HomeServicesTransformation & TechIT Governance & Compliance Reviews

Transformation & Tech · IT Risk & Technology Assurance

IT Governance & Compliance Reviews

IT governance failures rarely announce themselves as IT problems first.

Chartered Accountants · Chennai · Hyderabad · Bangalore · Dubai · Since 1986

2,000+Clients since 1986
42 yrsCA practice
4Offices · India & UAE
24 hrsResponse time

IT governance failures rarely announce themselves as IT problems first. They surface as a qualified audit opinion on Internal Financial Controls, a CERT-In breach-reporting deadline missed by a founder who did not know it existed, a data-fiduciary obligation under the Digital Personal Data Protection Act that nobody in finance had mapped, or a due-diligence data room that cannot produce evidence of access controls over the accounting system. PNPC Global reviews IT governance and technology risk the way a practising CA reviews financial controls — because the same discipline that produces a clean statutory audit opinion is what produces a defensible IT governance framework. Since 1986 we have sat on the finance and assurance side of hundreds of Indian and UAE businesses; our IT governance reviews are built on that vantage point, not on a generic cybersecurity checklist bought off a shelf.

What it costs

Govt. feesGovernment & statutory fees as applicable to your case
Professional feeFixed professional fee — confirmed in writing before we start

No hidden charges. The exact figure is set in your engagement letter.

What IT Governance & Compliance Reviews is

IT Governance & Compliance Reviews are a structured assessment of how an organisation plans, controls, and safeguards its information technology environment against recognised governance frameworks and applicable Indian regulatory requirements. In practice this means evaluating IT policies, access controls, data protection practices, vendor and third-party risk management, business continuity and disaster recovery arrangements, change management discipline, and incident response readiness against benchmarks such as ISO/IEC 27001 (information security management systems), COBIT (Control Objectives for Information and Related Technologies, a governance and management framework widely referenced by internal auditors), and the specific statutory and regulatory obligations that apply to Indian entities — including the Digital Personal Data Protection Act 2023 (DPDP Act), CERT-In's cybersecurity incident reporting directions, sector-specific RBI and SEBI IT governance and outsourcing circulars for regulated entities, and the Internal Financial Controls (IFC) requirements under Section 134(5) of the Companies Act 2013 to the extent IT general controls affect financial reporting.

The review is not a penetration test or a technical vulnerability scan, though findings from such technical assessments (where already available) are used as inputs. It is a governance and controls review — examining whether IT decision-making has proper oversight (Board or management committee involvement in technology risk), whether policies exist and are actually followed in practice, whether access to financial and customer data is appropriately restricted and monitored, whether third-party vendors and cloud service providers are contractually and operationally managed for risk, and whether the organisation could demonstrate compliance if a regulator, auditor, or investor asked for evidence tomorrow. For companies preparing for statutory audit, board of directors' certification of IFC adequacy, an investor due-diligence process, an ISO 27001 certification effort, or building out a formal audit and risk committee, this is precisely the review that produces defensible, evidence-backed answers.

Why a CA firm, rather than a pure cybersecurity or IT audit firm, delivers this differently: the financial reporting, statutory compliance, and regulatory-notification consequences of an IT governance gap are frequently the most material consequences a business faces — more material, in many cases, than the technical vulnerability itself. A missed CERT-In reporting deadline (mandated within six hours of noticing a covered incident under CERT-In's 2022 directions) carries direct regulatory exposure. A weak IT general control environment can result in a qualified or adverse Internal Financial Controls opinion in the statutory auditor's report — with direct consequences for the company's credibility with lenders, investors, and the Board. A DPDP Act non-compliance in how customer or employee personal data is processed carries its own penalty framework once the Act's provisions and rules are brought into force and become operative. We review technology risk through the same statutory-consequence lens we apply to every other compliance area — because that is the lens that determines what actually matters to your Board, your auditor, and your regulator.

The deliverable is a structured findings report — gaps identified against the chosen framework(s) and applicable law, risk-rated, with a prioritised remediation roadmap — plus, where the engagement scope includes it, support implementing the highest-priority remediations and periodic follow-up reviews. We do not issue an ISO 27001 certificate (that requires an accredited certification body) or a CERT-In empanelled auditor's technical security audit certificate (that requires a CERT-In empanelled auditor for specific mandated purposes) unless the specific engagement is scoped and staffed for that distinct purpose; our core IT governance review is the internal-facing readiness and controls assessment that typically precedes and prepares an organisation for those external certifications, or that stands alone as good governance practice and Board-level assurance.

When an IT Governance & Compliance Review adds real value

Your statutory auditor's Internal Financial Controls assessment has flagged IT general control weaknesses (access management, change management, backup/recovery) that need to be remediated before the next audit cycle

You are preparing for an institutional funding round or M&A due diligence and need to demonstrate a defensible technology governance and data protection posture to investors or acquirers

You process personal data of Indian customers or employees at meaningful scale and need to assess your readiness against the Digital Personal Data Protection Act 2023 and its rules as they come into force

Your Board or Audit Committee has asked for independent assurance on cybersecurity and IT risk — a common and increasingly expected governance practice, particularly for companies with institutional investors or listed-company aspirations

You are pursuing ISO 27001 certification (or SOC 2, for businesses selling to international enterprise customers) and want a readiness gap assessment before engaging a certification body

You are a regulated entity (NBFC, payment aggregator, insurance intermediary, or similar) subject to RBI or SEBI IT governance, outsourcing, or cybersecurity framework circulars and need a compliance review against those specific requirements

A recent security incident, near-miss, or vendor data breach has exposed the absence of a formal incident response plan, and you need both remediation and support determining whether CERT-In reporting obligations were triggered

You rely heavily on cloud service providers, SaaS vendors, or outsourced IT/BPO providers and have never formally assessed third-party and vendor risk across that stack

