HomeServicesRisk AdvisoryBusiness Continuity & Fraud Risk Assessments

Risk Advisory · Risk Advisory Services

Business Continuity & Fraud Risk Assessments

Business Continuity & Fraud Risk Assessments answer two related but distinct questions your Board needs answered with evidence, not assumption: can this organisation keep operating through a disruption — a cyber incident, a key-vendor failure, a facility loss, a regional event — and where, specifically, is this organisation exposed to fraud because of how its people, processes, and controls are actually structured.

Chartered Accountants · Chennai · Hyderabad · Bangalore · Dubai · Since 1986

2,000+Clients since 1986
42 yrsCA practice
4Offices · India & UAE
24 hrsResponse time

Business Continuity & Fraud Risk Assessments answer two related but distinct questions your Board needs answered with evidence, not assumption: can this organisation keep operating through a disruption — a cyber incident, a key-vendor failure, a facility loss, a regional event — and where, specifically, is this organisation exposed to fraud because of how its people, processes, and controls are actually structured. At PNPC Global, we do not hand you a generic BCP template or a fraud-risk checklist copied from a textbook. We map your actual critical processes, your actual single points of failure, and your actual fraud triangle exposure — opportunity, pressure, and rationalisation — as they exist in your business today, and we give your Audit Committee a prioritised, evidence-based view of what could go wrong and what it would take to keep the business running or to catch it early.

What it costs

Govt. feesGovernment & statutory fees as applicable to your case
Professional feeFixed professional fee — confirmed in writing before we start

No hidden charges. The exact figure is set in your engagement letter.

What Business Continuity & Fraud Risk Assessments is

A Business Continuity & Fraud Risk Assessment is a combined advisory and assurance engagement that evaluates two adjacent risk domains together because they share a common root cause: an organisation that has not systematically mapped its critical dependencies is usually the same organisation that has not systematically mapped where its controls can be overridden. Business continuity assessment identifies the processes, systems, people, vendors, and facilities that are critical to keeping the organisation operating, quantifies the Recovery Time Objective (RTO — how quickly a process must be restored) and Recovery Point Objective (RPO — how much data loss is tolerable) for each, and tests whether the Business Continuity Plan (BCP) and Disaster Recovery Plan (DRP) that exist on paper would actually work if invoked. Fraud risk assessment applies the internationally recognised Fraud Triangle framework (opportunity, pressure/incentive, and rationalisation) and the COSO Internal Control – Integrated Framework's fraud risk principle to identify where the organisation's control environment, segregation of duties, and oversight create genuine opportunity for asset misappropriation, financial statement fraud, or corruption — not as a theoretical exercise, but tested against actual transaction data, actual approval workflows, and actual access rights.

The two assessments are run together, and PNPC deliberately packages them as one engagement, because a mature risk conversation treats operational resilience and fraud exposure as facets of the same underlying question: does this organisation's control and governance environment actually work the way management believes it does? A single point of failure in a critical vendor relationship and a segregation-of-duties gap in the payables process are both, at their core, failures of the same discipline — systematic identification and mitigation of material risk. Running both assessments together also surfaces overlap that a siloed review would miss: a business continuity gap around IT access management, for instance, is frequently also a fraud-enabling gap, because the same weak access control that could cause a prolonged system outage also allows an employee with excessive system privileges to manipulate records undetected.

The statutory and governance backdrop in India makes this more than a best-practice conversation for many organisations. Section 134(5)(e) of the Companies Act 2013 requires directors of applicable companies to state that the company has adequate internal financial controls and that such controls were operating effectively during the year — a representation that is difficult to make in good faith without having identified and assessed fraud risk. SEBI's Listing Obligations and Disclosure Requirements (LODR) Regulations require the Risk Management Committee of the top 1,000 listed companies by market capitalisation (Regulation 21) to address business continuity within its risk management policy explicitly, alongside cybersecurity and information security risks. Section 143(12) of the Companies Act obligates the statutory auditor to report suspected fraud above a prescribed threshold to the Central Government or Audit Committee — a reporting trigger that is far less likely to arise as a surprise when a structured fraud risk assessment has already mapped the organisation's exposure. Standards on Auditing, particularly SA 240 (The Auditor's Responsibilities Relating to Fraud in an Audit of Financial Statements), similarly place an explicit obligation on management and those charged with governance to design and implement controls to prevent and detect fraud — an obligation that a documented fraud risk assessment directly supports.

For unlisted and family-owned businesses, the driver is usually more immediate and practical: a key-person dependency that nobody has mapped, a critical vendor with no contingency, a finance team small enough that segregation of duties is structurally difficult, or a near-miss incident that revealed how little visibility management actually had into either operational resilience or fraud exposure. A well-run assessment does not end with a report that gets filed away — it ends with a prioritised remediation roadmap, a tested (not merely written) BCP, and control changes that close the specific fraud opportunities identified, each assigned an owner and a realistic timeline that the Audit Committee can track.

