HomeServicesAudit & AssuranceDepository Participant (DP) Audit (NSDL / CDSL)

Audit & Assurance · Capital Market & SEBI Audit

Depository Participant (DP) Audit (NSDL / CDSL)

Every Depository Participant registered with NSDL or CDSL operates under a SEBI mandate to have its operations independently audited on a periodic basis — not as an annual formality, but as a running check on how client securities are held, transferred, and safeguarded.

Chartered Accountants · Chennai · Hyderabad · Bangalore · Dubai · Since 1986

2,000+Clients since 1986
42 yrsCA practice
4Offices · India & UAE
24 hrsResponse time

Every Depository Participant registered with NSDL or CDSL operates under a SEBI mandate to have its operations independently audited on a periodic basis — not as an annual formality, but as a running check on how client securities are held, transferred, and safeguarded. A qualified internal auditor's report is filed with the depository as a condition of continuing to operate as a DP. At PNPC Global, we have supported capital-market intermediaries across India since 1986, and we conduct DP audits the way a depository actually expects them to be conducted — process-tested, exception-documented, and delivered on time, every audit cycle.

What it costs

Govt. feesGovernment & statutory fees as applicable to your case
Professional feeFixed professional fee — confirmed in writing before we start

No hidden charges. The exact figure is set in your engagement letter.

What Depository Participant (DP) Audit (NSDL / CDSL) is

A Depository Participant (DP) is an agent of a depository — NSDL (National Securities Depository Limited) or CDSL (Central Depository Services (India) Limited) — registered with SEBI under the SEBI (Depositories and Participants) Regulations, 2018 to offer dematerialised account services to investors. Banks, stockbroking firms, and financial institutions that offer demat accounts to clients typically operate as DPs. Because a DP holds and moves client securities in electronic form, SEBI and the depositories require every DP to be subject to a periodic internal audit conducted by a practising Chartered Accountant, Company Secretary, or Cost Accountant — commonly referred to in market parlance as the "DP audit" or "DP internal audit." The audit is distinct from the DP's statutory financial audit; it is a compliance and process audit focused specifically on depository operations.

The requirement traces to SEBI circulars issued under the Depositories Act, 1996 and the SEBI (Depositories and Participants) Regulations, 2018, which direct every DP to arrange for an internal audit of its operations by a qualified independent auditor on a periodic basis — under the relevant NSDL and CDSL bye-laws and operating circulars this has generally meant a half-yearly cadence, with the audit report for each half-year submitted to the depository — covering the full lifecycle of depository operations: account opening and Know Your Client (KYC) compliance, dematerialisation and rematerialisation of securities, off-market and on-market transfers, pledge and hypothecation of securities, nomination, transmission on death of a demat account holder, closure of accounts, and the DP's internal control and record-keeping practices. NSDL and CDSL each issue their own detailed audit checklists and reporting formats that operationalise the SEBI requirement, and a DP that operates under both depositories (a "dual DP") must have both audits conducted, generally covering the same period but reported separately in each depository's prescribed format.

The audit report is not filed away internally — it is submitted to the concerned depository (NSDL and/or CDSL) within the timeline prescribed by that depository's circulars, and any significant deviations, non-compliances, or exceptions noted by the auditor typically require the DP to submit an Action Taken Report (ATR) confirming that corrective steps have been taken. A pattern of unresolved exceptions across audit cycles draws depository and, in serious cases, SEBI scrutiny, since it signals weakening operational discipline around client securities. Separately, DPs above certain thresholds or with specified technology exposure are also required to undergo a distinct "Systems Audit" of their IT infrastructure by a CERT-In empanelled auditor — a different engagement from the internal/operations DP audit described here, though the two are often coordinated by the same compliance calendar.

For a DP's management and compliance officer, the DP audit functions as an early-warning system. Client securities are high-trust, high-value assets moving through electronic instructions with very short correction windows — an incorrectly processed transfer or a KYC gap discovered a year later is far harder to remediate than one caught within the same audit cycle. A well-run DP audit practice catches process drift — a branch skipping a verification step, a delegation of authority exceeding the sanctioned limit, a POA (Power of Attorney) misused beyond its stated scope — before it becomes a client grievance, an arbitration matter, or a SEBI inspection finding.

Who needs a DP audit and when it applies

Any entity registered as a Depository Participant with NSDL and/or CDSL under the SEBI (Depositories and Participants) Regulations, 2018 — banks, broking firms, and standalone depository participants alike

DPs operating under both depositories (dual DPs) — each depository's audit and reporting requirements apply independently and both must be completed within their respective timelines

DPs that have recently commenced operations and need their first internal audit cycle scoped and scheduled correctly against the depository's prescribed periodicity from the outset

DPs expanding branch or sub-broker/authorised person networks, where each additional point of client interaction adds account-opening, KYC, and POA-execution risk that the audit must specifically test

DPs that have received an inspection observation, deficiency letter, or query from NSDL, CDSL, or SEBI and need a rigorous audit-and-remediation cycle to close outstanding points credibly

