HomeServicesRisk AdvisoryProcess Mapping, Re-engineering & Control Reviews

Risk Advisory · Internal Controls & Process Improvement

Process Mapping, Re-engineering & Control Reviews

Most businesses do not lose money to fraud — they lose it quietly, every month, to broken handoffs, duplicated approvals, manual reconciliations, and controls that exist on paper but not in practice.

Chartered Accountants · Chennai · Hyderabad · Bangalore · Dubai · Since 1986

2,000+Clients since 1986
42 yrsCA practice
4Offices · India & UAE
24 hrsResponse time

Most businesses do not lose money to fraud — they lose it quietly, every month, to broken handoffs, duplicated approvals, manual reconciliations, and controls that exist on paper but not in practice. PNPC Global maps how your business actually works today, identifies where process friction and control gaps are costing you time, money, and audit findings, and re-engineers the process into something faster, better controlled, and genuinely usable by your team. This is not a generic flowcharting exercise — it is a Chartered Accountant-led review that connects process design directly to financial control, statutory compliance, and the internal financial controls your Board is required to stand behind under the Companies Act 2013.

What it costs

Govt. feesGovernment & statutory fees as applicable to your case
Professional feeFixed professional fee — confirmed in writing before we start

No hidden charges. The exact figure is set in your engagement letter.

What Process Mapping, Re-engineering & Control Reviews is

Process Mapping, Re-engineering & Control Reviews is an advisory engagement that documents an organisation's key business processes as they actually operate — not as an org chart or SOP manual claims they operate — and then evaluates each process against two lenses: efficiency (is this the fastest, least wasteful way to get the work done) and control (does this process prevent, or at least detect, error, fraud, and non-compliance). The output is a current-state process map, a gap analysis against leading practice and statutory control requirements, and a re-engineered future-state process design with the specific control points, approval matrices, and system configurations needed to operate it safely.

The discipline draws on two distinct but complementary traditions. Business Process Re-engineering (BPR), as popularised by Hammer and Champy, asks a fundamental question: if we were designing this process from scratch today, with today's technology and today's business objectives, would it look like this? It is deliberately willing to challenge process steps that exist only because 'we have always done it this way' — redundant approvals, manual data re-entry between systems, sequential steps that could run in parallel, and reconciliations that exist to catch errors a well-designed system would prevent in the first place. Internal control review, by contrast, is grounded in the control frameworks Indian companies are statutorily required to operate — Internal Financial Controls over Financial Reporting (IFC-FR) under Section 134(5)(e) and Section 143(3)(i) of the Companies Act 2013, commonly benchmarked against the COSO Internal Control–Integrated Framework, and the segregation-of-duties, authorisation, and documentation principles that any competent statutory or internal auditor will test.

In practice these two lenses reinforce each other more often than they conflict. A process with unclear ownership, undocumented exception handling, and three redundant sign-offs is usually both slow and poorly controlled — the redundant sign-offs create a false sense of control while the absence of a documented approval matrix means no one can say with confidence who is actually accountable when something goes wrong. PNPC's engagement model is built around this overlap: we do not hand a client a process-efficiency deck that ignores control risk, and we do not hand over a controls checklist that ignores the fact that an unusable process gets bypassed by staff within weeks. Every re-engineered process we design specifies the control points explicitly — segregation of duties, authorisation limits per the Delegation of Authority (DOA) matrix, three-way matching, system-enforced approval workflows, and the evidence trail an auditor will expect to see.

This service is typically engaged around a specific trigger: an internal or statutory auditor has flagged recurring process or control findings; the business has outgrown the informal, founder-driven processes that worked at a smaller scale; an ERP implementation or system migration creates a natural opportunity to redesign rather than merely digitise existing inefficiency; a merger or acquisition requires two organisations' processes to be harmonised; or the Board and Audit Committee are seeking documented assurance on IFC design ahead of a statutory audit sign-off or an investor's due diligence. Because the review sits at the intersection of operations, finance, and compliance, it is most effective when led by a team that understands not just process design but the statutory and tax consequences of getting it wrong — which is the specific vantage point a practising CA firm brings that a pure management-consulting engagement typically does not.

When a process mapping and control review engagement fits

Statutory or internal auditor has repeatedly flagged the same process or control finding — recurring findings usually indicate a process design flaw, not a one-off human error, and need re-engineering rather than another reminder memo

Rapid headcount or revenue growth has outpaced the informal, founder-driven processes that worked when the business was smaller — approvals, reconciliations, and handoffs that once fit on a WhatsApp thread now need documented ownership

Board or Audit Committee needs documented evidence of Internal Financial Controls (IFC) design and operating effectiveness under Section 134(5)(e) and Section 143(3)(i) of the Companies Act 2013 ahead of statutory audit sign-off

Preparing for a fundraise, acquisition, or IPO — a documented, controlled process environment materially de-risks financial and operational due diligence and reduces the scope for post-deal valuation adjustments

ERP implementation, system migration, or new accounting software rollout is planned — this is the single best window to re-engineer a broken process rather than digitise it as-is and carry the inefficiency forward for years

Merger, acquisition, or multi-entity integration requires two or more organisations' processes — procure-to-pay, order-to-cash, payroll — to be harmonised into one control environment

Recurring reconciliation breaks, duplicate payments, delayed month-end close, or unexplained margin or inventory variances point to an underlying process design or control gap rather than a one-off transaction error

Multi-location or multi-entity operations where management can no longer personally observe every branch, warehouse, or subsidiary and needs the process itself — not personal oversight — to carry the control

