Audit & Assurance · Capital Market & SEBI Audit
Depository Participant (DP) Audit (NSDL / CDSL)
Every Depository Participant registered with NSDL or CDSL operates under a SEBI mandate to have its operations independently audited on a periodic basis — not as an annual formality, but as a running check on how client securities are held, transferred, and safeguarded.
Chartered Accountants · Chennai · Hyderabad · Bangalore · Dubai · Since 1986
Every Depository Participant registered with NSDL or CDSL operates under a SEBI mandate to have its operations independently audited on a periodic basis — not as an annual formality, but as a running check on how client securities are held, transferred, and safeguarded. A qualified internal auditor's report is filed with the depository as a condition of continuing to operate as a DP. At PNPC Global, we have supported capital-market intermediaries across India since 1986, and we conduct DP audits the way a depository actually expects them to be conducted — process-tested, exception-documented, and delivered on time, every audit cycle.
What it costs
No hidden charges. The exact figure is set in your engagement letter.
A Depository Participant (DP) is an agent of a depository — NSDL (National Securities Depository Limited) or CDSL (Central Depository Services (India) Limited) — registered with SEBI under the SEBI (Depositories and Participants) Regulations, 2018 to offer dematerialised account services to investors. Banks, stockbroking firms, and financial institutions that offer demat accounts to clients typically operate as DPs. Because a DP holds and moves client securities in electronic form, SEBI and the depositories require every DP to be subject to a periodic internal audit conducted by a practising Chartered Accountant, Company Secretary, or Cost Accountant — commonly referred to in market parlance as the "DP audit" or "DP internal audit." The audit is distinct from the DP's statutory financial audit; it is a compliance and process audit focused specifically on depository operations.
The requirement traces to SEBI circulars issued under the Depositories Act, 1996 and the SEBI (Depositories and Participants) Regulations, 2018, which direct every DP to arrange for an internal audit of its operations by a qualified independent auditor on a periodic basis — under the relevant NSDL and CDSL bye-laws and operating circulars this has generally meant a half-yearly cadence, with the audit report for each half-year submitted to the depository — covering the full lifecycle of depository operations: account opening and Know Your Client (KYC) compliance, dematerialisation and rematerialisation of securities, off-market and on-market transfers, pledge and hypothecation of securities, nomination, transmission on death of a demat account holder, closure of accounts, and the DP's internal control and record-keeping practices. NSDL and CDSL each issue their own detailed audit checklists and reporting formats that operationalise the SEBI requirement, and a DP that operates under both depositories (a "dual DP") must have both audits conducted, generally covering the same period but reported separately in each depository's prescribed format.
The audit report is not filed away internally — it is submitted to the concerned depository (NSDL and/or CDSL) within the timeline prescribed by that depository's circulars, and any significant deviations, non-compliances, or exceptions noted by the auditor typically require the DP to submit an Action Taken Report (ATR) confirming that corrective steps have been taken. A pattern of unresolved exceptions across audit cycles draws depository and, in serious cases, SEBI scrutiny, since it signals weakening operational discipline around client securities. Separately, DPs above certain thresholds or with specified technology exposure are also required to undergo a distinct "Systems Audit" of their IT infrastructure by a CERT-In empanelled auditor — a different engagement from the internal/operations DP audit described here, though the two are often coordinated by the same compliance calendar.
For a DP's management and compliance officer, the DP audit functions as an early-warning system. Client securities are high-trust, high-value assets moving through electronic instructions with very short correction windows — an incorrectly processed transfer or a KYC gap discovered a year later is far harder to remediate than one caught within the same audit cycle. A well-run DP audit practice catches process drift — a branch skipping a verification step, a delegation of authority exceeding the sanctioned limit, a POA (Power of Attorney) misused beyond its stated scope — before it becomes a client grievance, an arbitration matter, or a SEBI inspection finding.
