cybersecurity/VAPT engagement (which tests external attack surface and network security). It is also distinct from — though closely linked to — the IFC testing performed as part of statutory audit; many organisations commission a dedicated ERP/systems audit specifically because the statutory auditor's IFC testing surfaced application-control gaps that need a deeper, IT-audit-trained review to properly diagnose and remediate. For listed companies, companies preparing for an IPO, PE/VC-backed companies under investor governance covenants, and any organisation where the ERP has grown organically over several years with ad-hoc access grants and customisations, a periodic independent ERP audit is one of the highest-value assurance engagements a Board can commission.
When a Systems, ERP & Application Audit is the right engagement
Your statutory auditor has flagged IFC-FR deficiencies, CARO observations, or management letter points relating to access control, segregation of duties, or system-generated report accuracy
The ERP has been live for several years with accumulated user access grants, role changes from employee transfers, and ad-hoc configuration changes that have never been independently reviewed
You are preparing for an IPO, a PE/VC fundraise, or an acquisition — and need to demonstrate that financial systems and controls will withstand due diligence and post-listing SOX-equivalent scrutiny
A recent ERP implementation, upgrade, or migration (on-premise to cloud, or one ERP to another) has just gone live and management wants independent assurance before relying on it for statutory reporting
Suspected or known instances of unauthorised transactions, duplicate vendor payments, ghost employees in payroll, or inventory discrepancies that point to an access or configuration gap rather than a one-off error
Segregation of duties concerns — for example, the same user can create a vendor master, raise a purchase order, and approve the payment — a classic fraud-enabling configuration that is easy to miss without a dedicated review
Investor, lender, or regulatory covenant requiring periodic independent IT/ERP control assurance as part of governance reporting
Multiple satellite systems (banking portals, payroll software, GST/e-invoicing tools, CRM) feed into or draw from the ERP, and management has no independent confirmation the interfaces are reconciled and complete
When a different engagement may fit better
You need an external network penetration test or vulnerability assessment of your IT infrastructure — a VAPT/cybersecurity engagement, not an ERP application audit, is the correct scope
The ERP has not yet gone live — a pre-go-live ERP implementation review (testing configuration and data migration before cutover) is more valuable than a post-implementation audit at this stage
Your only requirement is the standard IFC testing bundled within the statutory audit — if the statutory auditor's existing IFC procedures are adequate for your risk profile and no gaps have been flagged, a standalone ERP audit may not yet be necessary
You are a very small business on basic accounting software (simple Tally or Excel-based bookkeeping) with minimal user base and no segregation-of-duties complexity — a lighter-touch process review may be more proportionate than a full ERP audit methodology
The concern is a specific, already-identified fraud or irregularity — a forensic/investigative audit engagement, which uses different evidentiary standards and procedures, is the more appropriate response
You need help selecting or evaluating a new ERP vendor — that is an ERP selection/advisory engagement, distinct from an audit of an existing live system
Systems/ERP Audit vs other IT and assurance engagements
| Feature | Systems/ERP Audit | IFC Testing (Statutory Audit) | VAPT / Cybersecurity Audit | ERP Implementation Review | Forensic/IT Investigation |
|---|---|---|---|---|---|
| Primary objective | Assurance on ERP access, configuration, interface & data integrity controls | Opinion on whether IFC over financial reporting is adequate and operating effectively | Identify exploitable vulnerabilities in network/infrastructure | Confirm new ERP is correctly configured and data migrated before/at go-live | Investigate a specific suspected fraud or system irregularity |
| Governing/reference framework | COBIT, ISO 27001-aligned IT audit practice, ICAI Guidance Note on IFC | Section 134(5)(e) and Section 143(3)(i) Companies Act, Guidance Note on Audit of IFC | OWASP, ISO 27001, PCI-DSS where applicable | Project-specific test scripts, data migration reconciliation standards | Engagement-specific, often digital forensics standards |
| Who typically commissions it | Audit Committee / Board / CFO | Statutory auditor, as part of the audit | CISO / IT Head / Board | Project Steering Committee / CFO | Board, investor, or regulator on suspicion |
| Scope focus | Application-layer access, SoD, automated controls, interfaces, data integrity | Controls relevant to material financial statement line items only | Network perimeter, servers, endpoints, application vulnerabilities | Configuration accuracy, data migration completeness, UAT sign-off | Specific transactions, logs, and evidence tied to the allegation |
