Risk Advisory · Internal Controls & Process Improvement
Process Mapping, Re-engineering & Control Reviews
Most businesses do not lose money to fraud — they lose it quietly, every month, to broken handoffs, duplicated approvals, manual reconciliations, and controls that exist on paper but not in practice.
Chartered Accountants · Chennai · Hyderabad · Bangalore · Dubai · Since 1986
Most businesses do not lose money to fraud — they lose it quietly, every month, to broken handoffs, duplicated approvals, manual reconciliations, and controls that exist on paper but not in practice. PNPC Global maps how your business actually works today, identifies where process friction and control gaps are costing you time, money, and audit findings, and re-engineers the process into something faster, better controlled, and genuinely usable by your team. This is not a generic flowcharting exercise — it is a Chartered Accountant-led review that connects process design directly to financial control, statutory compliance, and the internal financial controls your Board is required to stand behind under the Companies Act 2013.
What it costs
No hidden charges. The exact figure is set in your engagement letter.
Process Mapping, Re-engineering & Control Reviews is an advisory engagement that documents an organisation's key business processes as they actually operate — not as an org chart or SOP manual claims they operate — and then evaluates each process against two lenses: efficiency (is this the fastest, least wasteful way to get the work done) and control (does this process prevent, or at least detect, error, fraud, and non-compliance). The output is a current-state process map, a gap analysis against leading practice and statutory control requirements, and a re-engineered future-state process design with the specific control points, approval matrices, and system configurations needed to operate it safely.
The discipline draws on two distinct but complementary traditions. Business Process Re-engineering (BPR), as popularised by Hammer and Champy, asks a fundamental question: if we were designing this process from scratch today, with today's technology and today's business objectives, would it look like this? It is deliberately willing to challenge process steps that exist only because 'we have always done it this way' — redundant approvals, manual data re-entry between systems, sequential steps that could run in parallel, and reconciliations that exist to catch errors a well-designed system would prevent in the first place. Internal control review, by contrast, is grounded in the control frameworks Indian companies are statutorily required to operate — Internal Financial Controls over Financial Reporting (IFC-FR) under Section 134(5)(e) and Section 143(3)(i) of the Companies Act 2013, commonly benchmarked against the COSO Internal Control–Integrated Framework, and the segregation-of-duties, authorisation, and documentation principles that any competent statutory or internal auditor will test.
In practice these two lenses reinforce each other more often than they conflict. A process with unclear ownership, undocumented exception handling, and three redundant sign-offs is usually both slow and poorly controlled — the redundant sign-offs create a false sense of control while the absence of a documented approval matrix means no one can say with confidence who is actually accountable when something goes wrong. PNPC's engagement model is built around this overlap: we do not hand a client a process-efficiency deck that ignores control risk, and we do not hand over a controls checklist that ignores the fact that an unusable process gets bypassed by staff within weeks. Every re-engineered process we design specifies the control points explicitly — segregation of duties, authorisation limits per the Delegation of Authority (DOA) matrix, three-way matching, system-enforced approval workflows, and the evidence trail an auditor will expect to see.
This service is typically engaged around a specific trigger: an internal or statutory auditor has flagged recurring process or control findings; the business has outgrown the informal, founder-driven processes that worked at a smaller scale; an ERP implementation or system migration creates a natural opportunity to redesign rather than merely digitise existing inefficiency; a merger or acquisition requires two organisations' processes to be harmonised; or the Board and Audit Committee are seeking documented assurance on IFC design ahead of a statutory audit sign-off or an investor's due diligence. Because the review sits at the intersection of operations, finance, and compliance, it is most effective when led by a team that understands not just process design but the statutory and tax consequences of getting it wrong — which is the specific vantage point a practising CA firm brings that a pure management-consulting engagement typically does not.