When this is not the right engagement

You need a technical penetration test or vulnerability scan of your applications and network infrastructure — that is a specialised technical security testing engagement; we can recommend and coordinate with a qualified technical security partner, and incorporate their findings into a governance review, but our engagement itself is a controls and governance assessment, not a technical exploit-based test

You need formal ISO 27001 certification issued in your company's name — that requires an accredited certification body to conduct the certification audit; PNPC's review prepares you for that certification but does not itself issue it

You need a CERT-In empanelled auditor's certificate for a specific regulatory purpose (for example, certain RBI-mandated cybersecurity audits) — that requires engaging an auditor specifically empanelled by CERT-In for that purpose; we can advise on scoping and readiness but flag clearly where a CERT-In empanelled auditor is a hard statutory requirement

Your business has no digital footprint of consequence — a single-location retail business with no online transactions, no customer database, and no cloud systems is unlikely to need a formal IT governance review at this stage; the cost is unlikely to be justified until genuine technology and data complexity exists

You need hands-on IT infrastructure implementation, network engineering, or software development — our review identifies and prioritises what needs to be fixed; the technical build-out itself is typically executed by your internal IT team or a technical implementation partner, with PNPC available to validate against the agreed control design

You are looking only for a generic, templated cybersecurity policy document with no assessment of your actual environment — a review that is not grounded in your real systems, data flows, and vendor landscape will not hold up under audit or regulatory scrutiny, and we do not offer this as a standalone product

Structure Comparison

Approaches to IT governance and compliance assurance — how they compare

ApproachWho Leads ItStatutory/Regulatory LiteracyTypical OutcomeBest Suited For
Generic cybersecurity vendor auditTechnical security consultancyLow — focused on technical vulnerabilities, not statutory/regulatory obligationsA technical findings list (vulnerabilities, patch gaps) with limited linkage to DPDP Act, CERT-In, or IFC requirementsBusinesses that already have governance and compliance covered and need a purely technical assessment
Big-4 or large IT audit firm engagementDedicated IT audit practice, typically at enterprise pricingHigh, but often priced and scoped for large enterprises with dedicated in-house IT/security teamsComprehensive but expensive; may be disproportionate for a mid-sized or owner-managed businessLarge, complex, or regulated enterprises with the budget and internal capacity to act on extensive findings
Internal IT team self-assessmentIn-house CTO/IT managerVariable — depends entirely on the internal team's regulatory awareness alongside technical skillCan be thorough on technical controls but frequently misses statutory notification deadlines and Companies Act/DPDP linkages that sit outside a typical IT team's remitOrganisations with a strong, regulation-aware internal IT/security leader who wants an independent second opinion rather than a full external review
PNPC IT Governance & Compliance ReviewPractising CA firm, statutory-consequence-first, framework-literate (ISO 27001, COBIT) and India-regulation-literate (DPDP Act, CERT-In, IFC, RBI/SEBI circulars)High — every finding is mapped to the specific statutory or regulatory consequence, not generic best practice aloneA risk-rated, prioritised remediation roadmap that a Board, auditor, or investor can rely on as evidence of governance disciplineOwner-managed businesses, startups, and mid-sized enterprises without a large dedicated IT audit function, especially those also managing statutory audit, Companies Act, and India-UAE compliance with PNPC
Do nothing / deferNo oneN/AIT governance gaps remain undocumented and unaddressed until surfaced by an incident, an auditor's IFC observation, or an investor's diligence question — at which point remediation is reactive and more costlyOnly appropriate for genuinely early-stage, low-complexity businesses with minimal digital footprint — not a sustainable posture as the business scales

This table is directional. The right approach depends on your sector, regulatory status (regulated entity or not), data sensitivity, existing IT maturity, and whether formal certification (ISO 27001, SOC 2) is a near-term objective. A scoping conversation with a PNPC CA is the right starting point before choosing an approach.

