Expert Guide
A complete walkthrough — Business Process Audit
Reading this guide locally — Across Vepery, on the Kilpauk-Periyamet corridor that passes through Vepery.
What is a business process audit and how does it differ from internal and operational audit
Definitional anchor under the IIA Standards and ICAI SIA framework
A business process audit is a structured, evidence-based examination of one or more end-to-end business processes (revenue-to-cash, procure-to-pay, hire-to-retire, record-to-report, plant-and-asset, IT general controls) against a benchmark control framework — most commonly the COSO 2013 Internal Control Integrated Framework (5 components and 17 principles) and SA 315 risk-of-material-misstatement assessment used by statutory auditors. The Institute of Internal Auditors (IIA) International Professional Practices Framework defines internal auditing as an independent, objective assurance and consulting activity designed to add value and improve operations; a process audit is a tactical sub-set focused on individual process families rather than the enterprise-wide annual internal-audit plan. ICAI Standards on Internal Audit (SIA 110 to SIA 740) — mandatory from 1 April 2024 — codify the engagement framework: SIA 310 (planning), SIA 320 (evidence), SIA 330 (documentation), SIA 360 (communication), SIA 390 (monitoring) and SIA 740 (reporting). A process audit follows the same SIA discipline but with a narrower scope and faster cycle than the full annual internal audit.
Process audit versus operational audit versus internal audit
Operational audit is the broader genus — an examination of operational efficiency and effectiveness across functions, often without a structured benchmark framework. Internal audit (in the IIA and ICAI sense) is a continuous independent assurance function reporting to the audit committee, covering financial, operational and compliance dimensions over a multi-year plan. Process audit is a hybrid: it borrows the structured-framework discipline of internal audit and the operational-efficiency orientation of operational audit, but focuses on one or two process families in a single engagement. The Companies Act 2013 Section 138 mandates internal audit for prescribed companies (those crossing turnover and borrowings thresholds under Rule 13 of the Companies (Accounts) Rules 2014), and Section 143(3)(i) requires the statutory auditor to report on the adequacy of Internal Financial Controls over Financial Reporting (IFC-FR) — a process-audit lens is the natural sub-tool used by both internal and statutory auditors to discharge these mandates.
When does an SME need a process audit
An SME typically commissions a process audit at one of five trigger points: (a) onboarding a new ERP or core system, where the migration is a natural moment to redesign and document processes; (b) preparing for external funding (PE, debt, IPO) where investors expect documented internal controls; (c) after a fraud or material misstatement incident, where the board demands a root-cause and remediation review; (d) ahead of a statutory audit where the auditor has flagged IFC inadequacies in the prior year; (e) on a periodic-improvement basis aligned with ISO 9001:2015 clause 9.2 internal audit and clause 10.2 continual improvement. The OECD Principles of Corporate Governance (2023 revision) treat documented internal-control systems as a board-responsibility item; a process audit is the operational expression of that responsibility at the SME scale.
Section 138 and Section 143(3)(i) Companies Act framework
Section 143(12) fraud reporting and the process audit signal
Section 143(12) of the Companies Act 2013 read with Rule 13 of the Companies (Audit and Auditors) Rules 2014 requires the statutory auditor to report fraud — fraud involving amounts of ₹1 crore or above (the threshold notified in 2018, prior threshold was lower) is reportable to the Central Government via Form ADT-4 within 60 days; fraud below the threshold is reported to the audit committee or board. Process audit findings often surface red-flag indicators that the statutory auditor uses to assess whether Section 143(12) is triggered — control gaps, suspicious transactions, override patterns. A robust process-audit framework reduces both the incidence of fraud and the surprise-element at the statutory-auditor stage; the audit-committee chair typically requires the process auditor and statutory auditor to coordinate quarterly to ensure no Section 143(12) surprise.
Section 138 internal audit mandate
Section 138 of the Companies Act 2013 read with Rule 13 of the Companies (Accounts) Rules 2014 mandates internal audit for prescribed companies — every listed company; every unlisted public company with paid-up capital of ₹50 crore or more, turnover of ₹200 crore or more, outstanding loans or borrowings from banks or public financial institutions exceeding ₹100 crore, or outstanding deposits exceeding ₹25 crore; and every private company with turnover of ₹200 crore or more or outstanding loans or borrowings from banks or public financial institutions exceeding ₹100 crore. The internal auditor can be a Chartered Accountant, Cost Accountant or such other professional as may be decided by the Board; the scope, functioning, periodicity and methodology are determined by the audit committee or board in consultation with the internal auditor. Process audit is the operational sub-tool used by the internal auditor to discharge the Section 138 mandate.
Section 143(3)(i) IFC over financial reporting opinion
Section 143(3)(i) of the Companies Act 2013, inserted with effect from 1 April 2014, requires the statutory auditor to state in the audit report whether the company has adequate internal financial controls with reference to financial statements in place and the operating effectiveness of such controls. The Companies (Amendment) Act 2017 substituted 'internal financial controls' with 'internal financial controls with reference to financial statements' (IFC-FR), narrowing the scope from the broader Section 134(5)(e) board-statement (which still references internal financial controls broadly). The ICAI Guidance Note on Audit of Internal Financial Controls over Financial Reporting (2015, periodically updated) provides the operational framework — adopting COSO 2013 as the benchmark, with mapping to the Indian regulatory context. Process audit findings feed directly into the Section 143(3)(i) statutory-auditor work-stream.