When a lighter-touch alternative may fit better

Very early-stage business with a handful of transactions per month and a founder who is still personally across every approval — a light SOP documentation exercise is often more proportionate than a full re-engineering engagement

A single, isolated process error has occurred and there is no evidence of a systemic design flaw — a root-cause review of that one incident may be sufficient without mapping the entire process landscape

The organisation is looking purely for a point-in-time statutory or tax compliance check — a compliance health-check or Internal Audit engagement targets that need more directly than a process re-engineering exercise

Management has not yet secured genuine leadership buy-in for change — a re-engineered process that leadership will not enforce reverts to the old informal way of working within weeks, wasting the engagement

The business is planning a complete platform or ERP replacement within the next few months — it is usually more efficient to design the future-state process together with the new system implementation rather than as two separate exercises

Budget and timeline only stretch to fixing one clearly identified bottleneck — a scoped, single-process improvement engagement may deliver more value per rupee than a full cross-functional review

Structure Comparison

Process Mapping & Control Review vs related assurance and advisory engagements

FeatureProcess Mapping & Re-engineeringInternal AuditIFC Review (Sec 134(5)(e))Statutory AuditERP Implementation Advisory
Primary objectiveRedesign process for efficiency + controlTest whether existing controls operate effectivelyOpine on design and operating effectiveness of IFC-FROpinion on true and fair view of financial statementsConfigure system to run the business process
OrientationForward-looking — designs the future-state processBackward-looking — tests what already happenedPoint-in-time assessment of current control designBackward-looking — annual, on completed transactionsForward-looking — system build and go-live
Typical triggerGrowth, recurring findings, M&A, ERP change, IFC gapsStatutory threshold (Sec 138) or governance requirementBoard/Audit Committee assurance requirementStatutory requirement — every company, annuallyBusiness decision to adopt or replace a system
Governing referenceCOSO framework, BPR methodology, DOA principlesSection 138 + Rule 13, Standards on Internal Audit (ICAI)Section 134(5)(e), Section 143(3)(i), Companies Act 2013Section 139–148, Standards on Auditing (SA)Vendor implementation methodology, no statutory basis
OutputCurrent-state map, gap analysis, re-engineered future-state process with control pointsAudit Committee report with rated findingsIFC documentation, RCM, testing evidence, gap remediation planIndependent Auditor's Report with an opinionConfigured, tested, live system
Who typically commissionsCFO/COO, Board, Audit CommitteeBoard, on Audit Committee recommendationBoard / Audit Committee / statutory auditor requirementShareholders at AGM, on Board recommendationCFO/CTO, IT steering committee
Relationship to the othersFeeds IFC documentation; findings often originate from Internal Audit; frequently paired with ERP rolloutOften the trigger that surfaces the need for re-engineeringRelies on process maps and RCM this engagement producesRelies on the control environment this engagement strengthensShould ideally follow, not precede, process redesign
FrequencyProject-based, revisited on major business change (typically every 2–3 years)Continuous / quarterly cycles per approved annual planAnnual, alongside statutory audit cycleAnnual, at financial year endOne-time project, with periodic upgrades

These engagements are complementary, not substitutes for one another. A mature governance environment typically runs process re-engineering as the foundation, Internal Audit as the ongoing test of whether the redesigned controls are actually operating, and IFC review and statutory audit as the annual assurance layers on top. The right sequencing and scope for your organisation should be confirmed with a practising CA based on your specific risk profile, growth stage, and audit findings history.

How it works
#Stage & What PNPC DoesWhat Generic Consultants SkipTimeline
1Scoping & Objective AlignmentWe start by clarifying why this engagement is happening now — a recurring audit finding, a growth inflection, an ERP decision, an IFC gap, or an M&A integration — because the trigger determines scope, depth, and the specific control framework we benchmark against. A vague 'review our processes' brief without a clear trigger produces a vague, low-impact deliverable.Week 1
2Process & Entity Universe MappingWe build a complete inventory of the processes, locations, and entities in scope — procure-to-pay, order-to-cash, inventory and fixed assets, payroll and HR, treasury, financial close, and any process specific to your sector — and prioritise by materiality and known risk, not an arbitrary alphabetical order.Week 1–2
3Current-State Process WalkthroughsWe sit with the actual process owners — not just the department head — and document how the process genuinely runs today, including the informal workarounds and exceptions that never made it into the SOP manual. This is where most of the real findings surface, and it is the step most frequently rushed by low-cost consultants who rely on interviewing management alone.Week 2–4
4Process Mapping — 'As-Is' DocumentationEach process is documented as a formal swimlane/flowchart showing every handoff, system touchpoint, approval, and decision point, cross-referenced to the Delegation of Authority matrix and the accounting entries each step generates. This becomes the baseline against which every future audit or system change can be measured.Week 3–5
5Gap Analysis — Efficiency & ControlEvery process step is tested against two questions: does it add value or is it redundant/duplicative, and does it prevent or detect error, fraud, or non-compliance. Gaps are classified by type — segregation-of-duties gap, missing authorisation, manual workaround masking a system limitation, redundant approval, unreconciled handoff — and rated by risk and effort to remediate.Week 4–6
6Benchmarking Against Leading PracticeWe benchmark the current-state process against the COSO Internal Control–Integrated Framework components and against how comparable businesses in your sector and scale run the same process — so recommendations are grounded in what actually works at your stage of growth, not a generic textbook ideal that assumes far larger teams and systems.Week 5–6
7Future-State Process DesignWe design the re-engineered process — eliminating redundant steps, closing control gaps, specifying the exact approval matrix and system configuration needed, and building in the evidence trail your statutory and internal auditors will expect to see. Every redesigned process includes a one-page control summary, not just a flowchart.Week 6–8
8Risk & Control Matrix (RCM) DocumentationFor each re-engineered process, we prepare a formal Risk and Control Matrix mapping identified risks to the specific controls that mitigate them — the exact artefact your statutory auditor or Internal Auditor will request when testing IFC design effectiveness under Section 143(3)(i).Week 7–8
9SOP Drafting & DOA AlignmentThe future-state process is translated into a usable Standard Operating Procedure document, and the Delegation of Authority matrix is updated to reflect any changed approval thresholds or ownership — an SOP that contradicts the DOA matrix is a control gap in itself, and we ensure the two are consistent.Week 8–9
10Management Presentation & Sign-offFindings and the future-state design are presented to management and, where relevant, the Audit Committee — with an honest assessment of implementation effort, sequencing, and any system dependency — before a single process changes. We do not hand over a report and walk away; we secure explicit sign-off on the implementation roadmap.Week 9–10
11Implementation Support & Change ManagementRe-engineered processes fail without change management — we support the rollout with process owner training, updated approval workflows in your ERP/accounting system where applicable, and a defined cut-over date so the old and new process do not run in parallel indefinitely.Week 10–14, project-dependent
12Post-Implementation TestingApproximately 60–90 days after go-live, we test whether the redesigned controls are actually operating as designed — not just whether the SOP was signed — using the same sampling discipline an Internal Auditor would apply. Gaps found here are cheap to fix; gaps found a year later, in a statutory audit, are not.60–90 days post go-live
13Handover to Ongoing Internal Audit / Compliance CalendarThe RCM and process documentation this engagement produces becomes the foundation for your ongoing Internal Audit programme (where applicable) and IFC documentation — we hand over a living set of documents your team and your auditors can use going forward, not a one-time report that gathers dust.Project close