Who needs a DP audit and when it applies
Any entity registered as a Depository Participant with NSDL and/or CDSL under the SEBI (Depositories and Participants) Regulations, 2018 — banks, broking firms, and standalone depository participants alike
DPs operating under both depositories (dual DPs) — each depository's audit and reporting requirements apply independently and both must be completed within their respective timelines
DPs that have recently commenced operations and need their first internal audit cycle scoped and scheduled correctly against the depository's prescribed periodicity from the outset
DPs expanding branch or sub-broker/authorised person networks, where each additional point of client interaction adds account-opening, KYC, and POA-execution risk that the audit must specifically test
DPs that have received an inspection observation, deficiency letter, or query from NSDL, CDSL, or SEBI and need a rigorous audit-and-remediation cycle to close outstanding points credibly
DPs preparing for a change in control, merger, or business transfer, where clean audit history and a demonstrable track record of timely ATR closure materially affects regulatory approval timelines
When this is not the right engagement
You need the DP's annual statutory financial audit under the Companies Act — that is a separate engagement from the depository-mandated operations audit described here, though PNPC can support both
You need the IT Systems Audit for DPs required to be performed by a CERT-In empanelled auditor — this is a distinct, technically specialised engagement with its own scope and empanelment requirement
You are a stockbroker or clearing member seeking a stock broker / trading member concurrent audit or half-yearly internal audit under exchange bye-laws — that is a related but separately scoped SEBI/exchange audit
You operate purely as an Authorised Person or sub-broker under a DP without being separately registered as a DP yourself — the audit obligation sits with the registered DP, not with each downstream authorised person individually
You are looking for investment or portfolio advisory services rather than a compliance/process audit of depository operations — DP audit is an assurance engagement, not an advisory one
DP Audit vs other capital-market and statutory audits a DP or broking entity may encounter
| Feature | DP Audit (NSDL/CDSL) | Statutory Financial Audit | Systems Audit (CERT-In) | Stock Broker Internal/Concurrent Audit |
|---|---|---|---|---|
| Governing framework | Depositories Act 1996 + SEBI (D&P) Regulations 2018 + NSDL/CDSL circulars | Companies Act 2013 / applicable entity statute | SEBI circulars on cyber security & cyber resilience for market infrastructure institutions/intermediaries | SEBI/exchange circulars on internal & concurrent audit of stock brokers |
| What it examines | Account opening, KYC, demat/remat, transfers, pledge, nomination, transmission, DP internal controls | True and fair view of financial statements | IT infrastructure, cyber security controls, data integrity, business continuity | Trading, settlement, margin, client fund segregation, contract notes |
| Who performs it | Practising CA / CS / CWA firm, independent of day-to-day DP operations | Statutory auditor appointed under company law | CERT-In empanelled auditor | Practising CA firm empanelled for the exchange's internal/concurrent audit |
| Typical periodicity | Periodic — generally half-yearly per NSDL/CDSL bye-laws and circulars | Annual | Periodic, per applicable SEBI cyber security circular timeline | Concurrent (ongoing) plus periodic internal audit reporting |
| Report goes to | NSDL and/or CDSL, in each depository's prescribed format | Registrar of Companies / shareholders | SEBI / depository / exchange as applicable | Stock exchange(s) where the entity is a member |
| Follow-up obligation | Action Taken Report (ATR) on exceptions, tracked to closure | Management response in Board report where applicable | Remediation plan for identified vulnerabilities | Exception reporting and closure tracking to the exchange |
| Primary risk if skipped | Depository deficiency memo, escalation to SEBI, risk to DP registration | Non-compliance under company law, inability to file financial statements | Cyber security non-compliance, potential regulatory action | Exchange disciplinary action, risk to trading membership |
This table is directional. The precise periodicity, checklist, and reporting format for a DP audit are prescribed by NSDL and CDSL circulars current at the time of the audit, and can differ between the two depositories for a dual DP. Always confirm the applicable cycle and format with your compliance officer and auditor before the audit window opens.