When this engagement is the right call

Listed company whose Risk Management Committee under SEBI LODR Regulation 21 must demonstrate that business continuity and fraud risk are addressed within its formal risk management policy, not just referenced in passing

Board or Audit Committee about to sign the Section 134(5)(e) internal financial controls adequacy statement and wants an independent, evidence-based view of fraud exposure before making that representation

Organisation that has never formally mapped its critical processes, key-person dependencies, or single points of failure and genuinely does not know how long it could operate through a major disruption

Company that has experienced a near-miss — a failed vendor, a ransomware attempt, a data centre outage, a suspected internal fraud — and wants a structured assessment rather than an ad hoc fix to the specific incident

Business with a lean finance or operations team where segregation of duties is structurally constrained and management wants to understand and mitigate the resulting fraud opportunity rather than ignore it

Organisation preparing for a fundraise, acquisition, or strategic sale where institutional investors and diligence teams will specifically probe both operational resilience and fraud control maturity

Company with a written BCP or DRP document that has never actually been tested through a tabletop exercise or simulated failover, and where management is not confident it would work if invoked

Group structure with a UAE or overseas subsidiary where continuity planning and fraud control standards across entities have never been assessed on a consistent basis

When a narrower or different engagement fits better

You need to investigate a specific, already-suspected fraud incident — identify what happened, who was involved, and quantify the loss — that is a targeted Forensic Audit, which moves faster and is scoped to the specific matter rather than the broader control environment

You need a technical cybersecurity and IT resilience assessment specifically — penetration testing, vulnerability scanning, and technical DR architecture review sit within our Cybersecurity Audit and IT risk engagements, which go deeper on the technical layer than a business-level continuity assessment

You need the Board's Section 143(3)(i)/134(5)(e) Internal Financial Controls certification itself prepared and tested against the codified ICFR standard — that is an IFC Review engagement, narrower and more specifically scoped to financial reporting controls

You need a full entity-wide governance, risk, and control review covering Board structure, committee effectiveness, and the whole risk universe — that broader scope is covered by our GRC Assurance engagement, of which business continuity and fraud risk assessment can form one component

Your organisation is a very early-stage startup with a handful of employees, no material vendor dependency, and no near-term institutional fundraise — the formality of a full assessment is disproportionate at this stage; a lighter foundational-controls conversation is more appropriate

You need ongoing, cyclical testing of process controls as a continuous programme rather than a point-in-time assessment — a structured Internal Audit function under Section 138 is the better long-term vehicle, often informed by the initial findings of a BCP and fraud risk assessment

Structure Comparison

BCP & Fraud Risk Assessment vs adjacent risk and assurance engagements

FeatureBCP & Fraud Risk AssessmentForensic AuditGRC AssuranceInternal Audit (Sec 138)Cybersecurity Audit
Primary objectiveAssess operational resilience to disruption and identify fraud opportunity across people, process, and controlInvestigate a specific, already-suspected irregularity or incidentAssess governance, risk, and control as an integrated entity-wide systemOngoing testing of process controls against a risk-based annual planAssess technical IT security controls and vulnerability exposure
Governing framework/standardCOSO ERM 2017, Fraud Triangle model, ISO 22301 (BCM reference), SA 240 (fraud responsibilities)No single statute — scoped to the specific matter and forensic evidentiary standardsCOSO ERM 2017, COSO Internal Control 2013, ISO 31000Standards on Internal Audit (SIA), Section 138 & Rule 13ISO 27001, NIST CSF, sector-specific technical standards
TriggerProactive risk management, SEBI LODR obligation, near-miss incident, or pre-transaction readinessA specific whistleblower complaint, discrepancy, or suspected eventSEBI LODR obligation, governance maturity milestone, or pre-transaction readinessStatutory requirement (Rule 13) or best-practice adoptionData breach, technical audit requirement, or proactive hardening
Scope breadthCritical process mapping, single points of failure, and fraud opportunity across the control environmentNarrow and incident-specific — the individuals, transactions, or period under questionEntity-wide — Board, ERM framework, and control environment togetherProcess- and function-specific per the annual audit planIT infrastructure, applications, and technical security controls
Typical outputBusiness Impact Analysis, tested/updated BCP-DRP, fraud risk heat map, prioritised remediation roadmapInvestigation report — findings, quantification, and recommendationsGovernance & risk maturity rating, control gap register, remediation roadmapAudit findings report per engagement or quarterVulnerability report, penetration test findings, remediation plan
FrequencyTypically every 1–2 years, or after material business changeOne-off, triggered by an eventAnnual or a defined multi-year cycleContinuous, per annual audit planAnnual or per compliance requirement
Reports toBoard / Audit Committee / Risk Management CommitteeWhoever commissions it — Board, Audit Committee, or specific stakeholderBoard / Audit Committee / Risk Management CommitteeAudit Committee / BoardIT/Security leadership, and Board where material
Best suited toBoards wanting a structured, evidence-based view of resilience and fraud exposure before an incident forces the questionCompanies facing a specific fraud, whistleblower complaint, or disputeBoards needing systemic assurance ahead of listing, fundraise, or maturity milestonesCompanies meeting Section 138/Rule 13 thresholds, or adopting best practiceCompanies with material IT/data dependency needing technical assurance

These engagements are complementary, not substitutes. A mature risk programme typically runs a BCP & Fraud Risk Assessment periodically alongside GRC Assurance, Internal Audit, and — where the incident is specific — Forensic Audit as needed. PNPC scopes each independently and advises on the right sequence for your situation.