DPs preparing for a change in control, merger, or business transfer, where clean audit history and a demonstrable track record of timely ATR closure materially affects regulatory approval timelines

When this is not the right engagement

You need the DP's annual statutory financial audit under the Companies Act — that is a separate engagement from the depository-mandated operations audit described here, though PNPC can support both

You need the IT Systems Audit for DPs required to be performed by a CERT-In empanelled auditor — this is a distinct, technically specialised engagement with its own scope and empanelment requirement

You are a stockbroker or clearing member seeking a stock broker / trading member concurrent audit or half-yearly internal audit under exchange bye-laws — that is a related but separately scoped SEBI/exchange audit

You operate purely as an Authorised Person or sub-broker under a DP without being separately registered as a DP yourself — the audit obligation sits with the registered DP, not with each downstream authorised person individually

You are looking for investment or portfolio advisory services rather than a compliance/process audit of depository operations — DP audit is an assurance engagement, not an advisory one

Structure Comparison

DP Audit vs other capital-market and statutory audits a DP or broking entity may encounter

FeatureDP Audit (NSDL/CDSL)Statutory Financial AuditSystems Audit (CERT-In)Stock Broker Internal/Concurrent Audit
Governing frameworkDepositories Act 1996 + SEBI (D&P) Regulations 2018 + NSDL/CDSL circularsCompanies Act 2013 / applicable entity statuteSEBI circulars on cyber security & cyber resilience for market infrastructure institutions/intermediariesSEBI/exchange circulars on internal & concurrent audit of stock brokers
What it examinesAccount opening, KYC, demat/remat, transfers, pledge, nomination, transmission, DP internal controlsTrue and fair view of financial statementsIT infrastructure, cyber security controls, data integrity, business continuityTrading, settlement, margin, client fund segregation, contract notes
Who performs itPractising CA / CS / CWA firm, independent of day-to-day DP operationsStatutory auditor appointed under company lawCERT-In empanelled auditorPractising CA firm empanelled for the exchange's internal/concurrent audit
Typical periodicityPeriodic — generally half-yearly per NSDL/CDSL bye-laws and circularsAnnualPeriodic, per applicable SEBI cyber security circular timelineConcurrent (ongoing) plus periodic internal audit reporting
Report goes toNSDL and/or CDSL, in each depository's prescribed formatRegistrar of Companies / shareholdersSEBI / depository / exchange as applicableStock exchange(s) where the entity is a member
Follow-up obligationAction Taken Report (ATR) on exceptions, tracked to closureManagement response in Board report where applicableRemediation plan for identified vulnerabilitiesException reporting and closure tracking to the exchange
Primary risk if skippedDepository deficiency memo, escalation to SEBI, risk to DP registrationNon-compliance under company law, inability to file financial statementsCyber security non-compliance, potential regulatory actionExchange disciplinary action, risk to trading membership

This table is directional. The precise periodicity, checklist, and reporting format for a DP audit are prescribed by NSDL and CDSL circulars current at the time of the audit, and can differ between the two depositories for a dual DP. Always confirm the applicable cycle and format with your compliance officer and auditor before the audit window opens.