When a process mapping and control review engagement fits
Statutory or internal auditor has repeatedly flagged the same process or control finding — recurring findings usually indicate a process design flaw, not a one-off human error, and need re-engineering rather than another reminder memo
Rapid headcount or revenue growth has outpaced the informal, founder-driven processes that worked when the business was smaller — approvals, reconciliations, and handoffs that once fit on a WhatsApp thread now need documented ownership
Board or Audit Committee needs documented evidence of Internal Financial Controls (IFC) design and operating effectiveness under Section 134(5)(e) and Section 143(3)(i) of the Companies Act 2013 ahead of statutory audit sign-off
Preparing for a fundraise, acquisition, or IPO — a documented, controlled process environment materially de-risks financial and operational due diligence and reduces the scope for post-deal valuation adjustments
ERP implementation, system migration, or new accounting software rollout is planned — this is the single best window to re-engineer a broken process rather than digitise it as-is and carry the inefficiency forward for years
Merger, acquisition, or multi-entity integration requires two or more organisations' processes — procure-to-pay, order-to-cash, payroll — to be harmonised into one control environment
Recurring reconciliation breaks, duplicate payments, delayed month-end close, or unexplained margin or inventory variances point to an underlying process design or control gap rather than a one-off transaction error
Multi-location or multi-entity operations where management can no longer personally observe every branch, warehouse, or subsidiary and needs the process itself — not personal oversight — to carry the control
When a lighter-touch alternative may fit better
Very early-stage business with a handful of transactions per month and a founder who is still personally across every approval — a light SOP documentation exercise is often more proportionate than a full re-engineering engagement
A single, isolated process error has occurred and there is no evidence of a systemic design flaw — a root-cause review of that one incident may be sufficient without mapping the entire process landscape
The organisation is looking purely for a point-in-time statutory or tax compliance check — a compliance health-check or Internal Audit engagement targets that need more directly than a process re-engineering exercise
Management has not yet secured genuine leadership buy-in for change — a re-engineered process that leadership will not enforce reverts to the old informal way of working within weeks, wasting the engagement
The business is planning a complete platform or ERP replacement within the next few months — it is usually more efficient to design the future-state process together with the new system implementation rather than as two separate exercises
Budget and timeline only stretch to fixing one clearly identified bottleneck — a scoped, single-process improvement engagement may deliver more value per rupee than a full cross-functional review
Process Mapping & Control Review vs related assurance and advisory engagements
| Feature | Process Mapping & Re-engineering | Internal Audit | IFC Review (Sec 134(5)(e)) | Statutory Audit | ERP Implementation Advisory |
|---|---|---|---|---|---|
| Primary objective | Redesign process for efficiency + control | Test whether existing controls operate effectively | Opine on design and operating effectiveness of IFC-FR | Opinion on true and fair view of financial statements | Configure system to run the business process |
| Orientation | Forward-looking — designs the future-state process | Backward-looking — tests what already happened | Point-in-time assessment of current control design | Backward-looking — annual, on completed transactions | Forward-looking — system build and go-live |
| Typical trigger | Growth, recurring findings, M&A, ERP change, IFC gaps | Statutory threshold (Sec 138) or governance requirement | Board/Audit Committee assurance requirement | Statutory requirement — every company, annually | Business decision to adopt or replace a system |
| Governing reference | COSO framework, BPR methodology, DOA principles | Section 138 + Rule 13, Standards on Internal Audit (ICAI) | Section 134(5)(e), Section 143(3)(i), Companies Act 2013 | Section 139–148, Standards on Auditing (SA) | Vendor implementation methodology, no statutory basis |
| Output | Current-state map, gap analysis, re-engineered future-state process with control points | Audit Committee report with rated findings | IFC documentation, RCM, testing evidence, gap remediation plan | Independent Auditor's Report with an opinion | Configured, tested, live system |
| Who typically commissions | CFO/COO, Board, Audit Committee | Board, on Audit Committee recommendation | Board / Audit Committee / statutory auditor requirement | Shareholders at AGM, on Board recommendation | CFO/CTO, IT steering committee |
| Relationship to the others | Feeds IFC documentation; findings often originate from Internal Audit; frequently paired with ERP rollout | Often the trigger that surfaces the need for re-engineering | Relies on process maps and RCM this engagement produces | Relies on the control environment this engagement strengthens | Should ideally follow, not precede, process redesign |
| Frequency | Project-based, revisited on major business change (typically every 2–3 years) | Continuous / quarterly cycles per approved annual plan | Annual, alongside statutory audit cycle | Annual, at financial year end | One-time project, with periodic upgrades |
These engagements are complementary, not substitutes for one another. A mature governance environment typically runs process re-engineering as the foundation, Internal Audit as the ongoing test of whether the redesigned controls are actually operating, and IFC review and statutory audit as the annual assurance layers on top. The right sequencing and scope for your organisation should be confirmed with a practising CA based on your specific risk profile, growth stage, and audit findings history.