How it works
#Stage & What PNPC DoesWhat Generic Providers SkipTimeline
1Scoping & Objective-SettingWe start by understanding what triggered the need — a SEBI LODR obligation, a near-miss incident, pre-fundraise readiness, or first-time formalisation — because this determines whether the assessment should be entity-wide or focused on the highest-risk processes. Generic providers frequently apply a fixed-scope template regardless of the actual driver.Week 1
2Critical Process Identification & Business Impact Analysis (BIA)We work with process owners to identify which functions are genuinely mission-critical (payroll, order fulfilment, customer-facing systems, treasury, statutory filing capability) versus important-but-deferrable, and quantify the Maximum Tolerable Downtime, RTO, and RPO for each — a step most template BCP exercises skip entirely, defaulting to identical recovery targets for every process.Week 1–2
3Single Point of Failure MappingWe map dependency on key individuals, sole-source vendors, single facilities, and single IT systems — identifying where the organisation has no fallback if that one point fails. Key-person dependency is the most commonly under-assessed risk in mid-sized Indian businesses, where critical process knowledge often sits with one or two individuals and is not documented anywhere.Week 2–3
4Existing BCP/DRP Document ReviewWhere a BCP or DRP already exists, we review it against the BIA findings to check whether it actually addresses the processes identified as critical, or whether it is a generic document — often adapted from a template or a prior employer's plan — that does not reflect this organisation's actual dependencies.Week 2–3
5Fraud Risk Universe AssessmentUsing the Fraud Triangle (opportunity, pressure, rationalisation) as the analytical lens, we map where the organisation's control environment creates opportunity — weak segregation of duties, excessive system access, unmonitored related-party dealings, cash-intensive processes, discretionary approval authority — process area by process area, rather than applying a generic industry fraud checklist.Week 3–4
6Segregation of Duties & Access Rights TestingWe test actual ERP/accounting system access rights against the roles that should be segregated — who can create a vendor and also approve payment to that vendor, who can post journal entries and also reconcile the bank, who can approve purchase orders and also receive goods — and sample actual transactions to confirm whether the theoretical segregation held in practice.Week 4–5
7Fraud Scenario & Red-Flag AnalysisFor the highest-opportunity areas identified, we develop specific fraud scenarios (ghost vendors, duplicate payments, revenue manipulation, expense reimbursement abuse, related-party diversion) relevant to this business model, and test whether existing controls or data analytics would actually detect each scenario — not merely whether a policy prohibiting it exists.Week 4–6
8Tabletop Exercise / BCP SimulationRather than relying solely on document review, we run a facilitated tabletop exercise — a simulated disruption scenario relevant to the business (key system outage, loss of a critical vendor, facility inaccessibility) — walking management through the actual decisions and communications the written plan calls for, which reliably surfaces gaps a paper review alone would miss.Week 6–7
9Findings Consolidation & Risk RatingBusiness continuity gaps and fraud risk findings are each rated (Critical/High/Medium/Low) based on likelihood and potential impact, and cross-referenced where the same root cause — commonly a weak access-management or oversight gap — drives both a continuity risk and a fraud opportunity.Week 7
10Draft Report & Management ResponseA draft report is shared with management to confirm factual accuracy and capture a proposed remediation owner and timeline for each finding, before anything reaches the Audit Committee or Board — avoiding a report the Board sees findings in for the first time with no indication of how they will be addressed.Week 7–8
11Presentation to Audit Committee / Board / Risk Management CommitteePNPC's engagement partner presents the findings, the updated BCP recommendations, and the fraud risk heat map directly to the Committee or Board, answering questions in real time rather than leaving a written report to be summarised by the Company Secretary.Week 8
12Remediation Support & BCP/DRP FinalisationPNPC supports process owners in updating the BCP/DRP document to reflect the BIA findings, redesigning specific controls to close identified fraud opportunities, and sequencing remediation by priority so the highest-risk gaps are addressed first.Week 8–12
13Follow-Up Verification & Next-Cycle PlanningA follow-up review confirms that remediation actions were genuinely implemented — not just marked complete — and PNPC works with the Audit Committee to plan the next assessment cycle, incorporating any business changes (new geography, new system, new vendor dependency) since the last review.3–6 months post-report, then per agreed cycle

A first-time, entity-wide BCP & Fraud Risk Assessment for a mid-sized company typically takes 8–12 weeks from scoping to Board presentation, depending on the number of critical processes, locations, and the depth of segregation-of-duties testing agreed in scope. Subsequent cycles are generally faster once the BIA and fraud risk baseline already exist.

Document Checklist
Organisational & Process Documents

Organisation chart identifying process owners, key-person roles, and reporting lines across critical functions

Process maps or Standard Operating Procedures (SOPs) for key business processes — order-to-cash, procure-to-pay, payroll, treasury, IT operations

List of premises, facilities, and locations relevant to operations, including ownership/lease status

IT systems inventory — core applications, hosting arrangement (on-premise/cloud), and criticality ranking if one already exists

Existing Continuity & Recovery Documents

Any existing Business Continuity Plan (BCP) or Disaster Recovery Plan (DRP) document, however dated

Prior business continuity or disaster recovery test/exercise records, if any tabletop or simulation has previously been conducted

IT backup policy and evidence of backup testing — frequency, retention, and last successful restoration test

Insurance policy schedule — business interruption, cyber, key-person, property, and Directors & Officers (D&O) cover as applicable

Vendor and supplier contracts for any sole-source or critical-dependency relationships, including any continuity or SLA clauses

Financial Control & Access Documents

Chart of authority / Delegation of Authority (DoA) matrix currently in force, with amendment history

ERP/accounting system access rights listing — user roles and permissions across finance, procurement, and HR modules

Bank signatory list and mandate documents for all operating accounts

Segregation of duties matrix, if one is currently documented, for finance and procurement processes

Sample of vendor master data and vendor onboarding approval records for the review period

Fraud Risk & Governance Documents

Code of Conduct for directors, senior management, and employees, and evidence of periodic acknowledgement

Vigil Mechanism / whistleblower policy adopted under Section 177(9) of the Companies Act, where applicable, and any complaints log

Related Party Transaction policy and register of related party transactions for the period under review

Any prior internal audit, statutory audit management letter, or GRC review findings relevant to fraud risk or control gaps

Records of any past suspected fraud, disciplinary action, or whistleblower complaint, however informally handled at the time

HR & Key-Person Dependency Documents

List of roles/individuals holding sole institutional knowledge of critical processes, systems, or client relationships