How it works
#Stage & What PNPC DoesCA Advice Portals Never GiveTimeline
1Engagement Scoping & Independence Check — confirming PNPC's independence from the DP's day-to-day operationsSEBI and depository circulars expect the internal auditor to be independent of the operations being reviewed. We confirm at the outset that our engagement team has no conflicting advisory or accounting role in the DP's depository operations for the period under review — a check that is often skipped when the DP simply hands the audit to its existing accounting firm without considering independence.Week 1
2Checklist Alignment — mapping the current NSDL and/or CDSL audit checklist to your specific DP profileNSDL and CDSL periodically revise their audit checklists and formats through circulars. We work from the checklist current as of the audit period — not a checklist from a prior cycle — and tailor it to your actual service profile: branch count, POA usage, whether you offer e-DIS, BSDA accounts, or basic services demat accounts, since each carries specific test points.Week 1
3Account Opening & KYC Sample Testing — new accounts opened during the audit periodWe do not test a token handful of files. We draw a risk-based sample across branches and account types, verifying PAN-Aadhaar linkage status, in-person verification (IPV) or its permitted digital equivalent, nomination capture, and whether the account opening form and supporting KYC documents match what is on the DP's back-office system exactly — mismatches here are among the most common exception categories.Week 1–2
4Dematerialisation & Rematerialisation Testing — DRF processing and certificate handlingWe trace a sample of dematerialisation requests from the physical certificate/DRF submission through to credit in the client's demat account, checking turnaround time against the prescribed processing window and verifying that certificates sent for demat were properly accounted for and not left in an unreconciled suspense status.Week 2
5Transfer Instruction Testing — off-market and on-market transfers, DIS/e-DIS controlsDelivery Instruction Slip (DIS) and e-DIS controls are a recurring inspection focus area for depositories because a compromised or pre-signed DIS book is a direct route to unauthorised transfer of client securities. We test DIS book issuance controls, cheque-leaf-style numbering discipline, and — where e-DIS is offered — the authentication and audit trail behind each electronic instruction.Week 2
6Pledge, Margin Pledge & POA Usage Review — post the SEBI margin pledge system reformsSince SEBI's margin pledge/re-pledge framework replaced the earlier practice of clients transferring securities to broker demat accounts as margin, we specifically test whether pledge creation, invocation, and closure are being processed correctly through the pledge mechanism — and whether any residual POA usage for margin purposes has been discontinued as required.Week 2–3
7Nomination, Transmission & Account Closure Testing — life-cycle events sampled from the periodTransmission of securities on the death of an account holder is a sensitive, document-heavy process with strict timelines and a real risk of grievance if mishandled. We sample transmission cases processed in the period against the documentation and turnaround standards prescribed by the depository, along with account closure requests to confirm they were processed without undue delay.Week 3
8Internal Control & Segregation of Duties AssessmentWe assess whether the DP's operational team has appropriate segregation between account opening, transaction processing, and reconciliation functions, and whether system access rights in the DP module align with each staff member's actual role — a control gap here is a recurring theme in depository inspection findings across the industry.Week 3
9Grievance Redressal & SCORES Compliance CheckWe verify that investor complaints received during the period — whether directly, through the depository, or via SEBI's SCORES portal — were logged, resolved, and reported within the prescribed timelines, and that the DP's grievance register reconciles with what was actually reported upstream.Week 3
10Draft Findings & Exception ClassificationEach exception is classified by severity and mapped to the specific checklist clause it relates to, in the format the depository expects — not a free-form narrative that the DP's compliance officer then has to manually re-map before submission.Week 3–4
11Management Discussion & Draft ATR PreparationWe walk findings through with the compliance officer and relevant branch/operations heads before finalising the report, and assist in drafting the Action Taken Report (ATR) template so remediation commitments are specific, owned, and dated — not generic assurances that will be questioned in the next cycle.Week 4
12Final Report Signing & Submission SupportThe signed audit report is finalised in the depository's prescribed format and submitted within the applicable timeline. We track submission acknowledgement and retain the working papers that support each finding, in case the depository or SEBI raises a follow-up query later in the cycle.Week 4 — submitted within the depository's prescribed timeline
13Next-Cycle Compliance Calendar — carrying forward open exceptionsEvery DP audit is followed by the next one. We carry forward unresolved exceptions into the next cycle's testing plan specifically to confirm closure, rather than treating each cycle as a fresh, disconnected exercise — this is what depositories look for when assessing whether a DP's control environment is genuinely improving.Ongoing, every audit cycle

Indicative cycle only. The exact periodicity, checklist content, and submission timeline for a DP audit are governed by the SEBI circulars and NSDL/CDSL operating circulars in force at the time of the audit, and PNPC confirms the applicable cycle with the client and the depository's current circulars before each engagement begins.

Document Checklist
DP Registration & Governance Documents

SEBI Certificate of Registration as a Depository Participant, and NSDL/CDSL participant agreement(s)

Board-approved policies relevant to depository operations — KYC policy, POA usage policy, DIS/e-DIS issuance policy, risk management policy

Organisation chart for the depository operations function, showing reporting lines and segregation between account opening, processing, and reconciliation roles

Details of branches, franchisees, and authorised persons through which DP services are offered, current as of the audit period

Previous DP audit report(s) and Action Taken Report(s), including any outstanding open exceptions carried forward

Account Opening & KYC Records

Sample of new account opening forms and supporting KYC documents for accounts opened during the audit period, as selected by the auditor

PAN and Aadhaar verification records / KYC Registration Agency (KRA) records for the sampled accounts

In-person verification (IPV) records or evidence of the permitted digital IPV equivalent used

Nomination forms captured (or nomination opt-out declarations) for the sampled accounts

Basic Services Demat Account (BSDA) eligibility working, where BSDA accounts are offered

Transaction Processing Records

Dematerialisation Request Form (DRF) register and supporting certificate movement records for the period

Rematerialisation requests processed during the period, with turnaround evidence

Delivery Instruction Slip (DIS) book issuance register, including cheque-leaf-style numbering and client acknowledgement

e-DIS authentication logs and audit trail, where e-DIS is offered to clients

Off-market and on-market transfer instruction records for the sampled period

Pledge, POA & Margin Records

Power of Attorney documents executed by clients in favour of the DP/broker, and evidence of their current, permitted scope of use

Margin pledge and re-pledge creation, invocation, and closure records processed through the depository's pledge system

Any residual instances of securities movement for margin purposes outside the prescribed pledge mechanism, with explanation

Life-Cycle Event Records

Transmission requests processed on the death of an account holder during the period, with supporting legal heir/succession documentation

Account closure requests and confirmation of turnaround against the prescribed timeline

Freeze/unfreeze instructions processed on client accounts, with supporting authorisation

Compliance & Grievance Records

Investor grievance register, including complaints received directly, via the depository, and via SEBI SCORES, with resolution status and timelines

Internal control and reconciliation reports — client holding statements reconciled against the depository's records