| # | Stage & What PNPC Does | What Generic Consultants Skip | Timeline |
|---|---|---|---|
| 1 | Scoping & Objective Alignment | We start by clarifying why this engagement is happening now — a recurring audit finding, a growth inflection, an ERP decision, an IFC gap, or an M&A integration — because the trigger determines scope, depth, and the specific control framework we benchmark against. A vague 'review our processes' brief without a clear trigger produces a vague, low-impact deliverable. | Week 1 |
| 2 | Process & Entity Universe Mapping | We build a complete inventory of the processes, locations, and entities in scope — procure-to-pay, order-to-cash, inventory and fixed assets, payroll and HR, treasury, financial close, and any process specific to your sector — and prioritise by materiality and known risk, not an arbitrary alphabetical order. | Week 1–2 |
| 3 | Current-State Process Walkthroughs | We sit with the actual process owners — not just the department head — and document how the process genuinely runs today, including the informal workarounds and exceptions that never made it into the SOP manual. This is where most of the real findings surface, and it is the step most frequently rushed by low-cost consultants who rely on interviewing management alone. | Week 2–4 |
| 4 | Process Mapping — 'As-Is' Documentation | Each process is documented as a formal swimlane/flowchart showing every handoff, system touchpoint, approval, and decision point, cross-referenced to the Delegation of Authority matrix and the accounting entries each step generates. This becomes the baseline against which every future audit or system change can be measured. | Week 3–5 |
| 5 | Gap Analysis — Efficiency & Control | Every process step is tested against two questions: does it add value or is it redundant/duplicative, and does it prevent or detect error, fraud, or non-compliance. Gaps are classified by type — segregation-of-duties gap, missing authorisation, manual workaround masking a system limitation, redundant approval, unreconciled handoff — and rated by risk and effort to remediate. | Week 4–6 |
| 6 | Benchmarking Against Leading Practice | We benchmark the current-state process against the COSO Internal Control–Integrated Framework components and against how comparable businesses in your sector and scale run the same process — so recommendations are grounded in what actually works at your stage of growth, not a generic textbook ideal that assumes far larger teams and systems. | Week 5–6 |
| 7 | Future-State Process Design | We design the re-engineered process — eliminating redundant steps, closing control gaps, specifying the exact approval matrix and system configuration needed, and building in the evidence trail your statutory and internal auditors will expect to see. Every redesigned process includes a one-page control summary, not just a flowchart. | Week 6–8 |
| 8 | Risk & Control Matrix (RCM) Documentation | For each re-engineered process, we prepare a formal Risk and Control Matrix mapping identified risks to the specific controls that mitigate them — the exact artefact your statutory auditor or Internal Auditor will request when testing IFC design effectiveness under Section 143(3)(i). | Week 7–8 |
| 9 | SOP Drafting & DOA Alignment | The future-state process is translated into a usable Standard Operating Procedure document, and the Delegation of Authority matrix is updated to reflect any changed approval thresholds or ownership — an SOP that contradicts the DOA matrix is a control gap in itself, and we ensure the two are consistent. | Week 8–9 |
| 10 | Management Presentation & Sign-off | Findings and the future-state design are presented to management and, where relevant, the Audit Committee — with an honest assessment of implementation effort, sequencing, and any system dependency — before a single process changes. We do not hand over a report and walk away; we secure explicit sign-off on the implementation roadmap. | Week 9–10 |
| 11 | Implementation Support & Change Management | Re-engineered processes fail without change management — we support the rollout with process owner training, updated approval workflows in your ERP/accounting system where applicable, and a defined cut-over date so the old and new process do not run in parallel indefinitely. | Week 10–14, project-dependent |
| 12 | Post-Implementation Testing | Approximately 60–90 days after go-live, we test whether the redesigned controls are actually operating as designed — not just whether the SOP was signed — using the same sampling discipline an Internal Auditor would apply. Gaps found here are cheap to fix; gaps found a year later, in a statutory audit, are not. | 60–90 days post go-live |
| 13 | Handover to Ongoing Internal Audit / Compliance Calendar | The RCM and process documentation this engagement produces becomes the foundation for your ongoing Internal Audit programme (where applicable) and IFC documentation — we hand over a living set of documents your team and your auditors can use going forward, not a one-time report that gathers dust. | Project close |
Realistic timeline for a focused single-process review: 6–8 weeks from scoping to future-state design sign-off. A multi-process, multi-location engagement (e.g., procure-to-pay plus order-to-cash plus payroll across 3 locations) typically runs 10–16 weeks end-to-end including implementation support. Post-implementation testing is best scheduled 60–90 days after go-live to give the redesigned process time to bed in.