Succession or cross-training documentation, if any exists, for key finance, operations, and IT roles

Employee handbook sections covering conflict of interest, gifts and hospitality, and reporting obligations

Key-person insurance policy details, if held, for founders or critical personnel

Regulatory & Prior Assurance Documents

Most recent statutory audit report and management letter, if available

Any prior GRC Assurance, internal audit, or risk assessment reports and their remediation status

Regulatory correspondence, show-cause notices, or inspection reports received in the review period, if any

Group/subsidiary structure chart, including any UAE or overseas entity, with an indication of shared or separate continuity and fraud controls

Ongoing obligations
PhaseTriggered ByPNPC CA GuidanceRisk If Ignored
Pre-Engagement ScopingBoard or Audit Committee decision to commission the assessmentScoping conversation to align on driver — SEBI LODR obligation, near-miss incident, pre-transaction readiness, or first-time formalisation — and right-size the assessment to entity scale and complexity.A generic, wrong-sized scope either misses the risks specific to this business or imposes disproportionate cost and management time on a smaller organisation.
Business Impact AnalysisEngagement kickoffIdentification of genuinely critical processes and quantification of RTO/RPO for each, rather than treating every process as equally critical, which dilutes the plan and the resource allocation behind it.Without a proper BIA, a BCP either protects the wrong processes first or spreads limited recovery resources evenly across processes of very different real-world criticality.
Fraud Risk Mapping & SoD TestingBIA substantially completeFraud Triangle-based mapping of opportunity by process area, combined with actual system access-rights testing — not a generic checklist — to identify where this specific organisation's control environment creates real exposure.A checklist-based fraud review that is not tested against actual access rights and transaction samples routinely misses the specific opportunity gaps that materialise into an actual loss.
Tabletop Exercise & FindingsMapping and testing completeA facilitated simulation of a realistic disruption scenario, walking management through the plan's actual mechanics — who calls whom, what system comes up first, what the manual workaround is — which reliably surfaces gaps a document review alone misses.A BCP that has never been rehearsed frequently fails at the exact moment it is needed — the plan reads well on paper but the contact list is outdated, the backup was never tested, or no one knows who has authority to declare an incident.
Reporting & Board PresentationTesting and findings consolidatedDraft report validated by management, then presented directly to the Audit Committee/Board by the engagement partner, with remediation ownership and realistic timelines agreed in the room.Findings emailed without a live Board discussion are frequently filed without genuine engagement, and the Board's own governance representations end up resting on a document that was never actually discussed at Board level.
Remediation & BCP/DRP UpdateReport accepted, roadmap agreedPNPC supports updating the BCP/DRP to reflect BIA findings, redesigning specific controls (segregation of duties, access rights, approval thresholds) to close fraud opportunities identified, sequenced by priority.Remediation left with process owners and no structured follow-up routinely stalls against day-to-day operational pressure, particularly for controls that create short-term friction in a process.
Follow-Up VerificationAgreed remediation period elapsesIndependent follow-up testing to confirm the BCP was genuinely updated and controls redesigned are actually operating — not simply marked complete by the same owner responsible for the original gap.Self-certified closure without independent verification is the most common reason the same continuity gap or fraud opportunity resurfaces in the next assessment cycle.
Trigger Events (Incident, Fundraise, Growth)Actual disruption, investor due diligence, or significant business changeWhere an actual incident occurs, PNPC supports incident response coordination alongside a root-cause review; where growth or a new geography changes the risk profile, the BIA and fraud risk map are refreshed accordingly.An untested BCP or an unmapped fraud opportunity discovered for the first time during a live incident or live investor due diligence is materially more costly and disruptive than the same gap addressed on a planned assessment cycle.
Frequently asked
What exactly is a Business Continuity & Fraud Risk Assessment, in plain terms?

It is a structured review that answers two practical questions together: if something disrupts your business tomorrow — a key system going down, a critical vendor failing, a facility becoming inaccessible — how long could you keep operating and how quickly could you recover; and separately, where in your organisation does the way people, processes, and controls are set up today create a genuine opportunity for fraud, whether by an employee, a vendor, or a combination of both. We assess both together because the underlying discipline — systematically identifying where things can go wrong before they do — is the same for each.

Practitioner noteMost organisations we meet have thought about one of these two risks informally and never structured the other at all. Business continuity gets attention after an IT outage; fraud risk gets attention after a loss is discovered. This engagement is designed to get ahead of both, before either becomes a live incident.
Is this assessment legally required for my company?

There is no single statute in India that mandates a 'Business Continuity & Fraud Risk Assessment' by that exact name. However, the underlying obligations are real: Section 134(5)(e) of the Companies Act 2013 requires directors of applicable companies to represent that internal financial controls are adequate and operating effectively — fraud risk assessment is a foundational input to making that statement in good faith. SEBI LODR Regulation 21 requires the top 1,000 listed companies by market capitalisation to have a Risk Management Committee whose risk policy must address business continuity and cybersecurity risk explicitly. Standards on Auditing (SA 240) place an express responsibility on management and those charged with governance to design controls that prevent and detect fraud.

Practitioner noteWe are asked 'is this mandatory' frequently. The honest answer depends on your listing status and size — but even where it is not a named statutory filing, the underlying obligations it supports very often are. We map exactly which obligations apply to your company before scoping.
Why does PNPC combine business continuity and fraud risk into one engagement rather than offering them separately?

Because in practice they share root causes and PNPC can offer either separately when that is genuinely what a client needs. A weak IT access-management control, for example, is simultaneously a business continuity risk (unauthorised or accidental system changes causing an outage) and a fraud risk (excessive access enabling record manipulation undetected). Assessing them together surfaces this overlap and produces a more efficient, more coherent remediation plan than two disconnected reviews conducted by different teams at different times.

