Expert Guide
A complete walkthrough — Business Process Audit
Reading this guide locally — Across Kottivakkam, in the coastal residential and it support micro-market of Kottivakkam.
What is a business process audit and how does it differ from internal and operational audit
Definitional anchor under the IIA Standards and ICAI SIA framework
A business process audit is a structured, evidence-based examination of one or more end-to-end business processes (revenue-to-cash, procure-to-pay, hire-to-retire, record-to-report, plant-and-asset, IT general controls) against a benchmark control framework — most commonly the COSO 2013 Internal Control Integrated Framework (5 components and 17 principles) and SA 315 risk-of-material-misstatement assessment used by statutory auditors. The Institute of Internal Auditors (IIA) International Professional Practices Framework defines internal auditing as an independent, objective assurance and consulting activity designed to add value and improve operations; a process audit is a tactical sub-set focused on individual process families rather than the enterprise-wide annual internal-audit plan. ICAI Standards on Internal Audit (SIA 110 to SIA 740) — mandatory from 1 April 2024 — codify the engagement framework: SIA 310 (planning), SIA 320 (evidence), SIA 330 (documentation), SIA 360 (communication), SIA 390 (monitoring) and SIA 740 (reporting). A process audit follows the same SIA discipline but with a narrower scope and faster cycle than the full annual internal audit.
Process audit versus operational audit versus internal audit
Operational audit is the broader genus — an examination of operational efficiency and effectiveness across functions, often without a structured benchmark framework. Internal audit (in the IIA and ICAI sense) is a continuous independent assurance function reporting to the audit committee, covering financial, operational and compliance dimensions over a multi-year plan. Process audit is a hybrid: it borrows the structured-framework discipline of internal audit and the operational-efficiency orientation of operational audit, but focuses on one or two process families in a single engagement. The Companies Act 2013 Section 138 mandates internal audit for prescribed companies (those crossing turnover and borrowings thresholds under Rule 13 of the Companies (Accounts) Rules 2014), and Section 143(3)(i) requires the statutory auditor to report on the adequacy of Internal Financial Controls over Financial Reporting (IFC-FR) — a process-audit lens is the natural sub-tool used by both internal and statutory auditors to discharge these mandates.
When does an SME need a process audit
An SME typically commissions a process audit at one of five trigger points: (a) onboarding a new ERP or core system, where the migration is a natural moment to redesign and document processes; (b) preparing for external funding (PE, debt, IPO) where investors expect documented internal controls; (c) after a fraud or material misstatement incident, where the board demands a root-cause and remediation review; (d) ahead of a statutory audit where the auditor has flagged IFC inadequacies in the prior year; (e) on a periodic-improvement basis aligned with ISO 9001:2015 clause 9.2 internal audit and clause 10.2 continual improvement. The OECD Principles of Corporate Governance (2023 revision) treat documented internal-control systems as a board-responsibility item; a process audit is the operational expression of that responsibility at the SME scale.
Engagement deliverables, timeline and audit-defence positioning
Continuous improvement and the multi-cycle engagement model
A single process-family audit at ₹18,000 is the entry point; the typical SME engagement matures into a multi-cycle annual programme covering the five major process families (revenue-to-cash, procure-to-pay, hire-to-retire, record-to-report, IT general controls) on a rolling basis, with quarterly SIA 390 follow-up reviews on prior recommendations. Over a 24-month horizon, the SME develops a documented internal-control library, a tested process-map repository in BPMN 2.0, a measured closure-rate KPI for prior recommendations, and a Section 143(3)(i) IFC defence file. The ISO 9001 clause 9.2 internal audit requirement and the ISO 27001:2022 clause 9.2 internal audit requirement are also satisfied by this rolling programme; the SME is effectively running an Integrated Management System internal-audit programme without explicit certification, and can pursue formal certification later when commercially warranted.
Standard deliverables in a process audit engagement
A FilingPro business-process-audit engagement at ₹18,000 one-time fee for a single process family delivers: (a) the engagement letter under SIA 110 with scope, methodology, period and timeline; (b) the as-is BPMN 2.0 process map for the audited process family, with swimlane-level role clarity; (c) the COSO 2013 17-principles assessment matrix, identifying which principles are designed-effectively, designed-but-not-operating, or designed-deficient; (d) the segregation-of-duties matrix at process-step level; (e) the findings register with observation-cause-effect-recommendation entries, risk-rated high/medium/low; (f) the to-be BPMN 2.0 process map with the recommended redesign; (g) the management-response register with target-dates; (h) the executive summary for board / audit-committee presentation. The full engagement cycle is typically 4 to 6 weeks for a single process family.
Cycle timeline by phase
Week 1 (planning under SIA 310): kickoff meeting, engagement-letter finalisation, document-request list issuance, entity-level understanding through interviews with key process owners (typically 6-8 hours of process-owner time). Week 2 (process mapping and risk assessment): walkthrough sessions for each major process step, as-is BPMN 2.0 map drafting, preliminary risk-and-control-matrix population. Week 3 (testing under SIA 320): control walkthroughs, sample-based reperformance for key controls, ITGC testing where applicable (access management, change management). Week 4 (analysis and to-be design): finding consolidation, root-cause analysis, to-be process redesign. Weeks 5-6 (reporting and management response under SIA 740): draft report issuance, management response collection, final report finalisation, board / audit-committee presentation. Follow-up under SIA 390 happens at quarterly cadence post-engagement.
