Risk Advisory · Governance, Risk & Compliance (GRC)
Governance, Risk & Control Assurance
Governance, Risk & Control (GRC) Assurance is the independent lens that tells your Board and Audit Committee whether the governance structures, risk management framework, and internal control environment you believe you have actually operate the way you think they do.
Chartered Accountants · Chennai · Hyderabad · Bangalore · Dubai · Since 1986
Governance, Risk & Control (GRC) Assurance is the independent lens that tells your Board and Audit Committee whether the governance structures, risk management framework, and internal control environment you believe you have actually operate the way you think they do. At PNPC Global, we do not simply test individual controls in isolation — we assess how governance, risk, and compliance functions interlock as a system, identify where accountability gaps or duplicated effort exist between them, and report findings your directors can act on with confidence. For listed companies under SEBI LODR, large private companies preparing for institutional capital, and family businesses professionalising their governance, GRC Assurance is the discipline that converts good intentions into a defensible, auditable framework.
What it costs
No hidden charges. The exact figure is set in your engagement letter.
GRC Assurance is an independent review activity that evaluates the design and operating effectiveness of an organisation's Governance, Risk Management, and Compliance (Internal Control) architecture — assessed together as an integrated system rather than as three disconnected functions. Governance covers Board structure, committee mandates, delegation of authority, and the tone set at the top. Risk covers whether the organisation has identified its material risks, assessed them consistently, and put mitigation and monitoring in place — typically benchmarked against recognised frameworks such as COSO Enterprise Risk Management (COSO ERM 2017) or ISO 31000. Control covers whether the day-to-day processes that are supposed to prevent or detect errors, fraud, and non-compliance are actually designed correctly and are operating as intended, generally assessed against the COSO Internal Control – Integrated Framework (2013). GRC Assurance sits alongside — and is distinct from — statutory financial audit, tax audit, and Internal Financial Controls (IFC) certification under Section 143(3)(i) of the Companies Act 2013; it is broader in scope and forward-looking in its recommendations rather than limited to an opinion on historical financial statements.
The practical trigger for a formal GRC Assurance engagement varies. For listed entities, SEBI's Listing Obligations and Disclosure Requirements (LODR) Regulations require a functioning Risk Management Committee (mandatory for the top 1,000 listed companies by market capitalisation under Regulation 21) and place responsibility on the Board for the risk management framework — an independent assurance review demonstrates that this obligation is being discharged in substance, not merely on paper. For large private companies, Section 134(5)(e) of the Companies Act 2013 requires directors to state in the Board's Report that they have laid down internal financial controls and that such controls are adequate and operating effectively — a statement the Board should not make without some independent basis for confidence. For companies preparing for a fundraise, an IPO, or a strategic sale, institutional investors and their diligence teams routinely request evidence of a working GRC framework as part of governance due diligence, and gaps discovered late in a transaction process can materially affect valuation or deal timelines.
A GRC Assurance engagement is not a single deliverable but a structured programme: it typically begins with a governance and risk-maturity assessment (mapping the current state against a recognised maturity model), moves through control design evaluation across key processes (financial reporting, procurement, revenue, IT, HR, and any sector-specific process), tests whether controls that are documented as existing are actually being performed as described, and concludes with a report to the Audit Committee or Board setting out rated findings, root causes, and a prioritised remediation roadmap. Unlike a one-time compliance certificate, GRC Assurance is most valuable when run as a recurring cycle — annually or on a rolling multi-year plan — because governance and risk exposure change as the business grows, enters new markets, or faces new regulation.
For unlisted companies and family-owned businesses, GRC Assurance often serves a second purpose beyond pure assurance: it is the mechanism through which an informally-run business builds the documented governance discipline that banks, private equity investors, and the next generation of family leadership will expect. A business that has never formalised its risk register, its delegation of authority, or its whistleblower mechanism can use a GRC Assurance engagement as the structured starting point for building all three — rather than attempting to build governance infrastructure for the first time under the pressure of an active investor due diligence process.