Practitioner noteClients sometimes ask for 'just the BCP' or 'just the fraud review.' We are happy to scope either independently — but we always flag where we expect meaningful overlap, because addressing only one side sometimes leaves the other exposed through the exact same underlying gap.
What is a Business Impact Analysis (BIA) and why does it come before the BCP itself?

A Business Impact Analysis identifies which of your business processes are genuinely critical, and for each, quantifies the Maximum Tolerable Downtime, the Recovery Time Objective (how quickly it must be restored), and the Recovery Point Objective (how much data loss, if any, is acceptable). Without a BIA, a BCP has no basis for prioritisation — it either treats every process as equally urgent, which wastes recovery resources, or is built around management's assumptions rather than a tested reality. We always run the BIA first; the BCP is built on its findings, not the other way around.

Practitioner noteWe frequently find that management's gut-feel ranking of 'most critical process' does not match what the BIA actually reveals once dependencies are mapped properly — a support function nobody thought of as critical often turns out to be a genuine single point of failure for several other processes.
What is a single point of failure, and how do you identify them?

A single point of failure is any person, vendor, system, or facility whose unavailability would materially disrupt a critical process, with no fallback in place. We identify these through structured interviews with process owners, review of vendor contracts for sole-source dependencies, and mapping of who holds undocumented institutional knowledge of key processes. Key-person dependency — where only one individual genuinely understands how to run a critical process — is one of the most common and most under-assessed single points of failure in mid-sized Indian businesses.

Practitioner noteWe have seen finance functions where only one person knows the exact steps to run month-end close, with no documentation and no cross-training. That person taking unplanned leave, let alone resigning, becomes a genuine continuity event — not a hypothetical one.
What is the Fraud Triangle and how does PNPC apply it?

The Fraud Triangle is a widely used framework describing the three conditions that typically must be present for fraud to occur: opportunity (a control weakness that allows it), pressure or incentive (a personal or business reason to commit it), and rationalisation (a way for the individual to justify it to themselves). We apply this framework primarily to the opportunity leg — since that is the one an organisation can most directly control through segregation of duties, access management, and oversight — while also considering where business or personal pressures (aggressive targets, financial distress, inadequate compensation relative to trust placed) may elevate risk in specific roles or process areas.

Practitioner noteWe are careful not to present fraud risk assessment as an accusation against any individual. It is a review of the control environment — asking 'where could fraud happen given how this process is currently set up,' not 'who is likely to commit it.'
What is segregation of duties and why do you test system access rights, not just the policy document?

Segregation of duties means no single individual should be able to both execute and conceal a fraudulent transaction alone — for example, the person who creates a new vendor in the system should not also be the person who approves payment to that vendor. Many organisations have a segregation of duties matrix on paper that does not match actual system access rights. We test the actual ERP or accounting system permissions granted to each user, and sample real transactions, to confirm whether the documented segregation genuinely held in practice — not just whether the policy exists.

Practitioner noteIt is common to find a former employee's system access still active months after their exit, or a single 'super-admin' account used by multiple people for convenience. Both defeat segregation of duties regardless of what the written policy says.
We are a small company with a lean finance team. Is proper segregation of duties even possible for us?

Full textbook segregation of duties is often genuinely difficult with a small finance team — this is a real, structural constraint, not a failure of discipline. Where full segregation is not achievable, we recommend compensating controls: mandatory secondary review or approval by someone outside the finance team (even a business owner or a Board member) above defined thresholds, periodic surprise reconciliation checks, and system-enforced approval workflows that at least require a second click by a different login even if the same small team is involved. We size the recommendation to what is realistic for the organisation's stage.

Practitioner noteWe do not recommend hiring additional finance headcount purely to satisfy textbook segregation of duties when the business genuinely cannot support it yet. Compensating controls, properly designed, close most of the practical risk at a fraction of the cost.
What does a tabletop exercise involve, and why is it necessary if we already have a written BCP?

A tabletop exercise is a facilitated, structured walkthrough of a realistic disruption scenario — for example, your core system becomes unavailable for 48 hours, or your primary facility is inaccessible for a week — in which management works through the actual decisions the written plan calls for: who is notified first, who has authority to declare an incident, what the manual workaround is, how customers and vendors are communicated with. This consistently surfaces gaps that a document review alone does not — an outdated contact list, an assumption that someone else holds a critical password, a step that reads clearly on paper but nobody has actually rehearsed.

Practitioner noteThe single most common finding from a tabletop exercise, in our experience, is that the plan assumes a person who has since left the organisation will lead the response. Nobody updates a BCP contact list unless someone is specifically responsible for doing so on a defined schedule.
How is this different from Forensic Audit?

A Forensic Audit investigates a specific, already-suspected incident — what happened, who was involved, and what the quantified loss is — and is engaged reactively after a concern has already surfaced. A BCP & Fraud Risk Assessment is proactive and systemic: it identifies where fraud opportunity and continuity risk exist across the organisation before any specific incident has occurred, so gaps can be closed ahead of time. Where a specific incident has already occurred, we recommend a Forensic Audit for that matter, often followed by (or alongside) a broader BCP & Fraud Risk Assessment to identify whether the same root-cause control gap exists elsewhere.

Practitioner noteWe routinely see clients come to us after a specific fraud loss asking for the forensic investigation, and we then recommend the broader assessment as a follow-on — because resolving the one incident without checking whether the same opportunity exists elsewhere in the business usually means a similar loss recurs within a few years.
How is this different from GRC Assurance?

