HomeServicesRisk AdvisoryGovernance, Risk & Control Assurance

Risk Advisory · Governance, Risk & Compliance (GRC)

Governance, Risk & Control Assurance

Governance, Risk & Control (GRC) Assurance is the independent lens that tells your Board and Audit Committee whether the governance structures, risk management framework, and internal control environment you believe you have actually operate the way you think they do.

Chartered Accountants · Chennai · Hyderabad · Bangalore · Dubai · Since 1986

2,000+Clients since 1986
42 yrsCA practice
4Offices · India & UAE
24 hrsResponse time

Governance, Risk & Control (GRC) Assurance is the independent lens that tells your Board and Audit Committee whether the governance structures, risk management framework, and internal control environment you believe you have actually operate the way you think they do. At PNPC Global, we do not simply test individual controls in isolation — we assess how governance, risk, and compliance functions interlock as a system, identify where accountability gaps or duplicated effort exist between them, and report findings your directors can act on with confidence. For listed companies under SEBI LODR, large private companies preparing for institutional capital, and family businesses professionalising their governance, GRC Assurance is the discipline that converts good intentions into a defensible, auditable framework.

What it costs

Govt. feesGovernment & statutory fees as applicable to your case
Professional feeFixed professional fee — confirmed in writing before we start

No hidden charges. The exact figure is set in your engagement letter.

What Governance, Risk & Control Assurance is

GRC Assurance is an independent review activity that evaluates the design and operating effectiveness of an organisation's Governance, Risk Management, and Compliance (Internal Control) architecture — assessed together as an integrated system rather than as three disconnected functions. Governance covers Board structure, committee mandates, delegation of authority, and the tone set at the top. Risk covers whether the organisation has identified its material risks, assessed them consistently, and put mitigation and monitoring in place — typically benchmarked against recognised frameworks such as COSO Enterprise Risk Management (COSO ERM 2017) or ISO 31000. Control covers whether the day-to-day processes that are supposed to prevent or detect errors, fraud, and non-compliance are actually designed correctly and are operating as intended, generally assessed against the COSO Internal Control – Integrated Framework (2013). GRC Assurance sits alongside — and is distinct from — statutory financial audit, tax audit, and Internal Financial Controls (IFC) certification under Section 143(3)(i) of the Companies Act 2013; it is broader in scope and forward-looking in its recommendations rather than limited to an opinion on historical financial statements.

The practical trigger for a formal GRC Assurance engagement varies. For listed entities, SEBI's Listing Obligations and Disclosure Requirements (LODR) Regulations require a functioning Risk Management Committee (mandatory for the top 1,000 listed companies by market capitalisation under Regulation 21) and place responsibility on the Board for the risk management framework — an independent assurance review demonstrates that this obligation is being discharged in substance, not merely on paper. For large private companies, Section 134(5)(e) of the Companies Act 2013 requires directors to state in the Board's Report that they have laid down internal financial controls and that such controls are adequate and operating effectively — a statement the Board should not make without some independent basis for confidence. For companies preparing for a fundraise, an IPO, or a strategic sale, institutional investors and their diligence teams routinely request evidence of a working GRC framework as part of governance due diligence, and gaps discovered late in a transaction process can materially affect valuation or deal timelines.

A GRC Assurance engagement is not a single deliverable but a structured programme: it typically begins with a governance and risk-maturity assessment (mapping the current state against a recognised maturity model), moves through control design evaluation across key processes (financial reporting, procurement, revenue, IT, HR, and any sector-specific process), tests whether controls that are documented as existing are actually being performed as described, and concludes with a report to the Audit Committee or Board setting out rated findings, root causes, and a prioritised remediation roadmap. Unlike a one-time compliance certificate, GRC Assurance is most valuable when run as a recurring cycle — annually or on a rolling multi-year plan — because governance and risk exposure change as the business grows, enters new markets, or faces new regulation.

For unlisted companies and family-owned businesses, GRC Assurance often serves a second purpose beyond pure assurance: it is the mechanism through which an informally-run business builds the documented governance discipline that banks, private equity investors, and the next generation of family leadership will expect. A business that has never formalised its risk register, its delegation of authority, or its whistleblower mechanism can use a GRC Assurance engagement as the structured starting point for building all three — rather than attempting to build governance infrastructure for the first time under the pressure of an active investor due diligence process.

When a GRC Assurance engagement is the right call

Listed company with a mandatory Risk Management Committee under SEBI LODR Regulation 21 that needs independent evidence its risk framework operates in substance, not just as a committee charter on paper

Board or Audit Committee about to sign the Section 134(5)(e) internal financial controls adequacy statement and wants an independent basis for that representation beyond management's own assertion

Company preparing for a Series B/C round, pre-IPO readiness, or strategic sale where institutional investors will conduct governance and risk due diligence as part of the transaction process

Family-owned or founder-led business professionalising ahead of generational succession, external Board induction, or its first institutional investor

Organisation that has grown rapidly and suspects its governance structures, delegation of authority, and risk oversight have not kept pace with its scale or geographic spread

Board that has received whistleblower complaints, a fraud incident, or a regulatory notice and needs an independent view of whether the underlying governance and control environment is the root cause

Group structure with multiple subsidiaries or a UAE/overseas arm where consolidated risk oversight and consistent control standards across entities have never been formally assessed

Company adopting or renewing a formal Enterprise Risk Management (ERM) framework and wants independent validation that the framework, once built, is actually being used by risk owners

When a narrower or different engagement fits better

You need a statutory opinion on financial statements for regulatory or shareholder purposes — that is a Statutory Audit under the Companies Act, not GRC Assurance, which does not issue an opinion on financial statements

You need the Board's Section 143(3)(i)/134(5)(e) Internal Financial Controls certification itself prepared and tested to the specific IFC-over-financial-reporting standard — that is an IFC Review engagement, a related but narrower and more codified scope than a full GRC Assurance review

