HomeServicesAudit & AssuranceConcurrent, Operational & Process Audit

Audit & Assurance · Internal & Operational Audits

Concurrent, Operational & Process Audit

A statutory audit tells you whether last year's financial statements were true and fair.

Chartered Accountants · Chennai · Hyderabad · Bangalore · Dubai · Since 1986

2,000+Clients since 1986
42 yrsCA practice
4Offices · India & UAE
24 hrsResponse time

A statutory audit tells you whether last year's financial statements were true and fair. It does not tell you whether today's purchase approvals are being bypassed, whether your warehouse dispatch process leaks stock, or whether a bank branch's daily transactions actually comply with RBI norms in real time. That is the gap concurrent, operational, and process audits close. PNPC Global has performed internal and operational audit assignments for manufacturing units, NBFCs, bank branches, trading houses, and service businesses since 1986 — reviewing not just whether numbers add up at year end, but whether the processes generating those numbers are sound, controlled, and efficient, month after month.

What it costs

Govt. feesGovernment & statutory fees as applicable to your case
Professional feeFixed professional fee — confirmed in writing before we start

No hidden charges. The exact figure is set in your engagement letter.

What Concurrent, Operational & Process Audit is

Concurrent, operational, and process audits are a family of internal-assurance engagements that examine how a business actually functions — its processes, controls, and operational efficiency — as distinct from the year-end statutory audit, which examines whether the resulting financial statements present a true and fair view. A concurrent audit is a near-real-time, transaction-level review typically performed daily, weekly, or fortnightly, most commonly mandated by the Reserve Bank of India for bank branches, currency chests, and certain NBFC operations, where transactions are checked as they happen rather than months later. An operational audit examines the efficiency and effectiveness of a specific function or department — procurement, production, inventory, dispatch, HR, treasury — measuring it against defined process standards, industry benchmarks, and the organisation's own stated policies. A process audit is narrower still: it verifies that a specific documented Standard Operating Procedure (SOP) is actually being followed on the ground, step by step, and flags deviations before they compound into losses or control failures.

These engagements sit within the broader discipline of internal audit, governed in India by the Standards on Internal Audit (SIA) issued by the Institute of Chartered Accountants of India (ICAI), and — for companies falling within the prescribed class under Section 138 of the Companies Act 2013 read with Rule 13 of the Companies (Accounts) Rules, 2014 — internal audit itself becomes a statutory requirement based on turnover, borrowings, deposits, or paid-up capital thresholds. Concurrent, operational, and process audits are typically structured as internal audit sub-engagements or as standalone management-commissioned reviews; they report to the Audit Committee, the Board, or senior management rather than to shareholders, and their output is an internal management tool, not a public filing.

What distinguishes these audits from a statutory audit is timing, scope, and audience. A statutory audit is retrospective — it examines a full financial year after it has closed, and reports to shareholders and the RoC. A concurrent audit is contemporaneous — it examines transactions within days of occurrence, catching errors and control breaches while they are still correctable, and reports internally, often to a bank's Head Office Inspection department or an NBFC's Audit Committee. An operational or process audit can be commissioned at any point in the year, on any function, at any frequency the Board or management decides — quarterly stock audits, annual procurement process reviews, or a one-time deep-dive into a specific department after a suspected control failure. None of these substitute for the statutory audit; all of them materially reduce the surprises the statutory auditor — and the business itself — encounters at year end.

For RBI-regulated entities specifically, concurrent audit is not optional. RBI's Master Direction on concurrent audit prescribes minimum coverage — a defined percentage of business (advances, deposits, non-fund exposures) — that must be brought under concurrent audit at scheduled commercial banks, and similarly prescribes concurrent audit requirements for currency chests and, in a modified form, for large NBFCs under the RBI's internal audit framework applicable to NBFCs (the Risk Based Internal Audit, or RBIA, framework). For manufacturing and trading businesses, operational and process audits are contractual engagements — commissioned by promoters, the Board, or an Audit Committee — that exist because the cost of a broken process discovered in month three is a fraction of the cost of the same process broken for twelve months and only discovered at year-end audit.

When a concurrent, operational, or process audit adds real value

Bank branches, currency chests, and treasury operations of banks and large NBFCs — where concurrent audit is mandated by RBI's Master Direction on concurrent audit and non-compliance attracts regulatory action against the entity

NBFCs required to implement a Risk Based Internal Audit (RBIA) framework under RBI's internal audit guidelines for NBFCs, where operational process reviews form a core input to the risk-based audit plan

Manufacturing businesses with material inventory, multi-location stock, or complex procurement cycles — where a monthly or quarterly operational audit of the purchase-to-pay and inventory cycle catches leakage long before the annual stock count

Companies falling within Section 138's prescribed class (based on turnover, borrowings, deposits, or paid-up capital thresholds) that need a structured internal audit programme — of which operational and process audits of specific functions form the working components

Businesses that have grown quickly and suspect their original SOPs — written when the company was a fraction of its current size — are no longer being followed consistently across locations or teams

Promoters or Boards who have delegated day-to-day operations to a growing management team and want independent, periodic verification that controls are operating as designed — not just as documented

Businesses preparing for a fundraise, sale, or franchise expansion, where investors or franchisees will scrutinise process discipline and internal controls as part of operational due diligence

Organisations that have experienced a fraud, stock shortage, or process failure and need a structured root-cause review — not just a one-time investigation, but a redesigned audit cadence that prevents recurrence

Multi-location businesses — retail chains, distribution networks, branch-based service businesses — where head office needs assurance that the same process is being followed consistently at every location

What this engagement is not, and where a different service fits better

Not a substitute for the statutory audit under the Companies Act — every company still needs its annual Section 143 audit regardless of how robust its internal/operational audit programme is; the two are complementary, not interchangeable

Not the same as a forensic audit — a forensic audit is investigative, evidence-driven, and typically triggered by a specific suspected fraud or dispute with a view to legal or disciplinary action; an operational audit is a routine, forward-looking process review, not a fraud investigation (though it can surface red flags that trigger one)