Certificate of Incorporation, Memorandum & Articles of Association, and group/holding structure chart for entities in scope
Board and Audit Committee composition, terms of reference, and minutes of the last 4–6 meetings referencing process or control matters
Existing Delegation of Authority (DOA) matrix — approval limits by role, transaction type, and value
Any prior internal audit, statutory audit management letter, or IFC review findings relating to the processes in scope
Organisation chart and reporting lines for the functions being reviewed
Any existing Standard Operating Procedures (SOPs), process manuals, or workflow diagrams for the processes in scope
System-generated workflow configuration exports where approvals are routed through an ERP or accounting system
Job descriptions for roles involved in the processes under review, to map segregation of duties
List of exceptions, workarounds, or manual overrides currently in use that are not captured in formal SOPs
Any change-management or process-improvement initiatives attempted in the last 2–3 years, including why they succeeded or stalled
Trial balance and general ledger extracts for the period covering the processes in scope
Sample purchase orders, sales invoices, goods receipt notes, delivery challans, and payment vouchers for the review period
Bank statements and bank reconciliation statements for accounts relevant to the processes reviewed
Reconciliation reports (vendor, customer, inventory, inter-company) for the review period, including any recurring unreconciled items
Details of duplicate payments, write-offs, or unexplained variances identified in the last 12 months
List of ERP/accounting systems and other business applications supporting the processes in scope, including hosting environment
System user-access matrix — who has access to which modules and at what permission level, for the processes under review
Details of any system limitations currently being worked around manually (e.g., approvals outside the system, spreadsheet-based tracking)
IT change-management log for any recent modifications to workflow, approval configuration, or master data controls
GST returns, TDS returns, PF/ESI challans, and other statutory filings connected to the processes in scope, where relevant to control design
List of licences, registrations, and regulatory approvals whose compliance depends on the process being reviewed
Details of any regulatory notice, show-cause, or penalty in the last 3 years traceable to a process or control gap
Related-party transaction records and supporting Board/shareholder approvals under Section 188, where the process touches related parties
Access to process owners and operational staff for walkthrough interviews — not management summaries alone
Availability of the Audit Committee/Board sponsor for scoping and final sign-off meetings
Contact details for the IT/ERP team, where system reconfiguration will be part of the re-engineered process
Nomination of an internal project coordinator to schedule interviews, gather documents, and track implementation actions
| Phase | Triggered By | PNPC CA Guidance | Risk If Ignored |
|---|---|---|---|
| Scoping & Discovery (Week 1–4) | Decision to commission the review | Objective alignment, process universe mapping, and current-state walkthroughs with actual process owners — not management summaries alone. This is where undocumented workarounds and true segregation-of-duties gaps surface. | Scoping based on management's assumption of how a process runs, rather than reality, produces a redesign that misses the actual failure points and gets rejected by staff at rollout. |
| Design (Week 4–9) | Gap analysis complete | Future-state process design, Risk and Control Matrix (RCM) documentation, and SOP/DOA alignment — every redesigned process specifies exact approval points, system configuration, and the evidence trail auditors will expect. | A redesign that improves efficiency but does not explicitly document control points produces a process that is fast but still fails an IFC or Internal Audit test — and needs to be redone. |
| Implementation (Week 9–14) | Management sign-off on future-state design | Change management support — process owner training, updated system approval workflows, and a defined cut-over date so old and new processes do not run in parallel indefinitely. | Re-engineered processes without change management revert to the old informal way of working within weeks — staff bypass the new controls under time pressure, and the engagement's value is lost. |
| Post-Implementation Testing (Day 60–90 post go-live) | Redesigned process has been live for a full operating cycle | Sample testing of whether the redesigned controls are actually operating as designed, using the same rigour an Internal Auditor would apply — gaps are cheap to fix at this stage. | Skipping post-implementation testing means the first real test of the new process is the next statutory or internal audit — by which time any gap has already generated a finding, and possibly a financial misstatement. |
| Ongoing Monitoring (Annual Cycle) | Handover to Internal Audit / compliance calendar | The RCM and process documentation feed directly into the ongoing Internal Audit programme (Section 138, where applicable) and the annual IFC assessment under Section 134(5)(e) and Section 143(3)(i). | Process documentation that is not maintained goes stale within a year as staff, systems, or volumes change — the next audit tests a process that no longer matches what is documented, generating avoidable findings. |
| Business Change Trigger (As Needed) | Growth, M&A, ERP change, new regulation | Any material change — a new product line, an acquired entity, an ERP migration, a new regulatory requirement — is reviewed against the existing process design before go-live, not discovered as a gap afterward. | Processes designed for yesterday's scale and yesterday's regulation quietly become tomorrow's audit finding, control failure, or compliance penalty as the business changes underneath them. |
| Full Re-assessment (Every 2–3 Years) | Scheduled review or significant drift observed | A full current-state re-mapping and gap analysis, comparable to the original engagement, to catch the cumulative informal drift that occurs even in well-run organisations over a multi-year period. | Even well-controlled processes drift as people change roles and informal shortcuts creep back in; skipping periodic re-assessment allows small deviations to compound into a materially weaker control environment. |
What exactly is Business Process Re-engineering, in plain terms?