You need a specific, narrow investigation into a suspected fraud or a defined incident — a targeted Forensic Audit is faster and more appropriate than a broad governance and risk review

Your company is an early-stage startup with a lean team, no committee structure, and no near-term institutional fundraise or listing plan — the cost and formality of a full GRC programme is disproportionate; a lighter internal-controls readiness conversation is more suitable at this stage

You need ongoing operational testing of specific process controls on a cyclical basis rather than a point-in-time or periodic governance-and-risk assessment — a structured Internal Audit programme (Section 138) is typically the better long-term vehicle, and is often run alongside or as a component of the broader GRC framework

Your immediate need is IT general controls or cybersecurity control testing specifically — an ISA 315/ITGC or Cybersecurity Audit engagement addresses that scope with more technical depth than a governance-level GRC review

Structure Comparison

GRC Assurance vs adjacent assurance and advisory engagements

FeatureGRC AssuranceStatutory AuditInternal Audit (Sec 138)IFC ReviewForensic Audit
Primary objectiveAssess governance, risk framework, and control environment as an integrated systemOpinion on true and fair view of financial statementsOngoing testing of process controls against risk-based planTest design & operating effectiveness of controls over financial reportingInvestigate a specific suspected irregularity or incident
Governing framework/standardCOSO ERM 2017, COSO Internal Control 2013, ISO 31000 (as reference frameworks)Standards on Auditing (SAs) under Companies Act 2013Standards on Internal Audit (SIA), Section 138 & Rule 13Guidance Note on Audit of ICFR (ICAI), Section 143(3)(i)No single statute — engagement-specific scope and forensic standards
Statutory mandateNot separately mandated by statute — driven by SEBI LODR Board/RMC obligations and governance practiceMandatory for every company under Section 139Mandatory for listed cos and prescribed classes under Rule 13Mandatory reporting by statutory auditor for most companies under Sec 143(3)(i)Not mandatory — engaged on a need basis
Reports toBoard / Audit Committee / Risk Management CommitteeShareholders (via AGM)Audit Committee / BoardShareholders (via statutory audit report) and BoardWhoever commissions it — Board, Audit Committee, or specific stakeholder
Scope breadthEntity-wide — Board, ERM framework, and control environment togetherFinancial statements and disclosuresProcess- and function-specific per audit planControls specifically over financial reportingNarrow and incident-specific
Typical frequencyAnnual or defined multi-year cycleAnnual — mandatory every FYContinuous per annual audit plan, typically quarterly cyclesAnnual, alongside statutory auditOne-off, triggered by an event
OutputGovernance & risk maturity rating, control gap register, prioritised remediation roadmapAudit opinion (unqualified/qualified/adverse/disclaimer)Audit findings report per engagement/quarterManagement letter on control deficiencies, feeds auditor's reportInvestigation report — findings, quantification, recommendations
Independence requirementShould be independent of the function being assessed; often run by external CA firmStatutory — independent under Section 141Should be independent of operations being tested; can be in-house or outsourcedPerformed by/relied upon by the statutory auditorMust be independent of the individuals/area under investigation
Best suited toBoards & Audit Committees needing systemic assurance ahead of listing, fundraise, or governance maturity milestonesEvery registered company, without exceptionCompanies meeting Section 138/Rule 13 thresholds, or choosing best practiceCompanies where auditor must opine on ICFRCompanies facing a specific fraud, whistleblower complaint, or dispute

These engagements are complementary rather than substitutes for one another — a mature governance programme typically runs Statutory Audit, Internal Audit, IFC Review, and periodic GRC Assurance together, each covering a different layer of assurance. PNPC scopes each engagement independently and advises on the right combination and sequencing for your stage and regulatory profile.

How it works
#Stage & What PNPC DoesWhat Generic Providers SkipTimeline
1Scoping & Objective-Setting — Understand why assurance is needed nowWe start by asking what triggered the need: a SEBI LODR obligation, an upcoming fundraise, a Board directive, a past incident, or first-time governance formalisation. This shapes whether the engagement is entity-wide or focused on specific risk domains. Generic providers often propose a fixed-scope template regardless of the actual driver.Week 1
2Governance Structure Review — Board, committees, delegation of authorityWe map the actual Board composition against Companies Act and SEBI LODR independence and expertise requirements, review committee charters (Audit, Risk Management, Nomination & Remuneration, CSR) against their statutory mandate, and test whether the Delegation of Authority matrix in use reflects what is actually happening in approvals — not just the document on file.Week 1–2
3Risk Universe & Risk Register AssessmentWe assess whether a documented risk register exists, whether it is genuinely risk-ranked (likelihood x impact, with a defined risk appetite) or is a static list untouched since creation, and whether risk owners across the business actually use it. Where COSO ERM or ISO 31000 has been adopted formally, we test whether the framework is embedded in decision-making, not just referenced in a policy document.Week 2–3
4Control Environment Walkthrough — Key process areasWe walk through the control design in financial reporting, procurement-to-pay, order-to-cash, payroll, treasury, and IT general controls — selecting the processes most material to your business and risk profile. Walkthroughs identify controls that exist on paper (in a policy manual) versus controls that are genuinely built into the process and system.Week 3–5
5Operating Effectiveness Testing — Sample-based control testingFor controls assessed as well-designed, we test a sample of actual transactions or instances to confirm the control operated as intended throughout the review period — not merely at a single point in time. This distinguishes GRC Assurance from a policy review: we test whether governance and controls work in practice.Week 4–6
6Compliance Management System ReviewWe assess whether the organisation has a structured compliance tracker covering applicable laws (Companies Act, FEMA, labour codes, sector regulation, data protection where applicable), whether ownership for each compliance is assigned, and whether escalation for missed compliances reaches the right level of management — not just a spreadsheet nobody reviews.Week 5–6
7Whistleblower & Fraud Risk AssessmentWe review the Vigil Mechanism/whistleblower policy mandated under Section 177(9) of the Companies Act and SEBI LODR Regulation 22, test whether complaints received (if any) were handled per the policy, and conduct a fraud risk assessment identifying areas of highest fraud exposure given the business model and control gaps found.Week 5–6
8Risk Maturity & Gap RatingEvery finding is rated against a defined maturity scale (typically Initial / Developing / Defined / Managed / Optimised, aligned to common maturity model conventions) so the Board sees not just a list of issues but a picture of where the organisation stands and what "good" looks like at the next stage.Week 6–7
9Draft Report & Management ResponseWe issue a draft report to management for factual accuracy confirmation and to capture management's proposed remediation timeline and owner for each finding — before anything is presented to the Audit Committee or Board. This avoids surprises and produces a report the Board can act on immediately.Week 7–8
10Presentation to Audit Committee / Board / Risk Management CommitteePNPC's engagement partner personally presents findings, root causes, and the remediation roadmap to the Committee or Board — not a written report emailed and left for the Company Secretary to summarise. Questions are answered in the room, in real time.Week 8
11Remediation Roadmap & PrioritisationFindings are prioritised (Critical/High/Medium/Low) with realistic remediation timelines agreed with process owners — a roadmap the Audit Committee can track at each subsequent meeting, not a report that is filed and forgotten.Week 8–9
12Follow-Up & Closure VerificationPNPC conducts a follow-up review — typically at the mid-point and end of the agreed remediation period — to verify that remediation actions were actually implemented and are operating, not just marked "closed" by the responsible owner without verification.3–6 months post-report
13Next-Cycle PlanningGRC Assurance is most effective as a recurring discipline. We work with the Audit Committee to plan the following year's scope — rotating emphasis across risk domains, incorporating new risks (new geography, new regulation, new business line) as the organisation evolves.Annually or per agreed cycle