Not required by law for most private businesses below the Section 138 thresholds — for a small company with a simple, single-location operation and an engaged owner-manager, a lighter periodic management review may be more proportionate than a formal concurrent audit programme

Not a one-time engagement that produces lasting assurance — concurrent audit in particular loses its value if not sustained at the mandated frequency; a single quarter of concurrent audit coverage does not satisfy an annual RBI mandate

Not a replacement for the statutory tax audit required under income-tax law for businesses/professionals crossing prescribed turnover or receipts thresholds, a GST audit/reconciliation, or a stock audit specifically commissioned by a bank as a condition of a working capital facility — those are distinct, separately scoped engagements even though they may overlap in the areas examined

Not appropriate as a stand-alone control mechanism for a business with severely inadequate basic bookkeeping — process audit assumes there is a process to audit; a business without basic accounting discipline needs bookkeeping and accounting system setup first

Structure Comparison

Concurrent / Operational / Process Audit vs other audit and assurance engagements

FeatureConcurrent AuditOperational AuditProcess AuditStatutory Audit (Companies Act)Internal Audit (Sec 138)Forensic Audit
Primary objectiveReal-time transaction compliance checkEfficiency & control review of a functionSOP adherence verificationTrue-and-fair opinion on financial statementsSystematic risk-based control reviewInvestigate suspected fraud/irregularity
Typical mandateRBI Master Direction (banks/NBFCs); contractual for othersContractual — Board/management commissionedContractual — Board/management commissionedCompanies Act 2013, Section 143 — mandatoryCompanies Act 2013, Section 138 (class-based)Contractual — triggered by suspicion or dispute
FrequencyDaily / weekly / fortnightly — near real-timePeriodic — monthly, quarterly, or annual per planPeriodic or ad hoc, per SOP review cycleAnnual, after year-endAnnual, per Board-approved risk-based planOne-time, triggered by an event
Reports toHead Office / Audit Committee / RBI-mandated reporting lineManagement / Audit Committee / BoardDepartment head / Audit CommitteeShareholders (via AGM) and RoCAudit Committee / BoardBoard / Audit Committee / legal counsel
Governing standardRBI Master Direction on concurrent auditICAI Standards on Internal Audit (SIA)ICAI Standards on Internal Audit (SIA)Standards on Auditing (SA) under Companies ActICAI Standards on Internal Audit (SIA)No single mandatory standard; ICAI forensic guidance notes
OutputConcurrent audit reports, exception reportsOperational audit report with recommendationsSOP-compliance report with deviation logAuditor's Report under Sec 143 + CARO 2020Internal audit report to Audit CommitteeForensic investigation report, often litigation-ready
Filed with regulator/RoCNo — internal / RBI-facing for regulated entitiesNo — internal management documentNo — internal management documentYes — annexed to AOC-4 filed with RoCNo — internal Board/Audit Committee recordNo — internal, unless referred to authorities
Typical triggerRBI regulatory mandate for banks/NBFCsGrowth, process risk, or promoter requestSOP just implemented, or deviations suspectedStatutory obligation, every financial yearTurnover/borrowing/deposit/capital threshold crossedWhistle-blower complaint, stock shortage, dispute

These engagements are complementary, not competing — a well-run mid-size company typically has a statutory audit every year, an internal/operational audit programme covering key functions through the year, and commissions a forensic audit only if a specific red flag emerges. RBI-regulated entities additionally carry a concurrent audit obligation that exists independently of all of the above. PNPC scopes the right combination for your entity type and regulatory status during the initial consultation — do not assume any one engagement covers the ground the others are designed for.

How it works
#Stage & What PNPC DoesCA Advice Portals Never GiveTimeline
1Scoping Consultation — Understanding what actually needs auditingWe start by asking what a generic quote never asks: is this a regulatory mandate (RBI concurrent audit) or a management-commissioned review? Which functions carry the highest risk in your specific business — cash handling, inventory, procurement, payroll, treasury? Has there been a prior incident that triggered this request? The answers determine whether you need concurrent audit, a broad operational audit, or a narrow process audit of one SOP.Week 1
2Regulatory Applicability Check — RBI concurrent audit coverage requirementsFor banks and NBFCs, we check current RBI Master Direction coverage norms — the minimum percentage of advances, deposits, and non-fund business that must be brought under concurrent audit — and confirm whether your entity's existing coverage meets the mandated threshold. Portals do not check regulatory coverage norms; they quote a generic 'audit package'.Week 1
3Risk Assessment & Audit Universe MappingBefore fieldwork, we map every function/process in scope against likelihood and impact of failure — not a template checklist applied uniformly. A trading company's highest risk is usually inventory and receivables; a services company's is usually billing accuracy and vendor payments; a bank branch's is cash, KYC, and loan sanction compliance. The audit plan is built around your actual risk profile.Week 1–2
4SOP & Policy Document Review — Baseline before fieldwork beginsWe first read your existing SOPs, delegation of authority matrix, and approval workflows — because a process audit tests adherence to a documented standard, and you cannot test adherence to a standard that does not exist or is out of date. Where SOPs are missing or stale, we flag this as a Day 1 finding rather than silently testing against an assumed standard.Week 2
5Walkthroughs & Control Testing — Observing the process as it actually runsWe physically walk the process — warehouse dispatch, purchase approval chain, cash counter, loan sanction file — rather than relying solely on management's description of how it is supposed to work. This is where the gap between documented policy and actual practice becomes visible; it is the single most common source of findings in operational audits.Week 2–4
6Transaction Sampling & Exception TestingSample sizes and testing depth are sized to actual risk and transaction volume for your business — not a fixed percentage applied regardless of context. For concurrent audit specifically, sampling frequency follows the RBI-mandated cadence; for operational/process audits, we size samples using professional judgement calibrated to materiality and control risk.Week 3–5, or ongoing for concurrent audit
7Interim Findings Discussion with Process OwnersWe share findings with the actual department head or process owner before finalising the report — not just with the CFO or promoter after the fact. This surfaces context we might be missing and gives the process owner a chance to explain or correct before the finding is formally recorded, which produces a more accurate report and faster remediation buy-in.Ongoing, throughout fieldwork
8Root Cause Analysis — Beyond 'what went wrong' to 'why it keeps happening'A generic audit lists deviations. We trace each significant deviation to its root cause — is it a training gap, a system limitation, an incentive misalignment, or a genuine control override? A purchase approval bypass repeated across three locations usually has a systemic cause, not three unrelated lapses. Recommendations addressing root cause prevent recurrence; recommendations addressing symptoms do not.Week 4–5
9Draft Report & Management ResponseWe share a draft report with management before finalisation, inviting a formal management response to each finding — action taken, action planned, or reasoned disagreement. This response is built into the final report, giving the Audit Committee or Board a complete picture, not just an auditor's one-sided narrative.Week 5–6
10Final Report & Audit Committee / Board PresentationFor companies with an Audit Committee, PNPC presents findings directly — walking through risk-rated observations, root causes, and recommended actions, and fielding questions in real time. This is materially different from emailing a PDF report and moving to the next client.Week 6
11Corrective Action Tracking — Closing the loop, not just opening findingsAn audit finding that is never tracked to closure is of limited value. PNPC maintains an action tracker against every finding, with target closure dates agreed with management, and follows up at the next audit cycle to verify whether corrective action was actually implemented — not just promised.Ongoing, each subsequent cycle
12Concurrent Audit — Ongoing Cycle (for RBI-mandated engagements)For concurrent audit specifically, this is not a one-time project — it is a recurring cycle at the RBI-mandated frequency (daily, weekly, or fortnightly depending on the area), with monthly or quarterly consolidated reporting to the bank's Head Office Inspection department or the NBFC's Audit Committee, year-round.Continuous — daily/weekly/fortnightly per RBI norms
13Annual Programme Review & Re-ScopingAt year end, we review the entire audit programme with the client — which areas showed consistent findings and need deeper focus next year, which have stabilised and can move to a lighter review cycle, and whether new functions (a new product line, a new location, a new system) need to be added to the audit universe.Annually, ahead of the next audit cycle