System access rights listing for staff with access to the DP module, mapped to their operational role

Any correspondence, deficiency memo, or query received from NSDL, CDSL, or SEBI during the period, with the DP's response

Ongoing obligations
PhaseTriggered ByPNPC CA GuidanceRisk If Ignored
New DP RegistrationSEBI certificate of registration granted, NSDL/CDSL participant agreement executedWe help set up the audit compliance calendar from Day 1 — mapping the first audit cycle deadline against the actual date of commencing operations, so the first audit is neither missed nor scoped against the wrong period.First-cycle audit missed or mis-scoped due to unclear commencement date, creating an avoidable early deficiency with the depository.
Each Audit CycleDepository's prescribed periodicity (generally half-yearly)Full-scope testing across account opening, transactions, pledge, transmission, and internal controls, with findings classified in the depository's prescribed format and submitted within the applicable timeline.Late or incomplete submission draws a deficiency memo from the depository; a pattern of lateness or unresolved exceptions can trigger enhanced monitoring or SEBI reference.
Post-Audit Exception HandlingExceptions noted in the audit reportWe assist in drafting a specific, owned, dated Action Taken Report and help the compliance officer implement the underlying process fix — not just the paperwork response.Generic or unimplemented ATRs are flagged in the next audit cycle as recurring exceptions, which depositories view as an escalating control weakness.
Branch / Business ExpansionNew branches, franchisees, or authorised persons addedWe factor expanded points of client interaction into the next audit's sampling plan, since each new branch introduces fresh account-opening and KYC execution risk that the existing testing plan may not have covered.Newly added branches operating outside established control discipline until the next audit catches process drift — by which point client-facing errors may already have occurred.
Inspection or SEBI QueryNSDL/CDSL inspection or a direct SEBI query/noticeWe support the DP in responding to inspection observations, and where relevant, conduct a focused review of the specific area flagged before the response is submitted, so the reply is grounded in verified facts.An inadequately supported response to an inspection finding can escalate into a formal SEBI proceeding, adjudication, or in severe cases, action affecting the DP's registration.
Change in Control / M&AMerger, business transfer, or change in DP's controlling shareholdersWe assist in compiling the audit history and exception-closure track record that regulatory approval processes typically require, and flag any unresolved items that should be closed before the transaction is filed.Unresolved audit exceptions surfacing during regulatory review of the change-in-control application can delay or complicate approval.
Cessation of DP BusinessVoluntary surrender of DP registration or business wind-downWe support the final audit cycle and closure documentation required by the depository before registration is surrendered, ensuring client account migration and record retention obligations are addressed.Incomplete closure documentation or unmigrated client accounts can leave residual regulatory and client-grievance exposure even after the DP formally exits the business.

This lifecycle view is indicative and directional — the exact triggers, timelines, and reporting formats applicable to your DP are governed by the SEBI circulars and the specific NSDL/CDSL operating circulars in force at the relevant time. Confirm current requirements with your compliance officer and auditor before each cycle.

Frequently asked
What is a DP audit, in plain terms?

It is a periodic, independent check — performed by a practising CA, CS, or CWA — of how a Depository Participant (a bank or broking firm offering demat accounts) handles client securities: opening accounts correctly, processing dematerialisation and transfers accurately, using Powers of Attorney within their permitted scope, and keeping proper records. The auditor reports findings to NSDL and/or CDSL in a prescribed format, and the DP must fix and report back on anything flagged.

Practitioner noteMany DPs treat this as a routine paperwork exercise handed to whichever CA firm is convenient. Depositories increasingly look at the pattern across cycles — recurring exceptions signal a control environment that is not improving, and that gets noticed.
Who is legally required to get a DP audit done?

Every entity registered as a Depository Participant with NSDL and/or CDSL under the SEBI (Depositories and Participants) Regulations, 2018 is required, under SEBI and depository circulars, to have its depository operations audited periodically by an independent qualified auditor. This applies equally to banks and broking firms offering demat services as DPs.

Practitioner noteIf your entity is a dual DP — registered with both NSDL and CDSL — you need two audits, generally covering the same period, each reported in that depository's own prescribed format. We plan both engagements together so the underlying fieldwork is not duplicated unnecessarily.
How often does the DP audit need to be conducted?

The periodicity is prescribed by NSDL and CDSL bye-laws and circulars and has generally been on a half-yearly cycle for DP internal/concurrent audits (covering the half-years ended September 30 and March 31), though the exact cadence and reporting deadline should always be confirmed against the specific NSDL and CDSL circulars in force at the time — depositories do revise timelines and formats from time to time.

Practitioner noteWe do not rely on the periodicity from a prior year's engagement letter. Before scoping each cycle, we confirm the currently applicable circular so the client is never audited against an outdated timeline.
Who can conduct a DP audit — does it have to be a Chartered Accountant?

SEBI and depository circulars permit the internal audit of DP operations to be conducted by a practising Chartered Accountant, Company Secretary, or Cost Accountant, provided the auditor is independent of the day-to-day depository operations being reviewed. PNPC conducts these audits through senior CAs with capital-market audit experience.

