Risk Advisory · Risk Advisory Services
Business Continuity & Fraud Risk Assessments
Business Continuity & Fraud Risk Assessments answer two related but distinct questions your Board needs answered with evidence, not assumption: can this organisation keep operating through a disruption — a cyber incident, a key-vendor failure, a facility loss, a regional event — and where, specifically, is this organisation exposed to fraud because of how its people, processes, and controls are actually structured.
Chartered Accountants · Chennai · Hyderabad · Bangalore · Dubai · Since 1986
Business Continuity & Fraud Risk Assessments answer two related but distinct questions your Board needs answered with evidence, not assumption: can this organisation keep operating through a disruption — a cyber incident, a key-vendor failure, a facility loss, a regional event — and where, specifically, is this organisation exposed to fraud because of how its people, processes, and controls are actually structured. At PNPC Global, we do not hand you a generic BCP template or a fraud-risk checklist copied from a textbook. We map your actual critical processes, your actual single points of failure, and your actual fraud triangle exposure — opportunity, pressure, and rationalisation — as they exist in your business today, and we give your Audit Committee a prioritised, evidence-based view of what could go wrong and what it would take to keep the business running or to catch it early.
What it costs
No hidden charges. The exact figure is set in your engagement letter.
A Business Continuity & Fraud Risk Assessment is a combined advisory and assurance engagement that evaluates two adjacent risk domains together because they share a common root cause: an organisation that has not systematically mapped its critical dependencies is usually the same organisation that has not systematically mapped where its controls can be overridden. Business continuity assessment identifies the processes, systems, people, vendors, and facilities that are critical to keeping the organisation operating, quantifies the Recovery Time Objective (RTO — how quickly a process must be restored) and Recovery Point Objective (RPO — how much data loss is tolerable) for each, and tests whether the Business Continuity Plan (BCP) and Disaster Recovery Plan (DRP) that exist on paper would actually work if invoked. Fraud risk assessment applies the internationally recognised Fraud Triangle framework (opportunity, pressure/incentive, and rationalisation) and the COSO Internal Control – Integrated Framework's fraud risk principle to identify where the organisation's control environment, segregation of duties, and oversight create genuine opportunity for asset misappropriation, financial statement fraud, or corruption — not as a theoretical exercise, but tested against actual transaction data, actual approval workflows, and actual access rights.
The two assessments are run together, and PNPC deliberately packages them as one engagement, because a mature risk conversation treats operational resilience and fraud exposure as facets of the same underlying question: does this organisation's control and governance environment actually work the way management believes it does? A single point of failure in a critical vendor relationship and a segregation-of-duties gap in the payables process are both, at their core, failures of the same discipline — systematic identification and mitigation of material risk. Running both assessments together also surfaces overlap that a siloed review would miss: a business continuity gap around IT access management, for instance, is frequently also a fraud-enabling gap, because the same weak access control that could cause a prolonged system outage also allows an employee with excessive system privileges to manipulate records undetected.
The statutory and governance backdrop in India makes this more than a best-practice conversation for many organisations. Section 134(5)(e) of the Companies Act 2013 requires directors of applicable companies to state that the company has adequate internal financial controls and that such controls were operating effectively during the year — a representation that is difficult to make in good faith without having identified and assessed fraud risk. SEBI's Listing Obligations and Disclosure Requirements (LODR) Regulations require the Risk Management Committee of the top 1,000 listed companies by market capitalisation (Regulation 21) to address business continuity within its risk management policy explicitly, alongside cybersecurity and information security risks. Section 143(12) of the Companies Act obligates the statutory auditor to report suspected fraud above a prescribed threshold to the Central Government or Audit Committee — a reporting trigger that is far less likely to arise as a surprise when a structured fraud risk assessment has already mapped the organisation's exposure. Standards on Auditing, particularly SA 240 (The Auditor's Responsibilities Relating to Fraud in an Audit of Financial Statements), similarly place an explicit obligation on management and those charged with governance to design and implement controls to prevent and detect fraud — an obligation that a documented fraud risk assessment directly supports.
For unlisted and family-owned businesses, the driver is usually more immediate and practical: a key-person dependency that nobody has mapped, a critical vendor with no contingency, a finance team small enough that segregation of duties is structurally difficult, or a near-miss incident that revealed how little visibility management actually had into either operational resilience or fraud exposure. A well-run assessment does not end with a report that gets filed away — it ends with a prioritised remediation roadmap, a tested (not merely written) BCP, and control changes that close the specific fraud opportunities identified, each assigned an owner and a realistic timeline that the Audit Committee can track.