| Frequency | Periodic — typically annual or bi-annual, or triggered by a control concern | Every year, as part of the annual statutory audit cycle | Periodic — typically annual, or after major infrastructure change | One-time, timed around go-live | As triggered — not recurring by default |
| Depth of technical testing | Deep on application configuration and access; moderate on infrastructure | Limited to controls material to financial statements | Deep on infrastructure and network; limited on application business logic | Deep on configuration and data mapping for the specific implementation | As deep as required to support findings evidentially |
| Typical output | Findings report rated by severity with remediation roadmap | Management letter points / IFC opinion in the audit report | Vulnerability report with CVSS-style severity ratings | Go-live readiness report / sign-off memo | Investigation report, potentially for legal or disciplinary use |
| Overlap with statutory audit | Complements and often deepens statutory auditor's IFC work | Is itself part of the statutory audit | Generally independent of the statutory audit scope | Independent — precedes reliance for financial reporting | Independent — commissioned outside the regular audit cycle |
These engagements are frequently complementary rather than substitutable. Many PNPC clients commission a Systems/ERP Audit specifically because gaps surfaced during statutory audit IFC testing need a deeper, IT-audit-trained review. The right combination and scope for your organisation should be confirmed with a practising CA based on your ERP landscape, regulatory profile, and risk appetite.
| # | Stage & What PNPC Does | What Generic IT Auditors Skip | Timeline |
|---|---|---|---|
| 1 | Scoping & ERP Landscape Assessment | We map every application in scope — the core ERP plus satellite systems (payroll, banking portals, e-invoicing/GST utilities, CRM) — and agree the modules and locations to be covered. A generic IT auditor without CA-level financial control understanding often scopes only the technical infrastructure and misses the finance-process-critical application controls. | Week 1 |
| 2 | Risk Assessment & Control Objective Mapping | We identify the financial and operational risks your specific ERP configuration creates — segregation of duties conflicts, manual workaround risk, interface reconciliation risk — and map each to a testable control objective, rather than running a generic checklist unrelated to your actual risk profile. | Week 1–2 |
| 3 | Audit Charter & Access Rights for the Audit Team | We formalise scope, data access requirements, and confidentiality terms, and obtain read-only access to the ERP's user administration and configuration tables needed for independent testing — without requiring any change to production access. | Week 2 |
| 4 | IT General Controls (ITGC) Review | User access provisioning/de-provisioning process, periodic access recertification, change management for configuration changes, and backup/DR controls are tested — including whether exited employees' ERP access was actually revoked, a control gap we find in the large majority of first-time ERP audits. | Week 2–4 |
| 5 | Segregation of Duties (SoD) Analysis | We run a systematic SoD conflict analysis across the user base — flagging users who can both create and approve, both post and reconcile, or both raise a purchase order and approve the corresponding payment. This is typically the single highest-value output of the entire engagement and the one most frequently skipped by low-cost providers who lack access-matrix tooling. | Week 3–5 |
| 6 | Automated/Application Control Testing | Approval workflow configuration, tolerance limits, three-way match (PO–GRN–Invoice) enforcement, mandatory field validations, and system-enforced numbering/sequencing are independently tested against what the process documentation claims should happen. | Week 4–6 |
| 7 | Interface & Data Flow Testing | We reconcile data moving between the ERP and satellite systems — bank statement feeds, payroll postings to the GL, GSTR-1/GSTR-3B data pulled from the ERP for return preparation, e-invoice/e-way bill generation — to confirm completeness and accuracy of the interface, not just that it exists. | Week 5–7 |
| 8 | Master Data & Configuration Review | Vendor master, customer master, chart of accounts, and tax code configuration are reviewed for duplicate records, dormant-but-active vendors, and unauthorised or undocumented configuration changes — common vectors for both error and fraud that pure infrastructure audits do not test. | Week 6–7 |
| 9 | Data Analytics on Full Transaction Populations | Where feasible, we run data analytics across full transaction populations — not a token sample — to flag duplicate payments, round-tripping, journal entries posted outside business hours or by unauthorised users, and other statistical outliers. | Week 6–8 |
