Audit & Assurance · Internal & Operational Audits
Concurrent, Operational & Process Audit
A statutory audit tells you whether last year's financial statements were true and fair.
Chartered Accountants · Chennai · Hyderabad · Bangalore · Dubai · Since 1986
A statutory audit tells you whether last year's financial statements were true and fair. It does not tell you whether today's purchase approvals are being bypassed, whether your warehouse dispatch process leaks stock, or whether a bank branch's daily transactions actually comply with RBI norms in real time. That is the gap concurrent, operational, and process audits close. PNPC Global has performed internal and operational audit assignments for manufacturing units, NBFCs, bank branches, trading houses, and service businesses since 1986 — reviewing not just whether numbers add up at year end, but whether the processes generating those numbers are sound, controlled, and efficient, month after month.
What it costs
No hidden charges. The exact figure is set in your engagement letter.
Concurrent, operational, and process audits are a family of internal-assurance engagements that examine how a business actually functions — its processes, controls, and operational efficiency — as distinct from the year-end statutory audit, which examines whether the resulting financial statements present a true and fair view. A concurrent audit is a near-real-time, transaction-level review typically performed daily, weekly, or fortnightly, most commonly mandated by the Reserve Bank of India for bank branches, currency chests, and certain NBFC operations, where transactions are checked as they happen rather than months later. An operational audit examines the efficiency and effectiveness of a specific function or department — procurement, production, inventory, dispatch, HR, treasury — measuring it against defined process standards, industry benchmarks, and the organisation's own stated policies. A process audit is narrower still: it verifies that a specific documented Standard Operating Procedure (SOP) is actually being followed on the ground, step by step, and flags deviations before they compound into losses or control failures.
These engagements sit within the broader discipline of internal audit, governed in India by the Standards on Internal Audit (SIA) issued by the Institute of Chartered Accountants of India (ICAI), and — for companies falling within the prescribed class under Section 138 of the Companies Act 2013 read with Rule 13 of the Companies (Accounts) Rules, 2014 — internal audit itself becomes a statutory requirement based on turnover, borrowings, deposits, or paid-up capital thresholds. Concurrent, operational, and process audits are typically structured as internal audit sub-engagements or as standalone management-commissioned reviews; they report to the Audit Committee, the Board, or senior management rather than to shareholders, and their output is an internal management tool, not a public filing.
What distinguishes these audits from a statutory audit is timing, scope, and audience. A statutory audit is retrospective — it examines a full financial year after it has closed, and reports to shareholders and the RoC. A concurrent audit is contemporaneous — it examines transactions within days of occurrence, catching errors and control breaches while they are still correctable, and reports internally, often to a bank's Head Office Inspection department or an NBFC's Audit Committee. An operational or process audit can be commissioned at any point in the year, on any function, at any frequency the Board or management decides — quarterly stock audits, annual procurement process reviews, or a one-time deep-dive into a specific department after a suspected control failure. None of these substitute for the statutory audit; all of them materially reduce the surprises the statutory auditor — and the business itself — encounters at year end.
For RBI-regulated entities specifically, concurrent audit is not optional. RBI's Master Direction on concurrent audit prescribes minimum coverage — a defined percentage of business (advances, deposits, non-fund exposures) — that must be brought under concurrent audit at scheduled commercial banks, and similarly prescribes concurrent audit requirements for currency chests and, in a modified form, for large NBFCs under the RBI's internal audit framework applicable to NBFCs (the Risk Based Internal Audit, or RBIA, framework). For manufacturing and trading businesses, operational and process audits are contractual engagements — commissioned by promoters, the Board, or an Audit Committee — that exist because the cost of a broken process discovered in month three is a fraction of the cost of the same process broken for twelve months and only discovered at year-end audit.