When this engagement is the right call
Listed company whose Risk Management Committee under SEBI LODR Regulation 21 must demonstrate that business continuity and fraud risk are addressed within its formal risk management policy, not just referenced in passing
Board or Audit Committee about to sign the Section 134(5)(e) internal financial controls adequacy statement and wants an independent, evidence-based view of fraud exposure before making that representation
Organisation that has never formally mapped its critical processes, key-person dependencies, or single points of failure and genuinely does not know how long it could operate through a major disruption
Company that has experienced a near-miss — a failed vendor, a ransomware attempt, a data centre outage, a suspected internal fraud — and wants a structured assessment rather than an ad hoc fix to the specific incident
Business with a lean finance or operations team where segregation of duties is structurally constrained and management wants to understand and mitigate the resulting fraud opportunity rather than ignore it
Organisation preparing for a fundraise, acquisition, or strategic sale where institutional investors and diligence teams will specifically probe both operational resilience and fraud control maturity
Company with a written BCP or DRP document that has never actually been tested through a tabletop exercise or simulated failover, and where management is not confident it would work if invoked
Group structure with a UAE or overseas subsidiary where continuity planning and fraud control standards across entities have never been assessed on a consistent basis
When a narrower or different engagement fits better
You need to investigate a specific, already-suspected fraud incident — identify what happened, who was involved, and quantify the loss — that is a targeted Forensic Audit, which moves faster and is scoped to the specific matter rather than the broader control environment
You need a technical cybersecurity and IT resilience assessment specifically — penetration testing, vulnerability scanning, and technical DR architecture review sit within our Cybersecurity Audit and IT risk engagements, which go deeper on the technical layer than a business-level continuity assessment
You need the Board's Section 143(3)(i)/134(5)(e) Internal Financial Controls certification itself prepared and tested against the codified ICFR standard — that is an IFC Review engagement, narrower and more specifically scoped to financial reporting controls
You need a full entity-wide governance, risk, and control review covering Board structure, committee effectiveness, and the whole risk universe — that broader scope is covered by our GRC Assurance engagement, of which business continuity and fraud risk assessment can form one component
Your organisation is a very early-stage startup with a handful of employees, no material vendor dependency, and no near-term institutional fundraise — the formality of a full assessment is disproportionate at this stage; a lighter foundational-controls conversation is more appropriate
You need ongoing, cyclical testing of process controls as a continuous programme rather than a point-in-time assessment — a structured Internal Audit function under Section 138 is the better long-term vehicle, often informed by the initial findings of a BCP and fraud risk assessment
BCP & Fraud Risk Assessment vs adjacent risk and assurance engagements
| Feature | BCP & Fraud Risk Assessment | Forensic Audit | GRC Assurance | Internal Audit (Sec 138) | Cybersecurity Audit |
|---|---|---|---|---|---|
| Primary objective | Assess operational resilience to disruption and identify fraud opportunity across people, process, and control | Investigate a specific, already-suspected irregularity or incident | Assess governance, risk, and control as an integrated entity-wide system | Ongoing testing of process controls against a risk-based annual plan | Assess technical IT security controls and vulnerability exposure |
| Governing framework/standard | COSO ERM 2017, Fraud Triangle model, ISO 22301 (BCM reference), SA 240 (fraud responsibilities) | No single statute — scoped to the specific matter and forensic evidentiary standards | COSO ERM 2017, COSO Internal Control 2013, ISO 31000 | Standards on Internal Audit (SIA), Section 138 & Rule 13 | ISO 27001, NIST CSF, sector-specific technical standards |
| Trigger | Proactive risk management, SEBI LODR obligation, near-miss incident, or pre-transaction readiness | A specific whistleblower complaint, discrepancy, or suspected event | SEBI LODR obligation, governance maturity milestone, or pre-transaction readiness | Statutory requirement (Rule 13) or best-practice adoption | Data breach, technical audit requirement, or proactive hardening |
| Scope breadth | Critical process mapping, single points of failure, and fraud opportunity across the control environment | Narrow and incident-specific — the individuals, transactions, or period under question | Entity-wide — Board, ERM framework, and control environment together | Process- and function-specific per the annual audit plan | IT infrastructure, applications, and technical security controls |
| Typical output | Business Impact Analysis, tested/updated BCP-DRP, fraud risk heat map, prioritised remediation roadmap | Investigation report — findings, quantification, and recommendations | Governance & risk maturity rating, control gap register, remediation roadmap | Audit findings report per engagement or quarter | Vulnerability report, penetration test findings, remediation plan |
| Frequency | Typically every 1–2 years, or after material business change | One-off, triggered by an event | Annual or a defined multi-year cycle | Continuous, per annual audit plan | Annual or per compliance requirement |
| Reports to | Board / Audit Committee / Risk Management Committee | Whoever commissions it — Board, Audit Committee, or specific stakeholder | Board / Audit Committee / Risk Management Committee | Audit Committee / Board | IT/Security leadership, and Board where material |
| Best suited to | Boards wanting a structured, evidence-based view of resilience and fraud exposure before an incident forces the question | Companies facing a specific fraud, whistleblower complaint, or dispute | Boards needing systemic assurance ahead of listing, fundraise, or maturity milestones | Companies meeting Section 138/Rule 13 thresholds, or adopting best practice | Companies with material IT/data dependency needing technical assurance |
These engagements are complementary, not substitutes. A mature risk programme typically runs a BCP & Fraud Risk Assessment periodically alongside GRC Assurance, Internal Audit, and — where the incident is specific — Forensic Audit as needed. PNPC scopes each independently and advises on the right sequence for your situation.