Realistic timeline for a focused single-process review: 6–8 weeks from scoping to future-state design sign-off. A multi-process, multi-location engagement (e.g., procure-to-pay plus order-to-cash plus payroll across 3 locations) typically runs 10–16 weeks end-to-end including implementation support. Post-implementation testing is best scheduled 60–90 days after go-live to give the redesigned process time to bed in.

Document Checklist
Corporate & Governance Documents

Certificate of Incorporation, Memorandum & Articles of Association, and group/holding structure chart for entities in scope

Board and Audit Committee composition, terms of reference, and minutes of the last 4–6 meetings referencing process or control matters

Existing Delegation of Authority (DOA) matrix — approval limits by role, transaction type, and value

Any prior internal audit, statutory audit management letter, or IFC review findings relating to the processes in scope

Organisation chart and reporting lines for the functions being reviewed

Existing Process & SOP Documentation

Any existing Standard Operating Procedures (SOPs), process manuals, or workflow diagrams for the processes in scope

System-generated workflow configuration exports where approvals are routed through an ERP or accounting system

Job descriptions for roles involved in the processes under review, to map segregation of duties

List of exceptions, workarounds, or manual overrides currently in use that are not captured in formal SOPs

Any change-management or process-improvement initiatives attempted in the last 2–3 years, including why they succeeded or stalled

Financial & Transactional Records

Trial balance and general ledger extracts for the period covering the processes in scope

Sample purchase orders, sales invoices, goods receipt notes, delivery challans, and payment vouchers for the review period

Bank statements and bank reconciliation statements for accounts relevant to the processes reviewed

Reconciliation reports (vendor, customer, inventory, inter-company) for the review period, including any recurring unreconciled items

Details of duplicate payments, write-offs, or unexplained variances identified in the last 12 months

IT & Systems Environment

List of ERP/accounting systems and other business applications supporting the processes in scope, including hosting environment

System user-access matrix — who has access to which modules and at what permission level, for the processes under review

Details of any system limitations currently being worked around manually (e.g., approvals outside the system, spreadsheet-based tracking)

IT change-management log for any recent modifications to workflow, approval configuration, or master data controls

Compliance & Regulatory Records

GST returns, TDS returns, PF/ESI challans, and other statutory filings connected to the processes in scope, where relevant to control design

List of licences, registrations, and regulatory approvals whose compliance depends on the process being reviewed

Details of any regulatory notice, show-cause, or penalty in the last 3 years traceable to a process or control gap

Related-party transaction records and supporting Board/shareholder approvals under Section 188, where the process touches related parties

People & Stakeholder Access

Access to process owners and operational staff for walkthrough interviews — not management summaries alone

Availability of the Audit Committee/Board sponsor for scoping and final sign-off meetings

Contact details for the IT/ERP team, where system reconfiguration will be part of the re-engineered process

Nomination of an internal project coordinator to schedule interviews, gather documents, and track implementation actions