When a concurrent, operational, or process audit adds real value
Bank branches, currency chests, and treasury operations of banks and large NBFCs — where concurrent audit is mandated by RBI's Master Direction on concurrent audit and non-compliance attracts regulatory action against the entity
NBFCs required to implement a Risk Based Internal Audit (RBIA) framework under RBI's internal audit guidelines for NBFCs, where operational process reviews form a core input to the risk-based audit plan
Manufacturing businesses with material inventory, multi-location stock, or complex procurement cycles — where a monthly or quarterly operational audit of the purchase-to-pay and inventory cycle catches leakage long before the annual stock count
Companies falling within Section 138's prescribed class (based on turnover, borrowings, deposits, or paid-up capital thresholds) that need a structured internal audit programme — of which operational and process audits of specific functions form the working components
Businesses that have grown quickly and suspect their original SOPs — written when the company was a fraction of its current size — are no longer being followed consistently across locations or teams
Promoters or Boards who have delegated day-to-day operations to a growing management team and want independent, periodic verification that controls are operating as designed — not just as documented
Businesses preparing for a fundraise, sale, or franchise expansion, where investors or franchisees will scrutinise process discipline and internal controls as part of operational due diligence
Organisations that have experienced a fraud, stock shortage, or process failure and need a structured root-cause review — not just a one-time investigation, but a redesigned audit cadence that prevents recurrence
Multi-location businesses — retail chains, distribution networks, branch-based service businesses — where head office needs assurance that the same process is being followed consistently at every location
What this engagement is not, and where a different service fits better
Not a substitute for the statutory audit under the Companies Act — every company still needs its annual Section 143 audit regardless of how robust its internal/operational audit programme is; the two are complementary, not interchangeable
Not the same as a forensic audit — a forensic audit is investigative, evidence-driven, and typically triggered by a specific suspected fraud or dispute with a view to legal or disciplinary action; an operational audit is a routine, forward-looking process review, not a fraud investigation (though it can surface red flags that trigger one)
Not required by law for most private businesses below the Section 138 thresholds — for a small company with a simple, single-location operation and an engaged owner-manager, a lighter periodic management review may be more proportionate than a formal concurrent audit programme
Not a one-time engagement that produces lasting assurance — concurrent audit in particular loses its value if not sustained at the mandated frequency; a single quarter of concurrent audit coverage does not satisfy an annual RBI mandate
Not a replacement for the statutory tax audit required under income-tax law for businesses/professionals crossing prescribed turnover or receipts thresholds, a GST audit/reconciliation, or a stock audit specifically commissioned by a bank as a condition of a working capital facility — those are distinct, separately scoped engagements even though they may overlap in the areas examined
Not appropriate as a stand-alone control mechanism for a business with severely inadequate basic bookkeeping — process audit assumes there is a process to audit; a business without basic accounting discipline needs bookkeeping and accounting system setup first
Concurrent / Operational / Process Audit vs other audit and assurance engagements
| Feature | Concurrent Audit | Operational Audit | Process Audit | Statutory Audit (Companies Act) | Internal Audit (Sec 138) | Forensic Audit |
|---|---|---|---|---|---|---|
| Primary objective | Real-time transaction compliance check | Efficiency & control review of a function | SOP adherence verification | True-and-fair opinion on financial statements | Systematic risk-based control review | Investigate suspected fraud/irregularity |
| Typical mandate | RBI Master Direction (banks/NBFCs); contractual for others | Contractual — Board/management commissioned | Contractual — Board/management commissioned | Companies Act 2013, Section 143 — mandatory | Companies Act 2013, Section 138 (class-based) | Contractual — triggered by suspicion or dispute |
| Frequency | Daily / weekly / fortnightly — near real-time | Periodic — monthly, quarterly, or annual per plan | Periodic or ad hoc, per SOP review cycle | Annual, after year-end | Annual, per Board-approved risk-based plan | One-time, triggered by an event |
| Reports to | Head Office / Audit Committee / RBI-mandated reporting line | Management / Audit Committee / Board | Department head / Audit Committee | Shareholders (via AGM) and RoC | Audit Committee / Board | Board / Audit Committee / legal counsel |
| Governing standard | RBI Master Direction on concurrent audit | ICAI Standards on Internal Audit (SIA) | ICAI Standards on Internal Audit (SIA) | Standards on Auditing (SA) under Companies Act | ICAI Standards on Internal Audit (SIA) | No single mandatory standard; ICAI forensic guidance notes |
| Output | Concurrent audit reports, exception reports | Operational audit report with recommendations | SOP-compliance report with deviation log | Auditor's Report under Sec 143 + CARO 2020 | Internal audit report to Audit Committee | Forensic investigation report, often litigation-ready |
| Filed with regulator/RoC | No — internal / RBI-facing for regulated entities | No — internal management document | No — internal management document | Yes — annexed to AOC-4 filed with RoC | No — internal Board/Audit Committee record | No — internal, unless referred to authorities |
| Typical trigger | RBI regulatory mandate for banks/NBFCs | Growth, process risk, or promoter request | SOP just implemented, or deviations suspected | Statutory obligation, every financial year | Turnover/borrowing/deposit/capital threshold crossed | Whistle-blower complaint, stock shortage, dispute |
These engagements are complementary, not competing — a well-run mid-size company typically has a statutory audit every year, an internal/operational audit programme covering key functions through the year, and commissions a forensic audit only if a specific red flag emerges. RBI-regulated entities additionally carry a concurrent audit obligation that exists independently of all of the above. PNPC scopes the right combination for your entity type and regulatory status during the initial consultation — do not assume any one engagement covers the ground the others are designed for.