| # | Stage & What PNPC Does | CA Advice Portals Never Give | Timeline |
|---|---|---|---|
| 1 | Engagement Scoping & Independence Check — confirming PNPC's independence from the DP's day-to-day operations | SEBI and depository circulars expect the internal auditor to be independent of the operations being reviewed. We confirm at the outset that our engagement team has no conflicting advisory or accounting role in the DP's depository operations for the period under review — a check that is often skipped when the DP simply hands the audit to its existing accounting firm without considering independence. | Week 1 |
| 2 | Checklist Alignment — mapping the current NSDL and/or CDSL audit checklist to your specific DP profile | NSDL and CDSL periodically revise their audit checklists and formats through circulars. We work from the checklist current as of the audit period — not a checklist from a prior cycle — and tailor it to your actual service profile: branch count, POA usage, whether you offer e-DIS, BSDA accounts, or basic services demat accounts, since each carries specific test points. | Week 1 |
| 3 | Account Opening & KYC Sample Testing — new accounts opened during the audit period | We do not test a token handful of files. We draw a risk-based sample across branches and account types, verifying PAN-Aadhaar linkage status, in-person verification (IPV) or its permitted digital equivalent, nomination capture, and whether the account opening form and supporting KYC documents match what is on the DP's back-office system exactly — mismatches here are among the most common exception categories. | Week 1–2 |
| 4 | Dematerialisation & Rematerialisation Testing — DRF processing and certificate handling | We trace a sample of dematerialisation requests from the physical certificate/DRF submission through to credit in the client's demat account, checking turnaround time against the prescribed processing window and verifying that certificates sent for demat were properly accounted for and not left in an unreconciled suspense status. | Week 2 |
| 5 | Transfer Instruction Testing — off-market and on-market transfers, DIS/e-DIS controls | Delivery Instruction Slip (DIS) and e-DIS controls are a recurring inspection focus area for depositories because a compromised or pre-signed DIS book is a direct route to unauthorised transfer of client securities. We test DIS book issuance controls, cheque-leaf-style numbering discipline, and — where e-DIS is offered — the authentication and audit trail behind each electronic instruction. | Week 2 |
| 6 | Pledge, Margin Pledge & POA Usage Review — post the SEBI margin pledge system reforms | Since SEBI's margin pledge/re-pledge framework replaced the earlier practice of clients transferring securities to broker demat accounts as margin, we specifically test whether pledge creation, invocation, and closure are being processed correctly through the pledge mechanism — and whether any residual POA usage for margin purposes has been discontinued as required. | Week 2–3 |
| 7 | Nomination, Transmission & Account Closure Testing — life-cycle events sampled from the period | Transmission of securities on the death of an account holder is a sensitive, document-heavy process with strict timelines and a real risk of grievance if mishandled. We sample transmission cases processed in the period against the documentation and turnaround standards prescribed by the depository, along with account closure requests to confirm they were processed without undue delay. | Week 3 |
| 8 | Internal Control & Segregation of Duties Assessment | We assess whether the DP's operational team has appropriate segregation between account opening, transaction processing, and reconciliation functions, and whether system access rights in the DP module align with each staff member's actual role — a control gap here is a recurring theme in depository inspection findings across the industry. | Week 3 |
| 9 | Grievance Redressal & SCORES Compliance Check | We verify that investor complaints received during the period — whether directly, through the depository, or via SEBI's SCORES portal — were logged, resolved, and reported within the prescribed timelines, and that the DP's grievance register reconciles with what was actually reported upstream. | Week 3 |
| 10 | Draft Findings & Exception Classification | Each exception is classified by severity and mapped to the specific checklist clause it relates to, in the format the depository expects — not a free-form narrative that the DP's compliance officer then has to manually re-map before submission. | Week 3–4 |
| 11 | Management Discussion & Draft ATR Preparation | We walk findings through with the compliance officer and relevant branch/operations heads before finalising the report, and assist in drafting the Action Taken Report (ATR) template so remediation commitments are specific, owned, and dated — not generic assurances that will be questioned in the next cycle. | Week 4 |
| 12 | Final Report Signing & Submission Support | The signed audit report is finalised in the depository's prescribed format and submitted within the applicable timeline. We track submission acknowledgement and retain the working papers that support each finding, in case the depository or SEBI raises a follow-up query later in the cycle. | Week 4 — submitted within the depository's prescribed timeline |
| 13 | Next-Cycle Compliance Calendar — carrying forward open exceptions | Every DP audit is followed by the next one. We carry forward unresolved exceptions into the next cycle's testing plan specifically to confirm closure, rather than treating each cycle as a fresh, disconnected exercise — this is what depositories look for when assessing whether a DP's control environment is genuinely improving. | Ongoing, every audit cycle |
Indicative cycle only. The exact periodicity, checklist content, and submission timeline for a DP audit are governed by the SEBI circulars and NSDL/CDSL operating circulars in force at the time of the audit, and PNPC confirms the applicable cycle with the client and the depository's current circulars before each engagement begins.