When a GRC Assurance engagement is the right call
Listed company with a mandatory Risk Management Committee under SEBI LODR Regulation 21 that needs independent evidence its risk framework operates in substance, not just as a committee charter on paper
Board or Audit Committee about to sign the Section 134(5)(e) internal financial controls adequacy statement and wants an independent basis for that representation beyond management's own assertion
Company preparing for a Series B/C round, pre-IPO readiness, or strategic sale where institutional investors will conduct governance and risk due diligence as part of the transaction process
Family-owned or founder-led business professionalising ahead of generational succession, external Board induction, or its first institutional investor
Organisation that has grown rapidly and suspects its governance structures, delegation of authority, and risk oversight have not kept pace with its scale or geographic spread
Board that has received whistleblower complaints, a fraud incident, or a regulatory notice and needs an independent view of whether the underlying governance and control environment is the root cause
Group structure with multiple subsidiaries or a UAE/overseas arm where consolidated risk oversight and consistent control standards across entities have never been formally assessed
Company adopting or renewing a formal Enterprise Risk Management (ERM) framework and wants independent validation that the framework, once built, is actually being used by risk owners
When a narrower or different engagement fits better
You need a statutory opinion on financial statements for regulatory or shareholder purposes — that is a Statutory Audit under the Companies Act, not GRC Assurance, which does not issue an opinion on financial statements
You need the Board's Section 143(3)(i)/134(5)(e) Internal Financial Controls certification itself prepared and tested to the specific IFC-over-financial-reporting standard — that is an IFC Review engagement, a related but narrower and more codified scope than a full GRC Assurance review
You need a specific, narrow investigation into a suspected fraud or a defined incident — a targeted Forensic Audit is faster and more appropriate than a broad governance and risk review
Your company is an early-stage startup with a lean team, no committee structure, and no near-term institutional fundraise or listing plan — the cost and formality of a full GRC programme is disproportionate; a lighter internal-controls readiness conversation is more suitable at this stage
You need ongoing operational testing of specific process controls on a cyclical basis rather than a point-in-time or periodic governance-and-risk assessment — a structured Internal Audit programme (Section 138) is typically the better long-term vehicle, and is often run alongside or as a component of the broader GRC framework
Your immediate need is IT general controls or cybersecurity control testing specifically — an ISA 315/ITGC or Cybersecurity Audit engagement addresses that scope with more technical depth than a governance-level GRC review
GRC Assurance vs adjacent assurance and advisory engagements
| Feature | GRC Assurance | Statutory Audit | Internal Audit (Sec 138) | IFC Review | Forensic Audit |
|---|---|---|---|---|---|
| Primary objective | Assess governance, risk framework, and control environment as an integrated system | Opinion on true and fair view of financial statements | Ongoing testing of process controls against risk-based plan | Test design & operating effectiveness of controls over financial reporting | Investigate a specific suspected irregularity or incident |
| Governing framework/standard | COSO ERM 2017, COSO Internal Control 2013, ISO 31000 (as reference frameworks) | Standards on Auditing (SAs) under Companies Act 2013 | Standards on Internal Audit (SIA), Section 138 & Rule 13 | Guidance Note on Audit of ICFR (ICAI), Section 143(3)(i) | No single statute — engagement-specific scope and forensic standards |
| Statutory mandate | Not separately mandated by statute — driven by SEBI LODR Board/RMC obligations and governance practice | Mandatory for every company under Section 139 | Mandatory for listed cos and prescribed classes under Rule 13 | Mandatory reporting by statutory auditor for most companies under Sec 143(3)(i) | Not mandatory — engaged on a need basis |
| Reports to | Board / Audit Committee / Risk Management Committee | Shareholders (via AGM) | Audit Committee / Board | Shareholders (via statutory audit report) and Board | Whoever commissions it — Board, Audit Committee, or specific stakeholder |
| Scope breadth | Entity-wide — Board, ERM framework, and control environment together | Financial statements and disclosures | Process- and function-specific per audit plan | Controls specifically over financial reporting | Narrow and incident-specific |
| Typical frequency | Annual or defined multi-year cycle | Annual — mandatory every FY | Continuous per annual audit plan, typically quarterly cycles | Annual, alongside statutory audit | One-off, triggered by an event |
| Output | Governance & risk maturity rating, control gap register, prioritised remediation roadmap | Audit opinion (unqualified/qualified/adverse/disclaimer) | Audit findings report per engagement/quarter | Management letter on control deficiencies, feeds auditor's report | Investigation report — findings, quantification, recommendations |
| Independence requirement | Should be independent of the function being assessed; often run by external CA firm | Statutory — independent under Section 141 | Should be independent of operations being tested; can be in-house or outsourced | Performed by/relied upon by the statutory auditor | Must be independent of the individuals/area under investigation |
| Best suited to | Boards & Audit Committees needing systemic assurance ahead of listing, fundraise, or governance maturity milestones | Every registered company, without exception | Companies meeting Section 138/Rule 13 thresholds, or choosing best practice | Companies where auditor must opine on ICFR | Companies facing a specific fraud, whistleblower complaint, or dispute |
These engagements are complementary rather than substitutes for one another — a mature governance programme typically runs Statutory Audit, Internal Audit, IFC Review, and periodic GRC Assurance together, each covering a different layer of assurance. PNPC scopes each engagement independently and advises on the right combination and sequencing for your stage and regulatory profile.