| 10 | Findings Rating & Draft Report | Every finding is rated by severity (Critical/High/Medium/Low), linked to the specific control objective and risk, and accompanied by a practical, system-configurable recommendation — not a generic 'tighten access' comment. Draft findings are shared with the IT and process owners for factual validation. | Week 8–9 |
| 11 | Management Response & Remediation Roadmap | We require a documented management response — agree, partially agree, or disagree with reasons — and a committed remediation owner and timeline for every accepted finding, converting the report into an actionable governance document rather than a static PDF. | Week 9–10 |
| 12 | Audit Committee / Board Presentation | Findings, ratings, and the remediation roadmap are presented directly to the Audit Committee or Board by the engagement CA — in plain-language terms a non-technical director can act on — not left as a purely technical document circulated by email. | Week 10 |
| 13 | Follow-Up Validation Cycle | On a subsequent visit (typically the next audit cycle, or sooner for Critical findings), we independently verify that remediation was actually implemented — not merely marked closed in a tracker — closing the loop that many one-time ERP audits leave open. | Next cycle, or as agreed |
Realistic end-to-end timeline for a first ERP/systems audit of a mid-sized single-ERP organisation: 8–10 weeks from kickoff to Board presentation, depending on the number of modules, locations, and satellite system interfaces in scope. Multi-entity or multi-ERP groups, and organisations with significant customisation, typically require a longer first cycle; subsequent annual cycles are faster once baseline documentation exists.
List of all ERP modules in use (Finance, Procurement, Sales/Order Management, Inventory, Manufacturing, HR/Payroll, etc.) with the version and hosting model (on-premise, private cloud, SaaS/public cloud)
System architecture diagram or landscape document showing the ERP and every interfaced satellite system — banking, payroll, GST/e-invoicing utility, CRM, warehouse management
List of all legal entities, business units, and locations operating on the ERP, with any entity-specific configuration differences
Details of any recent ERP implementation, upgrade, or major configuration change in the last 24 months, including go-live dates and any post-go-live issues log
Complete current user access listing across all in-scope modules, including role/profile assigned to each user
User provisioning and de-provisioning (offboarding) policy/process document, including the standard turnaround time for revoking access on employee exit
HR exit list for the audit period, to be cross-checked against ERP access logs for timely de-provisioning
Details of any periodic user access recertification/review process currently performed, and evidence of the most recent review
List of users with superuser, system administrator, or configuration-change access, and the business justification for each
Documented approval matrix/delegation of authority for purchase orders, payments, journal entries, and master data creation, as configured in the system
Configuration documentation or screenshots for tolerance limits, three-way match settings, and mandatory field validations in the Procure-to-Pay and Order-to-Cash cycles
Change management log for configuration changes made to the ERP during the audit period, with approval evidence for each change
Numbering series/sequencing configuration for invoices, journal vouchers, and other statutory documents
Vendor master extract with creation date, last modified date, and the user who created/modified each record
Customer master extract with the same fields
Chart of accounts with mapping to financial statement line items, and any recent changes to account structure
GST/tax code master and its mapping to the applicable rates and HSN/SAC codes used in the system
Bank statement interface/reconciliation reports for the audit period, showing any unreconciled items
Payroll-to-GL posting reconciliation for the audit period
GST return data extract from the ERP or e-invoicing utility, for reconciliation against GSTR-1/GSTR-3B actually filed
Any manual journal entries posted outside standard system workflows during the audit period, with supporting approval
Prior year statutory auditor's management letter or IFC observations relating to IT/ERP controls, if any
Any previous internal audit, IT audit, or VAPT reports covering the ERP or related infrastructure
IT policy documents — access control policy, change management policy, backup and disaster recovery policy
Board/Audit Committee minutes referencing any known IT or ERP control issue during the audit period
Engagement letter and formal scope confirmation, including the modules, entities, and audit period covered
Read-only access request form for the audit team, routed through your IT department for provisioning
Non-disclosure and data confidentiality undertaking, executed before any access is granted
Findings tracker template circulated to process owners for management response collection
| Phase | Triggered By | PNPC CA Guidance | Risk If Ignored |
|---|---|---|---|