SEBI Certificate of Registration as a Depository Participant, and NSDL/CDSL participant agreement(s)
Board-approved policies relevant to depository operations — KYC policy, POA usage policy, DIS/e-DIS issuance policy, risk management policy
Organisation chart for the depository operations function, showing reporting lines and segregation between account opening, processing, and reconciliation roles
Details of branches, franchisees, and authorised persons through which DP services are offered, current as of the audit period
Previous DP audit report(s) and Action Taken Report(s), including any outstanding open exceptions carried forward
Sample of new account opening forms and supporting KYC documents for accounts opened during the audit period, as selected by the auditor
PAN and Aadhaar verification records / KYC Registration Agency (KRA) records for the sampled accounts
In-person verification (IPV) records or evidence of the permitted digital IPV equivalent used
Nomination forms captured (or nomination opt-out declarations) for the sampled accounts
Basic Services Demat Account (BSDA) eligibility working, where BSDA accounts are offered
Dematerialisation Request Form (DRF) register and supporting certificate movement records for the period
Rematerialisation requests processed during the period, with turnaround evidence
Delivery Instruction Slip (DIS) book issuance register, including cheque-leaf-style numbering and client acknowledgement
e-DIS authentication logs and audit trail, where e-DIS is offered to clients
Off-market and on-market transfer instruction records for the sampled period
Power of Attorney documents executed by clients in favour of the DP/broker, and evidence of their current, permitted scope of use
Margin pledge and re-pledge creation, invocation, and closure records processed through the depository's pledge system
Any residual instances of securities movement for margin purposes outside the prescribed pledge mechanism, with explanation
Transmission requests processed on the death of an account holder during the period, with supporting legal heir/succession documentation
Account closure requests and confirmation of turnaround against the prescribed timeline
Freeze/unfreeze instructions processed on client accounts, with supporting authorisation
Investor grievance register, including complaints received directly, via the depository, and via SEBI SCORES, with resolution status and timelines
Internal control and reconciliation reports — client holding statements reconciled against the depository's records
System access rights listing for staff with access to the DP module, mapped to their operational role
Any correspondence, deficiency memo, or query received from NSDL, CDSL, or SEBI during the period, with the DP's response
| Phase | Triggered By | PNPC CA Guidance | Risk If Ignored |
|---|---|---|---|
| New DP Registration | SEBI certificate of registration granted, NSDL/CDSL participant agreement executed | We help set up the audit compliance calendar from Day 1 — mapping the first audit cycle deadline against the actual date of commencing operations, so the first audit is neither missed nor scoped against the wrong period. | First-cycle audit missed or mis-scoped due to unclear commencement date, creating an avoidable early deficiency with the depository. |
| Each Audit Cycle | Depository's prescribed periodicity (generally half-yearly) | Full-scope testing across account opening, transactions, pledge, transmission, and internal controls, with findings classified in the depository's prescribed format and submitted within the applicable timeline. | Late or incomplete submission draws a deficiency memo from the depository; a pattern of lateness or unresolved exceptions can trigger enhanced monitoring or SEBI reference. |
| Post-Audit Exception Handling | Exceptions noted in the audit report | We assist in drafting a specific, owned, dated Action Taken Report and help the compliance officer implement the underlying process fix — not just the paperwork response. | Generic or unimplemented ATRs are flagged in the next audit cycle as recurring exceptions, which depositories view as an escalating control weakness. |
| Branch / Business Expansion | New branches, franchisees, or authorised persons added | We factor expanded points of client interaction into the next audit's sampling plan, since each new branch introduces fresh account-opening and KYC execution risk that the existing testing plan may not have covered. | Newly added branches operating outside established control discipline until the next audit catches process drift — by which point client-facing errors may already have occurred. |
| Inspection or SEBI Query | NSDL/CDSL inspection or a direct SEBI query/notice | We support the DP in responding to inspection observations, and where relevant, conduct a focused review of the specific area flagged before the response is submitted, so the reply is grounded in verified facts. | An inadequately supported response to an inspection finding can escalate into a formal SEBI proceeding, adjudication, or in severe cases, action affecting the DP's registration. |
| Change in Control / M&A | Merger, business transfer, or change in DP's controlling shareholders | We assist in compiling the audit history and exception-closure track record that regulatory approval processes typically require, and flag any unresolved items that should be closed before the transaction is filed. | Unresolved audit exceptions surfacing during regulatory review of the change-in-control application can delay or complicate approval. |
| Cessation of DP Business | Voluntary surrender of DP registration or business wind-down | We support the final audit cycle and closure documentation required by the depository before registration is surrendered, ensuring client account migration and record retention obligations are addressed. | Incomplete closure documentation or unmigrated client accounts can leave residual regulatory and client-grievance exposure even after the DP formally exits the business. |
This lifecycle view is indicative and directional — the exact triggers, timelines, and reporting formats applicable to your DP are governed by the SEBI circulars and the specific NSDL/CDSL operating circulars in force at the relevant time. Confirm current requirements with your compliance officer and auditor before each cycle.