Ongoing obligations
PhaseTriggered ByPNPC CA GuidanceRisk If Ignored
Scoping & Discovery (Week 1–4)Decision to commission the reviewObjective alignment, process universe mapping, and current-state walkthroughs with actual process owners — not management summaries alone. This is where undocumented workarounds and true segregation-of-duties gaps surface.Scoping based on management's assumption of how a process runs, rather than reality, produces a redesign that misses the actual failure points and gets rejected by staff at rollout.
Design (Week 4–9)Gap analysis completeFuture-state process design, Risk and Control Matrix (RCM) documentation, and SOP/DOA alignment — every redesigned process specifies exact approval points, system configuration, and the evidence trail auditors will expect.A redesign that improves efficiency but does not explicitly document control points produces a process that is fast but still fails an IFC or Internal Audit test — and needs to be redone.
Implementation (Week 9–14)Management sign-off on future-state designChange management support — process owner training, updated system approval workflows, and a defined cut-over date so old and new processes do not run in parallel indefinitely.Re-engineered processes without change management revert to the old informal way of working within weeks — staff bypass the new controls under time pressure, and the engagement's value is lost.
Post-Implementation Testing (Day 60–90 post go-live)Redesigned process has been live for a full operating cycleSample testing of whether the redesigned controls are actually operating as designed, using the same rigour an Internal Auditor would apply — gaps are cheap to fix at this stage.Skipping post-implementation testing means the first real test of the new process is the next statutory or internal audit — by which time any gap has already generated a finding, and possibly a financial misstatement.
Ongoing Monitoring (Annual Cycle)Handover to Internal Audit / compliance calendarThe RCM and process documentation feed directly into the ongoing Internal Audit programme (Section 138, where applicable) and the annual IFC assessment under Section 134(5)(e) and Section 143(3)(i).Process documentation that is not maintained goes stale within a year as staff, systems, or volumes change — the next audit tests a process that no longer matches what is documented, generating avoidable findings.
Business Change Trigger (As Needed)Growth, M&A, ERP change, new regulationAny material change — a new product line, an acquired entity, an ERP migration, a new regulatory requirement — is reviewed against the existing process design before go-live, not discovered as a gap afterward.Processes designed for yesterday's scale and yesterday's regulation quietly become tomorrow's audit finding, control failure, or compliance penalty as the business changes underneath them.
Full Re-assessment (Every 2–3 Years)Scheduled review or significant drift observedA full current-state re-mapping and gap analysis, comparable to the original engagement, to catch the cumulative informal drift that occurs even in well-run organisations over a multi-year period.Even well-controlled processes drift as people change roles and informal shortcuts creep back in; skipping periodic re-assessment allows small deviations to compound into a materially weaker control environment.
Frequently asked
What exactly is Business Process Re-engineering, in plain terms?

It is the deliberate redesign of how a piece of work gets done — from the moment it starts to the moment it finishes — with the explicit goal of making it faster, less error-prone, and better controlled. Rather than tweaking an existing process at the margins, it asks whether the process would look the same if you were designing it today, from scratch, with your current team size, systems, and objectives. Very often the honest answer is no — and the redesign removes steps that exist only because 'we have always done it this way'.

Practitioner noteThe phrase 're-engineering' sometimes worries clients into thinking this means mass layoffs or a complete operational overhaul. In practice, most engagements we run tighten and clarify an existing process rather than replace it wholesale — the goal is a process your team can actually follow, not a theoretical ideal no one will use.
How is this different from just hiring a management consultant to improve our operations?

A general management consultant typically optimises for speed and cost. PNPC's engagement is led by practising Chartered Accountants, which means every redesigned process is evaluated simultaneously against the internal financial control requirements your Board is statutorily accountable for under Section 134(5)(e) and Section 143(3)(i) of the Companies Act 2013, and against the tax and GST consequences the process touches — TDS deduction points, GST input credit reconciliation, related-party transaction approvals under Section 188. A process that is fast but breaks a statutory control requirement is not actually an improvement.

Practitioner noteWe have taken over engagements that a pure operations consultant designed beautifully for speed but that created a segregation-of-duties gap the statutory auditor flagged within the first quarter of rollout. Efficiency and control cannot be designed separately.
Is this the same as an Internal Audit?

No, though the two are closely related and often feed each other. Internal Audit tests whether existing controls are operating effectively — it looks backward at what has already happened, typically through sampling. Process Mapping and Re-engineering looks forward — it redesigns the process itself, including the control points, before testing whether it operates correctly. In practice, recurring Internal Audit findings are one of the most common triggers for commissioning a process re-engineering engagement, and the Risk and Control Matrix this engagement produces becomes a key input into the next Internal Audit cycle.

Practitioner noteWe frequently recommend running process re-engineering first for a process with recurring findings, and letting the ongoing Internal Audit programme test whether the redesign actually held — rather than repeatedly auditing a process everyone already knows is broken.
Which processes typically get reviewed in an engagement like this?

The most common candidates are procure-to-pay, order-to-cash, inventory and fixed-asset management, payroll and HR onboarding/exit, treasury and banking operations, and the month-end/year-end financial close. Sector-specific processes are added depending on the business — shop-floor production controls for manufacturers, project accounting for real estate and construction, loan origination and collections for NBFCs, or reconciliation between marketplace and books for e-commerce businesses. We scope the specific list with you at the start of the engagement based on where the pain or risk is greatest.

Practitioner noteWe rarely recommend reviewing every process in the business at once unless the organisation is preparing for a major event like an IPO or acquisition. A focused review of 1–3 high-risk processes, done properly, delivers more usable value than a shallow review of everything.
How long does a typical engagement take?

A focused review of a single process — say, procure-to-pay at one location — typically runs 6–8 weeks from scoping to a signed-off future-state design. A multi-process, multi-location engagement, such as procure-to-pay plus order-to-cash plus payroll across three branches, typically runs 10–16 weeks end-to-end including implementation support. Post-implementation testing is best scheduled 60–90 days after go-live, once the redesigned process has had time to bed in under real operating conditions.

Practitioner noteThe single biggest variable affecting timeline is stakeholder availability — process owner interviews cannot be compressed below a certain point without losing quality. We build the interview schedule with your team upfront to avoid weeks lost to calendar conflicts.
What does the final deliverable actually look like?