Practitioner noteIndependence is not just a formality — if the same firm prepares the DP's day-to-day operational records or advises on the processes being tested, that creates a conflict the depository can flag. We confirm independence explicitly at engagement acceptance.
What exactly does a DP auditor test?

The audit covers the full depository operations lifecycle: account opening and KYC compliance, dematerialisation and rematerialisation of securities, off-market and on-market transfer instructions (including DIS and e-DIS controls), pledge and margin pledge processing, Power of Attorney usage, nomination, transmission on death of an account holder, account closure, grievance redressal, and the DP's internal controls and record-keeping around all of the above.

Practitioner noteWe test each area against a risk-based sample, not a token handful of files. Account opening and DIS/POA controls are typically where the most consequential exceptions surface, because they touch client authorisation directly.
What is the difference between a DP audit and the DP's statutory financial audit?

The statutory financial audit, conducted under the Companies Act, examines whether the DP's financial statements give a true and fair view. The DP audit is a separate, depository-mandated compliance and process audit that examines specifically how depository operations — account opening, transfers, pledges, and so on — are being conducted, independent of the entity's overall financial reporting.

Practitioner noteWe recommend clients keep these as clearly separated engagements in their compliance calendar, even when the same firm is engaged for both, because the scope, testing approach, and reporting format are entirely different.
What is the difference between the DP audit and the Systems Audit?

The DP (internal/operations) audit reviews depository operational processes and controls. The Systems Audit is a separate, technically specialised review of the DP's IT infrastructure, cyber security controls, and data integrity, required to be conducted by a CERT-In empanelled auditor under SEBI's cyber security and cyber resilience framework for market intermediaries. They have different scopes, different auditor qualification requirements, and are typically reported separately.

Practitioner notePNPC conducts DP operations audits; for the Systems Audit specifically, the auditor must hold current CERT-In empanelment, which is a distinct technical accreditation — we can help coordinate the overall compliance calendar even where the systems audit is performed by a specialised IT audit partner.
What happens if exceptions are found during the audit?

Exceptions are classified by severity and reported to the depository in the prescribed format. The DP is typically required to submit an Action Taken Report (ATR) confirming what corrective action has been or will be taken, with a timeline for closure. Exceptions that remain unresolved into subsequent audit cycles attract closer depository — and potentially SEBI — attention.

Practitioner noteWe help draft ATRs with specific, owned, dated commitments rather than generic assurances. A vague ATR response is often flagged just as quickly as the original exception.
What happens if a DP misses the audit submission deadline?

A missed or delayed submission is itself flagged by the depository and can result in a deficiency communication. Depositories treat consistent timeliness of audit submission as one indicator of a DP's overall compliance discipline, and repeated lateness can contribute to enhanced monitoring of that participant.

Practitioner noteWe build the audit into the DP's compliance calendar at least one full cycle in advance, with document requests sent out early enough that fieldwork is not compressed against the deadline.
Does a small or newly registered DP with very few accounts still need a full audit?

Yes. The audit requirement attaches to DP registration itself, not to a minimum account or transaction volume threshold. A newly registered DP with a modest client base still needs its operations audited on the applicable periodicity from the point operations commence.

Practitioner noteFor newly registered DPs, we scope the first audit cycle carefully against the actual date operations began, rather than the registration date, since the two are not always the same and this affects what period the first audit should cover.
How is the audit sample selected — does the auditor check every account and transaction?

No. Given the transaction volumes most DPs process, the audit uses a risk-based sampling approach across account opening, transfers, pledges, and other tested areas, rather than a full population review. Sample sizes and selection criteria are documented so the basis for the audit opinion is defensible.

Practitioner noteWe weight sampling toward higher-risk areas — new branches, POA-heavy accounts, high-value transfers — rather than sampling purely at random, because that is where process weaknesses are statistically more likely to surface.
What is a Power of Attorney (POA) in the DP context, and why does the audit focus on it so heavily?

A POA is an authorisation a client gives their broker/DP to operate the demat account on their behalf for specified, limited purposes — for example, transferring securities for pay-in against a sale. POA misuse — operating beyond its stated scope — has historically been a significant source of client grievances and regulatory action in the industry, which is why depository audits test POA usage closely, especially after SEBI's margin pledge reforms narrowed the permissible use of POA for margin purposes.

Practitioner noteWe specifically check whether any residual securities movement is still happening through POA for purposes that should now be routed through the margin pledge/re-pledge mechanism instead — a lag here is one of the more common findings we see.
What are e-DIS and DIS, and what does the audit check about them?

A Delivery Instruction Slip (DIS) is the physical instrument a client signs to instruct the DP to transfer securities out of their demat account; e-DIS is the electronic equivalent, using an authenticated digital instruction instead of a physical slip. Because a DIS or e-DIS instruction can move securities out of a client's account, the audit checks DIS book issuance controls (numbering, client acknowledgement, safe custody) and, where e-DIS is offered, the authentication mechanism and audit trail behind each electronic instruction.