| # | Stage & What PNPC Does | What Generic Providers Skip | Timeline |
|---|---|---|---|
| 1 | Scoping & Objective-Setting | We start by understanding what triggered the need — a SEBI LODR obligation, a near-miss incident, pre-fundraise readiness, or first-time formalisation — because this determines whether the assessment should be entity-wide or focused on the highest-risk processes. Generic providers frequently apply a fixed-scope template regardless of the actual driver. | Week 1 |
| 2 | Critical Process Identification & Business Impact Analysis (BIA) | We work with process owners to identify which functions are genuinely mission-critical (payroll, order fulfilment, customer-facing systems, treasury, statutory filing capability) versus important-but-deferrable, and quantify the Maximum Tolerable Downtime, RTO, and RPO for each — a step most template BCP exercises skip entirely, defaulting to identical recovery targets for every process. | Week 1–2 |
| 3 | Single Point of Failure Mapping | We map dependency on key individuals, sole-source vendors, single facilities, and single IT systems — identifying where the organisation has no fallback if that one point fails. Key-person dependency is the most commonly under-assessed risk in mid-sized Indian businesses, where critical process knowledge often sits with one or two individuals and is not documented anywhere. | Week 2–3 |
| 4 | Existing BCP/DRP Document Review | Where a BCP or DRP already exists, we review it against the BIA findings to check whether it actually addresses the processes identified as critical, or whether it is a generic document — often adapted from a template or a prior employer's plan — that does not reflect this organisation's actual dependencies. | Week 2–3 |
| 5 | Fraud Risk Universe Assessment | Using the Fraud Triangle (opportunity, pressure, rationalisation) as the analytical lens, we map where the organisation's control environment creates opportunity — weak segregation of duties, excessive system access, unmonitored related-party dealings, cash-intensive processes, discretionary approval authority — process area by process area, rather than applying a generic industry fraud checklist. | Week 3–4 |
| 6 | Segregation of Duties & Access Rights Testing | We test actual ERP/accounting system access rights against the roles that should be segregated — who can create a vendor and also approve payment to that vendor, who can post journal entries and also reconcile the bank, who can approve purchase orders and also receive goods — and sample actual transactions to confirm whether the theoretical segregation held in practice. | Week 4–5 |
| 7 | Fraud Scenario & Red-Flag Analysis | For the highest-opportunity areas identified, we develop specific fraud scenarios (ghost vendors, duplicate payments, revenue manipulation, expense reimbursement abuse, related-party diversion) relevant to this business model, and test whether existing controls or data analytics would actually detect each scenario — not merely whether a policy prohibiting it exists. | Week 4–6 |
| 8 | Tabletop Exercise / BCP Simulation | Rather than relying solely on document review, we run a facilitated tabletop exercise — a simulated disruption scenario relevant to the business (key system outage, loss of a critical vendor, facility inaccessibility) — walking management through the actual decisions and communications the written plan calls for, which reliably surfaces gaps a paper review alone would miss. | Week 6–7 |
| 9 | Findings Consolidation & Risk Rating | Business continuity gaps and fraud risk findings are each rated (Critical/High/Medium/Low) based on likelihood and potential impact, and cross-referenced where the same root cause — commonly a weak access-management or oversight gap — drives both a continuity risk and a fraud opportunity. | Week 7 |
| 10 | Draft Report & Management Response | A draft report is shared with management to confirm factual accuracy and capture a proposed remediation owner and timeline for each finding, before anything reaches the Audit Committee or Board — avoiding a report the Board sees findings in for the first time with no indication of how they will be addressed. | Week 7–8 |
| 11 | Presentation to Audit Committee / Board / Risk Management Committee | PNPC's engagement partner presents the findings, the updated BCP recommendations, and the fraud risk heat map directly to the Committee or Board, answering questions in real time rather than leaving a written report to be summarised by the Company Secretary. | Week 8 |
| 12 | Remediation Support & BCP/DRP Finalisation | PNPC supports process owners in updating the BCP/DRP document to reflect the BIA findings, redesigning specific controls to close identified fraud opportunities, and sequencing remediation by priority so the highest-risk gaps are addressed first. | Week 8–12 |
| 13 | Follow-Up Verification & Next-Cycle Planning | A follow-up review confirms that remediation actions were genuinely implemented — not just marked complete — and PNPC works with the Audit Committee to plan the next assessment cycle, incorporating any business changes (new geography, new system, new vendor dependency) since the last review. | 3–6 months post-report, then per agreed cycle |
A first-time, entity-wide BCP & Fraud Risk Assessment for a mid-sized company typically takes 8–12 weeks from scoping to Board presentation, depending on the number of critical processes, locations, and the depth of segregation-of-duties testing agreed in scope. Subsequent cycles are generally faster once the BIA and fraud risk baseline already exist.