A first-time, entity-wide GRC Assurance review for a mid-sized company typically takes 8–10 weeks from scoping to Board presentation; subsequent annual cycles are usually faster once the risk register, control matrix, and prior findings baseline exist. Actual duration depends on entity size, number of locations/subsidiaries, and the depth of testing agreed in scope.

Document Checklist
Governance & Board Documents

Memorandum & Articles of Association and any Shareholders' Agreement provisions relevant to governance rights

Board composition details — director profiles, independent director declarations under Section 149(6)/(7), related disclosures of interest/non-disqualification (Form MBP-1/DIR-8), and skills matrix if maintained

Committee charters — Audit Committee, Risk Management Committee, Nomination & Remuneration Committee, CSR Committee — and minutes for the review period

Delegation of Authority (DoA) matrix currently in force, with any amendment history

Board and Committee meeting minutes and attendance records for the period under review

Related Party Transaction policy and the register of related party transactions approved during the period

Risk Management Documents

Enterprise Risk Management policy or framework document, if one exists

Current risk register — risk descriptions, likelihood/impact ratings, mitigation status, and assigned risk owners

Board or Committee risk review minutes and any risk dashboard or heat map presented to leadership

Business continuity and disaster recovery plan, and evidence of any testing conducted

Insurance policy schedule — Directors & Officers (D&O), Professional Indemnity, cyber, and key-person cover as applicable

Internal Control & Process Documentation

Standard Operating Procedures (SOPs) for key processes — procurement, revenue recognition, payroll, treasury, fixed assets

Financial approval matrix and evidence of adherence — sample approved transactions across the period

IT general controls documentation — access management, change management, and backup policies

Segregation of duties matrix for key financial and operational processes

Prior internal audit reports and their closure status, if an internal audit function already exists

Compliance & Regulatory Documents

Compliance tracker or register covering applicable laws — Companies Act, FEMA, labour codes, GST, sector-specific licences

Evidence of statutory filings for the review period — MCA annual filings, tax filings, regulatory returns as applicable

Any regulatory correspondence, show-cause notices, or inspection reports received during the review period

Sector-specific licences and their renewal status, where the business is subject to sectoral regulation (RBI, SEBI, IRDAI, etc.)

Whistleblower, Ethics & Fraud Documents

Vigil Mechanism / whistleblower policy adopted under Section 177(9) and SEBI LODR Regulation 22

Code of Conduct for Directors and Senior Management, and evidence of periodic acknowledgement by employees

Log of whistleblower complaints received during the review period and their resolution status

Any known fraud incidents, disciplinary actions, or ongoing investigations relevant to the control environment

Prior Assurance & Group Structure Documents

Most recent statutory audit report, management letter, and Internal Financial Controls (IFC) certification, if available

Prior GRC, internal audit, or risk assessment reports from any earlier engagement, and their remediation tracker

Group/subsidiary structure chart, including any UAE or overseas entities, with an indication of consolidated risk oversight arrangements

Organisation chart identifying process owners and risk owners for each key function under review