Concurrent audit for RBI-regulated entities runs on a continuous, regulator-mandated cadence with no natural 'completion' date — it is a permanent feature of the control environment for as long as the entity is regulated. Operational and process audits are typically structured as a recurring annual programme with 2–4 audit cycles per function per year, though a first-time engagement or a targeted investigation into a specific concern can be scoped as a single standalone assignment of 4–8 weeks.

Document Checklist
Entity & Governance Documents

Certificate of Incorporation / registration and latest MoA-AoA, or bank/NBFC licence and RBI registration certificate where applicable

Board-approved internal audit charter or Audit Committee terms of reference, where one exists

Organisation chart showing reporting lines for the functions/departments to be audited

Delegation of Authority (DoA) matrix — approval limits by designation for purchases, payments, discounts, write-offs, and other key decisions

Minutes of the last 2–3 Audit Committee or Board meetings where internal control matters were discussed

Prior internal audit, statutory audit, and (where applicable) RBI inspection reports for the last 2–3 cycles, along with management's responses

Process Documentation & SOPs

Standard Operating Procedures for each function in scope — procurement, inventory, dispatch, sales, cash handling, payroll, IT access, as relevant

Process flowcharts or narrative descriptions of key transaction cycles, if SOPs are not formally documented

Policy documents — credit policy, discount policy, expense reimbursement policy, vendor empanelment policy, as applicable to the scope

IT system access matrix — who has access to what modules in the ERP/accounting system, and whether segregation of duties is built into system access

List of all locations/branches in scope, with the function/process performed at each

Transaction & Financial Records

Trial balance and general ledger extracts for the period under review

Purchase orders, goods received notes, and vendor invoices for the sample period — for procurement/inventory audits

Sales orders, dispatch records, and customer invoices for the sample period — for sales/dispatch audits

Bank statements and cash book/petty cash register for the period — for cash and treasury audits

Payroll register, attendance/biometric records, and statutory deduction proof (PF, ESI, PT, TDS) — for payroll process audits

Stock registers, physical verification reports, and stock reconciliation statements — for inventory audits

For Concurrent Audit (RBI-Regulated Entities)

Daily/weekly transaction registers for the branch or business line under concurrent review — advances sanctioned, deposits accepted, remittances processed

KYC documentation for a sample of accounts opened or transactions processed in the period

Loan sanction files with supporting credit appraisal documentation, for advances-related concurrent audit coverage

Currency chest records, cash retention limits, and insurance documentation, where the concurrent audit covers a currency chest

RBI Master Direction coverage tracker — current percentage of business under concurrent audit versus the mandated minimum

Previous concurrent audit reports and the compliance/rectification status of prior observations

For Fraud-Triggered or Investigative Scoping

Written summary of the specific concern, complaint, or anomaly that triggered the review, including dates, individuals, and amounts where known

Access to relevant email correspondence, system logs, and CCTV footage retention (where legally permissible and within company policy) for the period under review

List of individuals with access to the systems, assets, or approval authority relevant to the suspected irregularity

Any preliminary internal enquiry notes or HR records already gathered before PNPC's engagement began

Engagement & Reporting Preferences

Preferred audit frequency and reporting cadence — monthly, quarterly, or per RBI-mandated schedule

Names and contact details of process owners/department heads who will support fieldwork access

Preferred format and audience for the final report — Audit Committee presentation, written report only, or both

Any specific areas management wants prioritised in this cycle, beyond the standard risk-based scope