It is the deliberate redesign of how a piece of work gets done — from the moment it starts to the moment it finishes — with the explicit goal of making it faster, less error-prone, and better controlled. Rather than tweaking an existing process at the margins, it asks whether the process would look the same if you were designing it today, from scratch, with your current team size, systems, and objectives. Very often the honest answer is no — and the redesign removes steps that exist only because 'we have always done it this way'.
How is this different from just hiring a management consultant to improve our operations?
A general management consultant typically optimises for speed and cost. PNPC's engagement is led by practising Chartered Accountants, which means every redesigned process is evaluated simultaneously against the internal financial control requirements your Board is statutorily accountable for under Section 134(5)(e) and Section 143(3)(i) of the Companies Act 2013, and against the tax and GST consequences the process touches — TDS deduction points, GST input credit reconciliation, related-party transaction approvals under Section 188. A process that is fast but breaks a statutory control requirement is not actually an improvement.
Is this the same as an Internal Audit?
No, though the two are closely related and often feed each other. Internal Audit tests whether existing controls are operating effectively — it looks backward at what has already happened, typically through sampling. Process Mapping and Re-engineering looks forward — it redesigns the process itself, including the control points, before testing whether it operates correctly. In practice, recurring Internal Audit findings are one of the most common triggers for commissioning a process re-engineering engagement, and the Risk and Control Matrix this engagement produces becomes a key input into the next Internal Audit cycle.
Which processes typically get reviewed in an engagement like this?
The most common candidates are procure-to-pay, order-to-cash, inventory and fixed-asset management, payroll and HR onboarding/exit, treasury and banking operations, and the month-end/year-end financial close. Sector-specific processes are added depending on the business — shop-floor production controls for manufacturers, project accounting for real estate and construction, loan origination and collections for NBFCs, or reconciliation between marketplace and books for e-commerce businesses. We scope the specific list with you at the start of the engagement based on where the pain or risk is greatest.
How long does a typical engagement take?
A focused review of a single process — say, procure-to-pay at one location — typically runs 6–8 weeks from scoping to a signed-off future-state design. A multi-process, multi-location engagement, such as procure-to-pay plus order-to-cash plus payroll across three branches, typically runs 10–16 weeks end-to-end including implementation support. Post-implementation testing is best scheduled 60–90 days after go-live, once the redesigned process has had time to bed in under real operating conditions.
What does the final deliverable actually look like?
You receive a current-state process map (swimlane/flowchart format), a gap analysis document classifying each finding by type and risk rating, a future-state process design with explicit control points and an updated Delegation of Authority matrix, a formal Risk and Control Matrix (RCM) mapping risks to mitigating controls, and an updated SOP document your team can actually follow. Where the review touches an ERP or accounting system, we also provide the specific workflow/approval configuration required to enforce the new design in the system, not just on paper.
We already have SOP documents for most of our processes. Do we still need this?
Often, yes — the gap we most commonly find is between the documented SOP and how the process actually runs day to day. Staff develop workarounds when a system limitation, an unavailable approver, or a genuine process flaw makes the documented steps impractical, and these workarounds rarely make it back into the SOP. A walkthrough with actual process owners, not just a read of the existing document, is the only reliable way to find this gap — which is exactly what our current-state mapping step is designed to surface.
Do you only work with large companies, or is this relevant for a smaller, growing business too?
It is highly relevant for growing businesses specifically — this is usually the exact inflection point where informal, founder-driven processes stop scaling. A business that has grown from 10 to 80 employees in two years, or added a second location, often finds that approvals which used to happen over a quick conversation now need a documented, system-enforced process because the founder can no longer personally review every transaction. Catching this early, before a statutory audit finding or an investor due diligence process surfaces it, is materially cheaper than fixing it under pressure later.
How does this connect to Internal Financial Controls (IFC) that our Board has to certify?
Under Section 134(5)(e) of the Companies Act 2013, the Board's report must state that the company has laid down internal financial controls and that these controls are adequate and were operating effectively. Under Section 143(3)(i), the statutory auditor must separately opine on the adequacy and operating effectiveness of the company's internal financial controls over financial reporting — though a private company that is not a subsidiary or holding company of a public company, and that meets the small-turnover and low-borrowing conditions specified in the MCA's Companies (Audit and Auditors) Rules exemption, is excluded from this specific auditor-reporting requirement (the Board's own obligation under Section 134(5)(e) still applies). Whether your company qualifies for that exemption should be confirmed with your statutory auditor. Both requirements depend on having documented processes and a Risk and Control Matrix that ties specific risks to specific controls — which is precisely the artefact this engagement produces. Without it, the IFC assessment each year becomes a rushed, undocumented exercise that is difficult for the Board to stand behind with confidence.
What is a Risk and Control Matrix (RCM) and why does it matter so much?