| # | Stage & What PNPC Does | What Generic Providers Skip | Timeline |
|---|---|---|---|
| 1 | Scoping & Objective-Setting — Understand why assurance is needed now | We start by asking what triggered the need: a SEBI LODR obligation, an upcoming fundraise, a Board directive, a past incident, or first-time governance formalisation. This shapes whether the engagement is entity-wide or focused on specific risk domains. Generic providers often propose a fixed-scope template regardless of the actual driver. | Week 1 |
| 2 | Governance Structure Review — Board, committees, delegation of authority | We map the actual Board composition against Companies Act and SEBI LODR independence and expertise requirements, review committee charters (Audit, Risk Management, Nomination & Remuneration, CSR) against their statutory mandate, and test whether the Delegation of Authority matrix in use reflects what is actually happening in approvals — not just the document on file. | Week 1–2 |
| 3 | Risk Universe & Risk Register Assessment | We assess whether a documented risk register exists, whether it is genuinely risk-ranked (likelihood x impact, with a defined risk appetite) or is a static list untouched since creation, and whether risk owners across the business actually use it. Where COSO ERM or ISO 31000 has been adopted formally, we test whether the framework is embedded in decision-making, not just referenced in a policy document. | Week 2–3 |
| 4 | Control Environment Walkthrough — Key process areas | We walk through the control design in financial reporting, procurement-to-pay, order-to-cash, payroll, treasury, and IT general controls — selecting the processes most material to your business and risk profile. Walkthroughs identify controls that exist on paper (in a policy manual) versus controls that are genuinely built into the process and system. | Week 3–5 |
| 5 | Operating Effectiveness Testing — Sample-based control testing | For controls assessed as well-designed, we test a sample of actual transactions or instances to confirm the control operated as intended throughout the review period — not merely at a single point in time. This distinguishes GRC Assurance from a policy review: we test whether governance and controls work in practice. | Week 4–6 |
| 6 | Compliance Management System Review | We assess whether the organisation has a structured compliance tracker covering applicable laws (Companies Act, FEMA, labour codes, sector regulation, data protection where applicable), whether ownership for each compliance is assigned, and whether escalation for missed compliances reaches the right level of management — not just a spreadsheet nobody reviews. | Week 5–6 |
| 7 | Whistleblower & Fraud Risk Assessment | We review the Vigil Mechanism/whistleblower policy mandated under Section 177(9) of the Companies Act and SEBI LODR Regulation 22, test whether complaints received (if any) were handled per the policy, and conduct a fraud risk assessment identifying areas of highest fraud exposure given the business model and control gaps found. | Week 5–6 |
| 8 | Risk Maturity & Gap Rating | Every finding is rated against a defined maturity scale (typically Initial / Developing / Defined / Managed / Optimised, aligned to common maturity model conventions) so the Board sees not just a list of issues but a picture of where the organisation stands and what "good" looks like at the next stage. | Week 6–7 |
| 9 | Draft Report & Management Response | We issue a draft report to management for factual accuracy confirmation and to capture management's proposed remediation timeline and owner for each finding — before anything is presented to the Audit Committee or Board. This avoids surprises and produces a report the Board can act on immediately. | Week 7–8 |
| 10 | Presentation to Audit Committee / Board / Risk Management Committee | PNPC's engagement partner personally presents findings, root causes, and the remediation roadmap to the Committee or Board — not a written report emailed and left for the Company Secretary to summarise. Questions are answered in the room, in real time. | Week 8 |
| 11 | Remediation Roadmap & Prioritisation | Findings are prioritised (Critical/High/Medium/Low) with realistic remediation timelines agreed with process owners — a roadmap the Audit Committee can track at each subsequent meeting, not a report that is filed and forgotten. | Week 8–9 |
| 12 | Follow-Up & Closure Verification | PNPC conducts a follow-up review — typically at the mid-point and end of the agreed remediation period — to verify that remediation actions were actually implemented and are operating, not just marked "closed" by the responsible owner without verification. | 3–6 months post-report |
| 13 | Next-Cycle Planning | GRC Assurance is most effective as a recurring discipline. We work with the Audit Committee to plan the following year's scope — rotating emphasis across risk domains, incorporating new risks (new geography, new regulation, new business line) as the organisation evolves. | Annually or per agreed cycle |
A first-time, entity-wide GRC Assurance review for a mid-sized company typically takes 8–10 weeks from scoping to Board presentation; subsequent annual cycles are usually faster once the risk register, control matrix, and prior findings baseline exist. Actual duration depends on entity size, number of locations/subsidiaries, and the depth of testing agreed in scope.