GRC Assurance is a broader, entity-wide review of governance structure, the full enterprise risk universe, and the control environment as a system — of which fraud risk and business continuity are two components among several (governance, compliance management, whistleblower mechanisms, and more). A BCP & Fraud Risk Assessment is a focused, deeper dive specifically into operational resilience and fraud exposure. Organisations that have already had a GRC Assurance review, or whose immediate concern is specifically continuity and fraud rather than the full governance picture, typically choose this narrower engagement; a first-time, entity-wide governance review is better served by GRC Assurance, with BCP and fraud risk as one workstream within it.

Practitioner noteWe often recommend GRC Assurance as the first, broader engagement for a company that has never had any structured risk review, with BCP & Fraud Risk Assessment as a deeper subsequent dive into the two areas the GRC review flags as highest-priority.
Does this cover cybersecurity as well?

The business continuity component includes assessing your dependency on IT systems, your backup and recovery arrangements, and whether IT-related disruption scenarios are addressed in your BCP/DRP — because IT resilience is usually central to overall business continuity today. However, a deep technical cybersecurity assessment — penetration testing, vulnerability scanning, technical security architecture review — is a more specialised, separate engagement. We scope the appropriate level of IT/cyber coverage within this assessment and can bring in or refer to our dedicated Cybersecurity Audit capability where deeper technical testing is warranted.

Practitioner noteWe consistently find that IT-related single points of failure and IT access-control gaps are among the most material findings in both the continuity and fraud halves of this assessment — even in businesses that do not think of themselves as 'technology companies.'
We had a suspected internal fraud recently. Should we start here or with a Forensic Audit?

If you already have a specific, identifiable concern — a discrepancy, a whistleblower report, an anomaly someone has flagged — start with a Forensic Audit to establish the facts of that specific matter. A BCP & Fraud Risk Assessment is the right next step once the specific matter is resolved, or can run in parallel, to answer the systemic question: what control gap allowed this, and does the same gap exist in other processes or locations across the organisation.

Practitioner noteAddressing only the specific incident — typically by terminating the individual involved — without addressing the underlying control gap is the most common reason we see a similar fraud recur elsewhere in the same organisation within a few years.
What deliverables do we actually receive?

A written report covering: the Business Impact Analysis with RTO/RPO for each critical process; a single-point-of-failure register; an updated or newly drafted BCP/DRP reflecting the BIA findings; a fraud risk heat map by process area with root-cause analysis; a segregation-of-duties and access-rights testing summary; a prioritised, rated findings register (Critical/High/Medium/Low) with management's response and remediation timeline; and a recommended follow-up review date. This is supplemented by a live presentation to the Audit Committee or Board and, typically, a facilitated tabletop exercise.

Practitioner noteWe do not deliver a generic industry template with your company name inserted. Every finding, scenario, and BCP recommendation in our report reflects what we actually observed in your organisation's processes and data — the Board can trust the basis for every conclusion.
How long does the engagement take?

A first-time, entity-wide assessment for a mid-sized company typically takes 8–12 weeks from initial scoping to Board presentation, depending on the number of critical processes and locations covered and the depth of segregation-of-duties testing agreed. A more narrowly scoped assessment — for example, business continuity only, or fraud risk limited to the finance function — can be completed faster. Subsequent cycles are generally quicker once the BIA and fraud risk baseline already exist.

Practitioner noteThe most common cause of delay is not the assessment work itself but management taking longer than expected to assemble process documentation and schedule interviews with process owners. We build realistic buffer into the proposed timeline and coordinate through a single internal point of contact to keep this on track.
What does this engagement cost?

Fees depend on entity size, the number of critical processes and locations in scope, whether a full tabletop exercise is included, and the depth of segregation-of-duties and access-rights testing agreed. PNPC provides a written scope and fixed-fee proposal after an initial scoping conversation — we do not quote a fee before understanding what is actually being assessed and why.

Practitioner noteWe are not the cheapest option for a generic template BCP document with your logo on the cover. What you are paying for is the actual Business Impact Analysis, the tested access-rights review, the facilitated tabletop exercise, and the direct Board presentation — the parts of the engagement that genuinely reduce risk rather than just document it.
Who at PNPC conducts this assessment — is it the same team as our statutory auditor?

Where PNPC is also your statutory auditor, we structure this engagement with an appropriately separate team and reporting line to preserve independence, consistent with the Companies Act and applicable professional standards. For companies where independence rules restrict the statutory auditor from providing certain non-audit services, we advise upfront on whether PNPC can undertake this assessment or whether an independent firm should be engaged instead.

Practitioner noteWe raise the independence question proactively at the first scoping conversation, not after the engagement has already begun. Getting this wrong can affect both the credibility of the assessment findings and the statutory audit relationship.
Will this disrupt our day-to-day operations while it's underway?

We design the engagement to minimise disruption. Most of the work involves document and system-access review, structured interviews with process owners (typically 30–60 minutes each), sample-based testing that does not require processes to pause, and a single facilitated tabletop exercise scheduled at a convenient time. We coordinate through a single internal point of contact — typically the CFO's office or Company Secretary — to manage information flow efficiently.

Practitioner noteWe ask for one coordinating contact rather than chasing multiple department heads independently. This alone materially reduces the internal burden on your team and keeps the engagement on schedule.
Does the report get shared with any regulator?

No. This is a private, management-and-Board-facing advisory and assurance engagement — findings are reported to the Audit Committee, Risk Management Committee, or Board that commissioned it, not to SEBI, MCA, or any other regulator. Separately, where a finding indicates a potential fraud that triggers the statutory auditor's specific reporting obligation under Section 143(12) of the Companies Act, that obligation applies to the entity's statutory auditor in that defined circumstance — not to PNPC in this advisory capacity, unless PNPC also happens to hold that statutory role for the entity.