| # | Stage & What PNPC Does | CA Advice Portals Never Give | Timeline |
|---|---|---|---|
| 1 | Scoping Consultation — Understanding what actually needs auditing | We start by asking what a generic quote never asks: is this a regulatory mandate (RBI concurrent audit) or a management-commissioned review? Which functions carry the highest risk in your specific business — cash handling, inventory, procurement, payroll, treasury? Has there been a prior incident that triggered this request? The answers determine whether you need concurrent audit, a broad operational audit, or a narrow process audit of one SOP. | Week 1 |
| 2 | Regulatory Applicability Check — RBI concurrent audit coverage requirements | For banks and NBFCs, we check current RBI Master Direction coverage norms — the minimum percentage of advances, deposits, and non-fund business that must be brought under concurrent audit — and confirm whether your entity's existing coverage meets the mandated threshold. Portals do not check regulatory coverage norms; they quote a generic 'audit package'. | Week 1 |
| 3 | Risk Assessment & Audit Universe Mapping | Before fieldwork, we map every function/process in scope against likelihood and impact of failure — not a template checklist applied uniformly. A trading company's highest risk is usually inventory and receivables; a services company's is usually billing accuracy and vendor payments; a bank branch's is cash, KYC, and loan sanction compliance. The audit plan is built around your actual risk profile. | Week 1–2 |
| 4 | SOP & Policy Document Review — Baseline before fieldwork begins | We first read your existing SOPs, delegation of authority matrix, and approval workflows — because a process audit tests adherence to a documented standard, and you cannot test adherence to a standard that does not exist or is out of date. Where SOPs are missing or stale, we flag this as a Day 1 finding rather than silently testing against an assumed standard. | Week 2 |
| 5 | Walkthroughs & Control Testing — Observing the process as it actually runs | We physically walk the process — warehouse dispatch, purchase approval chain, cash counter, loan sanction file — rather than relying solely on management's description of how it is supposed to work. This is where the gap between documented policy and actual practice becomes visible; it is the single most common source of findings in operational audits. | Week 2–4 |
| 6 | Transaction Sampling & Exception Testing | Sample sizes and testing depth are sized to actual risk and transaction volume for your business — not a fixed percentage applied regardless of context. For concurrent audit specifically, sampling frequency follows the RBI-mandated cadence; for operational/process audits, we size samples using professional judgement calibrated to materiality and control risk. | Week 3–5, or ongoing for concurrent audit |
| 7 | Interim Findings Discussion with Process Owners | We share findings with the actual department head or process owner before finalising the report — not just with the CFO or promoter after the fact. This surfaces context we might be missing and gives the process owner a chance to explain or correct before the finding is formally recorded, which produces a more accurate report and faster remediation buy-in. | Ongoing, throughout fieldwork |
| 8 | Root Cause Analysis — Beyond 'what went wrong' to 'why it keeps happening' | A generic audit lists deviations. We trace each significant deviation to its root cause — is it a training gap, a system limitation, an incentive misalignment, or a genuine control override? A purchase approval bypass repeated across three locations usually has a systemic cause, not three unrelated lapses. Recommendations addressing root cause prevent recurrence; recommendations addressing symptoms do not. | Week 4–5 |
| 9 | Draft Report & Management Response | We share a draft report with management before finalisation, inviting a formal management response to each finding — action taken, action planned, or reasoned disagreement. This response is built into the final report, giving the Audit Committee or Board a complete picture, not just an auditor's one-sided narrative. | Week 5–6 |
| 10 | Final Report & Audit Committee / Board Presentation | For companies with an Audit Committee, PNPC presents findings directly — walking through risk-rated observations, root causes, and recommended actions, and fielding questions in real time. This is materially different from emailing a PDF report and moving to the next client. | Week 6 |
| 11 | Corrective Action Tracking — Closing the loop, not just opening findings | An audit finding that is never tracked to closure is of limited value. PNPC maintains an action tracker against every finding, with target closure dates agreed with management, and follows up at the next audit cycle to verify whether corrective action was actually implemented — not just promised. | Ongoing, each subsequent cycle |
| 12 | Concurrent Audit — Ongoing Cycle (for RBI-mandated engagements) | For concurrent audit specifically, this is not a one-time project — it is a recurring cycle at the RBI-mandated frequency (daily, weekly, or fortnightly depending on the area), with monthly or quarterly consolidated reporting to the bank's Head Office Inspection department or the NBFC's Audit Committee, year-round. | Continuous — daily/weekly/fortnightly per RBI norms |
| 13 | Annual Programme Review & Re-Scoping | At year end, we review the entire audit programme with the client — which areas showed consistent findings and need deeper focus next year, which have stabilised and can move to a lighter review cycle, and whether new functions (a new product line, a new location, a new system) need to be added to the audit universe. | Annually, ahead of the next audit cycle |
Concurrent audit for RBI-regulated entities runs on a continuous, regulator-mandated cadence with no natural 'completion' date — it is a permanent feature of the control environment for as long as the entity is regulated. Operational and process audits are typically structured as a recurring annual programme with 2–4 audit cycles per function per year, though a first-time engagement or a targeted investigation into a specific concern can be scoped as a single standalone assignment of 4–8 weeks.