Ongoing obligations
PhaseTriggered ByPNPC CA GuidanceRisk If Ignored
Pre-Engagement ReadinessBoard or Audit Committee decision to commission GRC reviewScoping conversation to align on objective — SEBI LODR obligation, pre-fundraise readiness, post-incident review, or first-time formalisation. Right-sizing scope to entity size and risk profile so the engagement is proportionate and useful.Wrong-sized scope — either an overly generic review that misses the risks that matter, or an overly heavy engagement disproportionate to the business, wasting budget and management time.
Baseline AssessmentEngagement kickoffGovernance structure review, risk register assessment, and control walkthroughs across material processes. Establishing an honest baseline — including uncomfortable findings — rather than a report calibrated to please management.A baseline that understates real gaps gives the Board false comfort — and becomes a liability if a control failure or incident later exposes that the earlier assessment missed it.
Testing & FindingsBaseline completeSample-based operating effectiveness testing, fraud risk assessment, and compliance management system review — producing a rated, prioritised findings register rather than a narrative list of observations.Findings without prioritisation or root-cause analysis lead management to fix low-impact issues while critical gaps remain — a common failure mode of superficial reviews.
Reporting & Board PresentationTesting completeDraft report shared with management for factual validation, then presented directly to the Audit Committee/Board by the engagement partner, with remediation ownership and timelines agreed in the room.A report emailed without a live presentation is frequently filed without full Board engagement — and the Board's Section 134(5)(e) representation ends up resting on a document nobody at Board level actually discussed.
Remediation ExecutionReport accepted, roadmap agreedPNPC supports process owners in interpreting findings and designing practical remediation — policy updates, control redesign, system configuration changes, training — sequenced by priority and resource availability.Remediation items assigned without follow-up support routinely stall — process owners deprioritise governance fixes against operational pressure unless there is a structured check-in cadence.
Follow-Up VerificationAgreed remediation period elapsesIndependent follow-up testing to confirm remediation actually occurred and is operating — not just marked complete by the same owner who was responsible for the original gap.Self-certified closure without independent verification is the single most common reason the same finding reappears in the following year's review, undermining Board confidence in the whole programme.
Next-Cycle Planning & Continuous ImprovementAnnual governance calendarScope for the following cycle is planned with the Audit Committee — rotating depth across risk domains, incorporating new risks from business growth, new geographies, new regulation, or M&A activity.A GRC programme that repeats an identical scope every year loses relevance as the business changes — new risks (a new subsidiary, a new regulation, a new business line) go unassessed while mature areas are reviewed repeatedly.
Trigger Events (Fundraise, Listing, Incident)Investor due diligence, IPO process, or a control failure/whistleblower complaintAccelerated or focused review scoped specifically to the trigger — governance due diligence readiness for a fundraise, IPO governance-readiness assessment against SEBI LODR, or root-cause review following an incident.Governance and risk gaps discovered for the first time during live investor or IPO due diligence create timeline risk, can affect valuation, and are far more costly to remediate under transaction pressure than through a planned assurance cycle.
Frequently asked
What exactly does GRC Assurance mean, in plain terms?

It is an independent check on three things together: whether your Board and committees are structured and functioning the way governance rules expect (Governance); whether your organisation has properly identified and is actively managing its most important risks (Risk); and whether the day-to-day controls that are supposed to prevent errors, fraud, and non-compliance actually work in practice, not just on paper (Control/Compliance). Most reviews look at only one of these in isolation. GRC Assurance looks at all three together, because in practice they interlock — a governance gap often explains why a risk went unmanaged, which in turn explains why a control failed.

Practitioner noteBoards often assume that having an Audit Committee and a risk policy document means governance is 'done.' The gap we most consistently find is between what is documented and what actually happens in practice — and that gap is exactly what GRC Assurance is designed to surface.
Is GRC Assurance a legal requirement for my company?

There is no single statute in India titled 'GRC Assurance' that mandates the exact engagement by that name. However, several underlying obligations make it highly relevant: SEBI LODR Regulation 21 requires the top 1,000 listed companies by market capitalisation to have a functioning Risk Management Committee; Section 134(5)(e) of the Companies Act 2013 requires directors of applicable companies to state that internal financial controls are adequate and operating effectively; and Section 177(9) requires a Vigil Mechanism. GRC Assurance is the independent activity that gives the Board a defensible basis for making those statements and meeting those obligations in substance.

Practitioner noteWe are frequently asked 'is this mandatory?' The honest answer is that the components are mandatory in various forms depending on your listing status and size, but the independent assurance itself is a governance best practice rather than a named statutory filing. We help clients understand exactly which underlying obligations apply to their specific company before scoping the engagement.
How is GRC Assurance different from Internal Audit?

Internal Audit (mandatory under Section 138 for listed companies and prescribed classes under Rule 13) is typically a recurring, process-focused testing function that works through a risk-based annual audit plan, function by function — procurement this quarter, payroll next quarter, and so on. GRC Assurance takes a step back and looks at the governance and risk architecture as a whole — is the Board structured correctly, is there a real risk register that risk owners use, does the compliance tracking system actually work — before or alongside testing individual process controls. In a mature organisation, GRC Assurance often sets the risk-based plan that the Internal Audit function then executes against.

Practitioner noteWe often recommend the two run together: a GRC Assurance review every year or two to reset the risk universe and governance baseline, with Internal Audit executing continuously against the risk-based plan that emerges from it.
How is GRC Assurance different from the statutory audit my company already gets every year?

The statutory audit under the Companies Act gives shareholders an opinion on whether your financial statements present a true and fair view — its scope is the financial statements and the controls that materially affect them. GRC Assurance is broader and forward-looking: it covers the Board's governance structure, the enterprise-wide risk framework, and controls across operational, compliance, and IT domains that may never surface in a financial statement audit at all — such as whether your whistleblower mechanism actually works, or whether your Delegation of Authority matrix reflects reality.

Practitioner noteWe sometimes see companies assume that a clean, unqualified statutory audit opinion means governance is sound. It does not — a statutory audit is not designed to test governance structure or enterprise risk management, and can be unqualified even where meaningful governance gaps exist.
How is GRC Assurance different from an IFC (Internal Financial Controls) Review?

An IFC Review is a specific, codified engagement — typically performed by or relied upon by the statutory auditor under Section 143(3)(i) — testing the design and operating effectiveness of controls specifically over financial reporting, following the ICAI's Guidance Note on Audit of Internal Financial Controls. GRC Assurance is broader: it covers governance structures and enterprise-wide risk management in addition to controls, and the controls it tests are not limited to those affecting financial reporting — operational, compliance, and IT controls are all in scope. In practice, IFC work is often one input into, or run alongside, a fuller GRC Assurance programme.