How it works
#Stage & What PNPC DoesWhy This Matters (What Generic IT Audits Miss)Timeline
1Scoping & Framework Selection — agreeing which frameworks and regulations applyWe do not apply a single generic checklist. We first establish which frameworks are actually relevant — ISO 27001 if certification is a goal, COBIT for governance structure, DPDP Act for personal data handling, CERT-In directions if you operate any Indian IT infrastructure, RBI/SEBI circulars if you are a regulated entity — because reviewing against the wrong or incomplete framework set produces a report that looks thorough but misses what actually matters to your regulator.Week 1
2Governance Structure Review — Board/management oversight of technology riskWe assess whether technology risk is genuinely visible at Board or Audit Committee level, or whether it exists only as an operational IT-team concern with no governance oversight — a gap that directly affects the credibility of your IFC certification and Board's own risk-oversight duty under the Companies Act.Week 1–2
3Policy & Documentation Review — existence and actual adherence, not just existenceA policy document that exists on a shared drive but that no one follows is worse than no policy at all in an audit or regulatory context, because it demonstrates the organisation knew the standard and did not enforce it. We test adherence, not just existence — interviewing staff and sampling actual practice against the documented policy.Week 2–3
4Access Control & Identity Management AssessmentWe review who has access to financial systems, customer data, and core business applications, whether access is provisioned and revoked on a documented approval basis, and whether privileged/administrative access is separately controlled and logged — this is consistently the single most common IT general control weakness we find, and the one statutory auditors query most often under IFC testing.Week 2–4
5Data Protection & DPDP Act Readiness AssessmentWe map your actual personal data flows — what personal data you collect, from whom, why, where it is stored, who can access it, and whether consent, purpose limitation, and data-fiduciary obligations under the DPDP Act 2023 are addressed — rather than relying on a generic 'we have a privacy policy' assumption.Week 3–4
6Third-Party & Vendor Risk ReviewWe assess your cloud service providers, SaaS vendors, outsourced IT/BPO arrangements, and payment processors for contractual data protection commitments, security certifications held by the vendor, and whether you have any visibility into their incident notification obligations to you — a gap that regularly surfaces only after a vendor-side breach affects your data.Week 3–5
7Business Continuity & Disaster Recovery ReviewWe assess whether backup, recovery, and business continuity arrangements are documented, tested (not just assumed to work), and realistic for your actual recovery time expectations — an area where many organisations discover gaps only during an actual outage.Week 4–5
8Incident Response & CERT-In Readiness ReviewWe assess whether you have a documented incident response plan, whether staff know what constitutes a reportable cybersecurity incident under CERT-In's directions, and whether the six-hour reporting clock and required reporting channels are understood — this is a specific, time-bound statutory obligation that generic IT audits frequently do not address at all.Week 4–5
9Change Management & IT General Controls TestingFor companies where IT systems feed financial reporting, we test whether changes to core financial and business-critical systems follow a documented approval, testing, and deployment process — this maps directly to the IT general controls testing your statutory auditor performs as part of the IFC assessment.Week 5–6
10Risk-Rated Findings Report & Remediation RoadmapEvery finding is rated by likelihood and impact and mapped explicitly to the specific standard or regulation it relates to (an ISO 27001 control reference, a DPDP Act obligation, a CERT-In direction, an IFC control objective) — so the report is directly usable as evidence for your Board, auditor, or investor, not a generic narrative.Week 6–7
11Management Response & Prioritisation WorkshopWe walk through findings with management and the Board/Audit Committee, agree realistic remediation timelines against actual budget and resource constraints, and formally document management's response to each finding — the documented response itself becomes part of your governance evidence trail.Week 7–8
12Remediation Support (Where in Scope)For the highest-priority findings, PNPC can support drafting or revising policies, designing the access control and approval workflows, and coordinating with technical implementation partners for the hands-on build — while PNPC validates the result against the agreed control design.Week 8 onward, scope-dependent
13Follow-Up Review & Periodic ReassessmentIT governance is not a one-time exercise — frameworks are updated, DPDP Act rules and enforcement guidance evolve, CERT-In directions are refreshed, and your own technology stack changes. We recommend an annual or milestone-triggered follow-up review, not a one-time report that goes stale.Annually, or at major technology/regulatory change events

Realistic end-to-end timeline for a full governance review with findings report: 6–8 weeks for a mid-sized single-entity business; longer for multi-entity, multi-jurisdiction, or regulated-sector engagements. A narrower, scope-limited review (for example, DPDP Act readiness only, or IFC-linked IT general controls only) can typically be completed in 3–4 weeks. Timelines are illustrative and depend on organisational size, system complexity, and how quickly requested documentation and stakeholder interviews can be scheduled.

Document Checklist
Governance & Policy Documentation

Existing IT policy, information security policy, data protection/privacy policy, and acceptable use policy, if any currently exist

Organisation chart showing who owns IT, information security, and data protection decisions, and whether any Board or management committee has formal technology risk oversight

Minutes of any Board or Audit Committee discussion of technology or cybersecurity risk in the last 12–24 months, if available

Any prior IT audit, penetration test, or security assessment reports, along with evidence of remediation actions taken

Business continuity plan and disaster recovery plan documentation, if formalised

Systems & Technical Environment

List of all core business and financial systems in use (accounting/ERP, CRM, payroll, HRMS, e-commerce platform, custom applications), including whether cloud-hosted or on-premise

List of cloud service providers and major SaaS vendors used, with details of the data each stores or processes

Current access control practice — how user accounts are provisioned, approved, and revoked, and whether privileged/admin access is separately logged

Network and infrastructure diagram or description, even informal, showing how systems connect and where data resides

Details of any backup arrangement — frequency, storage location, and whether recovery has ever been tested

Data & Personal Data Handling

Description of what categories of personal data are collected (customer, employee, vendor) and for what stated purposes

Copy of any current privacy policy or consent mechanism used on customer-facing platforms

List of any personal data shared with third parties, including cross-border transfers if applicable

Data retention practice — how long personal data is kept and whether deletion/purging is systematised or manual

Any prior data subject complaint, breach, or near-miss incident involving personal data, with details of how it was handled

Vendor & Third-Party Risk

List of all outsourced IT, BPO, cloud infrastructure, and payment processing vendors, with copies of key contracts if available

Evidence of vendor security certifications (ISO 27001, SOC 2, PCI-DSS where relevant) held by critical vendors, if collected

Any vendor-side breach notification received in the past, and how it was managed internally

Due diligence or onboarding checklist currently used (if any) when engaging a new technology vendor

Regulatory & Compliance Baseline

Confirmation of regulatory status — whether the entity is an NBFC, payment aggregator, insurance intermediary, or otherwise subject to RBI/SEBI-specific IT governance or outsourcing circulars

Statutory auditor's management letter or prior-year IFC observations relevant to IT general controls, if available

Details of any prior CERT-In reportable incident, or any internal assessment of whether an incident met the reporting threshold

List of jurisdictions in which the company operates or holds data, relevant to cross-border data transfer and applicable law considerations

Business Context & Objectives

A plain-language statement of what triggered the review — an audit observation, funding round, incident, Board request, certification goal, or proactive governance practice

Whether ISO 27001 or SOC 2 certification is a near-term objective, and if so, target timeline

Budget range available for remediation (policy work, technical controls, potential tooling), even an approximate range

Names and roles of the internal stakeholders who will be involved in interviews — IT/technical staff, finance, HR (for employee data), and any Board/Audit Committee representative