Organisation chart identifying process owners, key-person roles, and reporting lines across critical functions
Process maps or Standard Operating Procedures (SOPs) for key business processes — order-to-cash, procure-to-pay, payroll, treasury, IT operations
List of premises, facilities, and locations relevant to operations, including ownership/lease status
IT systems inventory — core applications, hosting arrangement (on-premise/cloud), and criticality ranking if one already exists
Any existing Business Continuity Plan (BCP) or Disaster Recovery Plan (DRP) document, however dated
Prior business continuity or disaster recovery test/exercise records, if any tabletop or simulation has previously been conducted
IT backup policy and evidence of backup testing — frequency, retention, and last successful restoration test
Insurance policy schedule — business interruption, cyber, key-person, property, and Directors & Officers (D&O) cover as applicable
Vendor and supplier contracts for any sole-source or critical-dependency relationships, including any continuity or SLA clauses
Chart of authority / Delegation of Authority (DoA) matrix currently in force, with amendment history
ERP/accounting system access rights listing — user roles and permissions across finance, procurement, and HR modules
Bank signatory list and mandate documents for all operating accounts
Segregation of duties matrix, if one is currently documented, for finance and procurement processes
Sample of vendor master data and vendor onboarding approval records for the review period
Code of Conduct for directors, senior management, and employees, and evidence of periodic acknowledgement
Vigil Mechanism / whistleblower policy adopted under Section 177(9) of the Companies Act, where applicable, and any complaints log
Related Party Transaction policy and register of related party transactions for the period under review
Any prior internal audit, statutory audit management letter, or GRC review findings relevant to fraud risk or control gaps
Records of any past suspected fraud, disciplinary action, or whistleblower complaint, however informally handled at the time
List of roles/individuals holding sole institutional knowledge of critical processes, systems, or client relationships
Succession or cross-training documentation, if any exists, for key finance, operations, and IT roles
Employee handbook sections covering conflict of interest, gifts and hospitality, and reporting obligations
Key-person insurance policy details, if held, for founders or critical personnel
Most recent statutory audit report and management letter, if available
Any prior GRC Assurance, internal audit, or risk assessment reports and their remediation status
Regulatory correspondence, show-cause notices, or inspection reports received in the review period, if any
Group/subsidiary structure chart, including any UAE or overseas entity, with an indication of shared or separate continuity and fraud controls
| Phase | Triggered By | PNPC CA Guidance | Risk If Ignored |
|---|---|---|---|
| Pre-Engagement Scoping | Board or Audit Committee decision to commission the assessment | Scoping conversation to align on driver — SEBI LODR obligation, near-miss incident, pre-transaction readiness, or first-time formalisation — and right-size the assessment to entity scale and complexity. | A generic, wrong-sized scope either misses the risks specific to this business or imposes disproportionate cost and management time on a smaller organisation. |
| Business Impact Analysis | Engagement kickoff | Identification of genuinely critical processes and quantification of RTO/RPO for each, rather than treating every process as equally critical, which dilutes the plan and the resource allocation behind it. | Without a proper BIA, a BCP either protects the wrong processes first or spreads limited recovery resources evenly across processes of very different real-world criticality. |
| Fraud Risk Mapping & SoD Testing | BIA substantially complete | Fraud Triangle-based mapping of opportunity by process area, combined with actual system access-rights testing — not a generic checklist — to identify where this specific organisation's control environment creates real exposure. | A checklist-based fraud review that is not tested against actual access rights and transaction samples routinely misses the specific opportunity gaps that materialise into an actual loss. |
| Tabletop Exercise & Findings | Mapping and testing complete | A facilitated simulation of a realistic disruption scenario, walking management through the plan's actual mechanics — who calls whom, what system comes up first, what the manual workaround is — which reliably surfaces gaps a document review alone misses. | A BCP that has never been rehearsed frequently fails at the exact moment it is needed — the plan reads well on paper but the contact list is outdated, the backup was never tested, or no one knows who has authority to declare an incident. |
| Reporting & Board Presentation | Testing and findings consolidated | Draft report validated by management, then presented directly to the Audit Committee/Board by the engagement partner, with remediation ownership and realistic timelines agreed in the room. | Findings emailed without a live Board discussion are frequently filed without genuine engagement, and the Board's own governance representations end up resting on a document that was never actually discussed at Board level. |
| Remediation & BCP/DRP Update | Report accepted, roadmap agreed | PNPC supports updating the BCP/DRP to reflect BIA findings, redesigning specific controls (segregation of duties, access rights, approval thresholds) to close fraud opportunities identified, sequenced by priority. | Remediation left with process owners and no structured follow-up routinely stalls against day-to-day operational pressure, particularly for controls that create short-term friction in a process. |
| Follow-Up Verification | Agreed remediation period elapses | Independent follow-up testing to confirm the BCP was genuinely updated and controls redesigned are actually operating — not simply marked complete by the same owner responsible for the original gap. | Self-certified closure without independent verification is the most common reason the same continuity gap or fraud opportunity resurfaces in the next assessment cycle. |
| Trigger Events (Incident, Fundraise, Growth) | Actual disruption, investor due diligence, or significant business change | Where an actual incident occurs, PNPC supports incident response coordination alongside a root-cause review; where growth or a new geography changes the risk profile, the BIA and fraud risk map are refreshed accordingly. | An untested BCP or an unmapped fraud opportunity discovered for the first time during a live incident or live investor due diligence is materially more costly and disruptive than the same gap addressed on a planned assessment cycle. |
What exactly is a Business Continuity & Fraud Risk Assessment, in plain terms?