Memorandum & Articles of Association and any Shareholders' Agreement provisions relevant to governance rights
Board composition details — director profiles, independent director declarations under Section 149(6)/(7), related disclosures of interest/non-disqualification (Form MBP-1/DIR-8), and skills matrix if maintained
Committee charters — Audit Committee, Risk Management Committee, Nomination & Remuneration Committee, CSR Committee — and minutes for the review period
Delegation of Authority (DoA) matrix currently in force, with any amendment history
Board and Committee meeting minutes and attendance records for the period under review
Related Party Transaction policy and the register of related party transactions approved during the period
Enterprise Risk Management policy or framework document, if one exists
Current risk register — risk descriptions, likelihood/impact ratings, mitigation status, and assigned risk owners
Board or Committee risk review minutes and any risk dashboard or heat map presented to leadership
Business continuity and disaster recovery plan, and evidence of any testing conducted
Insurance policy schedule — Directors & Officers (D&O), Professional Indemnity, cyber, and key-person cover as applicable
Standard Operating Procedures (SOPs) for key processes — procurement, revenue recognition, payroll, treasury, fixed assets
Financial approval matrix and evidence of adherence — sample approved transactions across the period
IT general controls documentation — access management, change management, and backup policies
Segregation of duties matrix for key financial and operational processes
Prior internal audit reports and their closure status, if an internal audit function already exists
Compliance tracker or register covering applicable laws — Companies Act, FEMA, labour codes, GST, sector-specific licences
Evidence of statutory filings for the review period — MCA annual filings, tax filings, regulatory returns as applicable
Any regulatory correspondence, show-cause notices, or inspection reports received during the review period
Sector-specific licences and their renewal status, where the business is subject to sectoral regulation (RBI, SEBI, IRDAI, etc.)
Vigil Mechanism / whistleblower policy adopted under Section 177(9) and SEBI LODR Regulation 22
Code of Conduct for Directors and Senior Management, and evidence of periodic acknowledgement by employees
Log of whistleblower complaints received during the review period and their resolution status
Any known fraud incidents, disciplinary actions, or ongoing investigations relevant to the control environment
Most recent statutory audit report, management letter, and Internal Financial Controls (IFC) certification, if available
Prior GRC, internal audit, or risk assessment reports from any earlier engagement, and their remediation tracker
Group/subsidiary structure chart, including any UAE or overseas entities, with an indication of consolidated risk oversight arrangements
Organisation chart identifying process owners and risk owners for each key function under review
| Phase | Triggered By | PNPC CA Guidance | Risk If Ignored |
|---|---|---|---|
| Pre-Engagement Readiness | Board or Audit Committee decision to commission GRC review | Scoping conversation to align on objective — SEBI LODR obligation, pre-fundraise readiness, post-incident review, or first-time formalisation. Right-sizing scope to entity size and risk profile so the engagement is proportionate and useful. | Wrong-sized scope — either an overly generic review that misses the risks that matter, or an overly heavy engagement disproportionate to the business, wasting budget and management time. |
| Baseline Assessment | Engagement kickoff | Governance structure review, risk register assessment, and control walkthroughs across material processes. Establishing an honest baseline — including uncomfortable findings — rather than a report calibrated to please management. | A baseline that understates real gaps gives the Board false comfort — and becomes a liability if a control failure or incident later exposes that the earlier assessment missed it. |
| Testing & Findings | Baseline complete | Sample-based operating effectiveness testing, fraud risk assessment, and compliance management system review — producing a rated, prioritised findings register rather than a narrative list of observations. | Findings without prioritisation or root-cause analysis lead management to fix low-impact issues while critical gaps remain — a common failure mode of superficial reviews. |
| Reporting & Board Presentation | Testing complete | Draft report shared with management for factual validation, then presented directly to the Audit Committee/Board by the engagement partner, with remediation ownership and timelines agreed in the room. | A report emailed without a live presentation is frequently filed without full Board engagement — and the Board's Section 134(5)(e) representation ends up resting on a document nobody at Board level actually discussed. |
| Remediation Execution | Report accepted, roadmap agreed | PNPC supports process owners in interpreting findings and designing practical remediation — policy updates, control redesign, system configuration changes, training — sequenced by priority and resource availability. | Remediation items assigned without follow-up support routinely stall — process owners deprioritise governance fixes against operational pressure unless there is a structured check-in cadence. |
| Follow-Up Verification | Agreed remediation period elapses | Independent follow-up testing to confirm remediation actually occurred and is operating — not just marked complete by the same owner who was responsible for the original gap. | Self-certified closure without independent verification is the single most common reason the same finding reappears in the following year's review, undermining Board confidence in the whole programme. |
| Next-Cycle Planning & Continuous Improvement | Annual governance calendar | Scope for the following cycle is planned with the Audit Committee — rotating depth across risk domains, incorporating new risks from business growth, new geographies, new regulation, or M&A activity. | A GRC programme that repeats an identical scope every year loses relevance as the business changes — new risks (a new subsidiary, a new regulation, a new business line) go unassessed while mature areas are reviewed repeatedly. |
| Trigger Events (Fundraise, Listing, Incident) | Investor due diligence, IPO process, or a control failure/whistleblower complaint | Accelerated or focused review scoped specifically to the trigger — governance due diligence readiness for a fundraise, IPO governance-readiness assessment against SEBI LODR, or root-cause review following an incident. | Governance and risk gaps discovered for the first time during live investor or IPO due diligence create timeline risk, can affect valuation, and are far more costly to remediate under transaction pressure than through a planned assurance cycle. |
What exactly does GRC Assurance mean, in plain terms?