Certificate of Incorporation / registration and latest MoA-AoA, or bank/NBFC licence and RBI registration certificate where applicable
Board-approved internal audit charter or Audit Committee terms of reference, where one exists
Organisation chart showing reporting lines for the functions/departments to be audited
Delegation of Authority (DoA) matrix — approval limits by designation for purchases, payments, discounts, write-offs, and other key decisions
Minutes of the last 2–3 Audit Committee or Board meetings where internal control matters were discussed
Prior internal audit, statutory audit, and (where applicable) RBI inspection reports for the last 2–3 cycles, along with management's responses
Standard Operating Procedures for each function in scope — procurement, inventory, dispatch, sales, cash handling, payroll, IT access, as relevant
Process flowcharts or narrative descriptions of key transaction cycles, if SOPs are not formally documented
Policy documents — credit policy, discount policy, expense reimbursement policy, vendor empanelment policy, as applicable to the scope
IT system access matrix — who has access to what modules in the ERP/accounting system, and whether segregation of duties is built into system access
List of all locations/branches in scope, with the function/process performed at each
Trial balance and general ledger extracts for the period under review
Purchase orders, goods received notes, and vendor invoices for the sample period — for procurement/inventory audits
Sales orders, dispatch records, and customer invoices for the sample period — for sales/dispatch audits
Bank statements and cash book/petty cash register for the period — for cash and treasury audits
Payroll register, attendance/biometric records, and statutory deduction proof (PF, ESI, PT, TDS) — for payroll process audits
Stock registers, physical verification reports, and stock reconciliation statements — for inventory audits
Daily/weekly transaction registers for the branch or business line under concurrent review — advances sanctioned, deposits accepted, remittances processed
KYC documentation for a sample of accounts opened or transactions processed in the period
Loan sanction files with supporting credit appraisal documentation, for advances-related concurrent audit coverage
Currency chest records, cash retention limits, and insurance documentation, where the concurrent audit covers a currency chest
RBI Master Direction coverage tracker — current percentage of business under concurrent audit versus the mandated minimum
Previous concurrent audit reports and the compliance/rectification status of prior observations
Written summary of the specific concern, complaint, or anomaly that triggered the review, including dates, individuals, and amounts where known
Access to relevant email correspondence, system logs, and CCTV footage retention (where legally permissible and within company policy) for the period under review
List of individuals with access to the systems, assets, or approval authority relevant to the suspected irregularity
Any preliminary internal enquiry notes or HR records already gathered before PNPC's engagement began
Preferred audit frequency and reporting cadence — monthly, quarterly, or per RBI-mandated schedule
Names and contact details of process owners/department heads who will support fieldwork access
Preferred format and audience for the final report — Audit Committee presentation, written report only, or both
Any specific areas management wants prioritised in this cycle, beyond the standard risk-based scope
| Phase | Triggered By | PNPC CA Guidance | Risk If Ignored |
|---|---|---|---|
| Engagement Scoping | Decision to commission an audit, or RBI mandate identified | Define objective (regulatory compliance vs management assurance), audit universe, frequency, and reporting line before any fieldwork begins. For RBI-regulated entities, confirm current concurrent audit coverage against the Master Direction's mandated minimum. | Wrong scope wastes budget on low-risk areas while high-risk processes go unreviewed. RBI-regulated entities under-covering mandated business lines face regulatory exposure. |
| Baseline Fieldwork (First Cycle) | Audit plan approved | SOP review, walkthroughs, and initial risk-rated findings. This first cycle typically surfaces the largest number of findings — it is establishing the baseline, not confirming an already-clean process. | Skipping a proper baseline means every subsequent cycle is comparing against an unverified starting point, and systemic issues already present go undetected for another full cycle. |
| Recurring Cycles (Quarterly / Per RBI Cadence) | Audit calendar / RBI-mandated frequency | Sustained testing at the agreed cadence, with root-cause analysis on repeat findings and a live corrective-action tracker reviewed each cycle. Concurrent audit specifically must run at the RBI-prescribed frequency without gaps. | Gaps in concurrent audit coverage are themselves a compliance failure reportable to RBI. Gaps in operational audit cadence let unresolved control weaknesses persist and compound into larger losses. |
| Annual Audit Committee / Board Reporting | Financial year-end or Board calendar | Consolidated summary of the year's findings, closure status of prior recommendations, and risk-rated priorities for the next cycle presented to the Audit Committee or Board — connecting operational audit output to governance oversight, not leaving it siloed with department heads. | Audit Committees that never see consolidated operational audit findings lose visibility into control weaknesses that statutory audit alone will not surface, until they materialise as a financial or reputational loss. |
| Escalation on Significant Findings | A high-risk or repeat finding is identified | Significant findings — fraud indicators, repeated control overrides, material stock shortages — are escalated immediately to the Audit Committee or promoters, not held back for the routine quarterly report. Where warranted, PNPC recommends a scoped forensic review as a distinct, separately engaged exercise. | Delayed escalation of a significant finding compounds the underlying loss and can expose directors to allegations that they knew, or should have known, and did not act. |
| Regulatory Inspection (RBI-Regulated Entities) | RBI inspection or supervisory review | Concurrent audit reports, exception logs, and rectification records form direct evidence for RBI inspectors of the entity's control discipline. PNPC ensures documentation is inspection-ready on an ongoing basis, not assembled reactively when an inspection is announced. | Poorly documented or inconsistent concurrent audit trails invite adverse regulatory observations, supervisory action, and reputational consequences for the bank/NBFC. |
| Programme Review & Re-Scoping | Year-end or major business change (new location, product, system) | Annual review of the audit universe — adding new locations, functions, or risk areas, and right-sizing frequency for areas that have stabilised versus those still showing findings. An audit programme designed for a company at half its current size under-covers the business it has become. | A static audit scope that never evolves with the business leaves new, higher-risk areas unreviewed while continuing to audit stable, low-risk areas at the same intensity — a poor use of assurance resources. |
What is the difference between a concurrent audit, an operational audit, and a process audit?