Practitioner noteIf your immediate need is specifically the Board's Section 134(5)(e)/143(3)(i) representation on financial reporting controls, our separate IFC Review engagement may be the more precisely-scoped and cost-effective starting point. We discuss this trade-off in every scoping conversation.
We are a private, unlisted company. Do we still need this?

SEBI LODR obligations apply only to listed companies, so the specific Risk Management Committee mandate does not apply to you. But GRC Assurance remains highly relevant for unlisted companies in three common scenarios: preparing for institutional fundraising, where investor due diligence will assess governance maturity regardless of listing status; family businesses professionalising ahead of succession or bringing in external directors; and any company where rapid growth has outpaced the formality of its governance and control structures.

Practitioner noteSome of our most valuable GRC engagements are with unlisted, founder-run businesses preparing for their first institutional round. Investors increasingly run a structured governance diligence checklist even for Series A/B rounds, and having a recent GRC Assurance report materially speeds up that process.
What frameworks does PNPC use to assess our governance and risk maturity?

We reference the COSO Enterprise Risk Management framework (COSO ERM 2017) for risk management assessment and the COSO Internal Control – Integrated Framework (2013) for control environment assessment — both widely recognised internationally and referenced in Indian regulatory guidance. Where relevant, we also draw on ISO 31000 for risk management principles. We do not force a rigid framework onto every client; we calibrate the depth and formality of the assessment to your size, sector, and regulatory profile.

Practitioner noteSmaller and mid-sized clients sometimes worry that 'COSO' and 'ISO 31000' sound like heavyweight frameworks meant for large multinationals. In practice we use these as reference structures to organise findings clearly for the Board — not as a rigid compliance checklist that forces disproportionate documentation on a smaller business.
How long does a full GRC Assurance engagement take?

A first-time, entity-wide review for a mid-sized company typically takes 8–10 weeks from initial scoping to the final Board presentation, depending on the number of locations, subsidiaries, and process areas covered. Subsequent annual or periodic reviews are generally faster once the risk register, control matrix, and prior findings baseline already exist. A narrowly scoped review — for example, focused only on governance structure and risk register maturity without full operating-effectiveness testing — can be completed faster.

Practitioner noteWe agree a realistic timeline at scoping and flag dependencies early — the most common cause of delay is management taking longer than expected to assemble documentation, not the assurance work itself. We build buffer into our proposed timeline for this.
What does a GRC Assurance engagement cost?

Fees depend on entity size, number of locations and subsidiaries, the process areas in scope, and whether the engagement includes operating-effectiveness testing (sample transaction testing) or is limited to a design-level governance and risk review. PNPC provides a written scope and fixed-fee proposal after an initial scoping conversation — we do not quote a fee without first understanding what triggered the need and how deep the review needs to go.

Practitioner noteWe are not the cheapest option for a superficial governance checklist review. What we charge for is the operating-effectiveness testing, the root-cause analysis behind each finding, and the direct Board presentation — the parts of the engagement that actually change how your governance functions, not just document how it currently doesn't.
Who conducts the GRC Assurance review — is it the same team as our statutory auditor?

Independence matters here. Where PNPC is also your statutory auditor, we structure the GRC Assurance engagement with an appropriately separate team and reporting line to preserve independence and avoid the auditor effectively reviewing its own work. For companies where independence rules under the Companies Act or SEBI regulations restrict the statutory auditor from providing certain non-audit services, we advise upfront on whether PNPC can undertake the GRC engagement or whether it should be performed by an independent firm.

Practitioner noteWe raise the independence question proactively at the first conversation rather than waiting for a regulator or investor to raise it later. Getting this wrong can taint both the GRC report's credibility and, in some cases, the statutory audit relationship.
What is a risk register, and why does PNPC test whether it is 'actually used'?

A risk register is a structured document listing an organisation's identified risks, their likelihood and potential impact, the mitigation measures in place, and the person accountable for each risk. Many companies have a risk register that was created once — often for an audit or a funding round — and never updated again. Testing whether it is 'actually used' means checking whether risk owners can describe their assigned risks without reading from the document, whether the register has been updated for new risks in the last review cycle, and whether Board or Committee minutes show genuine discussion of it rather than a formality.

Practitioner noteA stale risk register is one of the most common findings we report. It usually indicates that risk management exists as a compliance artefact rather than a live management tool — and that gap alone often explains why other findings in the same review went undetected internally.
What is the Vigil Mechanism / whistleblower policy, and is it mandatory?

The Vigil Mechanism is a formal channel required under Section 177(9) of the Companies Act 2013 for listed companies and certain classes of prescribed companies (those accepting deposits from the public, or having borrowed money from banks/public financial institutions exceeding ₹50 crore), and separately under SEBI LODR Regulation 22 for listed companies, allowing directors and employees to report genuine concerns about unethical behaviour, fraud, or violation of the company's code of conduct, with protection against victimisation. As part of GRC Assurance, we test whether the mechanism exists on paper, whether employees are actually aware of it, and how any complaints received were investigated and closed.

Practitioner noteA whistleblower policy that exists in the employee handbook but that no employee has ever heard of, or that has no evidence of any complaint ever being logged in a reasonably sized organisation, is itself a red flag worth investigating — silence is not always evidence that nothing has gone wrong.
What is a Delegation of Authority (DoA) matrix, and why does it matter for GRC?

A DoA matrix defines who in the organisation has authority to approve what — transaction types, spending limits, hiring decisions, contract sign-off — at each level of the hierarchy. It is one of the most fundamental internal controls because it prevents any single individual from having unchecked authority over material decisions. In our GRC reviews, we frequently find a documented DoA that has not been updated as the organisation has grown or restructured, or that is routinely bypassed in practice — both of which materially increase fraud and error risk.

Practitioner noteWe test the DoA against actual approved transactions, not just against the document. A DoA that says the CFO must approve expenses above a threshold is meaningless if we find multiple sampled transactions above that threshold approved by someone else without any escalation trail.
Does GRC Assurance cover our IT systems and cybersecurity?

