
Process audit vs internal audit: when each is the right tool
Most CFOs use the two terms interchangeably. They are not the same thing. Using one when you need the other is how companies end up with deep dives in places that did not need them and breadth gaps in places that did.
Halfway through a recent engagement, a CFO told us they had just commissioned a process audit of their procure-to-pay cycle. The auditor had returned a 60-page report identifying gaps in three-way matching, vendor master hygiene, and approval matrix application. Useful work. The CFO's question to us was whether the same auditor should now run a 'similar process audit' across the rest of the company's processes — revenue, payroll, inventory, treasury — until the entire operation was covered.
That question is the source of a common confusion. What the CFO was describing is not a process audit programme. It is an internal audit programme, executed one process at a time. The two are different in purpose, in design, and in the deliverable. Treating one as a tile for building the other produces a programme that covers everything but never produces the org-wide risk view that an internal audit function is supposed to deliver.
The definitional difference
A process audit is a deep, focused examination of one specific business process, end-to-end. The scope is narrow; the depth is high. Output is detailed: process maps, control gaps, recommended improvements, often with implementation guidance.
An internal audit is the systematic, risk-based examination of an organisation's control environment, governance, and operations against the audit committee's annual plan. The scope is broad; the depth varies by risk score. Output is a portfolio of findings across processes, with org-wide observations on themes — control culture, governance, regulatory exposure.
ICAI's Standards on Internal Audit (the SIA framework) define internal audit broadly as 'an independent management function which involves a continuous and critical appraisal of the functioning of an entity with a view to suggest improvements thereto.' Process audit is a tool within that function, not a substitute for it.
When a process audit is the right tool
Four situations where a process audit fits.
Known weak area
Management has identified a specific process where something is going wrong. Revenue is being recognised but cash is not being collected. Payroll is producing repeated overpayments. Procurement is showing margin leakage that the standard cost model cannot explain.
The process audit goes deep on the suspected process, identifies the operational causes, and recommends fixes. The output is implementable: change this approval threshold, redesign this maker-checker step, automate this reconciliation.
This is the most common legitimate use of a process audit. It is targeted, time-bound, and operationally useful.
Post-incident review
An incident has occurred — a fraud, a regulatory penalty, a material customer complaint, a system outage with financial impact. The process audit reconstructs the chain of events, identifies the control failures, and recommends what would have caught it.
Post-incident process audits are typically requested by the audit committee or by the regulator. The deliverable becomes part of the incident response file.
Pre-acquisition target review
Before acquiring a company, the buyer's team commissions a focused process audit of the target's most material processes. Usually revenue recognition, customer contract review, and inventory valuation. The objective is to confirm that the target's reported numbers are supported by the processes that produce them.
Pre-acquisition process audits are tightly scoped — usually 4 to 6 weeks — and the output feeds the deal team rather than the target's audit committee.
Scaling a function
A function is moving from informal, founder-led operation to formalised process. The process audit documents the current state, identifies the points where formalisation will add value, and produces the to-be process design. Often used during the Series B to Series D growth phase, where the company is professionalising operations without yet having an internal audit function.
When an internal audit is the right tool
Five situations where the breadth of internal audit is what the organisation actually needs.
Annual coverage of the risk universe
The audit committee needs a view of the entire control environment, refreshed periodically. Internal audit, on a risk-based plan, covers the high-risk processes annually, the medium-risk processes every 18 to 24 months, and the low-risk processes every 3 to 5 years. The result is a portfolio of findings that lets the audit committee see where risk is concentrating across the organisation.
A process audit programme — running deep dives one process at a time — does not produce this view. By the time the eighth deep dive is completed, the findings from the first one are 18 months old, and the org-wide pattern is invisible.
Board reporting
The audit committee chair has to report to the board on the state of internal controls, the operation of the internal audit function, and material findings. This reporting requires a synthesis across processes — control culture, common themes, regulatory exposure, IT environment — that a process audit, by design, does not provide.