It is an independent check on three things together: whether your Board and committees are structured and functioning the way governance rules expect (Governance); whether your organisation has properly identified and is actively managing its most important risks (Risk); and whether the day-to-day controls that are supposed to prevent errors, fraud, and non-compliance actually work in practice, not just on paper (Control/Compliance). Most reviews look at only one of these in isolation. GRC Assurance looks at all three together, because in practice they interlock — a governance gap often explains why a risk went unmanaged, which in turn explains why a control failed.
Is GRC Assurance a legal requirement for my company?
There is no single statute in India titled 'GRC Assurance' that mandates the exact engagement by that name. However, several underlying obligations make it highly relevant: SEBI LODR Regulation 21 requires the top 1,000 listed companies by market capitalisation to have a functioning Risk Management Committee; Section 134(5)(e) of the Companies Act 2013 requires directors of applicable companies to state that internal financial controls are adequate and operating effectively; and Section 177(9) requires a Vigil Mechanism. GRC Assurance is the independent activity that gives the Board a defensible basis for making those statements and meeting those obligations in substance.
How is GRC Assurance different from Internal Audit?
Internal Audit (mandatory under Section 138 for listed companies and prescribed classes under Rule 13) is typically a recurring, process-focused testing function that works through a risk-based annual audit plan, function by function — procurement this quarter, payroll next quarter, and so on. GRC Assurance takes a step back and looks at the governance and risk architecture as a whole — is the Board structured correctly, is there a real risk register that risk owners use, does the compliance tracking system actually work — before or alongside testing individual process controls. In a mature organisation, GRC Assurance often sets the risk-based plan that the Internal Audit function then executes against.
How is GRC Assurance different from the statutory audit my company already gets every year?
The statutory audit under the Companies Act gives shareholders an opinion on whether your financial statements present a true and fair view — its scope is the financial statements and the controls that materially affect them. GRC Assurance is broader and forward-looking: it covers the Board's governance structure, the enterprise-wide risk framework, and controls across operational, compliance, and IT domains that may never surface in a financial statement audit at all — such as whether your whistleblower mechanism actually works, or whether your Delegation of Authority matrix reflects reality.
How is GRC Assurance different from an IFC (Internal Financial Controls) Review?
An IFC Review is a specific, codified engagement — typically performed by or relied upon by the statutory auditor under Section 143(3)(i) — testing the design and operating effectiveness of controls specifically over financial reporting, following the ICAI's Guidance Note on Audit of Internal Financial Controls. GRC Assurance is broader: it covers governance structures and enterprise-wide risk management in addition to controls, and the controls it tests are not limited to those affecting financial reporting — operational, compliance, and IT controls are all in scope. In practice, IFC work is often one input into, or run alongside, a fuller GRC Assurance programme.
We are a private, unlisted company. Do we still need this?
SEBI LODR obligations apply only to listed companies, so the specific Risk Management Committee mandate does not apply to you. But GRC Assurance remains highly relevant for unlisted companies in three common scenarios: preparing for institutional fundraising, where investor due diligence will assess governance maturity regardless of listing status; family businesses professionalising ahead of succession or bringing in external directors; and any company where rapid growth has outpaced the formality of its governance and control structures.
What frameworks does PNPC use to assess our governance and risk maturity?
We reference the COSO Enterprise Risk Management framework (COSO ERM 2017) for risk management assessment and the COSO Internal Control – Integrated Framework (2013) for control environment assessment — both widely recognised internationally and referenced in Indian regulatory guidance. Where relevant, we also draw on ISO 31000 for risk management principles. We do not force a rigid framework onto every client; we calibrate the depth and formality of the assessment to your size, sector, and regulatory profile.
How long does a full GRC Assurance engagement take?
A first-time, entity-wide review for a mid-sized company typically takes 8–10 weeks from initial scoping to the final Board presentation, depending on the number of locations, subsidiaries, and process areas covered. Subsequent annual or periodic reviews are generally faster once the risk register, control matrix, and prior findings baseline already exist. A narrowly scoped review — for example, focused only on governance structure and risk register maturity without full operating-effectiveness testing — can be completed faster.
What does a GRC Assurance engagement cost?
Fees depend on entity size, number of locations and subsidiaries, the process areas in scope, and whether the engagement includes operating-effectiveness testing (sample transaction testing) or is limited to a design-level governance and risk review. PNPC provides a written scope and fixed-fee proposal after an initial scoping conversation — we do not quote a fee without first understanding what triggered the need and how deep the review needs to go.
Who conducts the GRC Assurance review — is it the same team as our statutory auditor?