GRC Assurance includes a review of IT general controls (ITGC) — access management, change management, backup and business continuity — as part of the broader control environment assessment, because IT controls underpin the reliability of financial and operational data across the business. However, a deep technical cybersecurity assessment (penetration testing, vulnerability scanning, technical security architecture review) is a more specialised, separate engagement. We scope which level of IT coverage is appropriate for your GRC review and can bring in or refer to our dedicated cybersecurity audit capability where a deeper technical review is warranted.

Practitioner noteIT general controls weaknesses are one of the most common root causes we trace other findings back to — a broken change management process, for example, often explains an otherwise-inexplicable financial reporting error. We always include ITGC at a proportionate level even in a governance-focused review.
We had a whistleblower complaint / suspected fraud recently. Should this be a GRC Assurance engagement or a forensic audit?

If the immediate need is to investigate a specific incident — establish what happened, who was involved, and quantify any loss — that is a Forensic Audit, a narrower and more urgent engagement. GRC Assurance is the broader, subsequent (or parallel) exercise that asks the systemic question: what governance or control gap allowed this to happen, and where else might similar gaps exist? Many clients commission both — a forensic audit to resolve the specific incident, and a GRC Assurance review to address the root cause and prevent recurrence elsewhere in the organisation.

Practitioner noteWe consistently advise against skipping the systemic review after a specific incident is resolved. Addressing only the symptom — for example, terminating the individual involved — without addressing the control gap that allowed it typically means a similar incident recurs elsewhere in the business within a few years.
How does GRC Assurance help us prepare for an IPO or a large fundraise?

Institutional investors and IPO due diligence teams routinely assess Board composition and independence, the risk management framework, related party transaction governance, and internal control maturity as part of their process — and gaps found late in a live transaction can delay timelines or affect valuation and deal terms. A GRC Assurance review conducted proactively, well before the transaction process begins, identifies and allows remediation of these gaps on your own timeline rather than under the pressure and scrutiny of active diligence.

Practitioner noteWe recommend running a GRC readiness review at least 6–12 months ahead of a planned fundraise or IPO process wherever the timeline allows — enough time to remediate meaningful findings, not just document them, before an investor's diligence team arrives.
What happens if the GRC Assurance review finds serious gaps? Does PNPC report this to regulators?

No. A GRC Assurance engagement is a private, management-and-Board-facing advisory and assurance exercise — findings are reported to the Audit Committee, Risk Management Committee, or Board that commissioned the review, not to SEBI, MCA, or any other regulator. The purpose is to give the Board the information and time to remediate proactively. Separately, where a finding indicates a potential fraud that triggers a statutory reporting obligation under Section 143(12) of the Companies Act, that obligation falls specifically on the statutory auditor in that defined circumstance — not on a GRC Assurance provider conducting an advisory review.

Practitioner noteWe are transparent about this distinction at the outset of every engagement. Boards sometimes hesitate to commission a thorough review out of concern that findings will automatically trigger external reporting — that is not how this engagement works, and clarity on this point upfront leads to more candid engagement from management throughout the review.
Can GRC Assurance be scoped for just one function or risk area, rather than the whole organisation?

Yes. While entity-wide GRC Assurance gives the most complete picture, we regularly scope focused reviews — for example, governance structure and Board effectiveness only, or risk management framework maturity only, or a control review limited to financial reporting and IT processes. A focused scope is often the right starting point for a company running its first GRC-style review, with broader coverage added in subsequent cycles.

Practitioner noteWe recommend against an unfocused 'review everything' first engagement for companies new to this kind of assurance — it tends to produce a long list of findings without the depth needed to prioritise effectively. A phased approach, starting with the highest-risk domain, produces more actionable results.
How does GRC Assurance work for a group with subsidiaries, including a UAE entity?

For group structures, we assess whether risk oversight and control standards are being applied consistently across the parent and its subsidiaries — not just at the holding company level — and whether the parent Board has visibility into subsidiary-level risks, including those of any UAE or overseas entity. PNPC's presence in both India and the UAE (Dubai office) allows us to assess governance and control consistency across both jurisdictions under a single coordinated engagement, rather than requiring separate reviews by unconnected local firms that do not share findings.

Practitioner noteGroup-level GRC gaps are common where a UAE subsidiary was set up quickly to capture a commercial opportunity, with local governance and reporting discipline lagging well behind the parent company's standards. We flag consolidated risk oversight gaps specifically in every group engagement.
What is a 'management response' and why does PNPC insist on capturing it before the Board presentation?

A management response is management's factual confirmation of each finding, along with their proposed remediation action, owner, and timeline — captured before the report goes to the Audit Committee or Board. This ensures the Board is not seeing findings for the first time without any indication of how management intends to address them, and it gives management a fair opportunity to correct any factual misunderstanding before the report is finalised.

Practitioner noteSkipping this step and going straight to the Board with unvalidated findings tends to put management on the defensive in the boardroom rather than focused on remediation — capturing the response first produces a far more constructive Board conversation.
How are findings prioritised in the report?

We rate each finding — typically Critical, High, Medium, or Low — based on the likelihood of the underlying risk materialising and the potential impact if it does, combined with how pervasive the control gap is across the organisation. Critical and High findings are those that could result in material financial loss, regulatory non-compliance with meaningful penalty exposure, or reputational damage, and these are highlighted for priority remediation with the shortest recommended timelines.

Practitioner noteBoards with limited time need a report they can act on in the meeting, not one that requires them to read forty pages to find the three issues that actually matter. Our reports lead with a one-page findings summary ranked by priority, with full detail available for anyone who wants to go deeper.
Does PNPC only identify problems, or does it also help fix them?