You receive a current-state process map (swimlane/flowchart format), a gap analysis document classifying each finding by type and risk rating, a future-state process design with explicit control points and an updated Delegation of Authority matrix, a formal Risk and Control Matrix (RCM) mapping risks to mitigating controls, and an updated SOP document your team can actually follow. Where the review touches an ERP or accounting system, we also provide the specific workflow/approval configuration required to enforce the new design in the system, not just on paper.

Practitioner noteThe RCM in particular tends to have a long shelf life beyond the immediate engagement — it becomes the reference document your statutory auditor, internal auditor, and any future investor's due diligence team will ask for.
We already have SOP documents for most of our processes. Do we still need this?

Often, yes — the gap we most commonly find is between the documented SOP and how the process actually runs day to day. Staff develop workarounds when a system limitation, an unavailable approver, or a genuine process flaw makes the documented steps impractical, and these workarounds rarely make it back into the SOP. A walkthrough with actual process owners, not just a read of the existing document, is the only reliable way to find this gap — which is exactly what our current-state mapping step is designed to surface.

Practitioner noteWe have reviewed SOP manuals that were technically excellent documents describing a process that no longer existed in practice — sometimes for years. The SOP being well-written is not evidence the process is well-controlled.
Do you only work with large companies, or is this relevant for a smaller, growing business too?

It is highly relevant for growing businesses specifically — this is usually the exact inflection point where informal, founder-driven processes stop scaling. A business that has grown from 10 to 80 employees in two years, or added a second location, often finds that approvals which used to happen over a quick conversation now need a documented, system-enforced process because the founder can no longer personally review every transaction. Catching this early, before a statutory audit finding or an investor due diligence process surfaces it, is materially cheaper than fixing it under pressure later.

Practitioner noteWe scale the engagement to the business — a growing startup does not need the same depth of review as a listed company, but the underlying discipline of mapping, gap analysis, and redesign is the same regardless of size.
How does this connect to Internal Financial Controls (IFC) that our Board has to certify?

Under Section 134(5)(e) of the Companies Act 2013, the Board's report must state that the company has laid down internal financial controls and that these controls are adequate and were operating effectively. Under Section 143(3)(i), the statutory auditor must separately opine on the adequacy and operating effectiveness of the company's internal financial controls over financial reporting — though a private company that is not a subsidiary or holding company of a public company, and that meets the small-turnover and low-borrowing conditions specified in the MCA's Companies (Audit and Auditors) Rules exemption, is excluded from this specific auditor-reporting requirement (the Board's own obligation under Section 134(5)(e) still applies). Whether your company qualifies for that exemption should be confirmed with your statutory auditor. Both requirements depend on having documented processes and a Risk and Control Matrix that ties specific risks to specific controls — which is precisely the artefact this engagement produces. Without it, the IFC assessment each year becomes a rushed, undocumented exercise that is difficult for the Board to stand behind with confidence.

Practitioner noteWe see IFC assessments done as a last-minute annual scramble far too often — a documented RCM built once and refreshed annually turns this into a much lighter, more defensible exercise every year rather than a fire drill.
What is a Risk and Control Matrix (RCM) and why does it matter so much?

An RCM is a structured document that lists, for each process, the specific risks that could occur (e.g., payment made to a fictitious vendor, revenue recognised before delivery, inventory shrinkage going undetected) alongside the specific control that is designed to prevent or detect that risk (e.g., three-way match between purchase order, goods receipt, and invoice before payment approval). It is the standard artefact statutory auditors and internal auditors use to test control design and, subsequently, operating effectiveness. Without a documented RCM, every audit cycle has to reconstruct this mapping from scratch through interviews — slower, less consistent, and more prone to gaps being missed.

Practitioner noteA well-built RCM is reusable for years with periodic updates — it is one of the highest-leverage documents an organisation can invest in once, because every future audit, investor review, and system change references it.
Can this engagement be combined with an ERP implementation or migration?

Yes, and it is one of the most effective times to run it. Implementing a new ERP or accounting system without first re-engineering the underlying process typically results in the new system simply automating the old inefficiency — the same redundant approvals and manual workarounds, just inside a more expensive system. Running process re-engineering ahead of or alongside the system implementation means the future-state process design directly informs how the new system's workflows, approval hierarchies, and access controls are configured.

Practitioner noteWe have seen organisations spend significant budget on an ERP rollout only to recreate every inefficiency of their old Excel-based process inside the new system, because no one paused to ask whether the process itself needed to change first. Sequencing this correctly saves real money.
What is segregation of duties, and why does it come up so often in these reviews?

Segregation of duties is the principle that no single individual should control every stage of a transaction — initiation, approval, custody of the asset, and recording — because a single person controlling all stages creates both fraud opportunity and error risk that no one else is positioned to catch. It is one of the most fundamental internal control principles and one of the most common gaps we find in growing businesses, where a small finance team means the same person raises a payment, approves it, and reconciles the bank statement. Re-engineering typically resolves this either by redistributing responsibilities across existing staff or, where headcount genuinely does not allow it, by introducing a compensating control such as a mandatory secondary review.

Practitioner noteIn genuinely small teams where full segregation is not realistic, we design compensating controls rather than recommending headcount the business cannot yet justify — the goal is proportionate control, not a textbook ideal that ignores your actual constraints.
How do you handle a process that spans multiple locations or entities?