A concurrent audit is a near-real-time review of transactions as they occur — typically daily, weekly, or fortnightly — most commonly mandated by RBI for bank branches, currency chests, and certain NBFC business lines. An operational audit is a periodic review of how efficiently and effectively an entire function or department operates — procurement, inventory, dispatch, HR — measured against process standards and organisational objectives. A process audit is the narrowest of the three: it checks whether one specific, documented Standard Operating Procedure is actually being followed, step by step, on the ground. All three are internal-facing assurance tools, distinct from the year-end statutory audit.
Is concurrent audit legally mandatory, and for whom?
Concurrent audit is mandatory for scheduled commercial banks and, in a defined form, for certain classes of NBFCs and currency chests, under the Reserve Bank of India's Master Direction on concurrent audit. The Master Direction prescribes a minimum percentage of business — advances, deposits, non-fund exposures — that must be brought under concurrent audit coverage. It is not a general legal mandate for all companies; for a manufacturing or trading business, an operational/process audit is a voluntary, management-commissioned engagement rather than a statutory requirement, unless the entity separately falls within the internal audit mandate under Section 138 of the Companies Act.
Does every company need an operational audit, or only larger ones?
There is no universal legal requirement for every company to have an operational audit. Internal audit becomes mandatory under Section 138 of the Companies Act 2013 read with Rule 13 of the Companies (Accounts) Rules, 2014 only for companies meeting prescribed thresholds of turnover, outstanding loans/borrowings, outstanding deposits, or paid-up share capital — thresholds that differ for listed companies, unlisted public companies, and private companies. Below those thresholds, an operational or process audit is entirely a management or promoter choice — commonly adopted by growing businesses that want independent assurance beyond what the annual statutory audit provides.
How is a concurrent/operational/process audit different from the statutory audit we already have?
The statutory audit under the Companies Act examines whether your financial statements, taken as a whole, present a true and fair view — it is retrospective, covers a full financial year, and reports to shareholders via the AGM and to the RoC via AOC-4. A concurrent, operational, or process audit examines how well a specific process or transaction stream is being controlled, in near-real-time or periodically through the year, and reports internally to management, the Audit Committee, or the Board. The statutory audit is about the destination — the numbers at year end. These audits are about the journey — the process discipline that produces those numbers.
Can PNPC be both our statutory auditor and our internal/operational auditor?
Under Section 144 of the Companies Act 2013, a statutory auditor is prohibited from rendering certain specified services — including internal audit — to the company it statutorily audits, either directly or through a related entity, in order to preserve auditor independence. Where PNPC is engaged as statutory auditor for a company, we structure the internal, concurrent, or operational audit as a separate engagement, either through a different independent team within appropriate ethical walls or by recommending an alternative qualified provider, depending on the applicable independence rules for that entity's classification.
How often should an operational audit be conducted?
There is no single fixed statutory frequency for operational or process audits outside of the RBI concurrent-audit mandate. The right cadence depends on transaction volume, risk, and the pace of change in the business — high-risk, high-volume functions (inventory, cash, procurement) are commonly reviewed quarterly; lower-risk, more stable functions may be reviewed annually. Where Section 138 internal audit applies, the Audit Committee or Board typically approves an annual internal audit plan specifying the frequency for each area based on a documented risk assessment.
What does RBI's concurrent audit coverage requirement actually mean in practice?
RBI's Master Direction requires banks to bring a specified minimum percentage of their total business — typically measured across advances, deposits, and non-fund based business such as guarantees and letters of credit — under concurrent audit coverage. The exact percentage and the specific categories of business/branches that must be covered (large branches, treasury operations, forex transactions, currency chests) are set out in the current Master Direction and are reviewed periodically by RBI. Coverage is measured and reported, and a bank falling short of the mandated coverage is a supervisory concern that RBI inspectors will specifically examine.
What kind of findings does a typical operational audit uncover?
Common findings include: approval limits in the Delegation of Authority matrix not being enforced in practice (purchases approved above authorised limits by a single signatory), stock discrepancies between physical count and system records, vendor payments processed without three-way matching of purchase order, goods received note, and invoice, segregation-of-duties gaps in system access (the same person able to raise and approve a payment), stale or unfollowed SOPs, and control overrides during peak business periods that become the de facto process rather than the documented exception.
How does PNPC size the sample for transaction testing in an operational audit?
We do not apply a fixed percentage (such as 'test 10% of transactions') uniformly across every client and every process. Sample size is calibrated to the volume, value, and inherent risk of the specific process being tested — a high-value, low-volume process such as capital expenditure approvals may warrant near-100% testing, while a high-volume, low-value process such as petty cash disbursements is tested on a risk-based statistical or judgemental sample. This follows the risk-based approach set out in the ICAI's Standards on Internal Audit.
What happens if an operational audit uncovers evidence of fraud?