Both, by design. The report includes practical, sequenced remediation recommendations for each finding — not just a description of the gap. Where the client wants implementation support (redesigning a process, drafting an updated policy, configuring an approval workflow in the ERP), PNPC can support that as a follow-on engagement, kept appropriately separate from the assurance role where independence considerations require it.

Practitioner noteWe are careful about the line between assurance and implementation where independence rules apply — particularly if we are also the statutory auditor. We discuss this structure at scoping so there is no ambiguity about what PNPC can and cannot do as both assessor and implementer.
How often should we repeat a GRC Assurance review?

For listed companies and larger private companies with an active Risk Management Committee, an annual cycle — even if narrower in scope than the first full review — keeps the risk register and control assessment current as the business evolves. For smaller unlisted companies without a regulatory trigger, a review every 18–24 months, or ahead of any major milestone (fundraise, new geography, significant headcount growth), is generally sufficient.

Practitioner noteWe tailor the cadence to the client rather than defaulting to 'annual' for everyone — an annual cycle for a stable, smaller private company can become a check-the-box exercise that adds cost without proportionate value. We recommend the cadence honestly, even when it means less frequent (and lower) fee engagement for PNPC.
What is the Risk Management Committee (RMC) under SEBI LODR, and who must have one?

Regulation 21 of the SEBI LODR Regulations requires the top 1,000 listed companies by market capitalisation (as determined as of the end of the immediately preceding financial year) to constitute a Risk Management Committee, with a majority of members being members of the Board of Directors, including at least one independent director, and with the chairperson being a member of the Board of Directors. The RMC's role includes formulating a detailed risk management policy, monitoring and reviewing it periodically, and reporting to the Board.

Practitioner noteCompanies just below the top-1,000 threshold sometimes assume the requirement does not apply and defer setting up an RMC — until the next annual market-cap ranking brings them into scope with limited lead time. We recommend companies approaching the threshold set up the committee proactively rather than reactively.
Our Board already has an Audit Committee. Isn't that enough oversight without a separate GRC review?

An Audit Committee's statutory mandate under Section 177 focuses primarily on financial statements, the statutory audit process, and related party transactions — it does not, by itself, constitute an independent test of whether the broader risk management framework and control environment are functioning. A GRC Assurance review provides the Audit Committee with the independent evidence base it needs to discharge its own oversight role effectively, rather than relying solely on management's self-reporting.

Practitioner noteWe often find that Audit Committee members themselves are the ones requesting a GRC Assurance review — because they recognise that reviewing management's own presentations at each meeting is not the same as independent testing, and they want a more defensible basis for their own oversight responsibilities.
What deliverables do we actually receive at the end of the engagement?

A written GRC Assurance report covering: an executive summary with an overall governance and risk maturity assessment; detailed findings organised by domain (governance, risk, control, compliance) with root-cause analysis; a prioritised, rated findings register; management's response and proposed remediation plan for each finding; and a recommended follow-up review timeline. This is supplemented by a live presentation to the Audit Committee or Board.

Practitioner noteWe avoid delivering a generic template report with client name and logo swapped in — every finding in our reports is specific to what we actually observed at your organisation, with the evidence and sample basis referenced, so the Board can trust the basis for each conclusion.
Can a startup or small private company benefit from a lighter version of this?

Yes. For an early-stage or smaller company without a near-term listing or major fundraise trigger, we typically recommend a scaled-down governance and risk-readiness conversation rather than the full multi-week programme — focused on the handful of foundational elements (a basic risk register, a simple DoA, a whistleblower channel, core financial controls) that matter most at that stage, without the cost and formality appropriate to a listed company.

Practitioner noteWe are candid when a full GRC Assurance engagement is disproportionate to a client's current stage. Recommending a lighter, appropriately-scoped starting point — even at a lower fee — builds the relationship for the fuller engagement once the company genuinely needs it.
How does GRC Assurance interact with our CSR Committee obligations?

Where applicable under Section 135 of the Companies Act 2013 (companies meeting the prescribed net worth, turnover, or net profit thresholds), the CSR Committee's governance — its composition, the CSR policy, and whether CSR spend is tracked, reported, and reconciled correctly — is one of the governance areas we review as part of an entity-wide GRC Assurance engagement, alongside the Audit, Nomination & Remuneration, and Risk Management Committees.

Practitioner noteCSR governance is sometimes treated as a lower priority relative to financial and risk controls, but unspent CSR obligations carry their own compliance consequences under Section 135(5) and (6) — we always include it in scope for companies where Section 135 applies.
Does PNPC benchmark our governance maturity against industry peers?

Where relevant data and comparable public disclosures are available (for listed peers, primarily through public annual reports and corporate governance reports), we can provide qualitative, directional benchmarking as context for the Board — noting how your committee structure, disclosure practices, or risk framework compare to sector norms. This is offered as useful context rather than a precise quantitative score, since governance maturity depends heavily on company-specific factors.

Practitioner noteWe are careful not to present benchmarking as more precise than it actually is — publicly available peer data is limited, and we flag clearly where a comparison is directional rather than a rigorous statistical benchmark.
What is the difference between a control 'design' gap and an 'operating effectiveness' gap?

A design gap means the control, as documented or intended, would not actually prevent or detect the risk it is meant to address even if performed perfectly — for example, an approval control that does not specify a monetary threshold. An operating effectiveness gap means the control is well-designed on paper but is not being consistently performed in practice — for example, approvals are required above a threshold, but our sample testing found several instances where that approval was skipped. Both are reported separately because the remediation is different: a design gap needs a redesigned control; an operating effectiveness gap needs better enforcement, training, or system automation of an already-adequate design.

Practitioner noteThis distinction matters enormously for remediation planning. We have seen organisations spend months redesigning a control that was already well-designed, when the real issue was simply that nobody was enforcing it — a much faster and cheaper fix.
Will the GRC Assurance review disrupt our day-to-day operations?