| Pre-Engagement Scoping | Decision to commission an ERP audit | Landscape mapping, risk assessment, and control objective agreement before any testing begins — ensures the audit targets your actual highest-risk areas, not a generic checklist. | Scope misaligned with real risk — critical SoD conflicts or interface gaps go untested while audit hours are spent on low-risk areas. |
| Fieldwork — ITGC & Access Testing | Audit kickoff | Independent testing of provisioning/de-provisioning, SoD conflicts, and change management — cross-checked against HR exit data and configuration change logs, not just policy documents. | Exited employees retaining active ERP access; unauthorised configuration changes going undetected; SoD conflicts enabling undetected fraud. |
| Fieldwork — Application Controls & Interfaces | Mid-engagement | Automated control testing (three-way match, tolerances, approval workflows) and interface reconciliation between ERP and satellite systems (banking, payroll, GST utilities). | System-generated financial reports silently misstating figures due to unreconciled interfaces or bypassed approval workflows. |
| Reporting & Audit Committee Presentation | Fieldwork complete | Severity-rated findings with practical, system-configurable remediation — presented directly to the Audit Committee in plain-language terms, with management response captured for each finding. | Findings buried in a technical report that management does not act on; no formal accountability or remediation ownership assigned. |
| Remediation Tracking | Findings accepted by management | Remediation roadmap with owner and timeline for every accepted finding, tracked to closure rather than left open indefinitely. | Findings repeat in the next audit cycle or surface as IFC deficiencies in the statutory audit, damaging the credibility of the governance process. |
| Statutory Audit Interface | Annual financial statement audit | Findings and remediation status shared with the statutory auditor (with management's consent) to support their IFC testing — reducing duplication and strengthening the overall control narrative for IFC reporting under Section 143(3)(i) and, where relevant, CARO observations. | Statutory auditor independently discovers the same gaps, potentially resulting in a qualified IFC opinion or a CARO observation that could have been pre-empted. |
| Follow-Up / Next Cycle | Subsequent audit period, or major system change | Independent validation that prior findings were genuinely remediated (not just marked closed), and re-scoping if the ERP landscape has changed — new modules, new entities, or a system migration. | Stale remediation status; new risk introduced by an unreviewed system change (upgrade, new interface, new business unit go-live) going untested until the next scheduled cycle, if any. |
| Fundraise / IPO / M&A Readiness | Investor or listing process initiated | ERP audit findings and remediation history packaged as part of the due diligence data room — demonstrating a mature, independently-tested control environment rather than an unaudited system. | Due diligence uncovers access and control gaps late in the process, triggering valuation adjustments, deal delays, or specific indemnities/escrow conditions. |
What exactly is a Systems, ERP & Application Audit — in plain terms?
It is an independent check of whether the controls built into your ERP or core business application — who can do what, what approvals are required, how data moves between systems — actually work the way management believes they do. It goes beyond financial statement audit to test the system itself: user access, approval workflows, automated checks like three-way matching, and whether data flowing between your ERP and other systems (banking, payroll, GST tools) is complete and accurate.
Is a Systems/ERP Audit legally mandatory in India?
There is no standalone statute that mandates a periodic ERP audit by name. However, it is closely linked to obligations that are mandatory: the Board's certification of Internal Financial Controls over Financial Reporting under Section 134(5)(e) of the Companies Act 2013 (for listed companies), the statutory auditor's IFC opinion under Section 143(3)(i) for applicable companies, and, for certain regulated entities (banks, NBFCs, listed companies), specific regulator expectations around IT governance. In practice, an ERP audit is the mechanism by which the underlying application controls supporting IFC certification are actually tested at a level of technical depth the standard statutory audit procedures may not reach.
How is this different from the IT controls testing already done as part of the statutory audit?
The statutory auditor's IFC testing is scoped to controls material to the specific financial statement assertions and line items being audited — it is a subset, not a comprehensive review of the ERP. A dedicated Systems/ERP Audit goes deeper: full segregation-of-duties analysis across the user base, complete access recertification testing, interface reconciliation across all satellite systems, and master data integrity review — regardless of whether a specific control is deemed 'material' for the current year's financial statement opinion.