What is a DP audit, in plain terms?
It is a periodic, independent check — performed by a practising CA, CS, or CWA — of how a Depository Participant (a bank or broking firm offering demat accounts) handles client securities: opening accounts correctly, processing dematerialisation and transfers accurately, using Powers of Attorney within their permitted scope, and keeping proper records. The auditor reports findings to NSDL and/or CDSL in a prescribed format, and the DP must fix and report back on anything flagged.
Who is legally required to get a DP audit done?
Every entity registered as a Depository Participant with NSDL and/or CDSL under the SEBI (Depositories and Participants) Regulations, 2018 is required, under SEBI and depository circulars, to have its depository operations audited periodically by an independent qualified auditor. This applies equally to banks and broking firms offering demat services as DPs.
How often does the DP audit need to be conducted?
The periodicity is prescribed by NSDL and CDSL bye-laws and circulars and has generally been on a half-yearly cycle for DP internal/concurrent audits (covering the half-years ended September 30 and March 31), though the exact cadence and reporting deadline should always be confirmed against the specific NSDL and CDSL circulars in force at the time — depositories do revise timelines and formats from time to time.
Who can conduct a DP audit — does it have to be a Chartered Accountant?
SEBI and depository circulars permit the internal audit of DP operations to be conducted by a practising Chartered Accountant, Company Secretary, or Cost Accountant, provided the auditor is independent of the day-to-day depository operations being reviewed. PNPC conducts these audits through senior CAs with capital-market audit experience.
What exactly does a DP auditor test?
The audit covers the full depository operations lifecycle: account opening and KYC compliance, dematerialisation and rematerialisation of securities, off-market and on-market transfer instructions (including DIS and e-DIS controls), pledge and margin pledge processing, Power of Attorney usage, nomination, transmission on death of an account holder, account closure, grievance redressal, and the DP's internal controls and record-keeping around all of the above.
What is the difference between a DP audit and the DP's statutory financial audit?
The statutory financial audit, conducted under the Companies Act, examines whether the DP's financial statements give a true and fair view. The DP audit is a separate, depository-mandated compliance and process audit that examines specifically how depository operations — account opening, transfers, pledges, and so on — are being conducted, independent of the entity's overall financial reporting.
What is the difference between the DP audit and the Systems Audit?
The DP (internal/operations) audit reviews depository operational processes and controls. The Systems Audit is a separate, technically specialised review of the DP's IT infrastructure, cyber security controls, and data integrity, required to be conducted by a CERT-In empanelled auditor under SEBI's cyber security and cyber resilience framework for market intermediaries. They have different scopes, different auditor qualification requirements, and are typically reported separately.
What happens if exceptions are found during the audit?
Exceptions are classified by severity and reported to the depository in the prescribed format. The DP is typically required to submit an Action Taken Report (ATR) confirming what corrective action has been or will be taken, with a timeline for closure. Exceptions that remain unresolved into subsequent audit cycles attract closer depository — and potentially SEBI — attention.