It is a structured review that answers two practical questions together: if something disrupts your business tomorrow — a key system going down, a critical vendor failing, a facility becoming inaccessible — how long could you keep operating and how quickly could you recover; and separately, where in your organisation does the way people, processes, and controls are set up today create a genuine opportunity for fraud, whether by an employee, a vendor, or a combination of both. We assess both together because the underlying discipline — systematically identifying where things can go wrong before they do — is the same for each.
Is this assessment legally required for my company?
There is no single statute in India that mandates a 'Business Continuity & Fraud Risk Assessment' by that exact name. However, the underlying obligations are real: Section 134(5)(e) of the Companies Act 2013 requires directors of applicable companies to represent that internal financial controls are adequate and operating effectively — fraud risk assessment is a foundational input to making that statement in good faith. SEBI LODR Regulation 21 requires the top 1,000 listed companies by market capitalisation to have a Risk Management Committee whose risk policy must address business continuity and cybersecurity risk explicitly. Standards on Auditing (SA 240) place an express responsibility on management and those charged with governance to design controls that prevent and detect fraud.
Why does PNPC combine business continuity and fraud risk into one engagement rather than offering them separately?
Because in practice they share root causes and PNPC can offer either separately when that is genuinely what a client needs. A weak IT access-management control, for example, is simultaneously a business continuity risk (unauthorised or accidental system changes causing an outage) and a fraud risk (excessive access enabling record manipulation undetected). Assessing them together surfaces this overlap and produces a more efficient, more coherent remediation plan than two disconnected reviews conducted by different teams at different times.
What is a Business Impact Analysis (BIA) and why does it come before the BCP itself?
A Business Impact Analysis identifies which of your business processes are genuinely critical, and for each, quantifies the Maximum Tolerable Downtime, the Recovery Time Objective (how quickly it must be restored), and the Recovery Point Objective (how much data loss, if any, is acceptable). Without a BIA, a BCP has no basis for prioritisation — it either treats every process as equally urgent, which wastes recovery resources, or is built around management's assumptions rather than a tested reality. We always run the BIA first; the BCP is built on its findings, not the other way around.
What is a single point of failure, and how do you identify them?
A single point of failure is any person, vendor, system, or facility whose unavailability would materially disrupt a critical process, with no fallback in place. We identify these through structured interviews with process owners, review of vendor contracts for sole-source dependencies, and mapping of who holds undocumented institutional knowledge of key processes. Key-person dependency — where only one individual genuinely understands how to run a critical process — is one of the most common and most under-assessed single points of failure in mid-sized Indian businesses.
What is the Fraud Triangle and how does PNPC apply it?
The Fraud Triangle is a widely used framework describing the three conditions that typically must be present for fraud to occur: opportunity (a control weakness that allows it), pressure or incentive (a personal or business reason to commit it), and rationalisation (a way for the individual to justify it to themselves). We apply this framework primarily to the opportunity leg — since that is the one an organisation can most directly control through segregation of duties, access management, and oversight — while also considering where business or personal pressures (aggressive targets, financial distress, inadequate compensation relative to trust placed) may elevate risk in specific roles or process areas.
What is segregation of duties and why do you test system access rights, not just the policy document?
Segregation of duties means no single individual should be able to both execute and conceal a fraudulent transaction alone — for example, the person who creates a new vendor in the system should not also be the person who approves payment to that vendor. Many organisations have a segregation of duties matrix on paper that does not match actual system access rights. We test the actual ERP or accounting system permissions granted to each user, and sample real transactions, to confirm whether the documented segregation genuinely held in practice — not just whether the policy exists.