Ongoing obligations
PhaseTriggered ByPNPC CA GuidanceRisk If Ignored
Engagement ScopingDecision to commission an audit, or RBI mandate identifiedDefine objective (regulatory compliance vs management assurance), audit universe, frequency, and reporting line before any fieldwork begins. For RBI-regulated entities, confirm current concurrent audit coverage against the Master Direction's mandated minimum.Wrong scope wastes budget on low-risk areas while high-risk processes go unreviewed. RBI-regulated entities under-covering mandated business lines face regulatory exposure.
Baseline Fieldwork (First Cycle)Audit plan approvedSOP review, walkthroughs, and initial risk-rated findings. This first cycle typically surfaces the largest number of findings — it is establishing the baseline, not confirming an already-clean process.Skipping a proper baseline means every subsequent cycle is comparing against an unverified starting point, and systemic issues already present go undetected for another full cycle.
Recurring Cycles (Quarterly / Per RBI Cadence)Audit calendar / RBI-mandated frequencySustained testing at the agreed cadence, with root-cause analysis on repeat findings and a live corrective-action tracker reviewed each cycle. Concurrent audit specifically must run at the RBI-prescribed frequency without gaps.Gaps in concurrent audit coverage are themselves a compliance failure reportable to RBI. Gaps in operational audit cadence let unresolved control weaknesses persist and compound into larger losses.
Annual Audit Committee / Board ReportingFinancial year-end or Board calendarConsolidated summary of the year's findings, closure status of prior recommendations, and risk-rated priorities for the next cycle presented to the Audit Committee or Board — connecting operational audit output to governance oversight, not leaving it siloed with department heads.Audit Committees that never see consolidated operational audit findings lose visibility into control weaknesses that statutory audit alone will not surface, until they materialise as a financial or reputational loss.
Escalation on Significant FindingsA high-risk or repeat finding is identifiedSignificant findings — fraud indicators, repeated control overrides, material stock shortages — are escalated immediately to the Audit Committee or promoters, not held back for the routine quarterly report. Where warranted, PNPC recommends a scoped forensic review as a distinct, separately engaged exercise.Delayed escalation of a significant finding compounds the underlying loss and can expose directors to allegations that they knew, or should have known, and did not act.
Regulatory Inspection (RBI-Regulated Entities)RBI inspection or supervisory reviewConcurrent audit reports, exception logs, and rectification records form direct evidence for RBI inspectors of the entity's control discipline. PNPC ensures documentation is inspection-ready on an ongoing basis, not assembled reactively when an inspection is announced.Poorly documented or inconsistent concurrent audit trails invite adverse regulatory observations, supervisory action, and reputational consequences for the bank/NBFC.
Programme Review & Re-ScopingYear-end or major business change (new location, product, system)Annual review of the audit universe — adding new locations, functions, or risk areas, and right-sizing frequency for areas that have stabilised versus those still showing findings. An audit programme designed for a company at half its current size under-covers the business it has become.A static audit scope that never evolves with the business leaves new, higher-risk areas unreviewed while continuing to audit stable, low-risk areas at the same intensity — a poor use of assurance resources.
Frequently asked
What is the difference between a concurrent audit, an operational audit, and a process audit?

A concurrent audit is a near-real-time review of transactions as they occur — typically daily, weekly, or fortnightly — most commonly mandated by RBI for bank branches, currency chests, and certain NBFC business lines. An operational audit is a periodic review of how efficiently and effectively an entire function or department operates — procurement, inventory, dispatch, HR — measured against process standards and organisational objectives. A process audit is the narrowest of the three: it checks whether one specific, documented Standard Operating Procedure is actually being followed, step by step, on the ground. All three are internal-facing assurance tools, distinct from the year-end statutory audit.

Practitioner noteClients often ask for 'an audit' without specifying which of the three they actually need. We always start the engagement with a scoping conversation — the right engagement depends on whether this is a regulatory mandate, a growth-stage control check, or a targeted investigation into one process.
Is concurrent audit legally mandatory, and for whom?

Concurrent audit is mandatory for scheduled commercial banks and, in a defined form, for certain classes of NBFCs and currency chests, under the Reserve Bank of India's Master Direction on concurrent audit. The Master Direction prescribes a minimum percentage of business — advances, deposits, non-fund exposures — that must be brought under concurrent audit coverage. It is not a general legal mandate for all companies; for a manufacturing or trading business, an operational/process audit is a voluntary, management-commissioned engagement rather than a statutory requirement, unless the entity separately falls within the internal audit mandate under Section 138 of the Companies Act.

Practitioner noteWe always confirm current RBI coverage-percentage norms with the client at engagement start rather than relying on a remembered figure — RBI has revised these norms over time, and using an outdated percentage risks under-coverage.
Does every company need an operational audit, or only larger ones?

There is no universal legal requirement for every company to have an operational audit. Internal audit becomes mandatory under Section 138 of the Companies Act 2013 read with Rule 13 of the Companies (Accounts) Rules, 2014 only for companies meeting prescribed thresholds of turnover, outstanding loans/borrowings, outstanding deposits, or paid-up share capital — thresholds that differ for listed companies, unlisted public companies, and private companies. Below those thresholds, an operational or process audit is entirely a management or promoter choice — commonly adopted by growing businesses that want independent assurance beyond what the annual statutory audit provides.

Practitioner noteWe recommend clients check current Section 138 thresholds against their latest turnover, borrowing, deposit, and paid-up capital figures each year — a company can cross into mandatory internal audit territory without necessarily noticing, particularly after a funding round that increases paid-up capital or a working capital facility that increases borrowings.
How is a concurrent/operational/process audit different from the statutory audit we already have?

The statutory audit under the Companies Act examines whether your financial statements, taken as a whole, present a true and fair view — it is retrospective, covers a full financial year, and reports to shareholders via the AGM and to the RoC via AOC-4. A concurrent, operational, or process audit examines how well a specific process or transaction stream is being controlled, in near-real-time or periodically through the year, and reports internally to management, the Audit Committee, or the Board. The statutory audit is about the destination — the numbers at year end. These audits are about the journey — the process discipline that produces those numbers.

Practitioner noteA well-run operational audit programme through the year materially reduces surprises at statutory audit time — issues get caught and corrected mid-year rather than discovered as a qualification in March.
Can PNPC be both our statutory auditor and our internal/operational auditor?

Under Section 144 of the Companies Act 2013, a statutory auditor is prohibited from rendering certain specified services — including internal audit — to the company it statutorily audits, either directly or through a related entity, in order to preserve auditor independence. Where PNPC is engaged as statutory auditor for a company, we structure the internal, concurrent, or operational audit as a separate engagement, either through a different independent team within appropriate ethical walls or by recommending an alternative qualified provider, depending on the applicable independence rules for that entity's classification.