An RCM is a structured document that lists, for each process, the specific risks that could occur (e.g., payment made to a fictitious vendor, revenue recognised before delivery, inventory shrinkage going undetected) alongside the specific control that is designed to prevent or detect that risk (e.g., three-way match between purchase order, goods receipt, and invoice before payment approval). It is the standard artefact statutory auditors and internal auditors use to test control design and, subsequently, operating effectiveness. Without a documented RCM, every audit cycle has to reconstruct this mapping from scratch through interviews — slower, less consistent, and more prone to gaps being missed.
Can this engagement be combined with an ERP implementation or migration?
Yes, and it is one of the most effective times to run it. Implementing a new ERP or accounting system without first re-engineering the underlying process typically results in the new system simply automating the old inefficiency — the same redundant approvals and manual workarounds, just inside a more expensive system. Running process re-engineering ahead of or alongside the system implementation means the future-state process design directly informs how the new system's workflows, approval hierarchies, and access controls are configured.
What is segregation of duties, and why does it come up so often in these reviews?
Segregation of duties is the principle that no single individual should control every stage of a transaction — initiation, approval, custody of the asset, and recording — because a single person controlling all stages creates both fraud opportunity and error risk that no one else is positioned to catch. It is one of the most fundamental internal control principles and one of the most common gaps we find in growing businesses, where a small finance team means the same person raises a payment, approves it, and reconciles the bank statement. Re-engineering typically resolves this either by redistributing responsibilities across existing staff or, where headcount genuinely does not allow it, by introducing a compensating control such as a mandatory secondary review.
How do you handle a process that spans multiple locations or entities?
We map each location's variant of the process separately during the current-state walkthrough stage, because processes that are supposedly 'standardised' across locations frequently diverge in practice — different approval thresholds, different documentation habits, different system usage. The future-state design then either harmonises the process into one standard version applied everywhere, or, where a genuine business reason requires local variation, documents the variation explicitly with its own control points rather than leaving it undocumented.
Does the review cover IT and system controls, or only manual/paper processes?
Both. Most processes today run through some combination of manual steps and system workflows, and a control that exists on paper but is not enforced by the system (or vice versa) is a common gap. We review the system access matrix, workflow configuration, and any manual workarounds being used to bypass a system limitation, alongside the manual approval and documentation steps. Where IT general controls (user access management, change management, backup and business continuity) are materially relevant to the process, we flag them, though a dedicated ITGC/IS audit is a separate, deeper engagement if that is the primary concern.
What does 'gap analysis' actually involve — how do you decide something is a gap?
Each documented process step is tested against two questions: first, does this step add genuine value, or is it redundant, duplicative, or a manual workaround for a system limitation; second, does this step prevent or detect error, fraud, or non-compliance, and is that control actually operating as intended (not just documented). Gaps are then classified by type — segregation-of-duties gap, missing or informal authorisation, unreconciled handoff between systems or teams, redundant approval that adds delay without adding control — and rated by risk severity and the effort required to remediate.
How much does this typically cost, and how is it priced?
PNPC prices this as a fixed-fee, scope-defined engagement — the fee depends on the number of processes, locations, and entities in scope, and whether implementation support and post-implementation testing are included. The exact fee and scope are confirmed in writing before any work begins, following the scoping conversation. We are not the cheapest option in the market; the value is in a CA-led review that connects process efficiency directly to statutory control obligations, not a generic operations consulting deliverable.
Who from our organisation needs to be involved, and how much of their time does it take?
The engagement needs genuine access to the actual process owners and operational staff who perform the work daily — not just a summary from the department head — because that is where the real gaps and workarounds surface. Typically this means a series of structured interviews of 60–90 minutes per process per location during the discovery phase, plus availability for a validation session once the current-state map is drafted, and sign-off meetings with the Audit Committee/Board sponsor at scoping and at future-state design approval. We schedule this to minimise disruption, but genuine engagement from process owners is not optional for a credible outcome.
What happens if we implement the recommendations but staff go back to the old way of working?
This is the single most common reason a re-engineering exercise fails to deliver value, and it is why our engagement explicitly includes implementation support and change management — process owner training, a defined cut-over date so the old and new process do not run in parallel indefinitely, and post-implementation testing 60–90 days after go-live to confirm the new process is actually being followed, not just that the SOP was signed off. A redesign without this follow-through is, in our experience, reliably abandoned under the first real deadline pressure.
Is process re-engineering mandatory under any Indian statute?
There is no standalone statute that mandates 'process re-engineering' as a named exercise. However, the underlying obligation to maintain adequate and effective internal financial controls is a statutory requirement under Section 134(5)(e) and Section 143(3)(i) of the Companies Act 2013, and companies crossing the thresholds under Section 138 read with Rule 13 of the Companies (Accounts) Rules, 2014 must maintain an Internal Audit function that will test those controls. Process mapping and re-engineering is the practical mechanism by which many organisations actually meet these underlying statutory obligations, even though the exercise itself is not separately named in the law.