We are a small company with a lean finance team. Is proper segregation of duties even possible for us?
Full textbook segregation of duties is often genuinely difficult with a small finance team — this is a real, structural constraint, not a failure of discipline. Where full segregation is not achievable, we recommend compensating controls: mandatory secondary review or approval by someone outside the finance team (even a business owner or a Board member) above defined thresholds, periodic surprise reconciliation checks, and system-enforced approval workflows that at least require a second click by a different login even if the same small team is involved. We size the recommendation to what is realistic for the organisation's stage.
What does a tabletop exercise involve, and why is it necessary if we already have a written BCP?
A tabletop exercise is a facilitated, structured walkthrough of a realistic disruption scenario — for example, your core system becomes unavailable for 48 hours, or your primary facility is inaccessible for a week — in which management works through the actual decisions the written plan calls for: who is notified first, who has authority to declare an incident, what the manual workaround is, how customers and vendors are communicated with. This consistently surfaces gaps that a document review alone does not — an outdated contact list, an assumption that someone else holds a critical password, a step that reads clearly on paper but nobody has actually rehearsed.
How is this different from Forensic Audit?
A Forensic Audit investigates a specific, already-suspected incident — what happened, who was involved, and what the quantified loss is — and is engaged reactively after a concern has already surfaced. A BCP & Fraud Risk Assessment is proactive and systemic: it identifies where fraud opportunity and continuity risk exist across the organisation before any specific incident has occurred, so gaps can be closed ahead of time. Where a specific incident has already occurred, we recommend a Forensic Audit for that matter, often followed by (or alongside) a broader BCP & Fraud Risk Assessment to identify whether the same root-cause control gap exists elsewhere.
How is this different from GRC Assurance?
GRC Assurance is a broader, entity-wide review of governance structure, the full enterprise risk universe, and the control environment as a system — of which fraud risk and business continuity are two components among several (governance, compliance management, whistleblower mechanisms, and more). A BCP & Fraud Risk Assessment is a focused, deeper dive specifically into operational resilience and fraud exposure. Organisations that have already had a GRC Assurance review, or whose immediate concern is specifically continuity and fraud rather than the full governance picture, typically choose this narrower engagement; a first-time, entity-wide governance review is better served by GRC Assurance, with BCP and fraud risk as one workstream within it.
Does this cover cybersecurity as well?
The business continuity component includes assessing your dependency on IT systems, your backup and recovery arrangements, and whether IT-related disruption scenarios are addressed in your BCP/DRP — because IT resilience is usually central to overall business continuity today. However, a deep technical cybersecurity assessment — penetration testing, vulnerability scanning, technical security architecture review — is a more specialised, separate engagement. We scope the appropriate level of IT/cyber coverage within this assessment and can bring in or refer to our dedicated Cybersecurity Audit capability where deeper technical testing is warranted.
We had a suspected internal fraud recently. Should we start here or with a Forensic Audit?
If you already have a specific, identifiable concern — a discrepancy, a whistleblower report, an anomaly someone has flagged — start with a Forensic Audit to establish the facts of that specific matter. A BCP & Fraud Risk Assessment is the right next step once the specific matter is resolved, or can run in parallel, to answer the systemic question: what control gap allowed this, and does the same gap exist in other processes or locations across the organisation.
What deliverables do we actually receive?
A written report covering: the Business Impact Analysis with RTO/RPO for each critical process; a single-point-of-failure register; an updated or newly drafted BCP/DRP reflecting the BIA findings; a fraud risk heat map by process area with root-cause analysis; a segregation-of-duties and access-rights testing summary; a prioritised, rated findings register (Critical/High/Medium/Low) with management's response and remediation timeline; and a recommended follow-up review date. This is supplemented by a live presentation to the Audit Committee or Board and, typically, a facilitated tabletop exercise.
How long does the engagement take?
A first-time, entity-wide assessment for a mid-sized company typically takes 8–12 weeks from initial scoping to Board presentation, depending on the number of critical processes and locations covered and the depth of segregation-of-duties testing agreed. A more narrowly scoped assessment — for example, business continuity only, or fraud risk limited to the finance function — can be completed faster. Subsequent cycles are generally quicker once the BIA and fraud risk baseline already exist.
What does this engagement cost?
Fees depend on entity size, the number of critical processes and locations in scope, whether a full tabletop exercise is included, and the depth of segregation-of-duties and access-rights testing agreed. PNPC provides a written scope and fixed-fee proposal after an initial scoping conversation — we do not quote a fee before understanding what is actually being assessed and why.
Who at PNPC conducts this assessment — is it the same team as our statutory auditor?