Practitioner noteWe raise this proactively at the scoping stage rather than waiting for it to surface as an audit-quality issue later. Independence questions are far cheaper to resolve before an engagement starts than after a report has been issued.
How often should an operational audit be conducted?

There is no single fixed statutory frequency for operational or process audits outside of the RBI concurrent-audit mandate. The right cadence depends on transaction volume, risk, and the pace of change in the business — high-risk, high-volume functions (inventory, cash, procurement) are commonly reviewed quarterly; lower-risk, more stable functions may be reviewed annually. Where Section 138 internal audit applies, the Audit Committee or Board typically approves an annual internal audit plan specifying the frequency for each area based on a documented risk assessment.

Practitioner noteWe build the frequency into the audit plan explicitly during scoping — not as an afterthought — and revisit it every year, tightening the cycle for areas with recurring findings and loosening it for areas that have stabilised.
What does RBI's concurrent audit coverage requirement actually mean in practice?

RBI's Master Direction requires banks to bring a specified minimum percentage of their total business — typically measured across advances, deposits, and non-fund based business such as guarantees and letters of credit — under concurrent audit coverage. The exact percentage and the specific categories of business/branches that must be covered (large branches, treasury operations, forex transactions, currency chests) are set out in the current Master Direction and are reviewed periodically by RBI. Coverage is measured and reported, and a bank falling short of the mandated coverage is a supervisory concern that RBI inspectors will specifically examine.

Practitioner noteWe help client banks and NBFCs map their current coverage against the latest Master Direction requirements as a first step — coverage gaps are more common than institutions expect, particularly after a branch network expansion or a new business line launch that was not folded into the concurrent audit scope.
What kind of findings does a typical operational audit uncover?

Common findings include: approval limits in the Delegation of Authority matrix not being enforced in practice (purchases approved above authorised limits by a single signatory), stock discrepancies between physical count and system records, vendor payments processed without three-way matching of purchase order, goods received note, and invoice, segregation-of-duties gaps in system access (the same person able to raise and approve a payment), stale or unfollowed SOPs, and control overrides during peak business periods that become the de facto process rather than the documented exception.

Practitioner noteThe most valuable findings are rarely the dramatic ones. A recurring, low-value control override — repeated fifty times over a quarter — usually represents a larger cumulative risk than a single large anomaly, and points to a systemic process gap rather than an isolated lapse.
How does PNPC size the sample for transaction testing in an operational audit?

We do not apply a fixed percentage (such as 'test 10% of transactions') uniformly across every client and every process. Sample size is calibrated to the volume, value, and inherent risk of the specific process being tested — a high-value, low-volume process such as capital expenditure approvals may warrant near-100% testing, while a high-volume, low-value process such as petty cash disbursements is tested on a risk-based statistical or judgemental sample. This follows the risk-based approach set out in the ICAI's Standards on Internal Audit.

Practitioner noteClients sometimes ask for a specific sample percentage upfront, expecting a standardised answer. We explain that a rigid percentage applied without regard to risk either wastes audit effort on low-risk areas or under-tests high-risk ones — neither serves the client well.
What happens if an operational audit uncovers evidence of fraud?

If, during an operational or process audit, evidence emerges suggesting fraud rather than a routine process weakness, PNPC escalates the matter immediately to the Audit Committee, Board, or designated promoter contact — rather than folding it quietly into the routine quarterly report. Depending on the materiality and nature of the finding, we recommend the engagement of a dedicated forensic audit, which follows a different methodology (evidence preservation, chain of custody, interview protocols) suited to matters that may proceed to disciplinary action, recovery proceedings, or reporting to authorities.

Practitioner noteAn operational audit is not designed or resourced as a forensic investigation, and we are careful not to let a routine audit mandate substitute for a proper forensic engagement once fraud indicators appear — doing so can compromise evidence and weaken any subsequent legal or disciplinary action.
Do process audits apply only to manufacturing companies, or also to services businesses?

Process audits apply to any business with a documented or documentable process — manufacturing (procurement, production, quality, dispatch), trading (inventory, sales, logistics), and services businesses alike (client onboarding, billing accuracy, service delivery SLAs, timesheet-to-invoice reconciliation for professional services firms). The methodology is the same regardless of sector: identify the SOP, verify actual practice against it, document deviations, and recommend corrective action.

Practitioner noteWe have run process audits for IT services firms on their client billing and timesheet reconciliation processes just as often as for manufacturers on their shop-floor procedures. The discipline of checking documented policy against actual practice is sector-agnostic.
How is PNPC's operational audit report structured?

Our reports are structured around risk-rated findings — each observation is classified by severity (typically high/medium/low, or a similar risk grading), accompanied by the root cause, the potential financial or operational impact, a specific recommendation, and a management response with an agreed target closure date. This differs from a narrative-style report that simply lists observations without prioritisation — a risk-rated structure lets the Audit Committee or Board focus limited attention on what matters most first.

Practitioner noteWe have seen operational audit reports from other providers that run to eighty pages of undifferentiated observations, leaving management unsure what to act on first. A report the Board will not act on is not adding value, regardless of how thorough the fieldwork was.
What is the difference between an operational audit and a stock audit conducted for a bank?

A stock audit is a narrower, specific engagement commissioned by a bank (often as a condition of a working capital facility) to independently verify the quantity, condition, and value of inventory pledged as security — it focuses almost entirely on inventory existence and valuation. An operational audit of the inventory function is broader — it examines the entire inventory management process (procurement planning, storage, movement, obsolescence policy, physical verification discipline), not just a point-in-time stock count for a lender's comfort. PNPC performs both, and the scope and deliverable differ accordingly.

Practitioner noteBusinesses sometimes assume a bank-mandated stock audit substitutes for a broader operational review of their inventory process. It does not — the bank's stock audit report is narrowly scoped to what the lender needs and is not a diagnostic of underlying process weaknesses.
Can an operational audit help before we raise institutional funding?