ICAI Standards on Internal Audit (SIA 110 to SIA 740)
Evidence under SIA 320 and documentation under SIA 330
SIA 320 (internal-audit evidence) establishes the principle that the internal auditor should obtain sufficient and appropriate evidence to support findings and conclusions. Evidence categories — physical inspection, observation, inquiry and confirmation, recalculation and reperformance, analytical procedures — broadly mirror SA 500 categories used in statutory audit. SIA 330 (internal-audit documentation) requires that working papers be sufficient to enable an experienced internal auditor with no previous connection to the audit to understand the work performed, the evidence obtained and the conclusions reached. Process-audit working papers typically include: BPMN process maps (as-is and to-be), walkthrough memoranda, segregation-of-duties matrices, control-test logs, exception reports, interview notes, and the management-response register. The SIA 330 standard also addresses retention — typically seven years, aligned to the Companies Act records-retention horizon.
Reporting under SIA 740 and follow-up under SIA 390
SIA 740 (reporting results to the auditee) requires that the internal-audit report communicate findings, recommendations and management responses in a structured manner. The typical report structure: executive summary, scope and methodology, summary of findings by risk-rating (high, medium, low), detailed findings each with observation-cause-effect-recommendation-management-response-target-date, and appendices (process maps, working papers index). SIA 390 (monitoring and reporting of prior-engagement issues) requires the internal auditor to follow up on prior recommendations to verify implementation; this transforms the process audit from a point-in-time deliverable to a continuous-improvement engagement. The audit committee typically reviews the SIA 390 follow-up report quarterly and tracks closure rate as a KPI.
Structure and effective date
The ICAI Standards on Internal Audit (SIAs) were initially issued as a recommendatory framework; the Council of ICAI in 2018 announced their elevation to mandatory status for internal-audit engagements conducted by Chartered Accountants, with effective dates rolled out through 2024. The current structure groups SIAs into four series: SIA 100 series (general principles), SIA 200 series (planning), SIA 300 series (performing), SIA 400 series (reporting and follow-up), with key standards including SIA 110 (framework governing internal audits), SIA 230 (objectives of internal audit), SIA 310 (planning the internal audit), SIA 320 (internal-audit evidence), SIA 330 (internal-audit documentation), SIA 360 (communication with management), SIA 390 (monitoring and reporting of prior-engagement issues) and SIA 740 (reporting results to the auditee). A process audit conducted by a Chartered Accountant follows the SIA discipline end-to-end.
Engagement deliverables, timeline and audit-defence positioning
Cycle timeline by phase
Week 1 (planning under SIA 310): kickoff meeting, engagement-letter finalisation, document-request list issuance, entity-level understanding through interviews with key process owners (typically 6-8 hours of process-owner time). Week 2 (process mapping and risk assessment): walkthrough sessions for each major process step, as-is BPMN 2.0 map drafting, preliminary risk-and-control-matrix population. Week 3 (testing under SIA 320): control walkthroughs, sample-based reperformance for key controls, ITGC testing where applicable (access management, change management). Week 4 (analysis and to-be design): finding consolidation, root-cause analysis, to-be process redesign. Weeks 5-6 (reporting and management response under SIA 740): draft report issuance, management response collection, final report finalisation, board / audit-committee presentation. Follow-up under SIA 390 happens at quarterly cadence post-engagement.
Audit-defence positioning of process-audit deliverables
The process-audit deliverables serve a dual purpose — operational improvement (the primary objective) and audit-defence (a derivative benefit). At the statutory-audit stage under SA 315, the SA 315 revised standard requires the statutory auditor to understand the entity's risk-assessment process and control activities. Where a documented process audit exists, the statutory auditor's understanding-the-entity work is materially accelerated, and the IFC opinion under Section 143(3)(i) is supported by contemporaneous third-party documentation. At a GST audit under Section 65 CGST, the process-audit working papers are persuasive evidence that the registered person maintains adequate internal controls, supporting the burden of proof on turnover, ITC and refund assertions. At an income-tax assessment, the process-audit file supports the genuineness-of-transactions assertion under Sections 68 to 69D.
Continuous improvement and the multi-cycle engagement model
A single process-family audit at ₹18,000 is the entry point; the typical SME engagement matures into a multi-cycle annual programme covering the five major process families (revenue-to-cash, procure-to-pay, hire-to-retire, record-to-report, IT general controls) on a rolling basis, with quarterly SIA 390 follow-up reviews on prior recommendations. Over a 24-month horizon, the SME develops a documented internal-control library, a tested process-map repository in BPMN 2.0, a measured closure-rate KPI for prior recommendations, and a Section 143(3)(i) IFC defence file. The ISO 9001 clause 9.2 internal audit requirement and the ISO 27001:2022 clause 9.2 internal audit requirement are also satisfied by this rolling programme; the SME is effectively running an Integrated Management System internal-audit programme without explicit certification, and can pursue formal certification later when commercially warranted.
What Vepery clients usually ask next: Where Vepery differs: for the professional and salaried population of Vepery navigating personal-tax and home-office GST.