Process Audit by Internal Auditor, Schemes and Mind Maps of Process Control

Contains the list of processes organization have along with risk area and typical IA observations

Typology: Schemes and Mind Maps

2025/2026

Uploaded on 03/16/2026

prashant-pal-1
INTERNAL AUDIT
PROCESS & RISK REFERENCE COMPENDIUM
Covering 8 Sectors | 15+ Process Cycles | Risks, Controls & Audit Observations
FMCG | Healthcare | Real Estate | Hospitality | Green Energy | IT/ITES | Manufacturing | Education
Prepared for Prashant Pal | CA | Internal Audit & Risk Advisory

CONTENTS
1. Common / Cross-Sector Process Cycles
2. FMCG (Fast Moving Consumer Goods)
3. Healthcare & Pharmaceuticals
4. Real Estate & Construction
5. Hospitality (Hotels & Restaurants)
6. Green / Renewable Energy Generation
7. Information Technology & ITES
8. Manufacturing & Engineering
9. Education & EdTech

HOW TO USE THIS DOCUMENT
Each sector section contains a four-column matrix: Process / Sub-process → Key Risks → Key Controls → Typical Audit Observations. This is structured to mirror a risk-and-control matrix (RCM), which is the working document used in every internal audit and IFC engagement.
Process column: The business process or sub-process being audited (e.g. Vendor Onboarding, Revenue Recognition).
Key Risks column: The significant risks that could materialise if controls fail: financial, operational, compliance, or reputational.
Key Controls column: The controls expected to mitigate the risks: preventive, detective, automated, or manual.
Audit Observations column: Typical findings raised in practice: what auditors commonly discover when controls are absent or ineffective.


Section 1 — Common / Cross-Sector Process Cycles

The following process cycles exist in virtually every organisation regardless of sector. Mastery of these is the foundation of any internal audit practice.

1.1 Procure-to-Pay (P2P)

Process / Sub-process | Key Risks | Key Controls | Typical Audit Observations

Vendor Onboarding
  Key Risks:
  • Fictitious or duplicate vendors created
  • Vendors related to employees (undisclosed)
  • Incomplete KYC / documentation
  • Blacklisted vendors onboarded
  Key Controls:
  • Mandatory vendor registration form with supporting documents
  • Background check / KYC verification
  • Dual approval for new vendor activation in ERP
  • Periodic vendor master review and deduplication
  Typical Audit Observations:
  • Vendor master contains duplicate entries with slight name variations
  • Related-party vendors not disclosed to management
  • Vendors onboarded without valid PAN / GST registration
  • No periodic review of inactive vendors — zombie vendor risk

Purchase Requisition & PO
  Key Risks:
  • Purchases initiated without proper need justification
  • DOA bypass — approvals below authorised threshold
  • Split purchases to avoid approval limits
  • Purchases from non-approved vendor list
  Key Controls:
  • Documented purchase requisition process with budget check
  • ERP-enforced DOA hierarchy for PO approval
  • System alert for split PO detection
  • Approved vendor list enforced in ERP
  Typical Audit Observations:
  • POs raised after goods receipt (retroactive POs)
  • Multiple small POs to same vendor on same day to avoid DOA threshold
  • Purchases made outside approved vendor list without exception approval
  • No budget availability check before PO creation

Goods Receipt & 3-Way Match
  Key Risks:
  • Payments made without goods receipt confirmation
  • GRN manipulation — quantity or quality mismatch
  • Goods received without inspection
  Key Controls:
  • 3-way match: PO + GRN + Invoice before payment
  • Independent GRN by stores / warehouse team
  • Quality inspection report for material goods
  • System block on payment if 3-way match fails
  Typical Audit Observations:
  • 3-way match bypassed by manual journal override
  • GRN raised by the same person who raised the PO — SoD failure
  • Partial deliveries fully invoiced and paid
  • No tolerance limit configured in ERP for quantity variance

Invoice Processing & Payment
  Key Risks:
  • Duplicate payments on same invoice
  • Fraudulent invoices from fictitious vendors
  • Early payment without credit period expiry
  • Payments to bank accounts not matching vendor master
  Key Controls:
  • Invoice uniqueness check in ERP (vendor + invoice no + amount)
  • Bank account change requires dual approval + confirmation to vendor
  • Payment run review by finance manager before release
  • Cheque/NEFT signatory limit controls
  Typical Audit Observations:
  • Duplicate invoices paid due to different invoice number formats
  • Bank account changed by single user without second approval
  • Advances paid to vendors without utilisation tracking
  • Payment terms not updated in ERP — early payments reducing working capital
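The ERP checks listed in this table (invoice uniqueness on vendor + invoice number + amount, split-PO detection against the DOA threshold, PO/GRN segregation of duties, and the 3-way match block) can also be run by the auditor as analytics over an ERP extract. The following is an added example and not part of the compendium; the field names, the DOA limit and the sample records are constructed assumptions.

```python
"""Audit analytics for the Procure-to-Pay controls in the table above.
Added example, not part of the compendium. Field names, the DOA limit and the
sample records are assumptions; real ERP extracts will differ."""
import re
from collections import defaultdict

DOA_SINGLE_APPROVER_LIMIT = 100_000  # assumed limit above which a second approver is needed

# Constructed sample extracts: purchase orders, goods receipt notes and invoices.
PURCHASE_ORDERS = [
    {"po": "PO-1001", "vendor": "V-17", "date": "2025-04-02", "amount": 60_000, "raised_by": "ravi"},
    {"po": "PO-1002", "vendor": "V-17", "date": "2025-04-02", "amount": 55_000, "raised_by": "ravi"},
    {"po": "PO-1003", "vendor": "V-23", "date": "2025-04-03", "amount": 250_000, "raised_by": "meera"},
    {"po": "PO-1004", "vendor": "V-08", "date": "2025-04-03", "amount": 30_000, "raised_by": "anil"},
]
GOODS_RECEIPTS = [
    {"grn": "GRN-501", "po": "PO-1001", "received_by": "stores1"},
    {"grn": "GRN-503", "po": "PO-1003", "received_by": "meera"},  # same user who raised PO-1003
]
INVOICES = [
    {"inv": 1, "vendor": "V-17", "po": "PO-1001", "invoice_no": "INV/2025/0042", "amount": 60_000.0},
    {"inv": 2, "vendor": "V-17", "po": "PO-1001", "invoice_no": "inv-2025-42", "amount": 60_000.0},
    {"inv": 3, "vendor": "V-23", "po": "PO-1003", "invoice_no": "A-778", "amount": 250_000.0},
    {"inv": 4, "vendor": "V-08", "po": "PO-1004", "invoice_no": "A-778", "amount": 30_000.0},
]


def normalise_invoice_no(raw: str) -> str:
    """Canonical form so that 'INV/2025/0042' and 'inv-2025-42' compare equal.
    Separators are dropped, letters upper-cased and leading zeros removed from
    each digit run; a plain string compare misses exactly these variations."""
    tokens = re.findall(r"[A-Za-z]+|\d+", raw)
    return "".join((t.lstrip("0") or "0") if t.isdigit() else t.upper() for t in tokens)


def find_duplicate_invoices(invoices):
    """Groups of invoice ids sharing (vendor, normalised number, amount).
    Same key as the ERP uniqueness check, but tolerant of number formats.
    Invoices 3 and 4 share a number yet differ by vendor, so they are not flagged."""
    groups = defaultdict(list)
    for inv in invoices:
        key = (inv["vendor"], normalise_invoice_no(inv["invoice_no"]), round(inv["amount"], 2))
        groups[key].append(inv["inv"])
    return [ids for ids in groups.values() if len(ids) > 1]


def find_split_pos(purchase_orders, limit=DOA_SINGLE_APPROVER_LIMIT):
    """Same vendor, same day, each PO under the limit but the day's total at or above it."""
    by_vendor_day = defaultdict(list)
    for po in purchase_orders:
        by_vendor_day[(po["vendor"], po["date"])].append(po)
    flagged = []
    for (vendor, day), pos in by_vendor_day.items():
        total = sum(p["amount"] for p in pos)
        if len(pos) > 1 and total >= limit and all(p["amount"] < limit for p in pos):
            flagged.append({"vendor": vendor, "date": day, "pos": [p["po"] for p in pos], "total": total})
    return flagged


def find_sod_breaches(purchase_orders, goods_receipts):
    """GRNs posted by the user who raised the PO: the segregation-of-duties failure above."""
    raiser = {po["po"]: po["raised_by"] for po in purchase_orders}
    return [g["grn"] for g in goods_receipts if raiser.get(g["po"]) == g["received_by"]]


def three_way_match_failures(invoices, purchase_orders, goods_receipts, tolerance=0.02):
    """(invoice id, reason) for invoices the payment run should block.
    An invoice passes only if a PO exists for the same vendor, a GRN exists
    against that PO and the amount is within the assumed tolerance of the PO.
    A duplicate invoice can still pass here: uniqueness is a separate check."""
    pos = {po["po"]: po for po in purchase_orders}
    received = {g["po"] for g in goods_receipts}
    failures = []
    for inv in invoices:
        po = pos.get(inv["po"])
        if po is None or po["vendor"] != inv["vendor"]:
            failures.append((inv["inv"], "no matching PO for this vendor"))
        elif inv["po"] not in received:
            failures.append((inv["inv"], "no GRN: payment without goods receipt"))
        elif abs(inv["amount"] - po["amount"]) > tolerance * po["amount"]:
            failures.append((inv["inv"], "amount outside PO tolerance"))
    return failures


if __name__ == "__main__":
    print("duplicate invoices   :", find_duplicate_invoices(INVOICES))
    print("split POs            :", find_split_pos(PURCHASE_ORDERS))
    print("SoD breaches         :", find_sod_breaches(PURCHASE_ORDERS, GOODS_RECEIPTS))
    print("3-way match failures :", three_way_match_failures(INVOICES, PURCHASE_ORDERS, GOODS_RECEIPTS))
```

Each function returns the exceptions an auditor would sample-test; the duplicate pair shows why the uniqueness check must normalise the invoice number rather than compare it verbatim.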

1.2 Order-to-Cash (O2C)

Process / Sub-process | Key Risks | Key Controls | Typical Audit Observations

Customer Onboarding & Credit
  Key Risks:
  • Sales to customers without credit limit evaluation
  • Bad debts from unchecked customers
  • Fictitious customer accounts created
  Key Controls:
  • Credit evaluation and approval process with documented criteria
  • Credit limit set in ERP; orders blocked beyond limit
  • Customer KYC verification before activation
  • Periodic review of credit limits vs payment history
  Typical Audit Observations:
  • Credit limits set without formal evaluation — based on relationship
  • Credit limit overrides by sales team without finance approval
  • Customer accounts with no transactions active for 2+ years
  • No formal process to review and revise credit limits annually

Order Management
  Key Risks:
  • Orders accepted beyond production/service capacity
  Key Controls:
  • Sales order approval workflow in ERP
  Typical Audit Observations:
  • Manual price overrides by sales executives not subject to approval
  • Orders accepted for customers on credit hold

Process / Sub-process | Key Risks | Key Controls | Typical Audit Observations

Separation & Exit
  Key Risks:
  • Full and final settlement errors or delays
  • Access not revoked on separation — IT and physical
  • Assets not recovered on exit
  Key Controls:
  • Exit clearance checklist covering IT, admin, finance, HR
  • Access revocation on last working day (IT policy)
  • Full and final settlement calculation reviewed by finance
  • Asset recovery confirmation before settling dues
  Typical Audit Observations:
  • System access not revoked within 24 hours of separation
  • Company assets (laptop, SIM) not recovered — no tracking register
  • Gratuity and leave encashment calculated incorrectly
  • Exit interview not conducted — flight risk not identified

1.4 Fixed Assets Management

Process / Sub-process | Key Risks | Key Controls | Typical Audit Observations

Asset Capitalisation
  Key Risks:
  • Revenue expenses capitalised to inflate asset base
  • Assets capitalised without commissioning
  • Incorrect asset classification affecting depreciation
  Key Controls:
  • Capitalisation policy with threshold (e.g. items above ₹5,000 capitalised)
  • Commissioning certificate before capitalisation in ERP
  • Asset category matrix with useful life and depreciation rate
  • Finance review of capital vs revenue treatment
  Typical Audit Observations:
  • Software maintenance costs capitalised as intangible assets
  • Capital work-in-progress (CWIP) not transferred to fixed assets on commissioning — understates depreciation
  • Assets impaired but not written down
  • Useful life not reviewed periodically as required by Ind AS 16

Physical Verification
  Key Risks:
  • Assets on books but not physically present (ghost assets)
  • Assets present but not on books (unrecorded assets)
  • Assets mislocated — at employee homes or unauthorised locations
  Key Controls:
  • Annual physical verification of all fixed assets
  • Unique asset tagging (barcodes/RFID)
  • Reconciliation of physical count with asset register
  • Surprise verification for high-value portable assets
  Typical Audit Observations:
  • Last physical verification done 3+ years ago
  • Large number of 'not found' assets not written off — inflated asset base
  • Laptops and mobile phones assigned to ex-employees still active in asset register
  • No tagging for land and buildings — verification not possible
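The Separation & Exit observation above (system access not revoked within 24 hours of separation) and the Physical Verification observation that laptops and phones remain assigned to ex-employees can both be tested by reconciling the HR separation list against IAM and asset-register extracts. This is an added example and not part of the compendium; the extract layouts, the use of the 24-hour window as the test threshold, and the sample records are constructed assumptions.

```python
"""Leaver reconciliation: access revocation and asset recovery after separation.
Added example, not part of the compendium. Extract layouts, the 24-hour window
and the sample records are assumptions; real HR, IAM and asset data will differ."""
from datetime import datetime, timedelta

REVOCATION_WINDOW = timedelta(hours=24)  # the "within 24 hours of separation" test above

# Constructed sample extracts. Timestamps are naive ISO strings in one timezone.
SEPARATIONS = [
    {"emp_id": "E101", "last_working_day": "2025-06-30T18:00"},
    {"emp_id": "E102", "last_working_day": "2025-07-15T18:00"},
    {"emp_id": "E103", "last_working_day": "2025-07-31T18:00"},
]
# One row per (system, account); disabled_at is None while the account is still active.
ACCOUNTS = [
    {"system": "AD",    "emp_id": "E101", "disabled_at": "2025-06-30T19:30"},  # 1.5 h: fine
    {"system": "VPN",   "emp_id": "E101", "disabled_at": "2025-07-04T09:00"},  # 87 h: late
    {"system": "AD",    "emp_id": "E102", "disabled_at": None},                # never disabled
    {"system": "BADGE", "emp_id": "E102", "disabled_at": "2025-07-16T08:00"},  # 14 h: fine
    {"system": "AD",    "emp_id": "E103", "disabled_at": "2025-08-01T10:00"},  # 16 h: fine
    {"system": "AD",    "emp_id": "E200", "disabled_at": None},                # current employee
]
ASSET_REGISTER = [
    {"tag": "LT-0451", "type": "laptop", "custodian": "E101", "status": "active"},
    {"tag": "LT-0460", "type": "laptop", "custodian": "E102", "status": "returned"},
    {"tag": "SIM-0912", "type": "sim", "custodian": "E103", "status": "active"},
    {"tag": "LT-0470", "type": "laptop", "custodian": "E200", "status": "active"},
]


def _ts(s: str) -> datetime:
    return datetime.fromisoformat(s)


def late_revocations(separations, accounts, window=REVOCATION_WINDOW, as_of="2025-08-05T00:00"):
    """Accounts of leavers not disabled within `window` of the last working day.
    Returns (emp_id, system, hours_after_lwd); hours is None when the account is
    still active at `as_of`. Accounts of current employees are ignored."""
    lwd = {s["emp_id"]: _ts(s["last_working_day"]) for s in separations}
    findings = []
    for acc in accounts:
        if acc["emp_id"] not in lwd:
            continue
        deadline = lwd[acc["emp_id"]] + window
        if acc["disabled_at"] is None:
            if _ts(as_of) > deadline:
                findings.append((acc["emp_id"], acc["system"], None))
        elif _ts(acc["disabled_at"]) > deadline:
            hours = (_ts(acc["disabled_at"]) - lwd[acc["emp_id"]]).total_seconds() / 3600
            findings.append((acc["emp_id"], acc["system"], round(hours, 1)))
    return findings


def unrecovered_assets(separations, asset_register):
    """Asset tags still active against a separated employee."""
    leavers = {s["emp_id"] for s in separations}
    return [a["tag"] for a in asset_register if a["custodian"] in leavers and a["status"] == "active"]


def exit_clearance_gaps(separations, accounts, asset_register, **kw):
    """Per-leaver view: systems that still expose the organisation and assets not recovered."""
    report = {s["emp_id"]: {"late_access": [], "assets_out": []} for s in separations}
    for emp, system, hours in late_revocations(separations, accounts, **kw):
        report[emp]["late_access"].append((system, hours))
    custodian = {a["tag"]: a["custodian"] for a in asset_register}
    for tag in unrecovered_assets(separations, asset_register):
        report[custodian[tag]]["assets_out"].append(tag)
    return {emp: gaps for emp, gaps in report.items() if gaps["late_access"] or gaps["assets_out"]}


if __name__ == "__main__":
    for emp, gaps in exit_clearance_gaps(SEPARATIONS, ACCOUNTS, ASSET_REGISTER).items():
        print(emp, gaps)
```

The `as_of` parameter matters for still-active accounts: a leaver whose 24-hour window has not yet elapsed on the extract date is not a finding.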

1.5 Treasury & Cash Management

Process / Sub-process | Key Risks | Key Controls | Typical Audit Observations

Bank Reconciliation
  Key Risks:
  • Unidentified reconciling items concealing fraud
  • Timing differences used to manipulate cash balance
  • Stale cheques not reversed
  Key Controls:
  • Monthly bank reconciliation by person independent of cash handling
  • Reconciliation reviewed and approved by CFO / Finance Head
  • Stale cheque reversal policy (typically 3 months)
  • Direct bank confirmation for material accounts
  Typical Audit Observations:
  • Bank reconciliation prepared but not reviewed or signed off
  • Old uncleared cheques not investigated — concealing payments
  • Multiple bank accounts with no centralised visibility
  • Cash book maintained manually — no ERP integration

Petty Cash
  Key Risks:
  • Petty cash misappropriation
  • Duplicate reimbursements
  • Expenses without supporting vouchers
  Key Controls:
  • Petty cash float limit with imprest system
  • All petty cash expenses supported by original bills
  • Petty cash custodian different from approver
  • Surprise cash count by finance team
  Typical Audit Observations:
  • Petty cash expenses approved by custodian themselves — SoD failure
  • Same bills submitted multiple times across different periods
  • Cash balances not counted and reconciled regularly
  • Petty cash used for personal expenses of employees

Section 2 — FMCG (Fast Moving Consumer Goods)

FMCG organisations are characterised by high-volume, low-margin transactions, complex distribution networks, trade promotions, and significant inventory and logistics operations. Key audit focus areas: distribution channel controls, trade spend, and inventory management.

2.1 Supply Chain & Distribution

Process / Sub-process | Key Risks | Key Controls | Typical Audit Observations

Distributor / Channel Partner Management
  Key Risks:
  • Fictitious distributors receiving stock and margin
  • Distributor claims without physical stock movement
  • Channel conflict — parallel imports, grey market
  Key Controls:
  • Distributor onboarding with KYC, trade licence, GST verification
  • Primary and secondary sales reconciliation
  • GPS-tracked delivery confirmation
  • Periodic distributor performance review
  Typical Audit Observations:
  • Primary sales booked without secondary (retailer) sales data — channel stuffing
  • Distributors returning outdated stock not accounted for
  • Distributor claims for promotional material not verified with physical evidence
  • No reconciliation of stock at distributor level with company records

Trade Promotions & Schemes
  Key Risks:
  • Scheme payments made for non-qualifying transactions
  • Duplicate or inflated claims from distributors
  • Promotional goods (free goods) not accounted for
  Key Controls:
  • Scheme design documented and approved before launch
  • Claims verified against primary sales data in system
  • Free goods issued through ERP with separate accounting
  • Scheme audit by sales finance team
  Typical Audit Observations:
  • Trade promotion spend 8-12% of revenue but with minimal documentation
  • Same scheme claim submitted by multiple distributors for same event
  • Return on scheme spend never calculated — no effectiveness measurement
  • Free goods issued manually outside ERP — not tracked

Logistics & Freight
  Key Risks:
  • Freight overbilling by transport vendors
  • Fuel pilferage in company-owned fleet
  • Route deviation increasing logistics cost
  Key Controls:
  • Freight rate master approved by procurement; payable only per approved rate
  • GPS tracking for all vehicles
  • Route optimisation software with deviation alerts
  • Freight bill audit before payment
  Typical Audit Observations:
  • Freight charged per actual distance but GPS data shows shorter route
  • Multiple freight invoices for same trip with different reference numbers
  • No competitive tendering for freight contracts above threshold
  • Demurrage charges paid without investigation of root cause

2.2 Manufacturing & Quality (FMCG)

Process / Sub-process | Key Risks | Key Controls | Typical Audit Observations

Raw Material Procurement
  Key Risks:
  • Adulterated or substandard inputs affecting product quality
  • Vendor concentration risk — single source dependency
  • Price variance — purchases above approved rate
  Key Controls:
  • Approved vendor list with quality certification requirements
  • Incoming quality inspection with sampling standards
  • 3-way match for raw material purchases
  • Price variance report reviewed monthly
  Typical Audit Observations:
  • Purchases from non-approved vendors during shortage without documented approval
  • Quality inspection reports signed without actual testing
  • Significant price variance between purchase rate and approved rate with no explanation
  • Raw material shelf life not monitored — expired materials used in production

Production & Batch Control
  Key Risks:
  • Batch formula tampering — under-filling or ingredient substitution
  • Production wastage not recorded accurately
  • Counterfeit product risk
  Key Controls:
  • Batch manufacturing records (BMR) for each production run
  • Yield monitoring — actual vs standard yield variance investigation
  Typical Audit Observations:
  • Batch records incomplete or filled post-production
  • Excess wastage written off without investigation
  • No investigation of yield variance beyond 2% — significant loss potential

Section 3 — Healthcare & Pharmaceuticals

Healthcare organisations face unique risks around drug inventory, regulatory compliance (CDSCO, MCI, PCPNDT, NABH), patient billing, and insurance claims. Pharmaceutical companies have additional risks around clinical trials, batch recall, and narcotic controls.

3.1 Hospital Operations

Process / Sub-process | Key Risks | Key Controls | Typical Audit Observations

Patient Registration & Billing
  Key Risks:
  • Inflated billing — services not rendered charged to patient
  • Insurance fraud — claims for non-performed procedures
  • Revenue leakage — services rendered but not billed
  Key Controls:
  • Patient billing generated from clinical system (not manual)
  • Discharge summary reviewed by billing team vs clinical records
  • Insurance pre-authorisation obtained before planned procedures
  • Daily revenue reconciliation: clinical system vs billing system vs cash
  Typical Audit Observations:
  • Manual service entries in billing not linked to clinical notes
  • TPA (insurance) claims for services not supported by medical records
  • Day care procedures billed as inpatient to claim higher insurance package
  • Billing team incentivised on collections — conflict of interest

Drug & Consumable Management
  Key Risks:
  • Drug pilferage from pharmacy
  • Expired drugs dispensed to patients
  • Narcotic drugs mismanaged — regulatory risk
  Key Controls:
  • Indent-based dispensing linked to prescription and patient record
  • FEFO followed in pharmacy inventory management
  • Narcotic register maintained as per Narcotic Drugs and Psychotropic Substances Act
  • Perpetual inventory with daily reconciliation for high-value drugs
  Typical Audit Observations:
  • Drugs dispensed without valid prescription entry in HMS
  • Narcotic register not maintained daily — count reconciliation gaps
  • Returned drugs from patients re-entered into stock without quality check
  • High-value drugs (oncology, anaesthesia) not under perpetual inventory

OT / Procedure Scheduling
  Key Risks:
  • Surgical kits misused or under-reported
  • Implants used but not charged to patient
  • Ghost procedures — billing for surgeries not performed
  Key Controls:
  • OT checklist linking implant usage to patient billing
  • Surgeon and anaesthesiologist sign-off on procedure record
  • Implant serial number recorded in patient file and billing system
  • Video recording of OT (in select facilities for compliance)
  Typical Audit Observations:
  • Implants used in surgery not entered in implant register
  • Surgical kits opened and items consumed but not recorded
  • Difference between OT utilisation log and billing record — unbilled procedures
  • High-value implants procured from vendor recommended by surgeon — kickback risk

3.2 Pharmaceutical Manufacturing

Process / Sub-process | Key Risks | Key Controls | Typical Audit Observations

GMP Compliance & Quality
  Key Risks:
  • Non-GMP production leading to CDSCO action or product recall
  • Batch failure due to inadequate testing
  • Data integrity risk — lab results manipulated
  Key Controls:
  • Batch Manufacturing Record (BMR) and Batch Packing Record (BPR) for each batch
  • QC testing of every batch before release
  • 21 CFR Part 11 compliant electronic records (for export-oriented units)
  • Deviation management and CAPA process
  Typical Audit Observations:
  • BMR not completed contemporaneously — filled retrospectively
  • Out-of-specification (OOS) results investigated informally — no written investigation
  • Audit trail disabled in LIMS — data integrity failure
  • Stability samples not retained for required period

Narcotic & Controlled Substances
  Key Risks:
  • Diversion of controlled substances for illegal use
  • Regulatory penalties for record gaps
  • Theft from production or warehouse
  Key Controls:
  • Restricted access to controlled substance storage
  • Double-lock system with dual custodians
  • Daily reconciliation of controlled substance register
  • Annual government inspection readiness
  Typical Audit Observations:
  • Controlled substance balance not tallying with register
  • Access to controlled substance store not limited to authorised personnel
  • Destructions of rejected controlled substance batches not witnessed by regulatory officer
  • Controlled substance register not maintained in prescribed format

Process / Sub-process | Key Risks | Key Controls | Typical Audit Observations

  Key Risks:
  • Demand letters issued not aligned with construction milestones
  • Post-dated cheques mismanaged
  Key Controls:
  • Demand schedule tied to construction milestone certificates
  • PDC register maintained and reviewed monthly
  • Collections reconciled to booking records daily
  Typical Audit Observations:
  • PDC not deposited on due dates — working capital impact
  • Customer payment receipts not issued promptly

Section 5 — Hospitality (Hotels & Restaurants)

Hospitality businesses face unique risks in revenue management (rooms, F&B, banquets), cash-heavy operations, perishable inventory, channel management (OTA commissions), and guest experience-linked compliance (FSSAI, fire safety, PCI DSS for card payments).

5.1 Front Office & Revenue

Process / Sub-process | Key Risks | Key Controls | Typical Audit Observations

Room Revenue & Reservations
  Key Risks:
  • Reservation manipulation — blocking rooms for personal use
  • OTA commission overbilled
  • Rate below approved rack rate without authorisation
  • Walk-in revenue not captured — cash pilferage
  Key Controls:
  • Rate plan master maintained by revenue manager, not front office
  • OTA commission reconciliation against channel-wise booking report
  • Complimentary room authorisation by GM only
  • Night audit report reconciling occupancy vs revenue
  Typical Audit Observations:
  • Front office team overriding rate without authorisation — discounts to known guests
  • Complimentary rooms given at operational level without GM approval
  • OTA commission invoices not matched against actual bookings before payment
  • Night audit not performed daily — revenue discrepancies not detected promptly

F&B Revenue (Restaurant & Bar)
  Key Risks:
  • KOT (Kitchen Order Ticket) manipulation — voids and cancellations
  • Cash sales not rung through POS
  • Bartender pilferage — under-pouring or theft of spirits
  Key Controls:
  • KOT void and cancellation requires manager override with reason
  • All orders mandatory through POS before preparation
  • Bottle-for-bottle exchange policy for spirits
  • Surprise cash count against POS Z-report daily
  Typical Audit Observations:
  • High void/cancellation rate on cash transactions — pilferage signal
  • Manual KOTs raised for select tables — revenue bypassing POS
  • Bar stock physical count not matched against consumption and opening stock
  • Recipe-based cost of goods not benchmarked — actual consumption much higher

Banquet & Events
  Key Risks:
  • Event overbooking leading to customer dissatisfaction
  • Advance deposits for events not accounted for
  • Banquet revenue leakage — additional services not billed
  Key Controls:
  • Banquet booking system with confirmed booking and deposit policy
  • Event BEO (Banquet Event Order) signed by client with full scope
  • Post-event billing reviewed against BEO before invoice dispatch
  • Deposit receipts issued and tracked in system
  Typical Audit Observations:
  • Banquet advances received in cash — not deposited or recorded
  • Additional services consumed during event not billed
  • BEO signed but not updated when event scope changes — under-billing
  • Cancellation forfeitures not enforced per contract terms

5.2 Food & Beverage Operations

Process / Sub-process | Key Risks | Key Controls | Typical Audit Observations

Kitchen & Perishable Inventory
  Key Risks:
  • Perishable wastage above norm — theft or poor planning
  • Purchases inflated by kitchen team
  • FSSAI compliance failure
  Key Controls:
  • Daily food cost report against revenue (cost %)
  • Receiving inspection with quantity and quality check
  • FEFO in cold storage with daily temperature logs
  • FSSAI records (food logs, pest control, hygiene) maintained
  Typical Audit Observations:
  • Food cost % consistently above industry benchmark (28–32%) without explanation
  • Perishable purchases made by kitchen in-charge from preferred vendors without procurement involvement
  • Cold storage temperature records not maintained — food safety risk
  • Pest control contract active but visit records not maintained

Recipe Costing & Menu Pricing
  Key Risks:
  • Menu prices not covering cost — margin erosion
  • Recipe not followed — inconsistent quality and cost
  Key Controls:
  • Standardised recipe cards for all menu items
  • Quarterly menu engineering review — cost vs sales mix
  • Actual vs standard food cost variance analysis
  Typical Audit Observations:
  • No standardised recipes — food cost varies widely by shift
  • Menu prices not reviewed for 2+ years despite input cost inflation
  • Portion control not enforced — high variability in cost per cover

Section 6 — Green / Renewable Energy Generation

Renewable energy companies (solar, wind, hydro, biomass) face risks in project commissioning, energy generation and offtake (PPA compliance), O&M performance, regulatory compliance (CERC/SERC), and ESG data integrity. This is a rapidly growing sector with significant audit complexity.

6.1 Project Development & EPC

Process / Sub-process | Key Risks | Key Controls | Typical Audit Observations

EPC Contract Management
  Key Risks:
  • EPC contractor delay leading to COD (Commercial Operation Date) miss
  • Variation orders inflating EPC cost
  • Substandard equipment or installation
  Key Controls:
  • Milestone-based EPC payment schedule tied to independent engineer certification
  • Variation order approval process with financial threshold and technical justification
  • Third-party quality inspection during installation (panels, inverters, cabling)
  • Performance bank guarantee from EPC contractor
  Typical Audit Observations:
  • Milestone payments released without independent engineer certification
  • Variation orders approved by project team without commercial review
  • Equipment specifications changed post-LOI to lower-cost alternatives
  • Performance guarantee not invoked despite EPC delay — commercial lapse

Land & Regulatory Compliance
  Key Risks:
  • Land acquisition disputes delaying project
  • Environmental clearance not obtained or lapsed
  • Grid connectivity approvals delayed
  Key Controls:
  • Legal due diligence on land titles before acquisition
  • Environmental Impact Assessment for projects above threshold
  • Pre-COD regulatory checklist reviewed by legal team
  Typical Audit Observations:
  • Land documents not verified for encumbrances
  • Forest land used without Stage II clearance
  • Grid evacuation line commissioned late — generation loss not quantified
  • DISCOM interconnection agreement not executed before COD

6.2 Operations & Maintenance

Process / Sub-process | Key Risks | Key Controls | Typical Audit Observations

Energy Generation & PPA Compliance
  Key Risks:
  • Generation shortfall vs PPA commitment — penalty risk
  • Meter tampering or metering inaccuracy
  • Grid unavailability losses not documented for force majeure claim
  Key Controls:
  • SCADA monitoring with real-time generation visibility
  • Independent third-party meter testing annually
  • Grid curtailment logs maintained and reported to DISCOM/RLDC
  • Monthly PPA compliance report reviewed by commercial team
  Typical Audit Observations:
  • Generation data from SCADA not reconciled with DISCOM meter reading
  • Grid curtailment hours not documented — force majeure claim not possible
  • CUF (Capacity Utilisation Factor) below P90 projections for 2+ years — O&M performance issue
  • Meter calibration records not maintained

O&M Performance
  Key Risks:
  • Preventive maintenance skipped — increased breakdowns
  • Spare parts procurement inflated or fictitious
  • O&M contractor performance not monitored against SLA
  Key Controls:
  • Preventive maintenance schedule in CMMS (Computerised Maintenance Management System)
  • Spare parts procurement through approved vendor process
  • Monthly O&M SLA review with penalty / bonus calculation
  • String-level and inverter-level monitoring for solar
  Typical Audit Observations:
  • Preventive maintenance schedule exists but actual adherence not tracked
  • Spare parts procured from O&M contractor at inflated prices without market comparison
  • SLA penalties never invoked despite repeated performance shortfalls
  • Inverter availability below 98% SLA without formal non-conformance raised

ESG Data & Sustainability Reporting
  Key Risks:
  • Incorrect generation or emissions data in sustainability report
  • GHG savings overstated
  • RECs (Renewable Energy Certificates) not claimed or incorrectly reported
  Key Controls:
  • Generation data from SCADA as primary source; reconciled with DISCOM meter
  • GHG calculation per GHG Protocol Scope 2 methodology
  • REC registration and issuance tracked in RRAS / I-REC system
  • ESG data reviewed by independent assurance provider (BRSR / GRESB)
  Typical Audit Observations:
  • GHG savings calculated using incorrect emission factor (outdated grid emission factor used)
  • RECs generated but not registered on RRAS within validity period — expired unclaimed
  • ESG report boundary inconsistent — some assets excluded without disclosure
  • Water consumption at project sites not tracked — BRSR P6 gap

Process / Sub-process | Key Risks | Key Controls | Typical Audit Observations

  Key Controls:
  • Backup restoration tested quarterly
  Typical Audit Observations:
  • No offsite backup — single point of failure

Section 8 — Manufacturing & Engineering

Manufacturing companies face risks across production planning, quality control, scrap management, safety compliance (Factories Act), and energy/utility efficiency. Heavy engineering adds project-based revenue recognition and long-cycle contract risks.

8.1 Production & Quality

Process / Sub-process | Key Risks | Key Controls | Typical Audit Observations

Production Planning & Scheduling
  Key Risks:
  • Overproduction — excess inventory tied up in working capital
  • Underproduction — supply shortfalls and customer penalties
  • Material shortage causing line stoppage
  Key Controls:
  • MRP (Material Requirements Planning) in ERP linked to sales forecast
  • Weekly production planning meeting with sales, procurement, and production
  • Safety stock levels defined and monitored in ERP
  • Daily production report vs plan reviewed by plant head
  Typical Audit Observations:
  • Production plan based on ad hoc inputs, not system-generated MRP
  • No feedback loop between actual production and plan — deviations not investigated
  • Safety stock levels not reviewed for 12+ months — stockouts risk
  • Machine downtime not tracked against production loss

Quality Control & Rejection
  Key Risks:
  • Substandard finished goods shipped to customers — returns and warranty claims
  • Rejection manipulated to hide production inefficiency
  • Rework costs not tracked
  Key Controls:
  • In-process quality inspection at each production stage
  • Final inspection certificate before dispatch
  • Rejection analysis report with root cause and CAPA
  • Customer rejection register tracked vs internal rejection
  Typical Audit Observations:
  • Final inspection done by production team — not independent QC
  • Rejection rate consistently above standard — root cause never investigated
  • Rework treated as normal production cost — distorting standard cost
  • Customer complaints not linked back to internal rejection/rework data

Scrap Management
  Key Risks:
  • Scrap theft — saleable scrap removed from site
  • Scrap proceeds not accounted for fully
  • Scrap classification manipulation
  Key Controls:
  • Scrap weighment at gate with security witness
  • Scrap sale through competitive tendering or rate contract
  • Scrap sale proceeds deposited directly to company account
  • Scrap generation reconciled to material consumption and production output
  Typical Audit Observations:
  • Scrap sold below market rate to related vendor
  • Scrap generation not reconciled with production records — significant gap
  • No competitive process for scrap buyer selection
  • Security not present at scrap weighment — under-weighing possible

8.2 Environment, Health & Safety (EHS)

Process / Sub-process | Key Risks | Key Controls | Typical Audit Observations

Statutory Safety Compliance
  Key Risks:
  • Factories Act non-compliance — penalties and closure risk
  • Industrial accident liability
  • Contractor workforce safety gaps
  Key Controls:
  • Annual Factories Act returns filed on time
  • HIRA (Hazard Identification and Risk Assessment) for each job type
  • Permit-to-work system for high-risk activities
  • Contractor safety induction and PPE compliance monitoring
  Typical Audit Observations:
  • Factories Act licence not renewed — operating without valid licence
  • HIRA conducted as a one-time exercise — not reviewed after process changes
  • Permit-to-work system exists but not enforced for routine high-risk tasks
  • Accident near-misses not reported — no leading indicator tracking

End of Document | Prashant Pal | Internal Audit & Risk Advisory Reference Compendium