Yes. Investors conducting operational due diligence before a fundraise commonly look for evidence of process discipline — documented SOPs, functioning approval controls, clean segregation of duties, and a track record of internal review. A recent, well-documented operational audit with a tracked closure record of prior findings is tangible evidence of operational maturity that strengthens a company's position in diligence, and surfaces (and lets you fix) weaknesses before an investor's own diligence team finds them first.

Practitioner noteWe have run pre-fundraise operational reviews specifically framed around what institutional investors typically probe in operational due diligence — it is a different lens from a routine internal audit cycle, and worth scoping as a distinct pre-fundraise exercise if a round is imminent.
How does PNPC handle multi-location operational audits?

For businesses with multiple branches, warehouses, or plants, we design a rotational or risk-based coverage plan — auditing every location over a defined cycle (annually or across a 2-year rotation, depending on risk) rather than only ever auditing head office or the largest location. High-risk or historically problematic locations are prioritised for more frequent coverage. Findings are consolidated across locations to identify whether an issue is a single-site lapse or a systemic gap in the SOP or training that repeats across the network.

Practitioner noteA finding that repeats identically at four out of six branches is a process design or training issue, not four unrelated local failures — and needs a head-office-level fix, not four separate local corrective actions. We flag this distinction explicitly in multi-location reports.
What documents does PNPC need to start an operational audit?

At minimum: the organisation chart and Delegation of Authority matrix for the function in scope, existing SOPs or policy documents (or confirmation that none exist, which is itself a Day 1 finding), a sample period of transaction records relevant to the process being tested, and access to the process owner for walkthroughs. For concurrent audit specifically, daily transaction registers and, for RBI-regulated coverage, KYC and sanction documentation are required on an ongoing basis for the duration of the engagement.

Practitioner noteThe single most common delay at engagement start is the absence of a current organisation chart or DoA matrix — many growing companies are operating on an informal, undocumented authority structure that has drifted from what was originally agreed. We treat producing an accurate current DoA as a prerequisite deliverable if one does not already exist.
Is an operational audit report confidential, or does it need to be shared with regulators or shareholders?

An operational, process, or (for non-RBI-regulated entities) internal audit report is an internal management document — it is addressed to the Audit Committee, Board, or promoters, and there is no general statutory requirement to file it with the RoC or share it with shareholders or the public. For RBI-regulated entities, concurrent audit reports and consolidated summaries are shared with the entity's own Head Office Inspection function and may be reviewed by RBI supervisors during an inspection, but they are not public filings in the way AOC-4 financial statements are.

Practitioner noteSome Boards choose to summarise key internal audit themes (without granular detail) in their Board's Report or Corporate Governance disclosures where listing regulations or good governance practice call for it — but the underlying detailed report itself remains an internal document.
How long does a first operational audit engagement typically take?

A first-cycle operational audit of a single function at a single location typically runs 4–6 weeks from scoping to final report — covering SOP review, walkthroughs, transaction testing, and reporting. A broader, multi-function or multi-location engagement, or a first-time internal audit programme covering an entire Section 138-mandated audit universe, is scoped as a longer engagement with a phased plan across the financial year rather than a single sprint.

Practitioner noteWe deliberately avoid compressing a first-cycle audit into an unrealistically short timeframe — the first cycle is where the baseline is established, and rushing it produces a superficial review that misses the process weaknesses the audit exists to find.
What is a Risk Based Internal Audit (RBIA) framework, and does it apply to us?

Risk Based Internal Audit is the framework mandated by RBI for banks and, in a scaled form, applicable to certain categories of NBFCs, requiring the internal audit function to prioritise audit coverage and frequency according to a documented risk assessment of each business area, rather than auditing everything with equal intensity. For a non-RBI-regulated company, RBIA is not a mandatory framework by name, but its underlying principle — risk-based rather than uniform audit coverage — is the same approach PNPC applies when designing an operational audit plan for any client, RBI-regulated or not.

Practitioner noteWe borrow the RBIA principle of risk-weighting audit frequency for all our operational audit clients, not just banks and NBFCs — it is simply good audit-resource allocation, regardless of whether a regulator formally mandates it for a given entity.
Can process audits be used to prepare a company for ISO certification or similar quality standards?

Process audit methodology — verifying that documented procedures are actually followed — overlaps significantly with the internal audit requirements built into quality management standards such as ISO 9001, which itself requires periodic internal audits as part of its certification and surveillance cycle. PNPC's process audits are financial/operational-control focused rather than a formal ISO internal audit in themselves, but the discipline of SOP-versus-practice verification is directly complementary, and findings from our process audits often feed usefully into a client's broader quality management system work.

Practitioner noteWe are not an ISO certification body and do not issue ISO certificates — clients pursuing ISO 9001 or similar certification engage a separate accredited certification body for that specific process, while PNPC's process audit strengthens the underlying control discipline that supports it.
How much does an operational, process, or concurrent audit engagement cost?

PNPC quotes a fixed, scope-based fee agreed in writing before fieldwork begins — driven by the number of functions/locations in scope, transaction volume, and audit frequency. Concurrent audit engagements for RBI-regulated entities are typically priced on an ongoing retainer basis reflecting the continuous, year-round nature of the mandate; operational and process audits are typically priced per cycle or as an annual programme fee covering an agreed number of cycles. We are not the lowest-cost provider in the market — our differentiation is in the depth of root-cause analysis and the corrective-action tracking discipline that a lower-cost, checklist-driven audit typically does not provide.

Practitioner noteAsk for a written scope and fee letter before any engagement begins — we provide one as standard. A vague verbal quote for 'an operational audit' without a defined scope, sample approach, and deliverable is difficult to hold either party accountable to.
Why should we engage PNPC rather than build an in-house internal audit team?

An in-house team has deep institutional knowledge but can face independence pressure — reporting to the same management whose processes they are reviewing creates a structural conflict that an external, independent auditor does not face. External engagement also brings cross-industry pattern recognition — PNPC's audit teams see recurring control weaknesses across dozens of client businesses and bring that experience to your specific engagement, rather than benchmarking only against your own history. Many mid-size businesses use a hybrid model: a lean in-house compliance function supported by PNPC for the independent, periodic operational/concurrent audit cycles.