Independence matters here. Where PNPC is also your statutory auditor, we structure the GRC Assurance engagement with an appropriately separate team and reporting line to preserve independence and avoid the auditor effectively reviewing its own work. For companies where independence rules under the Companies Act or SEBI regulations restrict the statutory auditor from providing certain non-audit services, we advise upfront on whether PNPC can undertake the GRC engagement or whether it should be performed by an independent firm.
What is a risk register, and why does PNPC test whether it is 'actually used'?
A risk register is a structured document listing an organisation's identified risks, their likelihood and potential impact, the mitigation measures in place, and the person accountable for each risk. Many companies have a risk register that was created once — often for an audit or a funding round — and never updated again. Testing whether it is 'actually used' means checking whether risk owners can describe their assigned risks without reading from the document, whether the register has been updated for new risks in the last review cycle, and whether Board or Committee minutes show genuine discussion of it rather than a formality.
What is the Vigil Mechanism / whistleblower policy, and is it mandatory?
The Vigil Mechanism is a formal channel required under Section 177(9) of the Companies Act 2013 for listed companies and certain classes of prescribed companies (those accepting deposits from the public, or having borrowed money from banks/public financial institutions exceeding ₹50 crore), and separately under SEBI LODR Regulation 22 for listed companies, allowing directors and employees to report genuine concerns about unethical behaviour, fraud, or violation of the company's code of conduct, with protection against victimisation. As part of GRC Assurance, we test whether the mechanism exists on paper, whether employees are actually aware of it, and how any complaints received were investigated and closed.
What is a Delegation of Authority (DoA) matrix, and why does it matter for GRC?
A DoA matrix defines who in the organisation has authority to approve what — transaction types, spending limits, hiring decisions, contract sign-off — at each level of the hierarchy. It is one of the most fundamental internal controls because it prevents any single individual from having unchecked authority over material decisions. In our GRC reviews, we frequently find a documented DoA that has not been updated as the organisation has grown or restructured, or that is routinely bypassed in practice — both of which materially increase fraud and error risk.
Does GRC Assurance cover our IT systems and cybersecurity?
GRC Assurance includes a review of IT general controls (ITGC) — access management, change management, backup and business continuity — as part of the broader control environment assessment, because IT controls underpin the reliability of financial and operational data across the business. However, a deep technical cybersecurity assessment (penetration testing, vulnerability scanning, technical security architecture review) is a more specialised, separate engagement. We scope which level of IT coverage is appropriate for your GRC review and can bring in or refer to our dedicated cybersecurity audit capability where a deeper technical review is warranted.
We had a whistleblower complaint / suspected fraud recently. Should this be a GRC Assurance engagement or a forensic audit?
If the immediate need is to investigate a specific incident — establish what happened, who was involved, and quantify any loss — that is a Forensic Audit, a narrower and more urgent engagement. GRC Assurance is the broader, subsequent (or parallel) exercise that asks the systemic question: what governance or control gap allowed this to happen, and where else might similar gaps exist? Many clients commission both — a forensic audit to resolve the specific incident, and a GRC Assurance review to address the root cause and prevent recurrence elsewhere in the organisation.
How does GRC Assurance help us prepare for an IPO or a large fundraise?
Institutional investors and IPO due diligence teams routinely assess Board composition and independence, the risk management framework, related party transaction governance, and internal control maturity as part of their process — and gaps found late in a live transaction can delay timelines or affect valuation and deal terms. A GRC Assurance review conducted proactively, well before the transaction process begins, identifies and allows remediation of these gaps on your own timeline rather than under the pressure and scrutiny of active diligence.
What happens if the GRC Assurance review finds serious gaps? Does PNPC report this to regulators?
No. A GRC Assurance engagement is a private, management-and-Board-facing advisory and assurance exercise — findings are reported to the Audit Committee, Risk Management Committee, or Board that commissioned the review, not to SEBI, MCA, or any other regulator. The purpose is to give the Board the information and time to remediate proactively. Separately, where a finding indicates a potential fraud that triggers a statutory reporting obligation under Section 143(12) of the Companies Act, that obligation falls specifically on the statutory auditor in that defined circumstance — not on a GRC Assurance provider conducting an advisory review.
Can GRC Assurance be scoped for just one function or risk area, rather than the whole organisation?
Yes. While entity-wide GRC Assurance gives the most complete picture, we regularly scope focused reviews — for example, governance structure and Board effectiveness only, or risk management framework maturity only, or a control review limited to financial reporting and IT processes. A focused scope is often the right starting point for a company running its first GRC-style review, with broader coverage added in subsequent cycles.
How does GRC Assurance work for a group with subsidiaries, including a UAE entity?
For group structures, we assess whether risk oversight and control standards are being applied consistently across the parent and its subsidiaries — not just at the holding company level — and whether the parent Board has visibility into subsidiary-level risks, including those of any UAE or overseas entity. PNPC's presence in both India and the UAE (Dubai office) allows us to assess governance and control consistency across both jurisdictions under a single coordinated engagement, rather than requiring separate reviews by unconnected local firms that do not share findings.