Practitioner noteWe are explicit about this distinction at the outset of every engagement, because management engages far more candidly with the review once they understand findings are not automatically headed for external reporting.
How often should this assessment be repeated?

For listed companies and larger private companies with an active Risk Management Committee, we recommend revisiting the BIA and fraud risk map every 1–2 years, or sooner following material business change — a new system implementation, a new geography, significant headcount growth, or a merger. For smaller unlisted companies without a regulatory trigger, every 2–3 years, or ahead of a major milestone such as a fundraise, is generally proportionate.

Practitioner noteWe recommend a cadence honestly calibrated to the client's actual risk profile rather than defaulting to 'annual' for everyone — an assessment repeated too frequently on an unchanged business tends to produce diminishing findings at full cost.
How does this help us prepare for a fundraise, acquisition, or sale?

Institutional investors and acquirers routinely assess operational resilience and internal control/fraud risk maturity as part of due diligence — key-person dependency, vendor concentration risk, and segregation-of-duties gaps are common diligence findings that can affect valuation, deal terms, or timeline if discovered late in a live process. Conducting this assessment proactively, well ahead of a transaction, allows genuine remediation on your own schedule rather than under the pressure and scrutiny of active diligence.

Practitioner noteWe recommend running this assessment at least 6–12 months ahead of a planned transaction wherever the timeline allows — enough time to actually close material gaps, not merely document them, before a diligence team arrives.
What is the difference between a BCP and a DRP?

A Business Continuity Plan (BCP) is the broader plan covering how the entire organisation continues critical operations through a disruption — people, processes, facilities, communications, and vendor relationships. A Disaster Recovery Plan (DRP) is the more technical, IT-specific subset focused on restoring systems, applications, and data after an outage. A DRP is typically a component nested within, or run alongside, the broader BCP — restoring the IT system is necessary but not sufficient if, for example, staff cannot reach the facility or a key vendor relationship has also failed.

Practitioner noteWe frequently find organisations that have invested meaningfully in IT disaster recovery (backups, redundant infrastructure) while having no equivalent plan for a non-IT disruption, such as losing access to a facility or a critical vendor — an unbalanced continuity posture that a proper BIA immediately surfaces.
Does this assessment apply to a UAE subsidiary or overseas entity as well?

Yes, where in scope. For group structures with a UAE or overseas subsidiary, PNPC's presence in both India and the UAE (Dubai office) allows a coordinated assessment across jurisdictions under a single engagement — assessing whether continuity planning and fraud control standards are applied consistently at the subsidiary level, and whether the parent Board has adequate visibility into subsidiary-level risk, rather than requiring separate, disconnected reviews by unrelated local providers.

Practitioner noteWe commonly find that a UAE subsidiary set up quickly to capture a commercial opportunity has meaningfully lighter continuity planning and financial controls than the Indian parent — a gap that only becomes visible when someone actually looks at both together.
Can this be scoped narrowly — just fraud risk, or just business continuity — rather than both together?

Yes. While we recommend running both together where budget and time allow, given the overlap in root causes, we regularly scope either independently — a fraud risk assessment focused specifically on the finance function, for example, or a business continuity assessment focused only on IT and facilities. A narrower first engagement is often the right starting point for an organisation new to structured risk assessment, with the other half added in a subsequent phase.

Practitioner noteWe are candid about which half is likely to matter more for a given client based on an initial conversation — a cash-intensive retail business, for example, often has more urgent fraud risk exposure than continuity risk, and we say so rather than defaulting to a standard combined scope regardless of fit.
What red flags does PNPC typically look for in the fraud risk assessment?

Common red flags include: a vendor master file with duplicate or suspiciously similar vendor names, vendors sharing an address or bank account with an employee, round-number or just-below-approval-threshold transaction patterns, dormant vendor accounts suddenly becoming active, journal entries posted and approved by the same individual, unusually high employee reimbursement claims relative to role, and related-party transactions not routed through the formal approval and disclosure process. We test for these patterns using available transaction data as part of the assessment, alongside the qualitative control-environment review.

Practitioner noteWe are careful to frame red-flag findings as risk indicators warranting further review, not conclusions of actual fraud — a red flag can also have an entirely innocent explanation, and jumping to a conclusion without proper investigation creates its own legal and employee-relations risk.
Our Board already has cyber and D&O insurance. Does that reduce the need for this assessment?

Insurance transfers financial risk after a loss occurs; it does not prevent the disruption or the fraud from happening, and most policies have conditions, exclusions, and sub-limits that only become apparent when a claim is made. In our experience, insurers themselves increasingly ask about the existence of a tested BCP and documented fraud risk controls when underwriting or renewing cyber and crime insurance — so a completed assessment can also support better insurance terms, not merely reduce reliance on the policy.

Practitioner noteWe have seen claims complicated or reduced because the insured could not demonstrate that reasonable, documented controls were in place at the time of the loss. A completed assessment strengthens your position with insurers, in addition to reducing the likelihood of needing to claim at all.
What happens after the report — does PNPC help implement the recommendations, or just identify them?

Both, by design. The report includes specific, sequenced remediation recommendations — not just a description of each gap. Where the client wants implementation support (updating the BCP/DRP document, redesigning a specific control, reconfiguring ERP access rights, drafting a revised vendor-onboarding approval workflow), PNPC provides that as a follow-on engagement, kept appropriately separate from the assessment role where independence considerations require it.

Practitioner noteWe discuss the assurance-versus-implementation boundary at scoping, particularly where PNPC also serves as statutory auditor, so there is no ambiguity about what PNPC can and cannot do in both an assessor and an implementer capacity for the same client.
Why should we choose PNPC for this over a specialist risk consultancy or a Big 4 firm?