We map each location's variant of the process separately during the current-state walkthrough stage, because processes that are supposedly 'standardised' across locations frequently diverge in practice — different approval thresholds, different documentation habits, different system usage. The future-state design then either harmonises the process into one standard version applied everywhere, or, where a genuine business reason requires local variation, documents the variation explicitly with its own control points rather than leaving it undocumented.

Practitioner noteMulti-location divergence is one of the most common — and most consistently underestimated — sources of control failure we encounter. Head office often assumes branch processes mirror the documented SOP; they frequently do not.
Does the review cover IT and system controls, or only manual/paper processes?

Both. Most processes today run through some combination of manual steps and system workflows, and a control that exists on paper but is not enforced by the system (or vice versa) is a common gap. We review the system access matrix, workflow configuration, and any manual workarounds being used to bypass a system limitation, alongside the manual approval and documentation steps. Where IT general controls (user access management, change management, backup and business continuity) are materially relevant to the process, we flag them, though a dedicated ITGC/IS audit is a separate, deeper engagement if that is the primary concern.

Practitioner noteA very common finding: a system technically enforces an approval workflow, but staff have found a manual override or a parallel spreadsheet process to bypass it when the system approver is unavailable. The system control exists on paper; it does not exist in practice.
What does 'gap analysis' actually involve — how do you decide something is a gap?

Each documented process step is tested against two questions: first, does this step add genuine value, or is it redundant, duplicative, or a manual workaround for a system limitation; second, does this step prevent or detect error, fraud, or non-compliance, and is that control actually operating as intended (not just documented). Gaps are then classified by type — segregation-of-duties gap, missing or informal authorisation, unreconciled handoff between systems or teams, redundant approval that adds delay without adding control — and rated by risk severity and the effort required to remediate.

Practitioner noteWe deliberately separate efficiency findings from control findings in the final report, because they often require different owners to fix — an operations head can usually fix a redundant approval step, while a control gap may need Board or Audit Committee sign-off on a policy change.
How much does this typically cost, and how is it priced?

PNPC prices this as a fixed-fee, scope-defined engagement — the fee depends on the number of processes, locations, and entities in scope, and whether implementation support and post-implementation testing are included. The exact fee and scope are confirmed in writing before any work begins, following the scoping conversation. We are not the cheapest option in the market; the value is in a CA-led review that connects process efficiency directly to statutory control obligations, not a generic operations consulting deliverable.

Practitioner noteAsk for a written scope and fee letter that specifies exactly which processes and locations are included before engaging any firm for this kind of work — 'process review' can mean very different things, and a vague scope is the most common source of client dissatisfaction with this type of engagement industry-wide.
Who from our organisation needs to be involved, and how much of their time does it take?

The engagement needs genuine access to the actual process owners and operational staff who perform the work daily — not just a summary from the department head — because that is where the real gaps and workarounds surface. Typically this means a series of structured interviews of 60–90 minutes per process per location during the discovery phase, plus availability for a validation session once the current-state map is drafted, and sign-off meetings with the Audit Committee/Board sponsor at scoping and at future-state design approval. We schedule this to minimise disruption, but genuine engagement from process owners is not optional for a credible outcome.

Practitioner noteEngagements where only management is interviewed and process owners are bypassed consistently produce weaker, less accurate current-state maps. We insist on direct process-owner access as a condition of the engagement.
What happens if we implement the recommendations but staff go back to the old way of working?

This is the single most common reason a re-engineering exercise fails to deliver value, and it is why our engagement explicitly includes implementation support and change management — process owner training, a defined cut-over date so the old and new process do not run in parallel indefinitely, and post-implementation testing 60–90 days after go-live to confirm the new process is actually being followed, not just that the SOP was signed off. A redesign without this follow-through is, in our experience, reliably abandoned under the first real deadline pressure.

Practitioner noteWe treat post-implementation testing as a non-negotiable part of the engagement, not an optional add-on — a beautifully designed process that reverts to the old way of working within weeks has delivered zero value for the fee paid.
Is process re-engineering mandatory under any Indian statute?

There is no standalone statute that mandates 'process re-engineering' as a named exercise. However, the underlying obligation to maintain adequate and effective internal financial controls is a statutory requirement under Section 134(5)(e) and Section 143(3)(i) of the Companies Act 2013, and companies crossing the thresholds under Section 138 read with Rule 13 of the Companies (Accounts) Rules, 2014 must maintain an Internal Audit function that will test those controls. Process mapping and re-engineering is the practical mechanism by which many organisations actually meet these underlying statutory obligations, even though the exercise itself is not separately named in the law.

Practitioner noteWe are careful never to imply this exercise is itself a standalone statutory filing requirement — it is the practical work that makes your genuine statutory obligations under Sections 134 and 143 defensible and real, rather than a paper exercise.
How is this relevant to a company preparing for a fundraise or acquisition?

Financial and operational due diligence in a fundraise or acquisition routinely tests exactly the things this engagement documents — segregation of duties, approval trails, reconciliation discipline, and whether controls described to the investor actually operate as described. A documented process environment with a current Risk and Control Matrix materially shortens diligence timelines and reduces the scope for the investor's advisers to raise findings that get used to negotiate a lower valuation or additional warranties. Undertaking this review proactively, well before a term sheet, is significantly cheaper and less stressful than doing it reactively under diligence deadline pressure.

Practitioner noteWe have supported multiple clients through diligence where a prior process re-engineering engagement meant the diligence team's control-related questions were answered by handing over an existing RCM, rather than scrambling to document processes for the first time under a two-week deadline.
Does PNPC also implement the recommended system changes, or only recommend them?

