
DPDP Act 2023 Audit Impact.

The Digital Personal Data Protection Act 2023 reshapes audit work for Indian Chartered Accountants in two directions: a new SDF audit assurance service line (mandatory by 2027 for Significant Data Fiduciaries), and a new compliance obligation on the CA firm itself (firms are Data Fiduciaries for their own and clients’ personal data). This page covers both.

Two lanes — opportunity + obligation

Lane 1 (opportunity): SDF audit as a new service line

Significant Data Fiduciaries — large banks, telecom, social media, e-commerce, healthcare aggregators — will require periodic independent audit under DPDPA Section 10. ICAI is positioning DISA-certified CAs as the primary cohort. New fee opportunity for firms with information-systems audit competence.

Lane 2 (obligation): CA firm own compliance

Every CA firm is a Data Fiduciary in respect of its clients’ PII (employee KYC, payroll, bank statements) and its own employees. Section 8(5) reasonable security, 72-hour breach notification, data principal rights, processor due diligence — all apply to the firm itself.

Lane 1 — Building an SDF audit practice

The SDF audit (under DPDPA Section 10(2)(c)) is expected to become mandatory once the Data Protection Board is fully operational — industry expectation is May 2027. The scope, frequency and form of the audit will be prescribed by the DPDP Rules (being notified in stages). Firms building capability now have a 6-12 month lead.

Capability stack

  • DISA / CISA certification for at least one partner / manager — information-systems audit is the foundation. ICAI’s Diploma in Information Systems Audit (DISA) is the natural pathway for CAs.
  • Knowledge of DPDPA + DPDP Rules — read the Act + every Rule notification. Subscribe to MeitY notifications.
  • Adjacent standards — ISO/IEC 27001 (information security), ISO/IEC 27701 (privacy information management), NIST Privacy Framework. Helps benchmark client controls.
  • Cross-functional teaming — privacy lawyer for legal interpretation, security engineer for technical control testing, CA for governance / process testing.

Likely audit scope (illustrative — final scope per DPDP Rules)

  1. Consent management — how the SDF collects, records, refreshes, revokes consent (Section 6). Audit trail of every consent event.
  2. Lawful purpose verification — every processing activity tied to a specified purpose with documented basis.
  3. Data principal rights — access, correction, erasure, grievance redressal mechanism (Sections 11-15). Test that requests are actioned within prescribed timelines.
  4. Security safeguards — Section 8(5) reasonable security: encryption, access control, audit logging, incident response.
  5. Breach notification — 72-hour notification timeline (Section 8(6)). Test the breach detection + escalation process.
  6. Cross-border transfer compliance — Section 16 country-list compliance.
  7. Data retention — purpose limitation and erasure on completion of purpose.
  8. Processor due diligence — third-party processor contracts, processor security testing.
  9. DPO function — DPO appointment, qualifications, independence, reporting line.
  10. Data Protection Impact Assessments (DPIA) — for high-risk processing activities, DPIA documentation reviewed.

Lane 2 — Your firm’s own DPDP compliance

Every CA firm processes substantial personal data — client employee KYC, bank statements, GST data, payroll registers, partner / staff records, vendor KYC. Under DPDPA Section 4, the firm is a Data Fiduciary for this data and must comply with the Act.

10-point firm self-assessment

  1. Personal data inventory. Map every category of personal data the firm holds — client employee KYC, bank statements, payroll, GST returns, partner KYC, staff records, candidate CVs.
  2. Lawful purpose statement. For each category, document the specific lawful purpose (audit, tax filing, employment) and the basis (consent for marketing; legitimate use for client engagement).
  3. Consent collection. Where consent is needed (marketing, newsletter, careers), collect and record it. Consent must be free, specific, informed, unconditional, unambiguous, withdrawable.
  4. Notice. Provide DPDPA-compliant notice at point of collection — purpose, categories of data, contact details of DPO / grievance officer, complaint mechanism.
  5. Security safeguards. Encrypted storage, access control by role, audit logs, MFA for sensitive systems, security awareness training.
  6. Breach response plan. Documented IRP with 72-hour notification timeline. Designate a Breach Coordinator. Test the plan annually.
  7. Data principal request handling. Workflow for access / correction / erasure requests, responded within prescribed timeline.
  8. Processor due diligence. All third-party processors (CORAA, Tally cloud, payroll vendor, email marketing) — execute DPDPA-compliant Data Processing Agreement.
  9. Retention limits. Working papers — 7 years per SA 230 + ICAI guidance. Client KYC — duration of engagement + 7 years. Delete after retention period.
  10. Annual privacy review. Self-assessment annually. Document gaps and remediation.

CORAA + DPDPA

Process client data on infrastructure built for DPDP.

CORAA is DPDPA-aligned by design — India-only hosting (Azure South India), AES-256 encryption at rest, TLS 1.3 in transit, per-tenant data isolation, no foundation-model training on customer data, 72-hour breach notification commitment, and 30-day deletion on contract termination. The standard CORAA Master Subscription Agreement includes a DPDPA-compliant Data Processing Agreement. Your firm passes processor due diligence on CORAA from day one.