Risk universe identification
Internal audit, particularly in its first cycle, builds and maintains a risk universe: the full inventory of risks the organisation faces, scored by likelihood and impact, mapped to processes and controls. This work is the precondition for risk-based audit planning. A process audit can sample a slice of this universe but does not build it.
SOX-like obligations
Indian listed companies have IFC obligations under Section 134, and companies with US-listed parents have SOX obligations from the parent. Both regimes require an internal control assessment that covers the entire financial reporting environment, not a single process. Internal audit, with the breadth to test controls across processes, is the right vehicle. A process audit covering only one process is not a SOX or IFC equivalent.
Continuous improvement and tracking
Internal audit findings are tracked through to remediation. The audit committee receives a periodic report on open findings, age, owner, and target closure date. This management discipline applies across processes and across audit cycles. A process audit produces findings; an internal audit function tracks them.
The common substitution problem
We have run engagements where a company describes its work as 'process audit' but is functionally trying to do internal audit. The CFO has a list of 20 processes, an annual budget, and an audit partner. The audit partner runs one process audit per quarter. Over five years, every process is covered once.
This pattern misses three things.
First, the risk universe is never explicitly built. The audit scope is implicit in the list of processes, but no formal exercise scores risks against likelihood and impact. The audit committee never sees a heat map; they see eight individual reports.
Second, the cycle time is wrong. High-risk processes need annual coverage. A five-year rotation covers them once when they should be covered five times.
Third, the integrative work — common themes across processes, control culture, governance observations — does not get done. Each report is an island.
The fix is not to abandon process audits. They have a place. The fix is to wrap them inside an internal audit function that builds the risk universe, sets the annual plan, and synthesises the findings into board-ready conclusions.
The reverse substitution problem
The opposite substitution also occurs. A company has an internal audit function, but the function is running at process-audit depth across too many processes per year, with insufficient time for any one of them. The audits become surface-level. The findings are generic — 'improve segregation of duties', 'enhance maker-checker discipline' — and the operational value is low.
When an internal audit function is producing process-audit-style depth across only 20% of its plan, the depth is in the wrong place. The risk-based plan should drive deeper testing on the highest-risk processes and lighter coverage on the lower-risk ones. Uniform depth is a sign the planning has not been done.
How to know which one you need
Three questions for the CFO and audit committee chair.
Is there a specific problem you are trying to solve? If yes — a known weak area, a recent incident, a target to be acquired — process audit fits.
Do you need a view of the entire control environment? If yes — annual coverage, board reporting, IFC obligations — internal audit fits.
Are you trying to build or test capability in a new function? Process audit during the build phase, internal audit once the function is mature enough to test.
The answer to all three is often a sequence: process audit for the immediate problem, internal audit for the ongoing programme.
What audit committees should review
When the audit committee receives an annual plan, four checks.
Has a risk universe been built and scored? Show it.
Is the audit allocation correlated with the risk score? Higher-risk processes should receive more audit hours.
Are the deliverables synthesised across the year? Quarterly board reports should be more than a stack of process audit reports.
Are findings tracked through to remediation? Open findings older than the policy threshold should be a standing agenda item.
Process audit is a scalpel. Internal audit is a stethoscope. Both are useful. Confusing one for the other is how you end up over-engineering a problem you understood and under-investigating a problem you did not know you had.
What we recommend most often
For mid-size growth-stage companies that have neither an internal audit function nor a structured process audit cadence, the sequence is: build the risk universe first (6 to 8 weeks), set the annual internal audit plan against the universe, and run two or three process audits within the plan during the first year for the highest-risk processes. By year two, the company has a functioning internal audit programme with the discipline of process audit applied to the riskiest slices.
This sequence works because it builds the org-wide view before going deep, which is the opposite of how most companies arrive at us. Most companies have gone deep first. They have process audit findings on three or four processes and no risk universe to connect them. Building the universe in retrospect is harder than building it first.