Practitioner noteA pre-signed or loosely controlled DIS book is one of the classic vectors for unauthorised transfer disputes. We test issuance registers specifically for gaps in sequential control and client acknowledgement.
What documents does PNPC need from us to start the audit?

Broadly: DP registration and participant agreement documents, governance policies relevant to depository operations, the previous audit report and ATR, and — for the sampled period — account opening/KYC files, DRF and transfer records, DIS/e-DIS registers, pledge and POA records, transmission and closure files, and the grievance register. The full checklist is shared at engagement kickoff and tailored to your specific service profile.

Practitioner noteThe single biggest cause of delay in a DP audit is documentation not being centrally available — spread across branches without a consolidated register. We recommend DPs maintain a running, centrally accessible log of these records between audit cycles, not just assemble them when the auditor asks.
Can PNPC conduct the DP audit if it also handles our statutory or tax audit?

It depends on whether that role creates an independence conflict with the specific depository operations being tested. Where PNPC's other engagement with the DP touches the same processes under review, we assess independence carefully before accepting the DP audit engagement, and will decline or restructure the engagement where independence cannot be maintained.

Practitioner noteWe would rather flag a potential independence issue at proposal stage than have it questioned later by the depository. This is a standing discipline in how we accept capital-market assurance engagements.
What is BSDA and does it affect the audit?

A Basic Services Demat Account (BSDA) is a category of demat account with reduced or waived charges for eligible small investors, subject to holding-value thresholds prescribed by SEBI/depositories. The audit checks whether accounts classified as BSDA actually meet the eligibility criteria at the relevant testing date and whether the DP's system correctly reclassifies accounts when eligibility changes.

Practitioner noteBSDA misclassification is usually an operational oversight rather than intentional — but it still shows up as a compliance exception, and depositories expect the DP's system to track eligibility on an ongoing basis, not just at account opening.
What happens during transmission of a demat account after the holder's death — and why does the audit check it closely?

Transmission is the process of transferring securities in a deceased account holder's demat account to the legal heir(s) or nominee, based on prescribed documentation (death certificate, succession documents or nomination, and identity/KYC of the claimant). It is a sensitive, document-heavy, and time-bound process, and errors or delays directly affect grieving families — which is why depositories expect it to be handled with particular care and the audit tests it specifically.

Practitioner noteWe sample transmission cases specifically for documentation completeness and turnaround time against the prescribed standard — this is one area where a paperwork gap has a real, immediate impact on a client, not just a technical compliance point.
Is the DP audit report made public or shared with clients of the DP?

No. The DP audit report is a confidential submission made to the concerned depository (NSDL and/or CDSL) as part of the DP's regulatory reporting obligations. It is not a public document and is not routinely shared with the DP's individual clients.

Practitioner noteThat said, in the event of a client grievance or arbitration, relevant extracts or the underlying findings can become relevant evidence — which is another reason the audit needs to be conducted rigorously and documented properly, not treated as a low-stakes formality.
What is the cost of a DP audit engagement with PNPC?

PNPC agrees a fixed, written fee for each DP audit engagement, scoped to the DP's branch count, transaction volume, and whether one or two depositories are involved. The fee is confirmed in writing before the engagement begins — there is no standard published rate, since scope varies materially between a single-branch DP and a multi-branch dual DP.

Practitioner noteAsk for a written engagement letter and fee confirmation before any DP audit begins — with the scope, sample basis, and deliverable format specified. This protects both the DP and the auditor if questions arise later about what was and was not covered.
What if our DP audit uncovers a serious issue, like unauthorised transfer of client securities?

A serious finding — such as evidence of unauthorised transfer, POA misuse beyond its permitted scope, or a material control breakdown — is reported to the depository as a significant exception, and the DP is expected to take immediate corrective and, where relevant, client-remediation action. Depending on severity, the depository may escalate the matter to SEBI. PNPC documents such findings factually and supports the DP's compliance officer in preparing an appropriately serious response.

Practitioner noteWe do not soften the classification of a serious finding to make the report look better — that only shifts the problem to a later, more damaging discovery. Our engagement letter is explicit that findings are reported as assessed.
How does PNPC keep up with changes in NSDL/CDSL audit circulars between cycles?

NSDL and CDSL periodically issue operating circulars that update audit checklists, formats, and timelines. PNPC's capital-market audit team tracks current circulars from both depositories as part of our practice discipline, and we confirm the applicable version before scoping each audit cycle rather than reusing a prior cycle's checklist by default.

Practitioner noteThis is one of the most common gaps we see when a DP audit has been done by a firm without regular capital-market audit exposure — testing against an outdated checklist that the depository has since superseded.
Can the DP audit be combined across NSDL and CDSL if we are a dual DP?

The underlying fieldwork — account opening samples, transfer testing, pledge review — can often be planned as a single coordinated exercise for efficiency, but each depository requires its own report in its own prescribed format, submitted to that depository directly. The two audits are not interchangeable or substitutable for each other.