What is a 'management response' and why does PNPC insist on capturing it before the Board presentation?
A management response is management's factual confirmation of each finding, along with their proposed remediation action, owner, and timeline — captured before the report goes to the Audit Committee or Board. This ensures the Board is not seeing findings for the first time without any indication of how management intends to address them, and it gives management a fair opportunity to correct any factual misunderstanding before the report is finalised.
How are findings prioritised in the report?
We rate each finding — typically Critical, High, Medium, or Low — based on the likelihood of the underlying risk materialising and the potential impact if it does, combined with how pervasive the control gap is across the organisation. Critical and High findings are those that could result in material financial loss, regulatory non-compliance with meaningful penalty exposure, or reputational damage, and these are highlighted for priority remediation with the shortest recommended timelines.
Does PNPC only identify problems, or does it also help fix them?
Both, by design. The report includes practical, sequenced remediation recommendations for each finding — not just a description of the gap. Where the client wants implementation support (redesigning a process, drafting an updated policy, configuring an approval workflow in the ERP), PNPC can support that as a follow-on engagement, kept appropriately separate from the assurance role where independence considerations require it.
How often should we repeat a GRC Assurance review?
For listed companies and larger private companies with an active Risk Management Committee, an annual cycle — even if narrower in scope than the first full review — keeps the risk register and control assessment current as the business evolves. For smaller unlisted companies without a regulatory trigger, a review every 18–24 months, or ahead of any major milestone (fundraise, new geography, significant headcount growth), is generally sufficient.
What is the Risk Management Committee (RMC) under SEBI LODR, and who must have one?
Regulation 21 of the SEBI LODR Regulations requires the top 1,000 listed companies by market capitalisation (as determined as of the end of the immediately preceding financial year) to constitute a Risk Management Committee, with a majority of members being members of the Board of Directors, including at least one independent director, and with the chairperson being a member of the Board of Directors. The RMC's role includes formulating a detailed risk management policy, monitoring and reviewing it periodically, and reporting to the Board.
Our Board already has an Audit Committee. Isn't that enough oversight without a separate GRC review?
An Audit Committee's statutory mandate under Section 177 focuses primarily on financial statements, the statutory audit process, and related party transactions — it does not, by itself, constitute an independent test of whether the broader risk management framework and control environment are functioning. A GRC Assurance review provides the Audit Committee with the independent evidence base it needs to discharge its own oversight role effectively, rather than relying solely on management's self-reporting.
What deliverables do we actually receive at the end of the engagement?
A written GRC Assurance report covering: an executive summary with an overall governance and risk maturity assessment; detailed findings organised by domain (governance, risk, control, compliance) with root-cause analysis; a prioritised, rated findings register; management's response and proposed remediation plan for each finding; and a recommended follow-up review timeline. This is supplemented by a live presentation to the Audit Committee or Board.
Can a startup or small private company benefit from a lighter version of this?
Yes. For an early-stage or smaller company without a near-term listing or major fundraise trigger, we typically recommend a scaled-down governance and risk-readiness conversation rather than the full multi-week programme — focused on the handful of foundational elements (a basic risk register, a simple DoA, a whistleblower channel, core financial controls) that matter most at that stage, without the cost and formality appropriate to a listed company.
How does GRC Assurance interact with our CSR Committee obligations?
Where applicable under Section 135 of the Companies Act 2013 (companies meeting the prescribed net worth, turnover, or net profit thresholds), the CSR Committee's governance — its composition, the CSR policy, and whether CSR spend is tracked, reported, and reconciled correctly — is one of the governance areas we review as part of an entity-wide GRC Assurance engagement, alongside the Audit, Nomination & Remuneration, and Risk Management Committees.
Does PNPC benchmark our governance maturity against industry peers?
Where relevant data and comparable public disclosures are available (for listed peers, primarily through public annual reports and corporate governance reports), we can provide qualitative, directional benchmarking as context for the Board — noting how your committee structure, disclosure practices, or risk framework compare to sector norms. This is offered as useful context rather than a precise quantitative score, since governance maturity depends heavily on company-specific factors.
What is the difference between a control 'design' gap and an 'operating effectiveness' gap?
A design gap means the control, as documented or intended, would not actually prevent or detect the risk it is meant to address even if performed perfectly — for example, an approval control that does not specify a monetary threshold. An operating effectiveness gap means the control is well-designed on paper but is not being consistently performed in practice — for example, approvals are required above a threshold, but our sample testing found several instances where that approval was skipped. Both are reported separately because the remediation is different: a design gap needs a redesigned control; an operating effectiveness gap needs better enforcement, training, or system automation of an already-adequate design.
Will the GRC Assurance review disrupt our day-to-day operations?