Which ERP systems does PNPC have experience auditing?
PNPC's IT-audit-trained team has experience across the ERP systems most commonly used by Indian mid-market and enterprise clients, including SAP (ECC and S/4HANA), Oracle (E-Business Suite and Fusion), Microsoft Dynamics 365, NetSuite, Tally Prime with add-on modules, and Zoho Books/Zoho One implementations. The audit methodology — ITGC, SoD, application controls, interface testing, data analytics — is consistent across platforms, but the specific configuration tables, role structures, and known risk areas we test are tailored to each application's architecture.
What is segregation of duties (SoD) and why does the audit focus so heavily on it?
Segregation of duties means no single user should be able to both execute and approve/control the same transaction end-to-end — for example, creating a vendor master record and also approving payments to that vendor, or raising a purchase order and approving the corresponding invoice. When SoD is violated, a single compromised or dishonest user can commit and conceal fraud without needing a second party's collusion. In ERP systems, SoD conflicts accumulate silently over time as employees change roles and IT grants incremental access without revoking the old access.
We recently went live on a new ERP. Should we get an audit now or wait?
For a system that has just gone live, the more relevant engagement in the first few months is often a post-implementation review focused on go-live readiness — confirming data migration completeness, initial access grants being appropriate, and configuration matching the approved design. A full-cycle Systems/ERP Audit as described here is typically most valuable once the system has been in live operation for at least one full reporting cycle (so there is a transaction history to test) and ideally after the first set of access changes from staff movement.
What access does the audit team need, and is there any risk to our live system?
The audit team requires read-only access to user administration tables, configuration settings, and transaction data extracts — no change or write access to your production environment is required or requested at any stage. Where direct system access is not feasible for security reasons, we work with your IT team to obtain the required data extracts on an agreed schedule instead.
How long does a typical ERP audit take?
For a mid-sized single-ERP organisation with a handful of modules and locations in scope, a realistic first-cycle timeline is 8–10 weeks from kickoff to Audit Committee presentation. Multi-entity groups, multiple ERPs, heavy customisation, or a larger number of interfaced satellite systems extend this. Subsequent annual cycles are typically faster once baseline documentation, the risk assessment, and the SoD matrix already exist from the prior cycle.
What does a finding actually look like, and how is severity decided?
Each finding documents the specific control gap identified (for example, '14 users hold both vendor-master-creation and payment-approval access'), the risk it creates, and a practical, system-configurable recommendation. Severity is rated Critical, High, Medium, or Low based on the combination of likelihood and potential financial or reputational impact — a Critical finding typically indicates an active exposure (for example, unrevoked access for an exited employee with payment authority), while a Low finding might be a documentation gap with no immediate transactional risk.
Who receives the audit report, and is it shared with our statutory auditor?
The report and the Audit Committee/Board presentation are addressed to your organisation — typically the Audit Committee, CFO, and CISO/IT Head. Sharing the report with your statutory auditor is your decision; many clients choose to share it (with the engagement CA's involvement) because it strengthens the statutory auditor's own IFC evidence base and can reduce duplicated testing, but PNPC does not share it with any third party without your explicit consent.
Does this engagement double as a cybersecurity audit or penetration test?
No. A Systems/ERP Audit tests application-layer controls — access, configuration, workflows, interfaces, data integrity. It does not test network perimeter security, external attack surface, or infrastructure vulnerabilities, which require a dedicated VAPT (Vulnerability Assessment and Penetration Testing) engagement using different tools and methodology. The two engagements are complementary — an organisation with strong ERP application controls can still be exposed at the infrastructure layer, and vice versa.
What is IT General Controls (ITGC) testing, specifically?
ITGC covers the foundational controls that support every application control riding on top of the system: user access provisioning and de-provisioning, periodic access recertification, change management for any configuration or code change to the system, and IT operations controls such as backup and disaster recovery. If ITGC is weak — for example, exited employees are not promptly de-provisioned, or configuration changes are made without approval — then even a well-designed application control (like a three-way match) cannot be relied upon, because the environment around it is not controlled.