Where PNPC is also your statutory auditor, we structure this engagement with an appropriately separate team and reporting line to preserve independence, consistent with the Companies Act and applicable professional standards. For companies where independence rules restrict the statutory auditor from providing certain non-audit services, we advise upfront on whether PNPC can undertake this assessment or whether an independent firm should be engaged instead.
Will this disrupt our day-to-day operations while it's underway?
We design the engagement to minimise disruption. Most of the work involves document and system-access review, structured interviews with process owners (typically 30–60 minutes each), sample-based testing that does not require processes to pause, and a single facilitated tabletop exercise scheduled at a convenient time. We coordinate through a single internal point of contact — typically the CFO's office or Company Secretary — to manage information flow efficiently.
Does the report get shared with any regulator?
No. This is a private, management-and-Board-facing advisory and assurance engagement — findings are reported to the Audit Committee, Risk Management Committee, or Board that commissioned it, not to SEBI, MCA, or any other regulator. Separately, where a finding indicates a potential fraud that triggers the statutory auditor's specific reporting obligation under Section 143(12) of the Companies Act, that obligation applies to the entity's statutory auditor in that defined circumstance — not to PNPC in this advisory capacity, unless PNPC also happens to hold that statutory role for the entity.
How often should this assessment be repeated?
For listed companies and larger private companies with an active Risk Management Committee, we recommend revisiting the BIA and fraud risk map every 1–2 years, or sooner following material business change — a new system implementation, a new geography, significant headcount growth, or a merger. For smaller unlisted companies without a regulatory trigger, every 2–3 years, or ahead of a major milestone such as a fundraise, is generally proportionate.
How does this help us prepare for a fundraise, acquisition, or sale?
Institutional investors and acquirers routinely assess operational resilience and internal control/fraud risk maturity as part of due diligence — key-person dependency, vendor concentration risk, and segregation-of-duties gaps are common diligence findings that can affect valuation, deal terms, or timeline if discovered late in a live process. Conducting this assessment proactively, well ahead of a transaction, allows genuine remediation on your own schedule rather than under the pressure and scrutiny of active diligence.
What is the difference between a BCP and a DRP?
A Business Continuity Plan (BCP) is the broader plan covering how the entire organisation continues critical operations through a disruption — people, processes, facilities, communications, and vendor relationships. A Disaster Recovery Plan (DRP) is the more technical, IT-specific subset focused on restoring systems, applications, and data after an outage. A DRP is typically a component nested within, or run alongside, the broader BCP — restoring the IT system is necessary but not sufficient if, for example, staff cannot reach the facility or a key vendor relationship has also failed.
Does this assessment apply to a UAE subsidiary or overseas entity as well?
Yes, where in scope. For group structures with a UAE or overseas subsidiary, PNPC's presence in both India and the UAE (Dubai office) allows a coordinated assessment across jurisdictions under a single engagement — assessing whether continuity planning and fraud control standards are applied consistently at the subsidiary level, and whether the parent Board has adequate visibility into subsidiary-level risk, rather than requiring separate, disconnected reviews by unrelated local providers.
Can this be scoped narrowly — just fraud risk, or just business continuity — rather than both together?
Yes. While we recommend running both together where budget and time allow, given the overlap in root causes, we regularly scope either independently — a fraud risk assessment focused specifically on the finance function, for example, or a business continuity assessment focused only on IT and facilities. A narrower first engagement is often the right starting point for an organisation new to structured risk assessment, with the other half added in a subsequent phase.
What red flags does PNPC typically look for in the fraud risk assessment?
Common red flags include: a vendor master file with duplicate or suspiciously similar vendor names, vendors sharing an address or bank account with an employee, round-number or just-below-approval-threshold transaction patterns, dormant vendor accounts suddenly becoming active, journal entries posted and approved by the same individual, unusually high employee reimbursement claims relative to role, and related-party transactions not routed through the formal approval and disclosure process. We test for these patterns using available transaction data as part of the assessment, alongside the qualitative control-environment review.
Our Board already has cyber and D&O insurance. Does that reduce the need for this assessment?
Insurance transfers financial risk after a loss occurs; it does not prevent the disruption or the fraud from happening, and most policies have conditions, exclusions, and sub-limits that only become apparent when a claim is made. In our experience, insurers themselves increasingly ask about the existence of a tested BCP and documented fraud risk controls when underwriting or renewing cyber and crime insurance — so a completed assessment can also support better insurance terms, not merely reduce reliance on the policy.
What happens after the report — does PNPC help implement the recommendations, or just identify them?
Both, by design. The report includes specific, sequenced remediation recommendations — not just a description of each gap. Where the client wants implementation support (updating the BCP/DRP document, redesigning a specific control, reconfiguring ERP access rights, drafting a revised vendor-onboarding approval workflow), PNPC provides that as a follow-on engagement, kept appropriately separate from the assessment role where independence considerations require it.