Ongoing obligations
PhaseTriggered ByPNPC CA GuidanceRisk If Ignored
Scoping & Assessment (Week 1–4)Decision to conduct a governance reviewFramework selection, governance structure review, policy and access control assessment, data protection and vendor risk review — building the full current-state picture against applicable standards and law.A review scoped against the wrong or incomplete framework set produces findings that look thorough but miss the specific obligations (DPDP Act, CERT-In, IFC) that actually carry regulatory or audit consequence.
Findings & Remediation Planning (Week 5–8)Assessment completeRisk-rated findings report mapped explicitly to the relevant standard or regulation, management response workshop, and a realistic, budget-aware remediation roadmap agreed with the Board or leadership team.Findings presented without statutory mapping or realistic prioritisation are often shelved — the report exists but nothing changes, leaving the same exposure the review was meant to address.
Remediation Execution (Month 2–4)Roadmap approvedPNPC supports policy drafting, access control redesign, and coordination with technical implementation partners for the highest-priority items; validates the technical build against the agreed control design.Remediation executed without governance oversight can drift from the agreed design, particularly for access control and data protection changes that need to survive future audit testing.
Evidence Consolidation (Month 3–5)Remediation substantially completeConsolidation of evidence — updated policies, access logs, vendor contract amendments, tested backup/recovery records — into an audit-ready evidence pack for statutory auditors, the Board, or investor due diligence.Remediation without evidence consolidation leaves the organisation unable to demonstrate compliance when actually asked — the improvements exist but cannot be proven on demand.
Certification Pursuit (If in Scope)Business decides to pursue ISO 27001 or SOC 2Readiness gap assessment against the specific certification standard, coordination with an accredited certification body, and support through the certification audit process (Stage 1 and Stage 2 for ISO 27001).Approaching a certification body without a prior readiness assessment risks a failed or significantly delayed certification audit, with associated cost and reputational impact.
Incident EventA cybersecurity incident occursRapid assessment of whether CERT-In reporting thresholds are met and the six-hour reporting clock applies, activation of the incident response plan, and post-incident review to strengthen controls.A missed CERT-In reporting deadline carries direct regulatory exposure; an unmanaged incident response also risks greater data loss, business disruption, and reputational harm than a well-rehearsed response.
Statutory Audit CycleAnnual financial statement auditCoordination with the statutory auditor's IT general controls testing for the IFC assessment; evidence of remediated access control, change management, and backup practices presented proactively.Unaddressed IT general control weaknesses can result in a qualified or adverse IFC opinion in the auditor's report under Section 134(5) of the Companies Act, with direct Board and investor-relations consequences.
Recurring ReviewAnnual, or at major technology/regulatory changeFramework and regulatory landscape refreshed (DPDP Act rules evolving, CERT-In direction updates, new vendors or systems onboarded); governance review repeated to confirm continued adequacy.Frameworks and regulations continue to evolve after the first review; a governance posture assessed once and never revisited becomes stale and can silently drift out of compliance as the business and regulatory landscape change.
Frequently asked
What exactly is an IT Governance & Compliance Review, and how is it different from a cybersecurity audit?

It is a structured assessment of how your organisation governs and controls its technology environment — policies, access controls, data protection practices, vendor risk, business continuity, and incident response — measured against recognised frameworks (ISO 27001, COBIT) and applicable Indian law (the DPDP Act, CERT-In directions, Companies Act Internal Financial Controls requirements, and sector-specific RBI/SEBI circulars where relevant). A cybersecurity audit or penetration test is a technical assessment of specific vulnerabilities in your systems and network. Our review is broader and governance-focused — it asks whether the right oversight, policies, and controls exist and are actually followed, not only whether a specific system has an exploitable flaw.

Practitioner noteWe frequently see businesses that have commissioned a technical penetration test and treated it as complete governance assurance. A clean penetration test result says nothing about whether your Board has oversight of technology risk, whether your data-processing practices meet DPDP Act obligations, or whether your access controls would survive an IFC audit query. The two exercises are complementary, not substitutes.
Why would a Chartered Accountancy firm, rather than a specialist cybersecurity firm, conduct this review?

Because the consequences that matter most for most Indian businesses are statutory and financial-reporting consequences, not purely technical ones — a qualified Internal Financial Controls opinion, a missed CERT-In reporting deadline, a DPDP Act non-compliance, or an investor due-diligence red flag. We review technology risk through the same statutory-consequence lens we apply to every other compliance area, because that lens is what determines whether a finding is a genuine priority or a lower-order technical observation. We work alongside specialist technical security partners for deep technical testing, incorporating their findings into the broader governance picture.

Practitioner noteThe single most common gap we find in businesses that have only engaged a technical security vendor is the absence of any link between technical findings and the specific regulatory or audit consequence — the report exists, but no one in finance or on the Board understands what it means for the statutory audit or the DPDP Act obligations.
Is this review mandatory under Indian law, or is it a voluntary governance practice?

There is no single statute that mandates 'an IT Governance & Compliance Review' by that name for most companies. However, several underlying obligations effectively require the substance of what this review covers: Section 134(5) of the Companies Act 2013 requires directors to state that internal financial controls are adequate and operating effectively, which for most companies today includes IT general controls over financial systems; CERT-In's 2022 directions impose mandatory incident reporting obligations on a broad range of entities operating IT systems in India; the DPDP Act 2023 imposes data-fiduciary obligations on entities processing personal data of individuals in India, with rules and enforcement mechanisms continuing to be operationalised; and regulated entities (NBFCs, payment aggregators, and others) face specific RBI or SEBI IT governance and cybersecurity circular requirements. The review itself is not mandated by name, but the underlying compliance it verifies substantially is.

Practitioner noteWe are careful never to overstate a single blanket mandate — applicability depends heavily on your sector, whether you are a regulated entity, and your data processing profile. We map the specific obligations that actually apply to your business in the scoping stage rather than assuming a one-size-fits-all regulatory list.
Our statutory auditor flagged IT general control weaknesses in the management letter. Is this the right service to address that?

Yes — this is one of the most common and direct triggers for this engagement. We review the specific IT general controls your auditor tested (access provisioning and revocation, change management approval, backup and recovery, segregation of duties in system permissions) and design a remediation plan that directly addresses the auditor's observations, so the following year's audit does not repeat the same finding.