What happens if a DP misses the audit submission deadline?
A missed or delayed submission is itself flagged by the depository and can result in a deficiency communication. Depositories treat consistent timeliness of audit submission as one indicator of a DP's overall compliance discipline, and repeated lateness can contribute to enhanced monitoring of that participant.
Does a small or newly registered DP with very few accounts still need a full audit?
Yes. The audit requirement attaches to DP registration itself, not to a minimum account or transaction volume threshold. A newly registered DP with a modest client base still needs its operations audited on the applicable periodicity from the point operations commence.
How is the audit sample selected — does the auditor check every account and transaction?
No. Given the transaction volumes most DPs process, the audit uses a risk-based sampling approach across account opening, transfers, pledges, and other tested areas, rather than a full population review. Sample sizes and selection criteria are documented so the basis for the audit opinion is defensible.
What is a Power of Attorney (POA) in the DP context, and why does the audit focus on it so heavily?
A POA is an authorisation a client gives their broker/DP to operate the demat account on their behalf for specified, limited purposes — for example, transferring securities for pay-in against a sale. POA misuse — operating beyond its stated scope — has historically been a significant source of client grievances and regulatory action in the industry, which is why depository audits test POA usage closely, especially after SEBI's margin pledge reforms narrowed the permissible use of POA for margin purposes.
What are e-DIS and DIS, and what does the audit check about them?
A Delivery Instruction Slip (DIS) is the physical instrument a client signs to instruct the DP to transfer securities out of their demat account; e-DIS is the electronic equivalent, using an authenticated digital instruction instead of a physical slip. Because a DIS or e-DIS instruction can move securities out of a client's account, the audit checks DIS book issuance controls (numbering, client acknowledgement, safe custody) and, where e-DIS is offered, the authentication mechanism and audit trail behind each electronic instruction.
What documents does PNPC need from us to start the audit?
Broadly: DP registration and participant agreement documents, governance policies relevant to depository operations, the previous audit report and ATR, and — for the sampled period — account opening/KYC files, DRF and transfer records, DIS/e-DIS registers, pledge and POA records, transmission and closure files, and the grievance register. The full checklist is shared at engagement kickoff and tailored to your specific service profile.
Can PNPC conduct the DP audit if it also handles our statutory or tax audit?
It depends on whether that role creates an independence conflict with the specific depository operations being tested. Where PNPC's other engagement with the DP touches the same processes under review, we assess independence carefully before accepting the DP audit engagement, and will decline or restructure the engagement where independence cannot be maintained.
What is BSDA and does it affect the audit?
A Basic Services Demat Account (BSDA) is a category of demat account with reduced or waived charges for eligible small investors, subject to holding-value thresholds prescribed by SEBI/depositories. The audit checks whether accounts classified as BSDA actually meet the eligibility criteria at the relevant testing date and whether the DP's system correctly reclassifies accounts when eligibility changes.
What happens during transmission of a demat account after the holder's death — and why does the audit check it closely?
Transmission is the process of transferring securities in a deceased account holder's demat account to the legal heir(s) or nominee, based on prescribed documentation (death certificate, succession documents or nomination, and identity/KYC of the claimant). It is a sensitive, document-heavy, and time-bound process, and errors or delays directly affect grieving families — which is why depositories expect it to be handled with particular care and the audit tests it specifically.
Is the DP audit report made public or shared with clients of the DP?
No. The DP audit report is a confidential submission made to the concerned depository (NSDL and/or CDSL) as part of the DP's regulatory reporting obligations. It is not a public document and is not routinely shared with the DP's individual clients.
What is the cost of a DP audit engagement with PNPC?
PNPC agrees a fixed, written fee for each DP audit engagement, scoped to the DP's branch count, transaction volume, and whether one or two depositories are involved. The fee is confirmed in writing before the engagement begins — there is no standard published rate, since scope varies materially between a single-branch DP and a multi-branch dual DP.
What if our DP audit uncovers a serious issue, like unauthorised transfer of client securities?