We design the engagement to minimise disruption — most of the work involves document review, interviews with process owners (typically 30–60 minutes each), and sample-based testing that does not require operational processes to pause. We schedule interviews around the availability of key personnel and typically coordinate through a single internal point of contact (often the Company Secretary or CFO's office) to manage the information flow efficiently.
Why should we choose PNPC for GRC Assurance rather than a Big 4 firm or a boutique risk consultancy?
A Big 4 firm brings brand recognition and large-team capacity, often at a substantially higher fee and with rotating junior staff on the engagement. A boutique risk consultancy may lack the Chartered Accountancy grounding to connect governance findings back to statutory obligations under the Companies Act, SEBI regulations, and tax law with full technical accuracy. PNPC combines nearly four decades of practising CA experience — including the statutory audit, tax, and FEMA/regulatory context that governance findings inevitably touch — with a senior-partner-led engagement model and a presence in both India and the UAE for group structures spanning both jurisdictions.
What does the PNPC GRC Assurance engagement include, end to end?
Scoping consultation to align objectives and right-size the review; governance structure review (Board, committees, DoA); risk register and ERM framework assessment; control design walkthroughs across material process areas; sample-based operating effectiveness testing; compliance management system review; whistleblower mechanism and fraud risk assessment; a rated, prioritised findings register with root-cause analysis; management response capture; a written report; a live presentation to the Audit Committee/Board; and a follow-up verification review within the agreed remediation period.
Is the GRC Assurance report confidential, or does it become part of any public filing?
The GRC Assurance report itself is a private document addressed to the Audit Committee/Board and is not, by default, filed with MCA, SEBI, or any regulator, and is not a public document. Separately, the Board's own Section 134(5)(e) representation in the Board's Report (which is a public filing as part of the Annual Report) may be informed by the findings of a GRC or IFC review, but the underlying detailed report itself remains an internal document unless the company chooses to disclose it or a regulator specifically requests it in the course of an inquiry.
| Feature | Big 4 / Large Firm | Boutique Risk Consultancy | PNPC Global |
|---|---|---|---|
| Statutory & tax grounding of findings | Strong technically, but engagement often led by junior staff day-to-day | Often limited — risk-framework expertise without deep CA/regulatory grounding | Senior CA-led — every finding connected to the actual Companies Act, SEBI, and tax implications |
| Engagement continuity | Frequent staff rotation across the engagement lifecycle | Variable — depends on consultancy size and retention | Same engagement partner from scoping through Board presentation and follow-up |
| Cost proportionality | Premium fee structure, often disproportionate for mid-sized private companies | Can be cost-effective but may lack assurance rigour | Right-sized scope and fee for entity stage — we recommend narrower scope when a full review is not yet warranted |
| India-UAE group coverage | Available but often via separate country teams with limited coordination | Rarely available | Single coordinated engagement across Chennai, Bangalore, Hyderabad, and Dubai offices |
| Board presentation | Often delegated to a senior manager rather than the partner | Varies by consultancy | Engagement partner presents personally to the Audit Committee/Board |
| Follow-up verification | Frequently offered as a separate, re-priced engagement | Inconsistent | Built into the engagement scope as a standard follow-up review within the agreed remediation period |
| Independence handling | Formal but can feel process-heavy for a mid-market client | May not proactively flag independence conflicts | Independence considerations raised proactively at scoping — before they become a problem |
| Ongoing relationship | Engagement-by-engagement, re-scoped each cycle | Project-based | Long-term advisory relationship spanning audit, tax, GRC, and cross-border needs since 1986 |
What the PNPC package includes
- 01
Scoping consultation to align GRC Assurance objectives with your actual regulatory triggers and business stage
- 02
Governance structure review — Board composition, committee charters, and Delegation of Authority tested against actual practice
- 03
Risk register and Enterprise Risk Management framework assessment against COSO ERM 2017 / ISO 31000 reference frameworks
- 04
Control design walkthroughs across financial, operational, compliance, and IT process areas
- 05
Sample-based operating effectiveness testing — not a paper-only policy review
- 06
Compliance management system review across applicable Companies Act, FEMA, labour, tax, and sector-specific obligations
- 07
Whistleblower mechanism and fraud risk assessment under Section 177(9) and SEBI LODR Regulation 22
- 08
Rated, prioritised findings register with root-cause analysis for each finding
- 09
Management response capture before the report reaches the Audit Committee or Board
- 10
Live presentation to the Audit Committee / Risk Management Committee / Board by the engagement partner
- 11
Follow-up verification review within the agreed remediation period to confirm actual closure
- 12
India-UAE coordinated coverage for group structures with a Dubai or overseas subsidiary
- 13
Direct access to your engagement partner — by phone and WhatsApp — for questions between formal review cycles
Give your Board a governance, risk, and control picture it can actually rely on. Speak with a PNPC engagement partner — a practising Chartered Accountant who will scope the review to your real risk profile, test what actually happens (not just what is documented), and present findings to your Audit Committee in person.