How is this relevant to a company preparing for a fundraise or acquisition?
Financial and operational due diligence in a fundraise or acquisition routinely tests exactly the things this engagement documents — segregation of duties, approval trails, reconciliation discipline, and whether controls described to the investor actually operate as described. A documented process environment with a current Risk and Control Matrix materially shortens diligence timelines and reduces the scope for the investor's advisers to raise findings that get used to negotiate a lower valuation or additional warranties. Undertaking this review proactively, well before a term sheet, is significantly cheaper and less stressful than doing it reactively under diligence deadline pressure.
Does PNPC also implement the recommended system changes, or only recommend them?
PNPC's core deliverable is the process design, the RCM, and the SOP/DOA documentation, along with change management support for rollout. Where system reconfiguration is required — updating an ERP's approval workflow, for example — we specify the exact configuration needed and work alongside your IT team or ERP implementation partner to ensure it is built correctly; PNPC is not typically the party doing the hands-on system coding itself unless that is separately scoped as part of a broader engagement.
What is the difference between a control gap and an efficiency gap, and does it matter which is which?
A control gap is a point in the process where error, fraud, or non-compliance could occur, or already has occurred, without being reliably prevented or detected — for example, a payment approved by the same person who raised it. An efficiency gap is a point where the process is slower or more resource-intensive than necessary without adding any corresponding control benefit — for example, three sequential sign-offs for a routine, low-value purchase order. The distinction matters because control gaps are generally the higher priority to fix and are the ones your auditors will test, while efficiency gaps affect cost and speed but not, on their own, financial statement integrity.
Can this review help us identify where fraud or cash leakage might be occurring?
The process mapping and control gap analysis frequently surfaces the structural weaknesses — missing segregation of duties, unreconciled handoffs, informal approval overrides — that create the opportunity for fraud or leakage to occur, and closing those gaps is a genuine preventive benefit. However, this engagement is not a forensic investigation: if you already suspect a specific fraud has occurred, a targeted forensic audit engagement with evidence-gathering standards appropriate for potential legal or disciplinary action is the more precise tool, and we would recommend that route instead or alongside this one.
How often should we revisit process maps once they are documented?
A full re-assessment is generally advisable every 2–3 years, or sooner if triggered by a material business change — a new product line, an acquired entity, an ERP migration, a significant headcount increase, or a new regulatory requirement affecting the process. Even well-controlled processes drift over time as people change roles and informal shortcuts creep back in; the documentation itself should also be reviewed annually as part of the ongoing Internal Audit or IFC assessment cycle, even without a major trigger event.
What is the COSO framework, and do we need to formally adopt it?
The Committee of Sponsoring Organizations of the Treadway Commission (COSO) Internal Control–Integrated Framework is the most widely referenced framework globally for designing and evaluating internal controls, structured around five components — control environment, risk assessment, control activities, information and communication, and monitoring activities. Indian statutory and internal auditors commonly benchmark IFC assessments against COSO's structure, even though the Companies Act itself does not mandate COSO by name. You do not need to formally 'adopt' COSO as a certification; we use it as the reference structure to ensure the control environment we design is complete and defensible against what an auditor will expect to see.
Will this engagement disrupt our day-to-day operations while it is underway?
The discovery and design phases require structured interview time from process owners but do not require operations to pause — walkthroughs are scheduled around the team's existing workload, and current processes continue to run unchanged until the future-state design is signed off and a deliberate cut-over is planned. Some short-term disruption is expected during the actual implementation and change-management phase, as staff learn the new process, which is why we recommend a defined cut-over date and, where practical, a phased rollout rather than switching every process simultaneously.
Do you provide this service for businesses in the UAE as well as India?
Yes. PNPC has offices in Chennai, Bangalore, Hyderabad, and Dubai, and the underlying methodology — process mapping, gap analysis, control redesign — applies equally in the UAE, adapted to the relevant regulatory context, including UAE Corporate Tax record-keeping requirements, VAT compliance touchpoints, and any sector-specific regulation (financial free zones, DIFC/ADGM entities, and so on). For groups with both an Indian and a UAE entity, we can run a coordinated review across both jurisdictions under one engagement rather than splitting the work between two separate advisers who never compare notes.
What is the single biggest mistake companies make when trying to do this themselves without external help?