Practitioner noteWe plan dual-DP engagements as one coordinated fieldwork cycle with two separately finalised reports, which reduces disruption to your operations team compared to running two entirely separate audits sequentially.
What is the role of the DP's compliance officer during the audit?

The compliance officer is typically the primary point of coordination — assembling documents, facilitating access to branch records and systems, and being the first point of discussion on draft findings before the report is finalised. A well-prepared compliance officer materially speeds up the audit and improves the quality of the ATR that follows.

Practitioner noteWe work closely with the compliance officer throughout, not just at the start and end of the engagement — flagging emerging observations as fieldwork progresses so there are no surprises at the draft-report stage.
Does a DP audit look at Aadhaar-based KYC and PAN-Aadhaar linkage specifically?

Yes. Account opening and KYC testing includes checking that the prescribed identity and address verification steps were completed and documented for sampled accounts, and that PAN and Aadhaar-linked KYC requirements applicable at the time of account opening were met, consistent with SEBI/KRA (KYC Registration Agency) norms in force.

Practitioner noteKYC requirements have been amended by SEBI and KRA circulars over time. We test against the requirement in force on the date each sampled account was opened, not the requirement in force on the date of the audit — the two can differ for older accounts.
What if the DP has no exceptions at all — is a clean report unusual?

A genuinely clean report is possible for a well-run DP with disciplined processes, but auditors are expected to test rigorously rather than aim for a clean outcome. A report with zero findings across a large, complex DP operation, cycle after cycle, can itself invite depository scrutiny of the audit's rigor rather than being taken purely as reassurance.

Practitioner noteWe would rather report a small number of genuinely tested, well-documented findings than present an unrealistically clean report that does not reflect the depth of testing actually performed.
Does PNPC only serve DPs in South India, or can it audit a DP with a pan-India branch network?

PNPC's capital-market audit practice operates from our Chennai, Bangalore, and Hyderabad offices, and we coordinate fieldwork across branch locations outside these cities as required by the engagement, including remote/digital evidence review for branches where an on-site visit is not practical for every cycle.

Practitioner noteFor DPs with a wide branch footprint, we agree an on-site versus remote-review sampling plan upfront, so coverage across locations is documented and defensible, not left to convenience.
How does PNPC's DP audit differ from a generic CA firm just filling out the checklist?

We scope each engagement around your actual risk profile — branch mix, POA usage, e-DIS adoption, BSDA proportion — rather than mechanically ticking a generic checklist. We track open exceptions across cycles until genuinely closed, confirm the current depository circular before each engagement rather than reusing a prior format, and engage directly with your compliance officer through fieldwork rather than only at kickoff and report delivery.

Practitioner noteThe value of a DP audit compounds over cycles when the same firm carries institutional memory of what was flagged before and verifies it was actually fixed — that continuity is difficult to replicate if the audit is re-tendered to a different, unfamiliar firm every cycle.
Can PNPC also help with the broader SEBI/capital-market compliance calendar beyond the DP audit itself?

Yes. PNPC's audit and assurance practice also supports related capital-market engagements — stock broker internal and concurrent audits, Ind AS and company audits for broking/DP entities, and internal financial controls reviews — so a client's overall capital-market compliance calendar can be coordinated by one practising CA team rather than split across unrelated firms with no shared context.

Practitioner noteWe see the most value where the DP audit, the statutory audit, and any internal financial controls work are planned together — findings in one engagement are often directly relevant context for the others, and a fragmented approach loses that connection.
What if our DP registration is new and we have not yet completed a full audit period of operations by the first audit deadline?

In that situation, the first audit is typically scoped to cover the actual period of operations to date, even if shorter than a full standard cycle, so the DP is not left without any audit coverage simply because a full period has not yet elapsed. The precise treatment should be confirmed with the depository given the specific circumstances.

Practitioner noteWe proactively raise this scoping question with the depository or reference the applicable circular rather than assuming a default treatment, since getting the first cycle's period wrong creates confusion for every subsequent cycle's comparison.
Does the DP audit cover freeze and unfreeze instructions on client accounts?

Yes. Where a client account has been frozen — whether on the client's own request, on instruction from a regulatory or law-enforcement authority, or under the depository's own risk framework — the audit checks that the freeze was applied and lifted only on proper authorisation, and that the DP's records clearly evidence who authorised each freeze or unfreeze action and why.

Practitioner noteFreeze/unfreeze authorisation is an area where informal, undocumented instructions sometimes slip through, particularly for urgent requests. We test specifically for a documented authorisation trail, not just the system log of the action itself.
Are authorised persons and sub-brokers directly covered by the DP audit?

The DP audit obligation rests with the registered Depository Participant. Where the DP sources business through authorised persons or sub-brokers, the audit tests the DP's oversight of those channels — how account-opening and KYC files sourced through them are reviewed and controlled by the DP itself — rather than auditing the authorised person as a separately regulated entity in its own right.

Practitioner noteA DP that has expanded rapidly through an authorised-person network without correspondingly strengthening its own oversight and sampling of files from that channel is one of the more common risk patterns we look for.
How does PNPC handle a DP audit for an entity that is also a stock broker with its own separate broker audit obligations?