The COSO 2013 framework — five components and seventeen principles
Component 1 — Control Environment (Principles 1 to 5)
The Control Environment component is the foundation — Principle 1 (commitment to integrity and ethical values), Principle 2 (board oversight independence), Principle 3 (management establishes structures, reporting lines and authorities), Principle 4 (commitment to attract, develop and retain competent individuals), and Principle 5 (holds individuals accountable for internal control responsibilities). In a process audit, the Control Environment is typically tested through a tone-at-the-top survey, board / audit-committee minutes review, code-of-conduct dissemination evidence, and HR competency framework. The Indian IFC framework picks up these principles via Schedule IV (Code for Independent Directors) and the SEBI Listing Obligations and Disclosure Requirements Regulations 2015 for listed entities; non-listed SMEs typically have an attenuated control environment, and the process audit's recommendations focus on closing this gap.
Component 2 — Risk Assessment (Principles 6 to 9)
Risk Assessment under COSO 2013 — Principle 6 (specifies objectives with sufficient clarity), Principle 7 (identifies risks), Principle 8 (assesses fraud risk), Principle 9 (identifies and assesses changes that could significantly impact) — runs parallel to SA 315 (revised 2021) risk-of-material-misstatement assessment used in statutory audit. The convergence point is the inherent risk and control risk taxonomy: inherent risk is the susceptibility of an assertion or process to misstatement before considering controls; control risk is the risk that a misstatement could occur and not be prevented or detected on a timely basis by the internal control system. Process audit applies this taxonomy at the process-step level, producing a risk-heat-map that the audit committee uses to prioritise process redesigns and resource-allocation for remediation.
Component 3 — Control Activities (Principles 10 to 12)
Control Activities — Principle 10 (selects and develops control activities), Principle 11 (selects and develops general control activities over technology), Principle 12 (deploys through policies and procedures) — is where process audit findings are most concrete. Control activities are categorised as preventive (e.g. segregation of duties, authorisation matrices) versus detective (e.g. reconciliations, exception reports), and as manual versus automated. The COSO 2013 Principle 11 explicitly carved out technology general controls (access management, change management, computer operations) as a distinct domain, reflecting the post-SOX experience that ITGCs are a foundational layer for application-level controls. ITIL v4 (service value system, change enablement, incident management) and ISO 27001:2022 Annex A controls provide the operational vocabulary at the ITGC layer; process audit cross-references these to COSO Principle 11.
COSO ERM 2017 and its overlay on process audit
Comparing COSO ERM 2017 with ISO 31000:2018 and the IIA model
Three major risk-management frameworks operate in parallel: COSO ERM 2017 (US-originated, principles-based, 5 components and 20 principles), ISO 31000:2018 Risk Management Guidelines (international standard, principle-process-framework triad, 8 principles), and the IIA 3-lines-of-defence model (governance-oriented, three roles: first-line operational, second-line risk-and-compliance oversight, third-line independent assurance). Process audit can draw on any of the three: COSO ERM 2017 is preferred where the audit-committee charter explicitly references it; ISO 31000:2018 is preferred where the SME is also pursuing ISO 9001 or ISO 27001 certification and wants a coherent ISO architecture; the IIA model is preferred where the audit-committee is structuring its third-line assurance function. The three are not mutually exclusive — many mature SMEs combine ISO 31000 process discipline with the IIA governance architecture and COSO 2013 control vocabulary.
Fraud risk assessment under COSO ERM 2017 and SA 240
Fraud risk is a particular sub-set of risk-assessment under both COSO ERM 2017 (Principle 12 — assesses risk in objective-setting context) and SA 240 (revised) — The Auditor's Responsibilities Relating to Fraud in an Audit of Financial Statements. The fraud-triangle (Donald Cressey, 1953) — pressure, opportunity, rationalisation — has been extended to a fraud-diamond (capability added) and a fraud-pentagon (arrogance added). Process audit applies these models at the process-step level — identifying which steps create opportunity for fraud (typically segregation-of-duties gaps), which positions create capability (typically privileged-access or master-data-maintenance roles), and which environments create pressure (typically aggressive sales-incentive structures). The output is a fraud-risk register that complements the COSO ERM principles assessment.
Risk appetite, risk tolerance and the audit-committee charter
COSO ERM 2017 Principle 7 (defines desired culture) and Principle 8 (commits to core values) culminate in the documented risk-appetite and risk-tolerance statements that the audit committee approves. Risk appetite is the amount and type of risk the entity is willing to accept in pursuit of its strategic objectives; risk tolerance is the acceptable variation in performance relative to the achievement of objectives. The process audit's findings on individual process controls are calibrated against the risk-appetite — a control gap may be unacceptable in one process family (e.g. cash-handling) but tolerable in another (e.g. employee expense reporting up to a defined threshold). The ICAI Guidance Note on Audit of Internal Financial Controls 2015, Appendix VI, provides illustrative documentation patterns aligned to this risk-appetite calibration.
What Kottivakkam clients usually ask next: For Kottivakkam engagements specifically — for the professional and salaried population of Kottivakkam navigating personal-tax and home-office GST.