What is three-way match, and why does the audit test it specifically?
Three-way match is an automated control that verifies a vendor invoice against both the purchase order and the goods receipt note before allowing payment — ensuring the organisation only pays for what was ordered and actually received, at the agreed price. It is one of the most common automated controls configured in ERPs to prevent overpayment, duplicate payment, and payment for goods never received. We specifically test whether the configured tolerance limits (the permitted variance between PO, GRN, and invoice amounts) are reasonable and whether the control can be bypassed through manual override, and if so, by whom and how often.
Our ERP is heavily customised. Does that change the audit approach?
Yes. For heavily customised systems, we run a short discovery phase before finalising the detailed test plan — reviewing the specific customisations, custom workflows, and any bespoke reports or interfaces built on top of the standard ERP. Applying a generic, vendor-standard checklist to a heavily customised system typically produces findings that are either irrelevant (testing standard controls that were deliberately replaced) or that miss the actual risk (custom code or workflows that were never independently reviewed).
What is master data governance, and why does it matter for an ERP audit?
Master data — vendor records, customer records, chart of accounts, tax codes — is the foundational reference data that every transaction in the ERP draws upon. Poor master data governance (duplicate vendor records, dormant-but-active vendors, uncontrolled changes to bank account details on a vendor master) is a common vector for both genuine error and deliberate fraud, such as redirecting a payment to a fraudulently altered bank account. We test who can create or modify master data, whether changes require independent approval, and whether the master data itself contains anomalies like duplicate PANs or bank accounts shared across supposedly unrelated vendors.
How does PNPC test data flowing between the ERP and GST filing or e-invoicing systems?
We reconcile the transaction data extracted from the ERP (or the e-invoicing/e-way bill utility feeding off it) against the actual GSTR-1 and GSTR-3B returns filed for the corresponding period, checking for completeness (all applicable transactions captured), accuracy (correct HSN/SAC codes and tax rates applied by the system configuration), and timeliness. Where the ERP auto-generates e-invoices or e-way bills, we also test whether the interface between the ERP and the government's Invoice Registration Portal (IRP) or e-way bill portal is functioning without silent data loss or duplication.
What happens if the audit finds a Critical severity issue mid-engagement?
We do not wait for the final report to communicate a Critical finding — such as active, unrevoked payment-approval access for an employee who left the organisation months ago, or an unauthorised configuration change that bypasses an approval workflow. Critical findings are escalated to management (and, depending on severity, the Audit Committee Chair) immediately upon confirmation, so remediation can begin before the final report is even drafted.
How does this engagement support our IPO or fundraise due diligence?
Institutional investors and IPO due diligence teams routinely examine the maturity of financial systems and controls as part of their assessment — an unaudited ERP with unknown access risk and unreconciled interfaces is a red flag that can trigger valuation adjustments, specific indemnities, or deal delays. A completed ERP audit with a clean or well-remediated findings history is concrete, independently-verified evidence of control maturity that can be included directly in the data room.
Do you audit cloud-based/SaaS ERPs differently from on-premise systems?
The core methodology — ITGC, SoD, application controls, interfaces, data integrity — is the same, but the specific testing approach differs. For SaaS ERPs (e.g., NetSuite, cloud SAP S/4HANA, Dynamics 365 Business Central), infrastructure-level controls like physical data centre security and underlying network security are the vendor's responsibility under the shared-responsibility model, so we focus our testing on the controls your organisation configures within the application — access, workflow, and configuration — rather than duplicating vendor-level infrastructure assurance (which is typically covered by the vendor's own SOC 2 or ISO 27001 certification, which we review as supporting evidence).
Can PNPC also help remediate the findings, or only report them?
PNPC's core deliverable is the independent audit and findings report. We do provide practical, implementable remediation recommendations for every finding, and we track remediation status through the follow-up validation cycle. Where a client wants hands-on support implementing a specific remediation (for example, redesigning the approval matrix or conducting a full access recertification exercise), we can scope that as a separate advisory engagement — kept distinct from the audit itself to preserve independence for the following audit cycle.
How often should a Systems/ERP Audit be repeated?