Practitioner noteWe ask to see the actual management letter language, not a summary, before scoping — auditors phrase IT general control findings with specific technical language that determines exactly what needs to be remediated and how the remediation should be evidenced for the next audit cycle.
What is COBIT, and why does it matter for a mid-sized business, not just large enterprises?

COBIT (Control Objectives for Information and Related Technologies) is a widely referenced IT governance and management framework, maintained by ISACA, that structures how an organisation should govern technology decisions, manage risk, and measure performance against business objectives. It is commonly used by internal and external auditors as a reference point when assessing IT governance maturity. While large enterprises often adopt COBIT formally and comprehensively, mid-sized businesses benefit from applying its core governance principles — clear ownership, documented processes, measurable controls — proportionately, without needing the full enterprise-scale implementation.

Practitioner noteWe do not recommend a full COBIT implementation for most mid-sized clients — that is disproportionate. We use it as a reference framework to structure our review and ensure governance gaps are identified systematically, applying the principles at a scale appropriate to the business.
What is ISO/IEC 27001, and does PNPC issue the certification?

ISO/IEC 27001 is the internationally recognised standard for an Information Security Management System (ISMS) — a systematic approach to managing sensitive company and customer information so that it remains secure. Certification against ISO 27001 requires an audit by an accredited certification body, which PNPC is not; PNPC's role is to conduct a readiness gap assessment, help remediate identified gaps, and prepare your documentation and controls so that when you do engage a certification body, the Stage 1 and Stage 2 audits proceed smoothly rather than surfacing gaps for the first time.

Practitioner noteWe have seen businesses approach a certification body directly without a readiness assessment and fail or significantly delay Stage 1 as a result. The cost of a proper readiness review is consistently lower than the cost, delay, and reputational friction of a failed certification audit.
What is the Digital Personal Data Protection Act 2023, and how does it affect our IT governance obligations?

The DPDP Act 2023 is India's principal data protection statute, establishing obligations for entities (termed 'Data Fiduciaries') that determine the purpose and means of processing personal data of individuals ('Data Principals') in India. Core obligations include obtaining valid consent (or relying on specified legitimate uses), limiting processing to the stated purpose, implementing reasonable security safeguards to prevent personal data breaches, and notifying the Data Protection Board and affected individuals in the event of a breach, in the manner and timeline the rules prescribe. The Act's detailed rules and the Data Protection Board's operational framework have continued to be finalised and phased in since the Act's passage, so specific compliance timelines and enforcement mechanics should be verified as current at the time of your review rather than assumed static.

Practitioner noteBecause rules and enforcement guidance under the DPDP Act have continued to evolve since the Act was passed, we treat DPDP readiness as a living compliance area rather than a one-time checklist — we recommend revisiting your DPDP posture at least annually, or immediately upon any significant rule notification or enforcement guidance.
What are CERT-In's cybersecurity incident reporting directions, and what is the six-hour rule?

CERT-In (the Indian Computer Emergency Response Team) issued directions in 2022 under Section 70B of the Information Technology Act 2000 that require a broad category of entities to report specified types of cybersecurity incidents to CERT-In within six hours of noticing the incident or being brought to notice of the incident, and to maintain certain logs for a prescribed retention period. The categories of reportable incidents include data breaches, ransomware attacks, unauthorised access to critical systems, and several other specified event types. This is a genuinely time-bound obligation — most organisations without a documented incident response plan have no practical way to identify, escalate, and report within that window.

Practitioner noteWe treat CERT-In readiness as a specific, testable item in our review — not a general awareness question. We ask: does your organisation actually know what constitutes a reportable incident, who is authorised to file the report, and what evidence needs to be preserved? Most businesses discover in this exercise that the answer is 'no one is quite sure,' which is precisely the gap the review is meant to surface before an actual incident forces the question.
We are an NBFC / payment aggregator / SEBI-regulated intermediary. Does this review cover our sector-specific IT governance obligations?

Yes, where relevant to your specific regulatory status. RBI and SEBI have issued sector-specific circulars addressing IT governance, cybersecurity frameworks, outsourcing of IT services, and business continuity for regulated entities — the specific requirements vary meaningfully by the type of regulated entity and the applicable circular in force. We scope the review to include the specific circular(s) applicable to your registration category as part of the initial framework-selection stage, rather than treating regulated entities the same as unregulated businesses.

Practitioner noteSector-specific circulars are updated periodically, and applicability depends on your exact regulatory category and licence type. We verify the current, applicable circular set for your specific registration at the scoping stage rather than relying on a general assumption about what 'NBFC IT governance rules' currently require.
How does this review connect to our Internal Financial Controls (IFC) certification under the Companies Act?

Section 134(5)(e) of the Companies Act 2013 requires directors of most companies to state in the Board's report that the company has adequate internal financial controls in place and that such controls were operating effectively during the year. Where financial reporting relies on IT systems (which is the case for virtually every company today), IT general controls — access management, change management, backup and recovery — form part of what the statutory auditor tests and what the Board is certifying. Our review directly supports this certification by identifying and helping remediate IT general control weaknesses before they surface as an audit finding or, worse, an inaccurate Board certification.

Practitioner noteWe coordinate directly with the statutory auditor's IFC testing scope wherever PNPC or an affiliated firm is also the statutory auditor, or wherever the client's separate auditor is willing to share testing scope — this alignment materially reduces duplicate work and surfaces IT general control gaps earlier in the audit cycle rather than at year-end.
How long does a full IT Governance & Compliance Review take?

A full review — scoping, governance structure review, policy and access control assessment, data protection and vendor risk review, business continuity and incident response review, and a risk-rated findings report — typically takes 6–8 weeks for a mid-sized single-entity business. A narrower, scope-limited review focused on a single area (for example, DPDP Act readiness only, or IT general controls linked to the IFC assessment only) can typically be completed in 3–4 weeks. Multi-entity, multi-jurisdiction, or regulated-sector engagements generally take longer.