A serious finding — such as evidence of unauthorised transfer, POA misuse beyond its permitted scope, or a material control breakdown — is reported to the depository as a significant exception, and the DP is expected to take immediate corrective and, where relevant, client-remediation action. Depending on severity, the depository may escalate the matter to SEBI. PNPC documents such findings factually and supports the DP's compliance officer in preparing an appropriately serious response.
How does PNPC keep up with changes in NSDL/CDSL audit circulars between cycles?
NSDL and CDSL periodically issue operating circulars that update audit checklists, formats, and timelines. PNPC's capital-market audit team tracks current circulars from both depositories as part of our practice discipline, and we confirm the applicable version before scoping each audit cycle rather than reusing a prior cycle's checklist by default.
Can the DP audit be combined across NSDL and CDSL if we are a dual DP?
The underlying fieldwork — account opening samples, transfer testing, pledge review — can often be planned as a single coordinated exercise for efficiency, but each depository requires its own report in its own prescribed format, submitted to that depository directly. The two audits are not interchangeable or substitutable for each other.
What is the role of the DP's compliance officer during the audit?
The compliance officer is typically the primary point of coordination — assembling documents, facilitating access to branch records and systems, and being the first point of discussion on draft findings before the report is finalised. A well-prepared compliance officer materially speeds up the audit and improves the quality of the ATR that follows.
Does a DP audit look at Aadhaar-based KYC and PAN-Aadhaar linkage specifically?
Yes. Account opening and KYC testing includes checking that the prescribed identity and address verification steps were completed and documented for sampled accounts, and that PAN and Aadhaar-linked KYC requirements applicable at the time of account opening were met, consistent with SEBI/KRA (KYC Registration Agency) norms in force.
What if the DP has no exceptions at all — is a clean report unusual?
A genuinely clean report is possible for a well-run DP with disciplined processes, but auditors are expected to test rigorously rather than aim for a clean outcome. A report with zero findings across a large, complex DP operation, cycle after cycle, can itself invite depository scrutiny of the audit's rigor rather than being taken purely as reassurance.
Does PNPC only serve DPs in South India, or can it audit a DP with a pan-India branch network?
PNPC's capital-market audit practice operates from our Chennai, Bangalore, and Hyderabad offices, and we coordinate fieldwork across branch locations outside these cities as required by the engagement, including remote/digital evidence review for branches where an on-site visit is not practical for every cycle.
How does PNPC's DP audit differ from a generic CA firm just filling out the checklist?
We scope each engagement around your actual risk profile — branch mix, POA usage, e-DIS adoption, BSDA proportion — rather than mechanically ticking a generic checklist. We track open exceptions across cycles until genuinely closed, confirm the current depository circular before each engagement rather than reusing a prior format, and engage directly with your compliance officer through fieldwork rather than only at kickoff and report delivery.
Can PNPC also help with the broader SEBI/capital-market compliance calendar beyond the DP audit itself?
Yes. PNPC's audit and assurance practice also supports related capital-market engagements — stock broker internal and concurrent audits, Ind AS and company audits for broking/DP entities, and internal financial controls reviews — so a client's overall capital-market compliance calendar can be coordinated by one practising CA team rather than split across unrelated firms with no shared context.
What if our DP registration is new and we have not yet completed a full audit period of operations by the first audit deadline?
In that situation, the first audit is typically scoped to cover the actual period of operations to date, even if shorter than a full standard cycle, so the DP is not left without any audit coverage simply because a full period has not yet elapsed. The precise treatment should be confirmed with the depository given the specific circumstances.
Does the DP audit cover freeze and unfreeze instructions on client accounts?
Yes. Where a client account has been frozen — whether on the client's own request, on instruction from a regulatory or law-enforcement authority, or under the depository's own risk framework — the audit checks that the freeze was applied and lifted only on proper authorisation, and that the DP's records clearly evidence who authorised each freeze or unfreeze action and why.
Are authorised persons and sub-brokers directly covered by the DP audit?
The DP audit obligation rests with the registered Depository Participant. Where the DP sources business through authorised persons or sub-brokers, the audit tests the DP's oversight of those channels — how account-opening and KYC files sourced through them are reviewed and controlled by the DP itself — rather than auditing the authorised person as a separately regulated entity in its own right.
