DPDP-Safe Prompt Templates for Indian CA Firms: 25 Tested Patterns That Don't Expose Client Data
The Digital Personal Data Protection Act 2023 made one specific AI workflow pattern indefensible: pasting client data into ChatGPT, Claude, Perplexity, Grok, or any other public LLM. Section 8(5) requires "reasonable security safeguards" for personal data. Section 33 imposes penalties up to ₹250 crore. Pasting payroll data with employee PAN + Aadhaar + bank accounts into a US-hosted public LLM is not a reasonable safeguard. It's a contractual breach with your client and likely a DPDPA failure on the firm's part.
But CAs still want AI productivity. The solution isn't "don't use AI" — it's "use AI WITHOUT exposing client data." This post is the practical 25-prompt library that shows how. Each prompt extracts the AI value without leaking sensitive information.
If you've followed the series — Adopting AI in Audit, Hallucinations, NotebookLM + Claude Projects — this is the operational playbook for safe public-LLM use.
The DPDPA risk pattern most CAs miss
Three patterns we see frequently in CA firm AI usage that create DPDPA exposure:
Pattern 1: Pasting Tally / ERP exports
"Analyse this trial balance" + paste of 200 lines including employee names, vendor PANs, customer GSTINs. Even if you delete personal identifiers visually, the structured data context (e.g., "Vendor A pays out ₹X.XX") implies relationships that may identify individuals.
Pattern 2: Pasting reconciliation snippets
"Match this GSTR-2A row to this book entry" + screenshot or paste of the row. Each row may contain GSTIN, vendor name, invoice number — all personal data of the vendor's principal officer if it's a proprietorship or LLP.
Pattern 3: Pasting client emails or memos
"Summarise what management said about going concern" + paste of email chain. Names, designations, sometimes phone numbers — all PII of identifiable individuals.
The fix isn't "ask the LLM nicely to forget." It's to never put the data in.
The 4-step DPDP-safe prompt design
Before sending any prompt to a public LLM, run it through 4 checks:
Step 1 — Inventory the data
What categories of personal / confidential data are about to enter the prompt?
- Names (employee, customer, vendor)
- PAN, Aadhaar, bank accounts, GSTIN
- Financial figures (specific amounts, contracts, salaries)
- Email content, phone, address
- Confidential business strategy / pending litigation
Step 2 — Substitute or anonymise
For each category, either:
- Synthetic substitution: replace real names with "Vendor A", "Customer B", "Employee 1"
- Range substitution: replace a specific amount with a range such as "₹1-2 cr range", or qualify it with "approximately"
- Categorical substitution: replace a specific entity with a category such as "a related party" or "a top-10 vendor"
Step 3 — Strip headers
Remove PAN, Aadhaar, GSTIN, IFSC entirely. The LLM doesn't need them to help you.
Step 4 — Verify before pasting
Read the proposed prompt once before sending. Confirm no real PII / financial figures remain.
This takes 30-60 seconds per prompt. It eliminates the DPDPA risk.
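The four checks above can be backed by a pre-send script. The sketch below is an added example, not code from this post or from CORAA: the function names (scrub, verify), the alias map and the sample text are assumptions, and the regexes only match the published shape of each identifier without validating checksums.

```python
import re

# Step 3 patterns, stripped outright. Order matters: a GSTIN embeds a PAN, and an
# ungrouped Aadhaar or a mobile number would otherwise match the account pattern.
IDENTIFIERS = [
    ("GSTIN",   r"\b\d{2}[A-Z]{5}\d{4}[A-Z][1-9A-Z]Z[0-9A-Z]\b"),
    ("PAN",     r"\b[A-Z]{5}\d{4}[A-Z]\b"),
    ("IFSC",    r"\b[A-Z]{4}0[A-Z0-9]{6}\b"),
    ("EMAIL",   r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b"),
    ("PHONE",   r"(?:\+91[ -]?|\b)[6-9]\d{9}\b"),
    ("AADHAAR", r"\b[2-9]\d{3}[ -]?\d{4}[ -]?\d{4}\b"),
    ("ACCOUNT", r"\b\d{9,18}\b"),
]
# A specific rupee figure; the lookahead skips text that is already a range ("₹1-2 crore").
AMOUNT = re.compile(r"(?:₹|\bRs\.?|\bINR)\s?(\d+(?:,\d+)*(?:\.\d+)?)"
                    r"(?!\d|,\d|\.\d|\s?-\s?\d)(?:\s?(crore|cr|lakh))?", re.I)
UNIT = {"crore": 1e7, "cr": 1e7, "lakh": 1e5}

def to_range(m):  # exact amount -> the one-unit-wide band that contains it
    value = float(m.group(1).replace(",", "")) * UNIT.get((m.group(2) or "").lower(), 1)
    for name, size in (("crore", 1e7), ("lakh", 1e5)):
        if value >= size:
            n = int(value // size)
            return f"₹{n}-{n + 1} {name} range"
    return "a sub-lakh amount"

def scrub(text, aliases):
    """Return (safe_text, inventory); aliases maps real names to synthetic labels."""
    found = {}
    for label, pattern in IDENTIFIERS:                      # Steps 1 and 3
        found[label] = re.findall(pattern, text)
        text = re.sub(pattern, f"[{label} removed]", text)
    found["NAME"] = [n for n in aliases if n.lower() in text.lower()]
    for name, alias in aliases.items():                     # Step 2: synthetic names
        text = re.sub(re.escape(name), lambda _: alias, text, flags=re.I)
    found["AMOUNT"] = [m.group(0) for m in AMOUNT.finditer(text)]
    text = AMOUNT.sub(to_range, text)                       # Step 2: ranges
    return text, {k: v for k, v in found.items() if v}

def verify(text, aliases):
    """Step 4: re-scan the final prompt; an empty dict means no known pattern remains."""
    return scrub(text, aliases)[1]

# Constructed sample: every name, number and identifier below is made up.
ALIASES = {"Sharma Traders": "Vendor A", "Ravi Kumar": "Employee 1"}
SAMPLE = ("Vendor Sharma Traders (GSTIN 27ABCDE1234F1Z5, PAN ABCDE1234F) was paid "
          "₹1,85,40,000 to account 123456789012 at HDFC0001234. Ravi Kumar, Aadhaar "
          "2345 6789 0123, ravi@example.com, 9876543210, approved ₹4,50,000.")
```

An empty result from verify only means none of these patterns matched. Names missing from the alias map and identifying context in free text still need the manual read in Step 4.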
25 Tested DPDP-Safe Prompt Templates
Engagement Planning (Templates 1-5)
Template 1 — Engagement letter draft
Draft an SA 210 engagement letter for [type of audit] of a [private
limited / public / listed] company in [industry]. Approximate turnover
[range, not specific]. Single signing partner. Following standard ICAI
guidance.
What's safe: no client name, no specific figures, just industry + size range.
Template 2 — Risk assessment memo
Draft an SA 315 (Revised 2020) risk assessment memo for a [size range]
manufacturing company. Identify significant risks based on the industry,
typical year-end pressures, and common Indian regulatory considerations.
Template 3 — Engagement letter sub-letter for tax audit
Draft a tax audit engagement under Section 44AB for a company with
turnover above ₹1 crore. Standard ICAI format. Reference Form 3CB-3CD.
Template 4 — Materiality memo
For an unlisted manufacturing company with profit before tax around ₹20-25
cr range and turnover around ₹200-250 cr range, suggest materiality at
overall, performance, and trivial levels per SA 320 implementation guidance.
For the actual computation, use the Materiality Calculator — no client data needed.
Template 5 — Acceptance criteria checklist
List the engagement acceptance criteria from SA 220 + ICAI Code of
Ethics. Format as a checklist. Include independence + competence + capacity.
Research & Standards Reference (Templates 6-10)
Template 6 — SA paragraph lookup
What does SA [number] paragraph [number] require? Quote the exact text
if possible. If you don't have the exact text, say so.
Template 7 — SA comparison
Compare SA 240 and SA 550 requirements. Where do they overlap? Where do
they require different procedures?
Template 8 — CARO 2020 clause check
For CARO 2020 clause [number], what's the reporting requirement? What
audit procedures support a positive response? What language is appropriate
for a deviation observation?
Template 9 — Section / Act lookup
What does Section [number] of the Companies Act 2013 / Income Tax Act
1961 require? Cite the section text and any relevant rules / explanations.
Template 10 — Threshold lookup
What's the threshold for [topic] under [relevant section]? Confirm the
current amount and any recent amendments. If unsure, suggest where to
verify.
For computation against verified thresholds, use CORAA calculators.
Drafting (Templates 11-15)
Template 11 — CARO observation language
Draft a CARO 2020 clause [number] observation for a deviation involving
[type of issue — described generically, no specific figures or names].
Use professional Indian audit language.
Template 12 — KAM paragraph
Draft an SA 701 KAM paragraph for [topic — e.g., revenue recognition /
ECL / going concern]. Use the standard structure: why this matter, what
audit approach, outcome.
Template 13 — Management Representation Letter language
Draft an MRL paragraph under SA 580 for [specific representation topic].
Use Indian SA terminology and dating conventions.
Template 14 — Form 3CD narrative
For Form 3CD clause [number], draft the narrative language for a typical
[private / public] company audit. Indicate where specific amounts need
to be inserted.
Template 15 — Audit report modification language
Draft a qualified opinion paragraph under SA 705 for [type of deviation,
described generically]. Use the standard "except for" structure.
Communication & Memos (Templates 16-20)
Template 16 — Section 143(12) initial communication letter
Draft the 2-day initial communication letter to the Audit Committee
under Section 143(12) for a suspected fraud matter (described generically,
no specific amounts or persons). Follow ICAI implementation guidance.
See the Form ADT-4 deep dive for the substantive workflow.
Template 17 — Audit Committee meeting agenda
Draft an Audit Committee meeting agenda for a listed entity covering:
quarterly limited review, internal audit observations, related-party
transactions, risk register update.
Template 18 — Engagement closure memo
Draft an SA 230 engagement closure memo confirming the final audit file
assembly within 60 days, with index of working papers retained.
Template 19 — Predecessor-auditor communication
Draft a predecessor-auditor communication under SA 510 for a new audit
engagement. Cover: knowledge of prior issues, going concern, management
integrity, regulatory communications.
Template 20 — Subsequent events letter
Draft an SA 560 subsequent events letter to management covering
adjusting vs non-adjusting events and management's responsibilities.
Working Paper Templates (Templates 21-25)
Template 21 — SA 240 fraud risk memo
Draft the SA 240 engagement-team-discussion memo on fraud risk. Include
revenue recognition presumed fraud risk + management override of
controls. Identify typical audit responses.
Template 22 — Related party identification memo (SA 550)
Draft an SA 550 related-party identification memo. Include: how relations
were identified, completeness procedures, controls testing, and
substantive procedures for the transactions identified.
Template 23 — Going concern memo (SA 570)
Draft an SA 570 going concern memo. Include: management's assessment,
key indicators considered, auditor's evaluation, conclusion. Use the
"no material uncertainty exists" template (modify if needed).
Template 24 — Sampling working paper (SA 530)
Draft an SA 530 sampling working paper template for [tests of controls /
tests of details]. Include: population definition, sampling method,
sample size formula, seed, selection method, results, projection.
For the actual sampling formula + seed, use the Sampling Calculator.
Template 25 — Section 143(12) Form ADT-4 preparation memo
Draft a memo documenting the auditor's process for filing Form ADT-4
under Section 143(12). Include: date of "reasonable belief", communication
trail, management response, auditor's evaluation, ADT-4 filing date.
What to NEVER put in a public LLM
Just to be explicit:
- ❌ Real client names (use "Client A" or category like "private manufacturing")
- ❌ Real employee names (use "Employee 1" or category like "junior staff")
- ❌ PAN, Aadhaar, GSTIN, IFSC, account numbers
- ❌ Specific monetary amounts (use ranges like "₹1-2 crore range" or "above ₹2 lakh")
- ❌ Specific dates that uniquely identify (use "year-end" or "mid-period")
- ❌ Email content from / to identifiable persons
- ❌ Pending litigation specifics
- ❌ Pending regulatory enquiry specifics
- ❌ Trial balance / ledger exports (use ranges + categories)
- ❌ Working papers as files (containing PII / financial data)
SA 230 documentation when AI is used
Even with DPDP-safe prompting, the working paper should document AI use. Suggested template:
AI assistance used in preparation of this working paper:
- Tool: [Claude Pro / ChatGPT Plus / Perplexity Pro] version [version], accessed [date]
- Substantive prompt: [summary of prompt used, anonymised]
- Output: [substantive output preserved or summarised]
- Verification: [what was verified against source — SA paragraph, Section text, etc.]
- Changes: [what the auditor changed from the LLM output, with reason]
- Conclusion: [auditor's final position, which is the responsibility of the auditor not the AI]
- Auditor: [name, date, sign]
This documentation makes the AI use defensible at peer review or NFRA inspection. It demonstrates that the auditor took professional responsibility and did the verification work.
The hybrid approach for actual client work
For the work that requires client data (the work these templates explicitly avoid):
- Use audit-grade tools like CORAA — India-hosted, contractually committed no-data-training, audit-trail-by-default
- These tools process the actual ledger / GST / payroll data within the firm's secure perimeter
- The public LLMs (Claude, ChatGPT, NotebookLM) handle the narrative / research / drafting layer using these templates
Combined cost (small firm): ₹3-5K / month for public LLMs + ₹30-60K / year for audit-grade tools. Combined value: 10-20× in time savings + DPDPA + audit defensibility.
See The Economics of AI in CA Practice for the full math.
Bottom line
DPDPA + ICAI confidentiality obligations make pasting client data into public LLMs a real risk for CA firms. The risk is unevenly understood — many firms still do this without realising the exposure.
The solution: design every prompt to extract AI value WITHOUT exposing client data. The 25 templates above show how:
- Use category descriptions instead of specific names
- Use ranges instead of specific amounts
- Strip PAN / Aadhaar / GSTIN / IFSC entirely
- Run the 4-step DPDP-safe design before every prompt
For actual client-data analysis (ledger, voucher, GST data) — use audit-grade tools that are India-hosted, not public LLMs.
For more on the architecture and tool choices:
- Adopting AI in Audit — 7-rule framework
- Claude for Indian Audit Work
- NotebookLM + Claude Projects workflow
- Hosting your own LLM in India
- DPDP Audit Impact for CA Firms
See also the broader Audit Prompt Library on CORAA's University: 30+ tested prompts for Indian audit work.