Practitioner noteWe do not push every client toward full outsourcing — for some larger clients, we recommend a co-sourced model where PNPC handles the higher-risk, judgement-intensive areas and an in-house team handles routine, lower-risk recurring checks under our methodology. The right model depends on scale and in-house capability, and we say so honestly rather than defaulting to a one-size answer.
What is the ICAI's role in governing these audits?

The Institute of Chartered Accountants of India (ICAI) issues the Standards on Internal Audit (SIA), a series of standards covering planning, risk assessment, documentation, reporting, and quality control for internal audit engagements — including the operational and process audit work that typically forms part of an internal audit programme. ICAI has been rolling out mandatory compliance with the SIAs in a phased manner — starting with internal audit engagements for listed companies and progressively extending to other companies — for every ICAI member conducting an internal audit, regardless of whether internal audit is a statutory requirement for that particular entity under Section 138. PNPC applies the same disciplined SIA-based methodology to voluntary, management-commissioned operational and process audits as well, rather than using a lighter, non-standard approach for non-mandatory engagements.

Practitioner noteApplying the same rigour to voluntary engagements as to statutory ones is a deliberate choice on our part — clients who commission a 'lighter' voluntary audit still deserve findings they can actually rely on, not a diluted version of the real methodology.
Does an operational audit review IT systems and cybersecurity controls too?

A standard operational or process audit typically covers system-embedded process controls relevant to the function in scope — for example, whether the ERP enforces segregation of duties between purchase requisition, approval, and payment. It is not, by default, a full IT general controls (ITGC) audit or a cybersecurity/penetration-testing engagement, which are specialised assessments requiring different expertise and are scoped separately. Where a client's risk profile calls for it, PNPC scopes a dedicated IT controls review alongside the operational audit rather than folding a specialist exercise into a general process review superficially.

Practitioner noteWe are explicit with clients about this boundary — a general operational audit finding that 'IT access controls need review' is a flag to commission a proper IT controls assessment, not a substitute for one.
What is the role of the Audit Committee in relation to these audits?

For companies required to constitute an Audit Committee under Section 177 of the Companies Act (applicable to listed companies and certain classes of public companies) or as a matter of good governance practice for others, the Audit Committee typically approves the internal/operational audit plan, reviews significant findings, monitors the closure of corrective actions, and evaluates the effectiveness and independence of the internal audit function itself, including any external provider such as PNPC. Where no formal Audit Committee exists, this oversight role is typically performed by the Board directly or by designated promoters/directors.

Practitioner noteWe recommend even non-mandated private companies establish at least an informal audit oversight process — even two directors reviewing findings quarterly — rather than having operational audit reports sit unreviewed on a CFO's desk. A report nobody with authority reviews rarely drives change.
How does a process audit differ from simply asking department heads if procedures are being followed?

Asking a department head relies on self-reported compliance, which is subject to unconscious bias, incomplete visibility into what actually happens at the transaction level, and — in some cases — a direct incentive to understate deviations. A process audit independently verifies actual practice through documentary evidence, transaction sampling, and direct observation, rather than relying on a verbal or written assertion from the person whose own performance the process reflects. This independence is the entire value proposition of the engagement.

Practitioner noteThe most revealing findings often emerge from comparing what a department head describes in the initial walkthrough interview against what the transaction sample actually shows — the gap between the two is itself diagnostic information.
Can PNPC conduct a one-time targeted audit if we suspect a problem in one specific area, without committing to a full annual programme?

Yes. Not every engagement needs to be a recurring annual programme. PNPC scopes standalone, targeted operational or process audits — for example, a focused review of one branch's cash handling after an anomaly, or a single deep-dive into the procurement function following a vendor complaint — as a self-contained engagement with its own defined start, fieldwork, and report, independent of any broader audit calendar.

Practitioner noteA targeted, well-scoped one-time review is often the right first step when a specific concern has been raised — it lets us establish whether the issue is isolated or systemic before recommending (or not recommending) a broader recurring programme.
What happens after the audit report is issued — does PNPC's involvement end there?

No. PNPC maintains an action tracker for every finding raised, with agreed target closure dates from management, and formally follows up on closure status at the next audit cycle — verifying, not just noting, whether corrective action was actually implemented. A finding that recurs unaddressed across two or three consecutive audit cycles is itself escalated as a distinct governance concern to the Audit Committee or Board, since it indicates either an unresolved root cause or inadequate management follow-through.

Practitioner noteWe consider a finding 'closed' only when we have independently verified the corrective action in a subsequent cycle — not when management simply reports that it has been addressed. This distinction matters; self-reported closure without independent verification is a common way audit programmes lose their teeth over time.
Is concurrent audit the same as a bank's own internal inspection?

They are related but distinct. Concurrent audit, as mandated by RBI, is typically performed by an external chartered accountant firm (or, for very large banks, sometimes an internal team functioning with concurrent-audit-level independence and reporting lines) reviewing transactions at or near the point of occurrence. A bank's own internal inspection department conducts periodic, broader inspections of a branch or function — covering areas beyond what concurrent audit typically examines, and often at a lower frequency (annual or bi-annual) than the near-continuous concurrent audit cycle. Both feed into the bank's overall control assurance framework but serve different purposes and cadences.

Practitioner noteWe coordinate closely with a client bank's internal inspection function where we serve as their concurrent auditor, to avoid duplicated fieldwork and to ensure findings from both streams are consolidated for the Audit Committee rather than sitting in two disconnected silos.
Do NBFCs need concurrent audit, or only banks?

Concurrent audit in its full, branch-level form under the RBI Master Direction has historically been most directly associated with scheduled commercial banks. For NBFCs, RBI's regulatory framework instead centres on the Risk Based Internal Audit (RBIA) requirement, applicable to specified categories and sizes of NBFCs, which mandates a structured, risk-prioritised internal audit function rather than the identical concurrent-audit branch-coverage model used for banks. The precise applicability depends on the NBFC's asset size classification and current RBI directions, which PNPC confirms against the client's specific classification at engagement scoping rather than assuming uniform applicability across all NBFCs.