Most organisations benefit from an annual cycle, aligned with the statutory audit calendar so findings can inform (and be informed by) the year's IFC testing. Organisations with lower risk profiles, simpler ERP landscapes, and a clean prior-cycle result sometimes move to a bi-annual (every two years) cycle, supplemented by targeted reviews after any major system change (upgrade, new module go-live, new entity onboarding). Any major ERP change — migration, upgrade, new interface — should trigger an interim scoped review rather than waiting for the next scheduled full cycle.
What is the difference between this audit and a simple 'IT security checklist' some vendors offer?
A generic IT security checklist typically verifies presence/absence of policies and generic technical settings (password complexity, firewall presence) without testing whether financially significant application controls actually operate as designed on live transaction data. PNPC's Systems/ERP Audit is built by Chartered Accountants with IT audit training specifically to bridge financial control understanding with technical testing — we test actual SoD conflicts using real access data, actual three-way match enforcement using real transaction samples, and actual interface completeness using real reconciliations, not a checklist of yes/no policy questions.
Does PNPC audit ERPs for companies operating in both India and the UAE?
Yes. PNPC has operating offices in Chennai, Bangalore, Hyderabad, and Dubai. For groups running a single ERP instance across an Indian entity and a UAE entity — a common structure for cross-border businesses — we test the controls consistently across both entities' data and users within the same engagement, and factor in relevant differences such as UAE VAT/Corporate Tax reporting requirements alongside Indian GST requirements where the ERP handles both.
What qualifications does the team performing the audit hold?
PNPC's Systems/ERP Audit engagements are led by practising Chartered Accountants with specific information systems audit training and experience, supported by technical specialists with ERP-platform-specific configuration knowledge where the engagement requires it (for example, SAP Basis-level access review expertise for SAP engagements). The CA leadership ensures findings are interpreted through the lens of actual financial statement and governance risk, not purely technical IT risk in isolation.
What does a Systems, ERP & Application Audit cost with PNPC?
PNPC agrees a fixed, written fee for each ERP audit engagement, scoped to the specific number of modules, entities, locations, and interfaces in the audit's coverage. Fees depend materially on ERP complexity, the number of users and locations, the extent of customisation, and whether it is a first-cycle (baseline-building) engagement or a repeat annual cycle. We provide a written scope and fee proposal after the initial scoping discussion — before any fieldwork begins.
Why should we engage PNPC rather than a pure IT security firm or a generic 'compliance' vendor?
A pure IT security firm typically lacks the Chartered Accountant's grounding in financial statement risk, IFC requirements, and Companies Act governance obligations — they can tell you a password policy is weak but may not connect an SoD conflict to its financial reporting and fraud implications. A generic compliance vendor often runs a templated checklist regardless of your specific ERP configuration. PNPC combines practising CA judgment — the same judgment applied in statutory audit and IFC testing — with hands-on ERP-specific technical testing, and we are the same firm your Board can call on for the statutory audit, internal audit, and every other assurance need across the company's life.
What does the PNPC engagement actually include, end to end?
Landscape mapping and risk assessment; audit charter and access provisioning coordination; full ITGC review including access provisioning/de-provisioning testing; comprehensive segregation-of-duties analysis; automated/application control testing including three-way match and approval workflows; interface and reconciliation testing across satellite systems including GST/e-invoicing; master data governance review; data analytics on full transaction populations where feasible; severity-rated findings report; management response collection; Audit Committee/Board presentation; and a follow-up validation cycle to confirm remediation was genuinely implemented.
How does an ERP audit interact with Internal Audit if we already have that function?
Where a client already has an internal audit function (in-house or outsourced, including PNPC's own Internal Audit service), the Systems/ERP Audit is typically either commissioned as a specific cycle within the broader internal audit plan, or run as a standalone deep-dive that feeds findings into the internal audit's overall risk register. We coordinate scope with the existing internal audit function to avoid duplicated testing and to ensure IT/ERP risk is properly represented in the annual risk assessment that drives the broader internal audit plan.
What if we don't have a formal Audit Committee — can we still commission this audit?