If, during an operational or process audit, evidence emerges suggesting fraud rather than a routine process weakness, PNPC escalates the matter immediately to the Audit Committee, Board, or designated promoter contact — rather than folding it quietly into the routine quarterly report. Depending on the materiality and nature of the finding, we recommend the engagement of a dedicated forensic audit, which follows a different methodology (evidence preservation, chain of custody, interview protocols) suited to matters that may proceed to disciplinary action, recovery proceedings, or reporting to authorities.
Do process audits apply only to manufacturing companies, or also to services businesses?
Process audits apply to any business with a documented or documentable process — manufacturing (procurement, production, quality, dispatch), trading (inventory, sales, logistics), and services businesses alike (client onboarding, billing accuracy, service delivery SLAs, timesheet-to-invoice reconciliation for professional services firms). The methodology is the same regardless of sector: identify the SOP, verify actual practice against it, document deviations, and recommend corrective action.
How is PNPC's operational audit report structured?
Our reports are structured around risk-rated findings — each observation is classified by severity (typically high/medium/low, or a similar risk grading), accompanied by the root cause, the potential financial or operational impact, a specific recommendation, and a management response with an agreed target closure date. This differs from a narrative-style report that simply lists observations without prioritisation — a risk-rated structure lets the Audit Committee or Board focus limited attention on what matters most first.
What is the difference between an operational audit and a stock audit conducted for a bank?
A stock audit is a narrower, specific engagement commissioned by a bank (often as a condition of a working capital facility) to independently verify the quantity, condition, and value of inventory pledged as security — it focuses almost entirely on inventory existence and valuation. An operational audit of the inventory function is broader — it examines the entire inventory management process (procurement planning, storage, movement, obsolescence policy, physical verification discipline), not just a point-in-time stock count for a lender's comfort. PNPC performs both, and the scope and deliverable differ accordingly.
Can an operational audit help before we raise institutional funding?
Yes. Investors conducting operational due diligence before a fundraise commonly look for evidence of process discipline — documented SOPs, functioning approval controls, clean segregation of duties, and a track record of internal review. A recent, well-documented operational audit with a tracked closure record of prior findings is tangible evidence of operational maturity that strengthens a company's position in diligence, and surfaces (and lets you fix) weaknesses before an investor's own diligence team finds them first.
How does PNPC handle multi-location operational audits?
For businesses with multiple branches, warehouses, or plants, we design a rotational or risk-based coverage plan — auditing every location over a defined cycle (annually or across a 2-year rotation, depending on risk) rather than only ever auditing head office or the largest location. High-risk or historically problematic locations are prioritised for more frequent coverage. Findings are consolidated across locations to identify whether an issue is a single-site lapse or a systemic gap in the SOP or training that repeats across the network.
What documents does PNPC need to start an operational audit?
At minimum: the organisation chart and Delegation of Authority matrix for the function in scope, existing SOPs or policy documents (or confirmation that none exist, which is itself a Day 1 finding), a sample period of transaction records relevant to the process being tested, and access to the process owner for walkthroughs. For concurrent audit specifically, daily transaction registers and, for RBI-regulated coverage, KYC and sanction documentation are required on an ongoing basis for the duration of the engagement.
Is an operational audit report confidential, or does it need to be shared with regulators or shareholders?
An operational, process, or (for non-RBI-regulated entities) internal audit report is an internal management document — it is addressed to the Audit Committee, Board, or promoters, and there is no general statutory requirement to file it with the RoC or share it with shareholders or the public. For RBI-regulated entities, concurrent audit reports and consolidated summaries are shared with the entity's own Head Office Inspection function and may be reviewed by RBI supervisors during an inspection, but they are not public filings in the way AOC-4 financial statements are.
How long does a first operational audit engagement typically take?
A first-cycle operational audit of a single function at a single location typically runs 4–6 weeks from scoping to final report — covering SOP review, walkthroughs, transaction testing, and reporting. A broader, multi-function or multi-location engagement, or a first-time internal audit programme covering an entire Section 138-mandated audit universe, is scoped as a longer engagement with a phased plan across the financial year rather than a single sprint.
What is a Risk Based Internal Audit (RBIA) framework, and does it apply to us?
Risk Based Internal Audit is the framework mandated by RBI for banks and, in a scaled form, applicable to certain categories of NBFCs, requiring the internal audit function to prioritise audit coverage and frequency according to a documented risk assessment of each business area, rather than auditing everything with equal intensity. For a non-RBI-regulated company, RBIA is not a mandatory framework by name, but its underlying principle — risk-based rather than uniform audit coverage — is the same approach PNPC applies when designing an operational audit plan for any client, RBI-regulated or not.
Can process audits be used to prepare a company for ISO certification or similar quality standards?
Process audit methodology — verifying that documented procedures are actually followed — overlaps significantly with the internal audit requirements built into quality management standards such as ISO 9001, which itself requires periodic internal audits as part of its certification and surveillance cycle. PNPC's process audits are financial/operational-control focused rather than a formal ISO internal audit in themselves, but the discipline of SOP-versus-practice verification is directly complementary, and findings from our process audits often feed usefully into a client's broader quality management system work.
How much does an operational, process, or concurrent audit engagement cost?