PNPC's core deliverable is the process design, the RCM, and the SOP/DOA documentation, along with change management support for rollout. Where system reconfiguration is required — updating an ERP's approval workflow, for example — we specify the exact configuration needed and work alongside your IT team or ERP implementation partner to ensure it is built correctly; PNPC is not typically the party doing the hands-on system coding itself unless that is separately scoped as part of a broader engagement.

Practitioner noteWe are explicit about this division of labour at scoping stage so there is no ambiguity about who is responsible for what — a process design that is never actually configured into the system delivers no control benefit.
What is the difference between a control gap and an efficiency gap, and does it matter which is which?

A control gap is a point in the process where error, fraud, or non-compliance could occur, or already has occurred, without being reliably prevented or detected — for example, a payment approved by the same person who raised it. An efficiency gap is a point where the process is slower or more resource-intensive than necessary without adding any corresponding control benefit — for example, three sequential sign-offs for a routine, low-value purchase order. The distinction matters because control gaps are generally the higher priority to fix and are the ones your auditors will test, while efficiency gaps affect cost and speed but not, on their own, financial statement integrity.

Practitioner noteWe rate every finding separately on both dimensions in the gap analysis report, because a process can be simultaneously over-controlled in low-risk areas (wasting time) and under-controlled in high-risk areas (creating real exposure) — the fix for each is different.
Can this review help us identify where fraud or cash leakage might be occurring?

The process mapping and control gap analysis frequently surfaces the structural weaknesses — missing segregation of duties, unreconciled handoffs, informal approval overrides — that create the opportunity for fraud or leakage to occur, and closing those gaps is a genuine preventive benefit. However, this engagement is not a forensic investigation: if you already suspect a specific fraud has occurred, a targeted forensic audit engagement with evidence-gathering standards appropriate for potential legal or disciplinary action is the more precise tool, and we would recommend that route instead or alongside this one.

Practitioner noteWe are careful to distinguish these two engagement types with clients upfront — a preventive control review and a fraud investigation have different objectives, different methodologies, and different standards of evidence, and conflating them under-serves both.
How often should we revisit process maps once they are documented?

A full re-assessment is generally advisable every 2–3 years, or sooner if triggered by a material business change — a new product line, an acquired entity, an ERP migration, a significant headcount increase, or a new regulatory requirement affecting the process. Even well-controlled processes drift over time as people change roles and informal shortcuts creep back in; the documentation itself should also be reviewed annually as part of the ongoing Internal Audit or IFC assessment cycle, even without a major trigger event.

Practitioner noteWe build a lightweight annual 'is this still accurate' check into our ongoing client relationships specifically to catch this drift early, rather than discovering it only at the next full re-assessment cycle.
What is the COSO framework, and do we need to formally adopt it?

The Committee of Sponsoring Organizations of the Treadway Commission (COSO) Internal Control–Integrated Framework is the most widely referenced framework globally for designing and evaluating internal controls, structured around five components — control environment, risk assessment, control activities, information and communication, and monitoring activities. Indian statutory and internal auditors commonly benchmark IFC assessments against COSO's structure, even though the Companies Act itself does not mandate COSO by name. You do not need to formally 'adopt' COSO as a certification; we use it as the reference structure to ensure the control environment we design is complete and defensible against what an auditor will expect to see.

Practitioner noteClients occasionally ask whether they need COSO 'certification' — there is no such certification to obtain. COSO is a reference framework, not a compliance credential, and we use it as a design and benchmarking tool rather than something to formally register for.
Will this engagement disrupt our day-to-day operations while it is underway?

The discovery and design phases require structured interview time from process owners but do not require operations to pause — walkthroughs are scheduled around the team's existing workload, and current processes continue to run unchanged until the future-state design is signed off and a deliberate cut-over is planned. Some short-term disruption is expected during the actual implementation and change-management phase, as staff learn the new process, which is why we recommend a defined cut-over date and, where practical, a phased rollout rather than switching every process simultaneously.

Practitioner noteWe deliberately avoid recommending a 'big bang' simultaneous rollout of multiple redesigned processes unless the organisation specifically has the change-management capacity for it — a phased approach almost always sticks better.
Do you provide this service for businesses in the UAE as well as India?

Yes. PNPC has offices in Chennai, Bangalore, Hyderabad, and Dubai, and the underlying methodology — process mapping, gap analysis, control redesign — applies equally in the UAE, adapted to the relevant regulatory context, including UAE Corporate Tax record-keeping requirements, VAT compliance touchpoints, and any sector-specific regulation (financial free zones, DIFC/ADGM entities, and so on). For groups with both an Indian and a UAE entity, we can run a coordinated review across both jurisdictions under one engagement rather than splitting the work between two separate advisers who never compare notes.

Practitioner noteFor India-UAE groups, inter-company processes — transfer pricing documentation, cross-border payment approvals, consolidated reporting — are a common area where control gaps hide precisely because no single adviser has visibility into both sides of the transaction. We are positioned to see both.
What is the single biggest mistake companies make when trying to do this themselves without external help?

The most common mistake is documenting the process as management believes it runs, based on the original SOP or an interview with the department head, rather than walking the floor with the actual staff performing the work. The second most common mistake is treating the exercise as a documentation project rather than a redesign project — producing a beautiful flowchart of the existing broken process instead of asking whether the process itself needs to change. Both mistakes produce a deliverable that looks professional but does not close the actual gaps.