Practitioner noteThe biggest timeline variable in our experience is document and stakeholder availability, not the review methodology itself — a client who can promptly produce policy documents and make staff available for interviews moves through the process considerably faster than one where each request takes weeks to fulfil.
What does the review actually produce — a document, or something we can act on?

A structured, risk-rated findings report where every finding is explicitly mapped to the specific standard or regulation it relates to (an ISO 27001 control clause, a DPDP Act obligation, a CERT-In direction, a Companies Act IFC control objective), together with a prioritised, realistic remediation roadmap. We also run a management response workshop with your leadership team or Board/Audit Committee to agree remediation ownership and timelines — the documented management response itself becomes part of your governance evidence trail for future audits or due diligence.

Practitioner noteWe deliberately avoid a report that reads as a generic narrative with vague recommendations. Every finding in our reports states precisely which framework clause or legal provision it relates to, why it matters in consequence terms (not just theoretically), and what a reasonable remediation timeline looks like given typical resource constraints.
Do you also implement the remediations, or only identify them?

Both, depending on the engagement scope agreed. For policy drafting, access control workflow redesign, and governance documentation, PNPC typically leads the work directly. For hands-on technical implementation (configuring specific security tooling, network-level changes, application code changes), we coordinate with your internal IT team or a technical implementation partner and validate the result against the agreed control design — similar to how we approach implementation oversight in our broader Digital Transformation Advisory engagements.

Practitioner noteWe are candid that PNPC is not a hands-on network security or software engineering shop. Where deep technical remediation is required, we recommend the right technical partner and stay engaged to ensure the remediation actually closes the governance gap identified, rather than handing off and losing visibility.
How much does an IT Governance & Compliance Review cost?

Fees depend on scope — a full review across all areas (governance, access control, data protection, vendor risk, business continuity, incident response) for a mid-sized single-entity business is typically a fixed fee agreed upfront based on organisational size and system complexity. A narrower, scope-limited review costs proportionately less. Remediation support, where in scope, is generally structured as an additional phase, either fixed-fee or milestone-based. We provide a written scope and fee proposal before any engagement begins — there is no standard published price because system complexity and regulatory exposure vary significantly by business.

Practitioner noteWe scope proportionately to actual risk and complexity — a single-entity business with a handful of SaaS tools and no regulated-entity status needs a materially smaller engagement than a multi-entity, RBI-regulated group. Ask for a scoping conversation rather than assuming cost from a generic quote.
We are a startup with under 20 employees and use mostly off-the-shelf SaaS tools. Is this review relevant at our stage?

It can be, particularly if you are approaching a funding round (investors increasingly ask data-room questions about data protection and access control practices), if you process any meaningful volume of customer personal data, or if you are preparing for your first statutory audit. For a genuinely early-stage business with minimal data sensitivity and no near-term funding or audit trigger, a lighter-touch review — focused on the highest-risk areas only — may be more proportionate than the full engagement, and we will scope it that way rather than oversell.

Practitioner noteWe regularly right-size this engagement for early-stage clients — sometimes combining a focused DPDP Act and access-control review with our broader startup Virtual CFO or Digital Transformation Advisory work, rather than proposing a standalone full governance review that is disproportionate to the company's current stage.
What is the single most common finding PNPC encounters in these reviews?

Access control weaknesses — specifically, financial and customer-data systems where access is not provisioned through a documented approval process, where former employees' access is not promptly revoked, and where privileged/administrative access is not separately logged or restricted. This single control area is consistently the most common finding across both statutory audit IFC testing and our broader governance reviews, and it is often the fastest and least costly gap to remediate relative to the risk it represents.

Practitioner noteWe ask every client the same simple diagnostic question early in scoping: 'if an employee left today, how would you know exactly what systems they still have access to?' The quality and speed of the answer is usually a strong early indicator of overall access control maturity.
Does the review cover cloud service providers like AWS, Azure, or Google Cloud specifically?

Yes, as part of the third-party and vendor risk review. We assess your configuration and usage of cloud infrastructure (not the cloud provider's own infrastructure security, which is the provider's responsibility under the shared-responsibility model most cloud providers operate) — access management to your cloud accounts, data residency and storage location, backup configuration, and whether security certifications held by the provider are relevant to your specific compliance needs (for example, data residency requirements that may apply to certain regulated sectors).

Practitioner noteWe consistently find businesses that assume 'the cloud provider handles security' without understanding the shared-responsibility model — the provider secures the underlying infrastructure, but configuration of access controls, data classification, and backup policy within your account remains the client's responsibility, and that is where most real-world gaps sit.
What happens if the review finds a serious, urgent gap — do you wait until the final report to flag it?

No. If we identify a genuinely urgent gap during the review — for example, an active unpatched vulnerability in production, a completely absent access revocation process, or evidence of an unreported incident that may meet CERT-In's reporting threshold — we flag it immediately to management, not at the final report stage. Time-sensitive findings, particularly anything with a statutory reporting clock attached, are escalated as soon as identified.

Practitioner noteWe treat a potential CERT-In reporting-threshold event discovered mid-review as an immediate escalation, not a report-stage finding — the six-hour reporting clock does not pause for the convenience of our review timeline.
Can this review help us respond to a specific data breach or security incident that has already occurred?

Yes, though the immediate incident response itself (containment, technical investigation, and any required CERT-In notification) is typically a more urgent, time-boxed engagement than the standard governance review. We can support the immediate response — assessing reporting obligations and coordinating with technical incident responders — and then, once the immediate incident is contained, conduct a focused post-incident governance review to identify and remediate the underlying control gaps that allowed the incident to occur.