PNPC quotes a fixed, scope-based fee agreed in writing before fieldwork begins — driven by the number of functions/locations in scope, transaction volume, and audit frequency. Concurrent audit engagements for RBI-regulated entities are typically priced on an ongoing retainer basis reflecting the continuous, year-round nature of the mandate; operational and process audits are typically priced per cycle or as an annual programme fee covering an agreed number of cycles. We are not the lowest-cost provider in the market — our differentiation is in the depth of root-cause analysis and the corrective-action tracking discipline that a lower-cost, checklist-driven audit typically does not provide.
Why should we engage PNPC rather than build an in-house internal audit team?
An in-house team has deep institutional knowledge but can face independence pressure — reporting to the same management whose processes they are reviewing creates a structural conflict that an external, independent auditor does not face. External engagement also brings cross-industry pattern recognition — PNPC's audit teams see recurring control weaknesses across dozens of client businesses and bring that experience to your specific engagement, rather than benchmarking only against your own history. Many mid-size businesses use a hybrid model: a lean in-house compliance function supported by PNPC for the independent, periodic operational/concurrent audit cycles.
What is the ICAI's role in governing these audits?
The Institute of Chartered Accountants of India (ICAI) issues the Standards on Internal Audit (SIA), a series of standards covering planning, risk assessment, documentation, reporting, and quality control for internal audit engagements — including the operational and process audit work that typically forms part of an internal audit programme. ICAI has been rolling out mandatory compliance with the SIAs in a phased manner — starting with internal audit engagements for listed companies and progressively extending to other companies — for every ICAI member conducting an internal audit, regardless of whether internal audit is a statutory requirement for that particular entity under Section 138. PNPC applies the same disciplined SIA-based methodology to voluntary, management-commissioned operational and process audits as well, rather than using a lighter, non-standard approach for non-mandatory engagements.
Does an operational audit review IT systems and cybersecurity controls too?
A standard operational or process audit typically covers system-embedded process controls relevant to the function in scope — for example, whether the ERP enforces segregation of duties between purchase requisition, approval, and payment. It is not, by default, a full IT general controls (ITGC) audit or a cybersecurity/penetration-testing engagement, which are specialised assessments requiring different expertise and are scoped separately. Where a client's risk profile calls for it, PNPC scopes a dedicated IT controls review alongside the operational audit rather than folding a specialist exercise into a general process review superficially.
What is the role of the Audit Committee in relation to these audits?
For companies required to constitute an Audit Committee under Section 177 of the Companies Act (applicable to listed companies and certain classes of public companies) or as a matter of good governance practice for others, the Audit Committee typically approves the internal/operational audit plan, reviews significant findings, monitors the closure of corrective actions, and evaluates the effectiveness and independence of the internal audit function itself, including any external provider such as PNPC. Where no formal Audit Committee exists, this oversight role is typically performed by the Board directly or by designated promoters/directors.
How does a process audit differ from simply asking department heads if procedures are being followed?
Asking a department head relies on self-reported compliance, which is subject to unconscious bias, incomplete visibility into what actually happens at the transaction level, and — in some cases — a direct incentive to understate deviations. A process audit independently verifies actual practice through documentary evidence, transaction sampling, and direct observation, rather than relying on a verbal or written assertion from the person whose own performance the process reflects. This independence is the entire value proposition of the engagement.
Can PNPC conduct a one-time targeted audit if we suspect a problem in one specific area, without committing to a full annual programme?
Yes. Not every engagement needs to be a recurring annual programme. PNPC scopes standalone, targeted operational or process audits — for example, a focused review of one branch's cash handling after an anomaly, or a single deep-dive into the procurement function following a vendor complaint — as a self-contained engagement with its own defined start, fieldwork, and report, independent of any broader audit calendar.
What happens after the audit report is issued — does PNPC's involvement end there?
No. PNPC maintains an action tracker for every finding raised, with agreed target closure dates from management, and formally follows up on closure status at the next audit cycle — verifying, not just noting, whether corrective action was actually implemented. A finding that recurs unaddressed across two or three consecutive audit cycles is itself escalated as a distinct governance concern to the Audit Committee or Board, since it indicates either an unresolved root cause or inadequate management follow-through.
Is concurrent audit the same as a bank's own internal inspection?
They are related but distinct. Concurrent audit, as mandated by RBI, is typically performed by an external chartered accountant firm (or, for very large banks, sometimes an internal team functioning with concurrent-audit-level independence and reporting lines) reviewing transactions at or near the point of occurrence. A bank's own internal inspection department conducts periodic, broader inspections of a branch or function — covering areas beyond what concurrent audit typically examines, and often at a lower frequency (annual or bi-annual) than the near-continuous concurrent audit cycle. Both feed into the bank's overall control assurance framework but serve different purposes and cadences.
Do NBFCs need concurrent audit, or only banks?
Concurrent audit in its full, branch-level form under the RBI Master Direction has historically been most directly associated with scheduled commercial banks. For NBFCs, RBI's regulatory framework instead centres on the Risk Based Internal Audit (RBIA) requirement, applicable to specified categories and sizes of NBFCs, which mandates a structured, risk-prioritised internal audit function rather than the identical concurrent-audit branch-coverage model used for banks. The precise applicability depends on the NBFC's asset size classification and current RBI directions, which PNPC confirms against the client's specific classification at engagement scoping rather than assuming uniform applicability across all NBFCs.