Yes. While the ideal reporting line for ERP audit findings is a formally constituted Audit Committee (mandatory for listed companies and certain classes of public companies under Section 177 of the Companies Act), many private companies without a mandatory Audit Committee still commission ERP audits and receive findings directly through the Board or a designated senior management sponsor (typically the CFO). The value of the audit itself is not diminished by the absence of a formal committee structure, though we do recommend at least a Board-level briefing for any Critical or High findings.
Is this audit relevant for NBFCs, banks, or other RBI-regulated entities with additional IT governance requirements?
Yes, and it is often more directly relevant for such entities. RBI has issued specific IT governance, risk, and control guidelines for banks and NBFCs (including master directions on IT governance and cybersecurity), and core banking or lending management systems fall squarely within scope of the same ITGC, application control, and data integrity testing methodology used for any ERP. For regulated entities, we align the audit scope and reporting format to the specific regulatory guideline in force, in addition to the general Companies Act and IFC considerations relevant to any company.
What happens after the audit — does PNPC just hand over a report and leave?
No. The engagement includes the formal Audit Committee/Board presentation, a management response collection process, and a follow-up validation cycle in the subsequent period to independently confirm remediation actually happened. PNPC remains available for clarification questions on findings throughout the remediation period at no additional charge within the engagement, consistent with our approach across every PNPC service — we do not consider the engagement complete until the findings have been acted upon, not merely delivered.
| Feature | Generic IT Security Vendor | Pure Compliance Checklist Provider | PNPC Global |
|---|---|---|---|
| Financial risk translation | Limited — technical findings without financial statement context | Minimal — checklist scored yes/no without risk narrative | Every finding linked to its financial reporting, IFC, and fraud risk implication by a practising CA |
| Segregation of duties analysis | Sometimes covered at a surface level | Rarely covered in depth | Systematic SoD conflict analysis across the full user base — our highest-value finding category |
| ERP-specific technical depth | Variable — depends on vendor's platform specialisation | Low — generic checklist regardless of platform | Testing tailored to your specific ERP's configuration architecture (SAP, Oracle, Dynamics, NetSuite, Tally, Zoho) |
| Interface & GST/e-invoicing reconciliation | Not typically in scope | Not typically in scope | Explicitly tested — ERP to bank, payroll, and GST/e-invoicing utility reconciliation |
| Audit Committee presentation | Rarely offered directly | Not offered | Findings presented directly to the Audit Committee/Board by the engagement CA in plain-language terms |
| Follow-up validation of remediation | Rarely included | Not included | Independent follow-up cycle to confirm remediation genuinely happened, not just marked closed |
| Continuity across other assurance needs | Single-purpose engagement, no broader relationship | Single-purpose engagement | Same firm available for statutory audit, internal audit, IFC advisory, and every other assurance need across your company's life |
| India-UAE cross-border ERP coverage | Rarely offered | Not offered | Chennai/Bangalore/Hyderabad and Dubai offices — single team for groups running one ERP across both jurisdictions |
What the PNPC package includes
- 01
ERP landscape mapping and risk-based scoping across all in-scope modules, entities, and locations
- 02
Full IT General Controls (ITGC) review — access provisioning/de-provisioning, change management, backup/DR controls
- 03
Comprehensive segregation-of-duties (SoD) conflict analysis across the entire user base
- 04
Automated/application control testing — three-way match, approval workflows, tolerance limits, mandatory validations
- 05
Interface and reconciliation testing — ERP to banking, payroll, GST/e-invoicing utilities, and other satellite systems
- 06
Master data governance review — vendor, customer, chart of accounts, and tax code integrity
- 07
Data analytics across full transaction populations where feasible, not token sampling
- 08
Severity-rated findings report (Critical/High/Medium/Low) with practical, system-configurable recommendations
- 09
Management response collection and remediation roadmap with named owners and timelines
- 10
Direct Audit Committee/Board presentation by the engagement Chartered Accountant
- 11
Follow-up validation cycle to independently confirm remediation was genuinely implemented
- 12
Coordination with your statutory auditor's IFC testing, with your consent, to strengthen the overall control narrative
Speak directly with a PNPC Chartered Accountant trained in IT and ERP audit — not a call-centre technician reading from a checklist. Someone who understands both how your ERP is configured and what that configuration means for your financial statements, your IFC certification, and your Board's governance obligations.