Practitioner noteWe treat post-incident engagements with urgency on two fronts simultaneously: meeting any statutory reporting deadline, and beginning root-cause analysis quickly enough that the evidence trail (logs, access records) has not degraded by the time the deeper review begins.
We operate entities in both India and the UAE. Does the review cover both jurisdictions?

Yes — with offices in Chennai, Bangalore, Hyderabad, and Dubai, we assess both the Indian entity's obligations (DPDP Act, CERT-In, Companies Act IFC linkage, RBI/SEBI circulars where applicable) and, where the UAE entity is in scope, relevant UAE data protection requirements (including obligations under UAE federal data protection law and any applicable free zone-specific data protection regulations, such as those in DIFC or ADGM, which differ from UAE mainland requirements). Cross-border data transfer between the two entities is specifically assessed, since it carries distinct compliance considerations on both sides.

Practitioner noteIndia-UAE groups frequently transfer customer or employee data between entities without having formally assessed the cross-border transfer implications on either side. We treat this as a specific line item in any multi-jurisdiction engagement rather than assuming domestic-only compliance is sufficient.
Is this review a one-time exercise, or should it be repeated periodically?

It should be repeated periodically — we recommend at least an annual review, and additionally whenever a significant trigger occurs: a new core system is adopted, a new jurisdiction of operation is added, a significant regulatory update is issued (a new DPDP Act rule, an updated CERT-In direction, a new RBI/SEBI circular), or a security incident occurs. IT governance frameworks and the underlying regulatory landscape continue to evolve, and a governance posture assessed once and never revisited becomes stale.

Practitioner noteWe structure most engagements with an initial full review followed by a lighter-touch annual refresh, rather than a full review repeated every year — this keeps ongoing cost proportionate while still catching material changes in your risk and regulatory landscape.
Who at PNPC actually delivers this review — is it the same team that does our statutory audit?

The engagement is led by a practising Chartered Accountant with experience across statutory audit, Internal Financial Controls testing, and technology governance, supported where needed by team members with hands-on IT and information security assessment experience. Where PNPC is also your statutory auditor, we coordinate (subject to the independence requirements applicable to statutory audit engagements) so that IT general control findings inform, rather than duplicate, the audit's own IFC testing.

Practitioner noteWhere independence rules require separation between the statutory audit team and an advisory engagement team for the same client, we structure the engagement teams accordingly and are transparent about that separation from the outset — this is a standard professional requirement, not a limitation specific to this service.
Can this review help us if we are considering cyber insurance?

Yes, indirectly. Cyber insurance underwriters increasingly ask detailed questions about access controls, incident response readiness, backup practices, and data protection measures as part of underwriting and premium determination. A documented governance review with evidence of remediated gaps can materially strengthen a cyber insurance application and may support more favourable underwriting terms, though PNPC does not itself arrange or broker insurance policies.

Practitioner noteWe have seen clients use our findings report and remediation evidence directly in cyber insurance underwriting conversations, with underwriters responding positively to documented, evidenced governance practices rather than a self-reported questionnaire alone.
What is the difference between this review and PNPC's Digital Transformation Advisory service?

Digital Transformation Advisory is forward-looking — it helps you plan, sequence, and implement new systems and process automation, with governance and control design built in from the start. IT Governance & Compliance Reviews are assessment-focused — they evaluate your existing environment (new or old) against governance frameworks and statutory obligations and produce a remediation roadmap. In practice the two are complementary: a governance review often surfaces the need for a broader systems transformation, and a transformation project should incorporate governance and control design as a core workstream, which our transformation advisory already does.

Practitioner noteWe do not force a client to pick one framing over the other. If your immediate need is an assessment of what exists today against a specific standard or regulation, this is an IT Governance & Compliance Review. If your immediate need is planning a new system or process, that is Digital Transformation Advisory — we will recommend whichever matches your actual situation, and often a client engages both at different points.
Does the review look at physical security of IT infrastructure, or only digital/logical controls?

Primarily digital and logical controls — access management, data protection, network and application-level governance — since that is where the majority of statutory and regulatory risk for most Indian businesses concentrates today, particularly with widespread cloud adoption. Where a business maintains meaningful on-premise infrastructure (a server room, physical data centre, or similar), we include a proportionate physical security review of that specific environment as part of the broader scoping discussion.

Practitioner noteMost of our client base today runs predominantly on cloud infrastructure with minimal on-premise hardware, so physical security review is typically a smaller component of scope than it would have been a decade ago — but we do not skip it entirely where relevant on-premise infrastructure genuinely exists.
If we fail to act on the findings, what is PNPC's ongoing responsibility?

Our responsibility is to deliver an accurate, professionally rigorous assessment and a realistic remediation roadmap, and to be clear and direct with your Board or leadership about the risk of unaddressed findings — including flagging genuinely urgent items outside the normal reporting cadence, as noted above. We do not have an ongoing monitoring or enforcement role beyond the engagement scope agreed; if remediation is not acted on, that is a management and Board decision and risk-acceptance matter, which we document clearly so it is an informed decision rather than an overlooked one.

Practitioner noteWe always ensure risk-acceptance decisions (choosing not to remediate a specific finding) are explicitly documented with the rationale and the decision-maker's name — this protects both the client's governance record and our own professional record of having raised the issue clearly.
Can a small NGO or Section 8 company that handles donor and beneficiary data benefit from this review?

Yes, particularly where the organisation processes beneficiary personal data (which can include sensitive categories depending on the nature of the NGO's work) or handles donor payment information. NGOs are not exempt from DPDP Act obligations simply by virtue of their non-profit status where they process personal data as a data fiduciary, and donor and grant-funder due diligence increasingly asks about data protection practices. We scope these reviews proportionately to the NGO's actual scale and data sensitivity.

Practitioner noteWe have found that NGOs sometimes assume regulatory data protection obligations apply only to for-profit or large commercial entities — this is not a safe assumption under the DPDP Act's data-fiduciary framework, and we flag this explicitly during scoping conversations with non-profit clients.
How does PNPC keep the review current given how quickly technology risk and regulation evolve?