How does PNPC ensure objectivity when the same firm has performed multiple audit cycles for the same client over several years?
Familiarity risk — where long-tenured auditors become less critical over time — is a recognised risk in any recurring assurance relationship. PNPC addresses this through periodic rotation of the engagement team (not necessarily the client relationship partner) across audit cycles, fresh risk assessment at the start of each cycle rather than simply repeating the prior year's programme, and an internal quality review process on our own audit files. We also actively look for evidence that our own prior-cycle recommendations were followed — testing our own work's effectiveness, not only the client's compliance.
Can operational audit findings be used as evidence in a legal or disciplinary proceeding against an employee?
A standard operational or process audit report can provide supporting evidence of a control weakness or deviation, but it is not designed, from a documentation and evidentiary standpoint, to meet the standards required for disciplinary action or legal proceedings against a specific individual — that requires the more rigorous evidence-handling, chain-of-custody, and interview protocols of a proper forensic audit or investigation. Where an operational audit finding raises a serious enough concern that disciplinary or legal action against an individual becomes a realistic possibility, we recommend commissioning a dedicated forensic review rather than relying on the operational audit report alone.
How does PNPC coordinate an operational audit with our statutory auditor, if they are a different firm?
Where PNPC performs the internal/operational audit and a different firm serves as statutory auditor, we coordinate through the Audit Committee — sharing relevant operational audit findings that could have financial statement implications (such as inventory discrepancies, revenue recognition process weaknesses, or control gaps around related party transactions) so the statutory auditor can factor them into their own risk assessment and audit approach, subject to the client's consent and the Audit Committee's coordination protocol.
| Feature | Generic Audit Provider | In-House Compliance Team Only | PNPC Global |
|---|---|---|---|
| Risk-based scoping | Often a fixed checklist applied uniformly to every client | Depends entirely on in-house team's own risk awareness | Risk assessment specific to your business, revisited every cycle, calibrated to actual transaction volume and materiality |
| Root-cause analysis | Lists deviations without probing why they recur | May lack the cross-industry pattern recognition to spot systemic causes | Every significant finding traced to root cause — training gap, system limitation, or incentive misalignment — not just symptom-level reporting |
| RBI concurrent audit expertise | Generic audit firms may not track current Master Direction coverage norms closely | Not applicable — internal teams are not independent for this purpose | Current RBI Master Direction coverage confirmed at scoping; ongoing cycle managed to the mandated cadence |
| Independence | Variable — some providers also handle bookkeeping for the same client without addressing conflicts | Structurally compromised — reports to the same management whose processes are reviewed | Section 141/144-aware engagement structuring; independence protected even where PNPC serves other roles for the group |
| Corrective action tracking | Often ends at report delivery | May track informally, without independent verification | Formal action tracker with independent verification of closure at the next cycle — not just self-reported closure |
| Escalation of serious findings | May hold findings for the routine periodic report | Discretion of internal team, which may hesitate to escalate on peers/superiors | Significant or fraud-indicative findings escalated immediately to the Audit Committee/Board, with a recommendation for forensic review where warranted |
| Multi-jurisdiction coordination | India-only, or UAE-only, coordination | Limited to wherever the in-house team is based | Chennai, Bangalore, Hyderabad, and Dubai offices — single coordinated team for India-UAE group structures |
| Presentation to Audit Committee/Board | Report emailed with limited discussion | Presented internally, without independent perspective | PNPC presents findings directly to the Audit Committee or Board, fielding questions and providing an independent professional view |
What the PNPC package includes
- 01
Scoping consultation to determine whether concurrent, operational, or process audit (or a combination) fits your regulatory status and risk profile
- 02
RBI Master Direction concurrent-audit coverage assessment for banks and NBFCs, against current mandated minimums
- 03
Risk-based audit universe mapping and annual audit plan, calibrated to your actual transaction volume and functional risk
- 04
SOP and policy gap review — flagging missing or stale documented procedures before fieldwork begins
- 05
On-site walkthroughs and independent transaction sampling, sized to materiality rather than a fixed generic percentage
- 06
Root-cause analysis on every significant finding — not just a list of deviations
- 07
Risk-rated audit report with management response and agreed corrective-action closure dates
- 08
Direct presentation of findings to your Audit Committee or Board, with a named engagement CA fielding questions
- 09
Independent verification of corrective-action closure at the next audit cycle — not reliance on self-reported closure
- 10
Coordination with your statutory auditor (where a different firm) via the Audit Committee to avoid duplicated fieldwork
- 11
India-UAE coordinated coverage for group structures with operations or branches in both jurisdictions
- 12
Escalation protocol for fraud-indicative findings, with a scoped forensic audit recommendation where warranted
Speak directly with a PNPC Chartered Accountant about your concurrent, operational, or process audit needs — not a call-centre intake process. A practising CA who will scope the right engagement for your regulatory status and risk profile, sit through the fieldwork, and present the findings to your Audit Committee in person.