Why should we choose PNPC for this over a specialist risk consultancy or a Big 4 firm?
A Big 4 firm brings brand recognition and large-team capacity, typically at a substantially higher fee, often with the day-to-day engagement led by junior staff. A specialist risk consultancy may bring strong continuity or fraud-analytics expertise without the Chartered Accountancy grounding to connect findings back to the actual Companies Act, SEBI, and tax implications with full technical accuracy. PNPC combines nearly four decades of practising CA experience — including the statutory audit, tax, and regulatory context that fraud and continuity findings inevitably touch — with a senior-partner-led engagement model and coordinated India-UAE coverage for group structures.
What does the full PNPC engagement include, end to end?
Scoping consultation aligned to your actual driver and risk profile; Business Impact Analysis with RTO/RPO quantification for critical processes; single-point-of-failure mapping across people, vendors, systems, and facilities; review and update of existing BCP/DRP documentation; fraud risk mapping using the Fraud Triangle framework; segregation-of-duties and system access-rights testing; a facilitated tabletop exercise; a rated, prioritised findings register with root-cause analysis; management response capture; a written report; a live presentation to the Audit Committee/Board; and a follow-up verification review within the agreed remediation period.
Can this assessment be triggered as an urgent, accelerated review rather than the standard 8–12 week cycle?
Yes. Where the trigger is time-sensitive — an active investor due diligence process with a tight timeline, or a recent near-miss the Board wants addressed urgently — we can scope an accelerated, focused review covering the highest-risk processes and the most material fraud opportunity areas first, with the full assessment following as a second phase. This trades some breadth for speed and is agreed explicitly at scoping, not assumed.
| Feature | Generic BCP Template Provider | Boutique Risk/Fraud Consultancy | PNPC Global |
|---|---|---|---|
| Business Impact Analysis depth | Often skipped or generic — same RTO/RPO applied to every process | Usually thorough for continuity, but rarely paired with a fraud lens | Full BIA with process-specific RTO/RPO, paired with fraud risk mapping using the same critical-process data |
| Fraud risk testing method | Not typically offered | Data-analytics driven, but often without statutory/regulatory grounding | Fraud Triangle-based mapping plus actual system access-rights and transaction testing, connected to Companies Act and SA 240 obligations |
| Statutory & tax grounding of findings | Not applicable — template-only providers | Often limited — risk expertise without deep CA/regulatory grounding | Senior CA-led — every finding connected to actual Companies Act, SEBI, and tax implications |
| Tabletop exercise included | Rarely, if ever | Sometimes, as a separate paid add-on | Included as a standard part of the engagement to test the plan, not just document it |
| Engagement continuity | One-time document delivery, no ongoing relationship | Variable — depends on consultancy size and retention | Same engagement partner from scoping through Board presentation and follow-up verification |
| India-UAE group coverage | Not available | Rarely available | Single coordinated engagement across Chennai, Bangalore, Hyderabad, and Dubai offices |
| Board presentation | Not offered — document delivered by email | Varies by consultancy | Engagement partner presents findings personally to the Audit Committee/Board |
| Follow-up verification | Not offered | Inconsistent, often re-priced separately | Built into the engagement scope as a standard follow-up review within the agreed remediation period |
What the PNPC package includes
- 01
Scoping consultation to align the assessment with your actual risk driver — regulatory obligation, near-miss incident, or pre-transaction readiness
- 02
Business Impact Analysis with Recovery Time Objective and Recovery Point Objective quantified for each genuinely critical process
- 03
Single-point-of-failure mapping across key personnel, sole-source vendors, facilities, and IT systems
- 04
Review and update of existing Business Continuity and Disaster Recovery Plan documentation against BIA findings
- 05
Fraud Triangle-based fraud risk mapping across finance, procurement, HR, and operational process areas
- 06
Segregation-of-duties testing against actual ERP/accounting system access rights, not just the policy document
- 07
Fraud scenario and red-flag analysis using available transaction data for the highest-opportunity process areas
- 08
Facilitated tabletop exercise simulating a realistic disruption scenario to test the plan in practice
- 09
Rated, prioritised findings register with root-cause analysis spanning both continuity and fraud risk domains
- 10
Management response capture before the report reaches the Audit Committee or Board
- 11
Live presentation to the Audit Committee / Risk Management Committee / Board by the engagement partner
- 12
Follow-up verification review within the agreed remediation period to confirm actual closure
- 13
India-UAE coordinated coverage for group structures with a Dubai or overseas subsidiary
- 14
Direct access to your engagement partner — by phone and WhatsApp — for questions between formal review cycles
Find out how your business would actually hold up through a disruption — and where it is genuinely exposed to fraud — before either question gets answered the hard way. Speak with a PNPC engagement partner, a practising Chartered Accountant who will map your real dependencies, test your real controls, and present findings your Audit Committee can act on immediately.