A Big 4 firm brings brand recognition and large-team capacity, typically at a substantially higher fee, often with the day-to-day engagement led by junior staff. A specialist risk consultancy may bring strong continuity or fraud-analytics expertise without the Chartered Accountancy grounding to connect findings back to the actual Companies Act, SEBI, and tax implications with full technical accuracy. PNPC combines nearly four decades of practising CA experience — including the statutory audit, tax, and regulatory context that fraud and continuity findings inevitably touch — with a senior-partner-led engagement model and coordinated India-UAE coverage for group structures.

Practitioner noteAsk any provider who is actually in the room testing your system access rights and presenting findings to your Board. We have had clients describe prior engagements where the report was authored by a team they never met. Our engagement partner leads this review from scoping through the Board presentation and follow-up.
What does the full PNPC engagement include, end to end?

Scoping consultation aligned to your actual driver and risk profile; Business Impact Analysis with RTO/RPO quantification for critical processes; single-point-of-failure mapping across people, vendors, systems, and facilities; review and update of existing BCP/DRP documentation; fraud risk mapping using the Fraud Triangle framework; segregation-of-duties and system access-rights testing; a facilitated tabletop exercise; a rated, prioritised findings register with root-cause analysis; management response capture; a written report; a live presentation to the Audit Committee/Board; and a follow-up verification review within the agreed remediation period.

Practitioner noteEvery item above is confirmed in a written scope and fee proposal before work begins. We do not start on a verbal understanding of scope — ambiguous scope is one of the most common sources of dissatisfaction with risk and assurance engagements generally, and we avoid it by design.
Can this assessment be triggered as an urgent, accelerated review rather than the standard 8–12 week cycle?

Yes. Where the trigger is time-sensitive — an active investor due diligence process with a tight timeline, or a recent near-miss the Board wants addressed urgently — we can scope an accelerated, focused review covering the highest-risk processes and the most material fraud opportunity areas first, with the full assessment following as a second phase. This trades some breadth for speed and is agreed explicitly at scoping, not assumed.

Practitioner noteWe are transparent when an accelerated scope means certain lower-priority areas will not be covered in the first pass. Rushing the full assessment to an unrealistic timeline tends to produce a report that reads complete but has not actually tested what it claims to — we would rather scope an honest, faster partial review than a compromised full one.
Why PNPC Global
FeatureGeneric BCP Template ProviderBoutique Risk/Fraud ConsultancyPNPC Global
Business Impact Analysis depthOften skipped or generic — same RTO/RPO applied to every processUsually thorough for continuity, but rarely paired with a fraud lensFull BIA with process-specific RTO/RPO, paired with fraud risk mapping using the same critical-process data
Fraud risk testing methodNot typically offeredData-analytics driven, but often without statutory/regulatory groundingFraud Triangle-based mapping plus actual system access-rights and transaction testing, connected to Companies Act and SA 240 obligations
Statutory & tax grounding of findingsNot applicable — template-only providersOften limited — risk expertise without deep CA/regulatory groundingSenior CA-led — every finding connected to actual Companies Act, SEBI, and tax implications
Tabletop exercise includedRarely, if everSometimes, as a separate paid add-onIncluded as a standard part of the engagement to test the plan, not just document it
Engagement continuityOne-time document delivery, no ongoing relationshipVariable — depends on consultancy size and retentionSame engagement partner from scoping through Board presentation and follow-up verification
India-UAE group coverageNot availableRarely availableSingle coordinated engagement across Chennai, Bangalore, Hyderabad, and Dubai offices
Board presentationNot offered — document delivered by emailVaries by consultancyEngagement partner presents findings personally to the Audit Committee/Board
Follow-up verificationNot offeredInconsistent, often re-priced separatelyBuilt into the engagement scope as a standard follow-up review within the agreed remediation period

What the PNPC package includes

  1. 01

    Scoping consultation to align the assessment with your actual risk driver — regulatory obligation, near-miss incident, or pre-transaction readiness

  2. 02

    Business Impact Analysis with Recovery Time Objective and Recovery Point Objective quantified for each genuinely critical process

  3. 03

    Single-point-of-failure mapping across key personnel, sole-source vendors, facilities, and IT systems

  4. 04

    Review and update of existing Business Continuity and Disaster Recovery Plan documentation against BIA findings

  5. 05

    Fraud Triangle-based fraud risk mapping across finance, procurement, HR, and operational process areas

  6. 06

    Segregation-of-duties testing against actual ERP/accounting system access rights, not just the policy document

  7. 07

    Fraud scenario and red-flag analysis using available transaction data for the highest-opportunity process areas

  8. 08

    Facilitated tabletop exercise simulating a realistic disruption scenario to test the plan in practice

  9. 09

    Rated, prioritised findings register with root-cause analysis spanning both continuity and fraud risk domains

  10. 10

    Management response capture before the report reaches the Audit Committee or Board

  11. 11

    Live presentation to the Audit Committee / Risk Management Committee / Board by the engagement partner

  12. 12

    Follow-up verification review within the agreed remediation period to confirm actual closure

  13. 13

    India-UAE coordinated coverage for group structures with a Dubai or overseas subsidiary

  14. 14

    Direct access to your engagement partner — by phone and WhatsApp — for questions between formal review cycles

Find out how your business would actually hold up through a disruption — and where it is genuinely exposed to fraud — before either question gets answered the hard way. Speak with a PNPC engagement partner, a practising Chartered Accountant who will map your real dependencies, test your real controls, and present findings your Audit Committee can act on immediately.

← Back to Risk Advisory
Talk to a CA