Frequently asked questions

What is the DPDP Act 2023?

The Digital Personal Data Protection Act 2023 is India's comprehensive personal data protection law, notified on 11 August 2023. It governs the processing of digital personal data within India and by entities outside India that process data in connection with offering goods or services within India. Rules under the Act are being notified in stages.

What is a Significant Data Fiduciary (SDF)?

Under DPDPA Section 10, the Central Government may notify any Data Fiduciary or class of Data Fiduciaries as Significant Data Fiduciary based on (a) volume and sensitivity of personal data processed, (b) risk of harm to data principals, (c) potential impact on sovereignty / integrity of India, (d) risk to electoral democracy, (e) security of the State, and (f) public order. SDFs have heightened obligations including mandatory Data Protection Officer (DPO), data protection impact assessment, and PERIODIC INDEPENDENT AUDIT.

When does the SDF audit obligation kick in?

DPDPA Section 10(2)(c) requires SDFs to undertake "data audit and other measures as may be prescribed". The DPDP Rules (notified in stages from 2025-2026) will prescribe the audit cadence and scope. Industry expectation: SDF audits become mandatory by May 2027 once the Data Protection Board of India is fully operational. Many SDF candidates (large banks, telecom, social media, e-commerce, healthcare aggregators) have already begun voluntary compliance audits.

Who can conduct an SDF audit?

The DPDP Rules are expected to allow independent professionals with appropriate competence — Chartered Accountants under ICAI (with Information Systems Audit / DISA qualification preferred), Information Systems Auditors registered with ICAI / ISACA (CISA), Cost Accountants, and certain notified specialist firms. ICAI is positioning DISA-certified CAs as the primary cohort. Lawyers (with privacy specialisation) are also expected to be eligible.

What is the scope of an SDF audit?

Based on the framework as it stands: (a) consent management — how the SDF collects, records, refreshes and revokes consent under Section 6; (b) lawful purpose verification — every processing activity tied to a specified purpose; (c) data principal rights — access, correction, erasure, grievance redressal mechanisms under Sections 11-15; (d) security safeguards — Section 8(5) reasonable security; (e) breach notification — 72-hour timeline; (f) cross-border data transfer compliance — country-of-destination notification list (Section 16); (g) data retention limits; (h) processor due diligence; (i) DPO appointment and functioning.

Does the DPDP Act apply to my CA firm itself?

Yes. Every CA firm in India is a Data Fiduciary in respect of its clients' personal data (Form 16A details, employee KYC, bank statements, salary registers, MIS) and its own employees' / partners' personal data. The firm must (a) collect personal data only for a specified purpose with consent, (b) appoint a DPO if it grows to SDF scale, (c) maintain security safeguards, (d) notify breaches to the affected data principals and the Board within 72 hours, (e) honour data principal rights (access, correction, erasure, grievance).

What is the breach notification timeline?

DPDPA Section 8(6) and Section 33 of the DPDP Rules — every Data Fiduciary must intimate the affected Data Principal AND the Data Protection Board of India within 72 hours of becoming aware of a personal data breach. For SDFs, additional details about root cause and remediation are required within 14 days. Failure to notify attracts a separate penalty.

What are the penalties under DPDPA?

DPDPA Section 33 (Schedule) — failure to take reasonable security safeguards: up to ₹250 crore. Failure to notify breach: up to ₹200 crore. Failure to comply with SDF obligations: up to ₹150 crore. Children-related contraventions: up to ₹200 crore. Each contravention is a separate penalty. The Data Protection Board adjudicates after inquiry.

How does DPDP intersect with audit work?

Two intersections. (1) ASSURANCE OBLIGATION — CA firms are eligible to provide SDF audit assurance to their clients (a new service line distinct from statutory / tax audit). (2) AUDIT-DATA HANDLING — during statutory and tax audits, CAs receive vast volumes of client personal data (employee KYC, payroll registers, bank statements, customer / vendor lists). The CA firm is a Data Processor for the client (which is the Data Fiduciary). Section 8 processor obligations apply.

Should my firm offer DPDP audit as a service?

It depends on firm capacity and capability. DPDP audit requires (a) information-systems audit competence (DISA-certified CA or CISA-certified auditor), (b) understanding of the entity's data architecture, (c) testing skills around access controls, encryption, breach response. For mid-tier firms, DPDP audit can be a meaningful growth opportunity from FY 2027-28 onwards. Smaller firms should consider partnering with a specialist or co-sourcing with a DISA-certified colleague.

Does CORAA process client personal data?

Yes. CORAA processes client data on behalf of CA firms for audit purposes — including personal data of the client's employees / customers / vendors that appears in ledgers, vouchers, and working papers. CORAA acts as a Data Processor under DPDPA Section 8. Customer data is hosted entirely in India (Azure South India region), encrypted at rest (AES-256) and in transit (TLS 1.3), never used to train foundation models, and subject to 30-day deletion on contract termination. See the CORAA Trust Centre for the full data-handling commitments.

Audit infrastructure that’s already DPDPA-compliant.

India-only hosting, no foundation-model training on customer data, contractual processor commitments, ISO 27001 + SOC 2 Type II.