The most common mistake is documenting the process as management believes it runs, based on the original SOP or an interview with the department head, rather than walking the floor with the actual staff performing the work. The second most common mistake is treating the exercise as a documentation project rather than a redesign project — producing a beautiful flowchart of the existing broken process instead of asking whether the process itself needs to change. Both mistakes produce a deliverable that looks professional but does not close the actual gaps.
Can a smaller version of this be done as a quick diagnostic before committing to a full engagement?
Yes. We can run a scoped diagnostic review — typically a 1–2 week rapid assessment of one or two priority processes — to surface the most material gaps and give management and the Board a clear, evidence-based business case for whether a fuller engagement is warranted, and at what scope. This is a common and sensible way to start for organisations that are not yet certain how deep the issue runs.
How do you ensure the redesigned process actually reduces, not adds, work for our team?
This is one of the explicit design tests we apply — a re-engineered process that adds steps or approval layers without a corresponding, clearly articulated control justification has failed the efficiency half of the brief, regardless of how well-controlled it looks on paper. Wherever we recommend a new control point, we identify what it replaces or consolidates elsewhere in the process, so the net effect on the team's workload is transparent and, in most well-executed engagements, net-positive rather than simply additive.
What qualifications does the team conducting this review actually have?
PNPC's process and control review engagements are led by Chartered Accountants with practising experience in statutory audit, internal audit, and IFC assessment, supported by team members with relevant sector and systems experience where the engagement requires it (for example, ERP-specific expertise for a system-heavy process review). This CA-led structure is deliberate — it ensures the process redesign is evaluated not just for operational efficiency but for its statutory and tax consequences from the outset, rather than those consequences being discovered later by a separate auditor.
Why should we engage PNPC rather than a generic process-consulting firm?
A generic process consultant optimises for speed and cost reduction. PNPC is a practising Chartered Accountancy firm with four decades of statutory audit, internal audit, and tax practice — which means the process we design for you is evaluated simultaneously against the Companies Act control requirements your Board must certify, the tax and GST consequences embedded in the transaction flow, and the documentation your next statutory or internal auditor will actually test. We do not hand you a report and disappear; we support implementation, test post-go-live whether the redesign held, and hand the Risk and Control Matrix over to your ongoing Internal Audit and IFC programme so the investment compounds year after year rather than expiring the day the report is delivered.
PNPC Global vs typical alternatives for process mapping and control review work
| Dimension | Generic Management Consultant | In-House Project Team | PNPC Global |
|---|---|---|---|
| Statutory control lens (Sec 134(5)(e), 143(3)(i)) | Rarely built in — efficiency-only focus | Depends entirely on in-house expertise available | Built in by default — CA-led from scoping onward |
| Tax and GST consequence awareness in process design | Typically outside scope | Depends on internal finance team's depth | Integrated — same firm handles your tax and audit work |
| Actual process-owner walkthroughs vs management interviews only | Varies by firm and engagement price point | Internal bias — staff less candid with own management | Standard practice — direct floor-level access is non-negotiable |
| Risk and Control Matrix (RCM) handed over as reusable artefact | Not always a standard deliverable | Rarely formalised without external structure | Standard deliverable, feeds ongoing Internal Audit/IFC cycle |
| Post-implementation testing (60–90 days) | Frequently an unscoped extra | Rarely done systematically without a push | Included as a non-negotiable part of the engagement |
| India + UAE coordinated capability | Rare — most are India-only or UAE-only | Not applicable for cross-border groups | Offices in Chennai, Bangalore, Hyderabad, and Dubai |
| Continuity into next year's audit and compliance cycle | Engagement typically ends at report delivery | Depends on staff retention and documentation discipline | RCM and SOPs handed to ongoing retainer, audit, and compliance work |
What the PNPC package includes
- 01
Scoping and objective alignment session to confirm the trigger, priority processes, and success criteria before any fieldwork begins
- 02
Current-state process walkthroughs conducted directly with process owners, not management summaries alone
- 03
Formal swimlane/flowchart process maps cross-referenced to your Delegation of Authority matrix
- 04
Gap analysis rating every finding on both efficiency and control dimensions, benchmarked against the COSO framework
- 05
Future-state process redesign with explicit control points, approval matrices, and system configuration requirements
- 06
Formal Risk and Control Matrix (RCM) — the reusable artefact your statutory and internal auditors will reference for years
- 07
Updated SOP documentation and DOA alignment so the process on paper matches the process in practice
- 08
Implementation and change-management support through go-live, including process owner training
- 09
Post-implementation testing 60–90 days after rollout to confirm the redesigned controls are genuinely operating
- 10
Direct handover of documentation into your ongoing Internal Audit programme and annual IFC assessment cycle
Talk to a PNPC Chartered Accountant before your next audit finding repeats itself — book a scoping conversation and get a clear view of what your process gaps are actually costing you.