How does PNPC handle a DP audit for an entity that is also a stock broker with its own separate broker audit obligations?
Many DPs are also stock brokers or clearing members with their own SEBI/exchange-mandated internal and concurrent audit obligations. The DP audit and the broker audit are separate engagements with separate scopes and reporting lines, but PNPC coordinates the overall audit calendar for such composite entities so that account-level data — particularly around margin pledge, which touches both trading and depository operations — is tested consistently across both engagements.
What records must a DP retain, and for how long, to support a future audit?
DPs are required to maintain proper records of client accounts, transactions, and related documentation as prescribed under SEBI and depository regulations and record-retention circulars. Retention periods vary by document type and applicable regulation. PNPC advises clients to confirm current retention requirements with reference to the specific SEBI/NSDL/CDSL circulars in force, since these have been updated over time and vary by record category.
Can the DP audit findings affect our SEBI registration or NISM certification requirements for staff?
Findings from a DP audit are separate from individual staff certification requirements under NISM (National Institute of Securities Markets), but a pattern of serious or repeated exceptions relating to how depository operations are handled by specific staff can prompt the DP to review whether relevant personnel hold the applicable NISM certification and are adequately trained, as part of its own remediation response.
Does PNPC provide a management letter in addition to the formal audit report submitted to the depository?
Yes. Alongside the formal report filed with NSDL/CDSL in their prescribed format, PNPC provides the DP's management and compliance officer with a supplementary management letter that explains findings in plain language, prioritises them by practical urgency, and sets out our specific recommendations for closing each one — beyond what the prescribed regulatory format itself requires.
| Feature | Generic Accounting Firm | Checklist-Only Auditor | PNPC Global |
|---|---|---|---|
| Capital-market audit experience | Limited or none — DP audit treated as an occasional one-off | Familiar with the checklist format only | Dedicated audit & assurance practice with capital-market and SEBI-regulated entity experience |
| Independence assessment | Rarely formally considered | Not typically assessed | Independence from DP operations explicitly confirmed at engagement acceptance |
| Checklist currency | May reuse an outdated checklist | Uses whatever checklist was last supplied | Confirms the current NSDL/CDSL circular checklist before each engagement |
| Sampling approach | Token sample, minimal documentation | Follows a fixed template regardless of risk profile | Risk-based sampling weighted to POA, e-DIS, and new-branch exposure |
| Exception follow-through | Report delivered, no cycle-to-cycle tracking | Exceptions repeated across cycles unaddressed | Open exceptions carried forward and specifically re-tested until closed |
| ATR support | Left entirely to the DP's compliance team | Not offered | Assists in drafting specific, owned, dated Action Taken Reports |
| Dual-DP coordination (NSDL + CDSL) | Two disconnected engagements | Not typically coordinated | Coordinated fieldwork with two separately finalised, depository-specific reports |
| Access to your engagement CA | Variable, often junior staff-led | Support-ticket style, limited follow-up | Direct access to the engagement CA by phone/WhatsApp through and beyond the audit cycle |
What the PNPC package includes
- 01
Engagement scoping and formal independence assessment before acceptance
- 02
Current NSDL and/or CDSL audit checklist confirmation for the applicable period
- 03
Risk-based sample selection across account opening, transfers, pledges, and transmission
- 04
Full-scope testing of KYC, DRF/RRF processing, DIS/e-DIS controls, POA usage, and internal controls
- 05
Grievance redressal and SCORES compliance verification
- 06
Exception classification in the depository's prescribed reporting format
- 07
Draft findings discussion with the compliance officer and process owners before finalisation
- 08
Action Taken Report (ATR) drafting support with specific, dated, owned remediation commitments
- 09
Cycle-to-cycle tracking of open exceptions through to verified closure
- 10
Coordinated dual-DP engagement planning for entities registered with both NSDL and CDSL
- 11
Working paper retention to support the DP in the event of a depository or SEBI follow-up query
- 12
Direct access to your engagement CA throughout the audit cycle and beyond
Speak directly with a PNPC Chartered Accountant who audits Depository Participants the way depositories actually expect — risk-based testing, exceptions tracked to genuine closure, and continuity from one audit cycle to the next, not a re-tendered checklist exercise every cycle.