Many DPs are also stock brokers or clearing members with their own SEBI/exchange-mandated internal and concurrent audit obligations. The DP audit and the broker audit are separate engagements with separate scopes and reporting lines, but PNPC coordinates the overall audit calendar for such composite entities so that account-level data — particularly around margin pledge, which touches both trading and depository operations — is tested consistently across both engagements.

Practitioner noteMargin pledge sits exactly at the intersection of the broker's trading-side controls and the DP's depository-side controls. We flag any inconsistency we find between the two audits to the client's compliance officer directly, since it is often the same underlying process viewed from two different regulatory angles.
What records must a DP retain, and for how long, to support a future audit?

DPs are required to maintain proper records of client accounts, transactions, and related documentation as prescribed under SEBI and depository regulations and record-retention circulars. Retention periods vary by document type and applicable regulation. PNPC advises clients to confirm current retention requirements with reference to the specific SEBI/NSDL/CDSL circulars in force, since these have been updated over time and vary by record category.

Practitioner noteWe flag any record we cannot locate during an audit as an exception in its own right — a documented control that cannot be evidenced is, for audit purposes, treated the same as a control that did not operate.
Can the DP audit findings affect our SEBI registration or NISM certification requirements for staff?

Findings from a DP audit are separate from individual staff certification requirements under NISM (National Institute of Securities Markets), but a pattern of serious or repeated exceptions relating to how depository operations are handled by specific staff can prompt the DP to review whether relevant personnel hold the applicable NISM certification and are adequately trained, as part of its own remediation response.

Practitioner noteWe occasionally flag, as an observation rather than a formal audit exception, where staff handling sensitive processes such as DIS verification or transmission appear under-trained — it is a useful early signal even outside the strict scope of the checklist.
Does PNPC provide a management letter in addition to the formal audit report submitted to the depository?

Yes. Alongside the formal report filed with NSDL/CDSL in their prescribed format, PNPC provides the DP's management and compliance officer with a supplementary management letter that explains findings in plain language, prioritises them by practical urgency, and sets out our specific recommendations for closing each one — beyond what the prescribed regulatory format itself requires.

Practitioner noteThe prescribed depository format is necessarily structured and terse. The management letter is where we can be direct about which two or three issues actually deserve the compliance team's attention first.
Why PNPC Global
FeatureGeneric Accounting FirmChecklist-Only AuditorPNPC Global
Capital-market audit experienceLimited or none — DP audit treated as an occasional one-offFamiliar with the checklist format onlyDedicated audit & assurance practice with capital-market and SEBI-regulated entity experience
Independence assessmentRarely formally consideredNot typically assessedIndependence from DP operations explicitly confirmed at engagement acceptance
Checklist currencyMay reuse an outdated checklistUses whatever checklist was last suppliedConfirms the current NSDL/CDSL circular checklist before each engagement
Sampling approachToken sample, minimal documentationFollows a fixed template regardless of risk profileRisk-based sampling weighted to POA, e-DIS, and new-branch exposure
Exception follow-throughReport delivered, no cycle-to-cycle trackingExceptions repeated across cycles unaddressedOpen exceptions carried forward and specifically re-tested until closed
ATR supportLeft entirely to the DP's compliance teamNot offeredAssists in drafting specific, owned, dated Action Taken Reports
Dual-DP coordination (NSDL + CDSL)Two disconnected engagementsNot typically coordinatedCoordinated fieldwork with two separately finalised, depository-specific reports
Access to your engagement CAVariable, often junior staff-ledSupport-ticket style, limited follow-upDirect access to the engagement CA by phone/WhatsApp through and beyond the audit cycle

What the PNPC package includes

  1. 01

    Engagement scoping and formal independence assessment before acceptance

  2. 02

    Current NSDL and/or CDSL audit checklist confirmation for the applicable period

  3. 03

    Risk-based sample selection across account opening, transfers, pledges, and transmission

  4. 04

    Full-scope testing of KYC, DRF/RRF processing, DIS/e-DIS controls, POA usage, and internal controls

  5. 05

    Grievance redressal and SCORES compliance verification

  6. 06

    Exception classification in the depository's prescribed reporting format

  7. 07

    Draft findings discussion with the compliance officer and process owners before finalisation

  8. 08

    Action Taken Report (ATR) drafting support with specific, dated, owned remediation commitments

  9. 09

    Cycle-to-cycle tracking of open exceptions through to verified closure

  10. 10

    Coordinated dual-DP engagement planning for entities registered with both NSDL and CDSL

  11. 11

    Working paper retention to support the DP in the event of a depository or SEBI follow-up query

  12. 12

    Direct access to your engagement CA throughout the audit cycle and beyond

Speak directly with a PNPC Chartered Accountant who audits Depository Participants the way depositories actually expect — risk-based testing, exceptions tracked to genuine closure, and continuity from one audit cycle to the next, not a re-tendered checklist exercise every cycle.

← Back to Audit & Assurance
Talk to a CA