Practitioner noteAn external, CA-led review also brings something internal teams structurally cannot: staff are candid with an outside reviewer about workarounds and informal shortcuts in a way they rarely are in an internal review led by their own management chain.
Can a smaller version of this be done as a quick diagnostic before committing to a full engagement?

Yes. We can run a scoped diagnostic review — typically a 1–2 week rapid assessment of one or two priority processes — to surface the most material gaps and give management and the Board a clear, evidence-based business case for whether a fuller engagement is warranted, and at what scope. This is a common and sensible way to start for organisations that are not yet certain how deep the issue runs.

Practitioner noteWe recommend this diagnostic route whenever a client is uncertain about scope — it is a modest investment that produces a much better-informed decision about the full engagement, rather than committing to a large scope upfront on a guess.
How do you ensure the redesigned process actually reduces, not adds, work for our team?

This is one of the explicit design tests we apply — a re-engineered process that adds steps or approval layers without a corresponding, clearly articulated control justification has failed the efficiency half of the brief, regardless of how well-controlled it looks on paper. Wherever we recommend a new control point, we identify what it replaces or consolidates elsewhere in the process, so the net effect on the team's workload is transparent and, in most well-executed engagements, net-positive rather than simply additive.

Practitioner noteWe show clients a before/after step-count and approval-count comparison as part of the future-state design presentation specifically so this trade-off is visible and discussable, not just asserted.
What qualifications does the team conducting this review actually have?

PNPC's process and control review engagements are led by Chartered Accountants with practising experience in statutory audit, internal audit, and IFC assessment, supported by team members with relevant sector and systems experience where the engagement requires it (for example, ERP-specific expertise for a system-heavy process review). This CA-led structure is deliberate — it ensures the process redesign is evaluated not just for operational efficiency but for its statutory and tax consequences from the outset, rather than those consequences being discovered later by a separate auditor.

Practitioner noteWe are candid with prospective clients that a general management consultancy without CA-qualified leadership can absolutely improve process speed — what it typically cannot do as reliably is anticipate exactly how a redesigned approval workflow interacts with Section 40(a)(ia) TDS disallowance risk or GST input credit timing, because that requires practising tax and audit experience alongside process design skill.
Why should we engage PNPC rather than a generic process-consulting firm?

A generic process consultant optimises for speed and cost reduction. PNPC is a practising Chartered Accountancy firm with four decades of statutory audit, internal audit, and tax practice — which means the process we design for you is evaluated simultaneously against the Companies Act control requirements your Board must certify, the tax and GST consequences embedded in the transaction flow, and the documentation your next statutory or internal auditor will actually test. We do not hand you a report and disappear; we support implementation, test post-go-live whether the redesign held, and hand the Risk and Control Matrix over to your ongoing Internal Audit and IFC programme so the investment compounds year after year rather than expiring the day the report is delivered.

Practitioner noteClients who come to us after a generic consulting engagement often have a polished flowchart binder and the same control gaps they started with, because the redesign was never connected to what their statutory auditor would actually test. We build that connection in from day one.
Why PNPC Global

PNPC Global vs typical alternatives for process mapping and control review work

DimensionGeneric Management ConsultantIn-House Project TeamPNPC Global
Statutory control lens (Sec 134(5)(e), 143(3)(i))Rarely built in — efficiency-only focusDepends entirely on in-house expertise availableBuilt in by default — CA-led from scoping onward
Tax and GST consequence awareness in process designTypically outside scopeDepends on internal finance team's depthIntegrated — same firm handles your tax and audit work
Actual process-owner walkthroughs vs management interviews onlyVaries by firm and engagement price pointInternal bias — staff less candid with own managementStandard practice — direct floor-level access is non-negotiable
Risk and Control Matrix (RCM) handed over as reusable artefactNot always a standard deliverableRarely formalised without external structureStandard deliverable, feeds ongoing Internal Audit/IFC cycle
Post-implementation testing (60–90 days)Frequently an unscoped extraRarely done systematically without a pushIncluded as a non-negotiable part of the engagement
India + UAE coordinated capabilityRare — most are India-only or UAE-onlyNot applicable for cross-border groupsOffices in Chennai, Bangalore, Hyderabad, and Dubai
Continuity into next year's audit and compliance cycleEngagement typically ends at report deliveryDepends on staff retention and documentation disciplineRCM and SOPs handed to ongoing retainer, audit, and compliance work

What the PNPC package includes

  1. 01

    Scoping and objective alignment session to confirm the trigger, priority processes, and success criteria before any fieldwork begins

  2. 02

    Current-state process walkthroughs conducted directly with process owners, not management summaries alone

  3. 03

    Formal swimlane/flowchart process maps cross-referenced to your Delegation of Authority matrix

  4. 04

    Gap analysis rating every finding on both efficiency and control dimensions, benchmarked against the COSO framework

  5. 05

    Future-state process redesign with explicit control points, approval matrices, and system configuration requirements

  6. 06

    Formal Risk and Control Matrix (RCM) — the reusable artefact your statutory and internal auditors will reference for years

  7. 07

    Updated SOP documentation and DOA alignment so the process on paper matches the process in practice

  8. 08

    Implementation and change-management support through go-live, including process owner training

  9. 09

    Post-implementation testing 60–90 days after rollout to confirm the redesigned controls are genuinely operating

  10. 10

    Direct handover of documentation into your ongoing Internal Audit programme and annual IFC assessment cycle

Talk to a PNPC Chartered Accountant before your next audit finding repeats itself — book a scoping conversation and get a clear view of what your process gaps are actually costing you.

← Back to Risk Advisory
Talk to a CA