We design the engagement to minimise disruption — most of the work involves document review, interviews with process owners (typically 30–60 minutes each), and sample-based testing that does not require operational processes to pause. We schedule interviews around the availability of key personnel and typically coordinate through a single internal point of contact (often the Company Secretary or CFO's office) to manage the information flow efficiently.

Practitioner noteWe ask for a single coordinating point of contact at the client, rather than chasing multiple department heads independently — this alone significantly reduces the internal burden of the engagement and keeps the timeline on track.
Why should we choose PNPC for GRC Assurance rather than a Big 4 firm or a boutique risk consultancy?

A Big 4 firm brings brand recognition and large-team capacity, often at a substantially higher fee and with rotating junior staff on the engagement. A boutique risk consultancy may lack the Chartered Accountancy grounding to connect governance findings back to statutory obligations under the Companies Act, SEBI regulations, and tax law with full technical accuracy. PNPC combines nearly four decades of practising CA experience — including the statutory audit, tax, and FEMA/regulatory context that governance findings inevitably touch — with a senior-partner-led engagement model and a presence in both India and the UAE for group structures spanning both jurisdictions.

Practitioner noteAsk any provider who will actually be in the room presenting findings to your Board. In our experience, clients coming to us after a prior engagement elsewhere frequently describe a report authored by a team they never met and presented by someone reading from the same document for the first time. Our engagement partner leads the review from scoping through the Board presentation.
What does the PNPC GRC Assurance engagement include, end to end?

Scoping consultation to align objectives and right-size the review; governance structure review (Board, committees, DoA); risk register and ERM framework assessment; control design walkthroughs across material process areas; sample-based operating effectiveness testing; compliance management system review; whistleblower mechanism and fraud risk assessment; a rated, prioritised findings register with root-cause analysis; management response capture; a written report; a live presentation to the Audit Committee/Board; and a follow-up verification review within the agreed remediation period.

Practitioner noteEvery item above is confirmed in a written scope and fee proposal before work begins — we do not start an engagement on a verbal understanding of scope, precisely because ambiguous scope is one of the most common sources of client dissatisfaction with assurance engagements generally.
Is the GRC Assurance report confidential, or does it become part of any public filing?

The GRC Assurance report itself is a private document addressed to the Audit Committee/Board and is not, by default, filed with MCA, SEBI, or any regulator, and is not a public document. Separately, the Board's own Section 134(5)(e) representation in the Board's Report (which is a public filing as part of the Annual Report) may be informed by the findings of a GRC or IFC review, but the underlying detailed report itself remains an internal document unless the company chooses to disclose it or a regulator specifically requests it in the course of an inquiry.

Practitioner noteWe are explicit about this confidentiality boundary with every client — it materially affects how candidly management engages with the review process when they understand the detailed findings are not headed for public disclosure.
Why PNPC Global
FeatureBig 4 / Large FirmBoutique Risk ConsultancyPNPC Global
Statutory & tax grounding of findingsStrong technically, but engagement often led by junior staff day-to-dayOften limited — risk-framework expertise without deep CA/regulatory groundingSenior CA-led — every finding connected to the actual Companies Act, SEBI, and tax implications
Engagement continuityFrequent staff rotation across the engagement lifecycleVariable — depends on consultancy size and retentionSame engagement partner from scoping through Board presentation and follow-up
Cost proportionalityPremium fee structure, often disproportionate for mid-sized private companiesCan be cost-effective but may lack assurance rigourRight-sized scope and fee for entity stage — we recommend narrower scope when a full review is not yet warranted
India-UAE group coverageAvailable but often via separate country teams with limited coordinationRarely availableSingle coordinated engagement across Chennai, Bangalore, Hyderabad, and Dubai offices
Board presentationOften delegated to a senior manager rather than the partnerVaries by consultancyEngagement partner presents personally to the Audit Committee/Board
Follow-up verificationFrequently offered as a separate, re-priced engagementInconsistentBuilt into the engagement scope as a standard follow-up review within the agreed remediation period
Independence handlingFormal but can feel process-heavy for a mid-market clientMay not proactively flag independence conflictsIndependence considerations raised proactively at scoping — before they become a problem
Ongoing relationshipEngagement-by-engagement, re-scoped each cycleProject-basedLong-term advisory relationship spanning audit, tax, GRC, and cross-border needs since 1986

What the PNPC package includes

  1. 01

    Scoping consultation to align GRC Assurance objectives with your actual regulatory triggers and business stage

  2. 02

    Governance structure review — Board composition, committee charters, and Delegation of Authority tested against actual practice

  3. 03

    Risk register and Enterprise Risk Management framework assessment against COSO ERM 2017 / ISO 31000 reference frameworks

  4. 04

    Control design walkthroughs across financial, operational, compliance, and IT process areas

  5. 05

    Sample-based operating effectiveness testing — not a paper-only policy review

  6. 06

    Compliance management system review across applicable Companies Act, FEMA, labour, tax, and sector-specific obligations

  7. 07

    Whistleblower mechanism and fraud risk assessment under Section 177(9) and SEBI LODR Regulation 22

  8. 08

    Rated, prioritised findings register with root-cause analysis for each finding

  9. 09

    Management response capture before the report reaches the Audit Committee or Board

  10. 10

    Live presentation to the Audit Committee / Risk Management Committee / Board by the engagement partner

  11. 11

    Follow-up verification review within the agreed remediation period to confirm actual closure

  12. 12

    India-UAE coordinated coverage for group structures with a Dubai or overseas subsidiary

  13. 13

    Direct access to your engagement partner — by phone and WhatsApp — for questions between formal review cycles

Give your Board a governance, risk, and control picture it can actually rely on. Speak with a PNPC engagement partner — a practising Chartered Accountant who will scope the review to your real risk profile, test what actually happens (not just what is documented), and present findings to your Audit Committee in person.

← Back to Risk Advisory
Talk to a CA