Practitioner noteNBFC regulatory classification (base layer, middle layer, upper layer under RBI's scale-based regulatory framework) has a direct bearing on which internal audit obligations apply — we always confirm current classification and the correspondingly applicable requirement before scoping, since it materially changes the engagement design.
How does PNPC ensure objectivity when the same firm has performed multiple audit cycles for the same client over several years?

Familiarity risk — where long-tenured auditors become less critical over time — is a recognised risk in any recurring assurance relationship. PNPC addresses this through periodic rotation of the engagement team (not necessarily the client relationship partner) across audit cycles, fresh risk assessment at the start of each cycle rather than simply repeating the prior year's programme, and an internal quality review process on our own audit files. We also actively look for evidence that our own prior-cycle recommendations were followed — testing our own work's effectiveness, not only the client's compliance.

Practitioner noteWe treat 'we always find the same three issues every year and nothing changes' as a red flag about the audit programme's effectiveness, not a routine observation — if findings repeat identically cycle after cycle, either our recommendations are not being implemented, or they are not addressing the actual root cause, and we say so directly to the Audit Committee.
Can operational audit findings be used as evidence in a legal or disciplinary proceeding against an employee?

A standard operational or process audit report can provide supporting evidence of a control weakness or deviation, but it is not designed, from a documentation and evidentiary standpoint, to meet the standards required for disciplinary action or legal proceedings against a specific individual — that requires the more rigorous evidence-handling, chain-of-custody, and interview protocols of a proper forensic audit or investigation. Where an operational audit finding raises a serious enough concern that disciplinary or legal action against an individual becomes a realistic possibility, we recommend commissioning a dedicated forensic review rather than relying on the operational audit report alone.

Practitioner noteWe have seen management attempt to rely on a routine operational audit report as the sole basis for terminating an employee for cause, only to find the documentation inadequate when challenged. If the stakes rise to that level, the right response is a properly scoped forensic engagement, not stretching a process audit beyond its intended purpose.
How does PNPC coordinate an operational audit with our statutory auditor, if they are a different firm?

Where PNPC performs the internal/operational audit and a different firm serves as statutory auditor, we coordinate through the Audit Committee — sharing relevant operational audit findings that could have financial statement implications (such as inventory discrepancies, revenue recognition process weaknesses, or control gaps around related party transactions) so the statutory auditor can factor them into their own risk assessment and audit approach, subject to the client's consent and the Audit Committee's coordination protocol.

Practitioner noteGood coordination between internal and statutory auditors, facilitated by the Audit Committee, generally makes both audits more efficient and reduces duplicated fieldwork requests to the same department heads — we proactively suggest this coordination model to clients where the two roles sit with different firms.
Why PNPC Global
FeatureGeneric Audit ProviderIn-House Compliance Team OnlyPNPC Global
Risk-based scopingOften a fixed checklist applied uniformly to every clientDepends entirely on in-house team's own risk awarenessRisk assessment specific to your business, revisited every cycle, calibrated to actual transaction volume and materiality
Root-cause analysisLists deviations without probing why they recurMay lack the cross-industry pattern recognition to spot systemic causesEvery significant finding traced to root cause — training gap, system limitation, or incentive misalignment — not just symptom-level reporting
RBI concurrent audit expertiseGeneric audit firms may not track current Master Direction coverage norms closelyNot applicable — internal teams are not independent for this purposeCurrent RBI Master Direction coverage confirmed at scoping; ongoing cycle managed to the mandated cadence
IndependenceVariable — some providers also handle bookkeeping for the same client without addressing conflictsStructurally compromised — reports to the same management whose processes are reviewedSection 141/144-aware engagement structuring; independence protected even where PNPC serves other roles for the group
Corrective action trackingOften ends at report deliveryMay track informally, without independent verificationFormal action tracker with independent verification of closure at the next cycle — not just self-reported closure
Escalation of serious findingsMay hold findings for the routine periodic reportDiscretion of internal team, which may hesitate to escalate on peers/superiorsSignificant or fraud-indicative findings escalated immediately to the Audit Committee/Board, with a recommendation for forensic review where warranted
Multi-jurisdiction coordinationIndia-only, or UAE-only, coordinationLimited to wherever the in-house team is basedChennai, Bangalore, Hyderabad, and Dubai offices — single coordinated team for India-UAE group structures
Presentation to Audit Committee/BoardReport emailed with limited discussionPresented internally, without independent perspectivePNPC presents findings directly to the Audit Committee or Board, fielding questions and providing an independent professional view

What the PNPC package includes

  1. 01

    Scoping consultation to determine whether concurrent, operational, or process audit (or a combination) fits your regulatory status and risk profile

  2. 02

    RBI Master Direction concurrent-audit coverage assessment for banks and NBFCs, against current mandated minimums

  3. 03

    Risk-based audit universe mapping and annual audit plan, calibrated to your actual transaction volume and functional risk

  4. 04

    SOP and policy gap review — flagging missing or stale documented procedures before fieldwork begins

  5. 05

    On-site walkthroughs and independent transaction sampling, sized to materiality rather than a fixed generic percentage

  6. 06

    Root-cause analysis on every significant finding — not just a list of deviations

  7. 07

    Risk-rated audit report with management response and agreed corrective-action closure dates

  8. 08

    Direct presentation of findings to your Audit Committee or Board, with a named engagement CA fielding questions

  9. 09

    Independent verification of corrective-action closure at the next audit cycle — not reliance on self-reported closure

  10. 10

    Coordination with your statutory auditor (where a different firm) via the Audit Committee to avoid duplicated fieldwork

  11. 11

    India-UAE coordinated coverage for group structures with operations or branches in both jurisdictions

  12. 12

    Escalation protocol for fraud-indicative findings, with a scoped forensic audit recommendation where warranted

Speak directly with a PNPC Chartered Accountant about your concurrent, operational, or process audit needs — not a call-centre intake process. A practising CA who will scope the right engagement for your regulatory status and risk profile, sit through the fieldwork, and present the findings to your Audit Committee in person.

← Back to Audit & Assurance
Talk to a CA