We treat the frameworks and regulatory references used in each review as a living reference set, updated at the time of each engagement — ISO 27001 and COBIT are periodically revised, DPDP Act rules and Data Protection Board guidance continue to be operationalised, CERT-In directions are refreshed, and RBI/SEBI circulars are updated regularly for regulated sectors. Every engagement begins by confirming the current, applicable version of each relevant standard or regulation, rather than relying on a static internal checklist that may reference an outdated version.

Practitioner noteWe explicitly avoid over-relying on a fixed internal template for this reason — the framework and regulatory reference set is deliberately revalidated at the start of every engagement rather than reused unchanged from the prior client's review.
What is the difference between IT governance and IT security — are we buying two things or one?

IT security is the set of technical and procedural measures that protect systems and data from unauthorised access, loss, or disruption — firewalls, encryption, patching, access controls. IT governance is the broader oversight layer that decides how security (and technology generally) is planned, resourced, measured, and accounted for at the Board and management level, and ensures the organisation can demonstrate that oversight to a regulator or auditor. You need both, and they are not substitutes for each other — strong technical security with no governance oversight leaves the Board unable to demonstrate accountability; strong governance language with weak underlying technical security is equally exposed. Our review sits primarily in the governance layer, informed by technical security findings where available.

Practitioner noteWe are careful to distinguish these two terms explicitly in every engagement kickoff, because clients sometimes commission a governance review expecting a technical security audit, or vice versa — clarifying the distinction upfront avoids a mismatch between expectation and deliverable.
Can PNPC review our IT governance as part of preparing for a listed-company (IPO) transition?

Yes — this is a common trigger for larger, later-stage clients. A company preparing for a public listing faces materially higher governance expectations, including more rigorous IFC certification scrutiny, SEBI Listing Obligations and Disclosure Requirements (LODR) considerations relevant to technology risk disclosure, and heightened investor and analyst attention to cybersecurity and data governance practices. We scope IPO-readiness IT governance reviews specifically around the elevated standard a listed company (and its Audit Committee) is expected to meet, distinct from the standard private-company review.

Practitioner noteIPO-readiness reviews typically surface a longer remediation list than a standard private-company review, simply because the bar is genuinely higher — we flag this expectation gap early so the company can plan remediation timelines realistically against the IPO timetable rather than discovering the gap during the actual listing due-diligence process.
Does this review cover email security and phishing-resistance specifically?

Yes, as part of the broader access control and incident-readiness assessment — email remains one of the most common initial attack vectors for the kinds of incidents that trigger CERT-In reporting obligations and data breaches. We assess whether basic email authentication controls (SPF, DKIM, DMARC configuration), multi-factor authentication on email accounts, and staff awareness/training practices are in place, though a full technical phishing-simulation exercise is a more specialised technical engagement we can recommend a partner for if warranted.

Practitioner noteWe have seen a disproportionate number of real-world incidents at client organisations trace back to a compromised email account with no multi-factor authentication — it is one of the highest-return, lowest-cost remediation items we typically recommend as an immediate action, ahead of the full report.
How does the review treat 'Bring Your Own Device' (BYOD) practices where staff use personal phones and laptops for work?

We assess whether a BYOD policy exists, whether it addresses access to company email, financial systems, and customer data from personal devices, and whether basic controls (device passcodes, remote-wipe capability for company data, restrictions on storing sensitive data locally) are in place or even feasible given your current tooling. BYOD is common in Indian mid-sized businesses and startups, and it is frequently an unaddressed gap precisely because it does not involve company-owned hardware and so does not appear on a typical asset inventory.

Practitioner noteBYOD gaps are particularly relevant to DPDP Act readiness — if personal data is accessible or stored on an employee's personal device with no policy or technical control, that materially complicates your ability to demonstrate 'reasonable security safeguards' as a data fiduciary if a device is lost or compromised.
We just completed a funding round and our investors asked us to formalise IT governance as a condition. How quickly can PNPC help us close that condition?

This is a common post-funding scenario, and we typically prioritise it for rapid turnaround — a focused review addressing the specific conditions or representations in the investment/shareholders' agreement (rather than the full end-to-end review) can often be scoped and delivered within 3–4 weeks, depending on the specific commitments made in the funding documents and the current state of your systems.

Practitioner noteWe ask to see the exact language of the investor condition or covenant before scoping, since funding agreements sometimes specify a particular standard (for example, 'ISO 27001 certified within 12 months' versus 'a documented information security policy') — the precise wording materially changes both scope and realistic timeline.
Why PNPC Global
FeatureGeneric Cybersecurity VendorLarge IT Audit FirmPNPC Global
Statutory/Regulatory LiteracyLow — focused on technical vulnerabilities, limited linkage to DPDP Act, CERT-In, or IFC requirementsHigh, but often priced and scoped for large enterprises with dedicated internal governance teamsHigh — every finding mapped explicitly to the statutory or regulatory consequence, scoped proportionately for mid-sized and owner-managed businesses
Linkage to Statutory Audit & IFCGenerally nonePresent, but as a separate large-firm workstream, often disconnected from the same firm's statutory audit teamDirect — the same CA-led lens applied to your statutory audit's IFC testing is applied to this review
DPDP Act & CERT-In ReadinessRarely addressed with legal precisionAddressed, but often as a generic overlay rather than mapped to your specific data flowsMapped to your actual personal data flows and IT footprint, not a generic checklist
Pricing ProportionalityVariable, often technical-scope-only pricingEnterprise-scale pricing, frequently disproportionate for mid-sized businessesScoped and fixed-fee proportionate to your actual size, sector, and regulatory exposure
Remediation SupportTypically ends at the technical findings reportAvailable, but at large-firm rates and pacePNPC leads policy and governance remediation directly; coordinates technical partners for hands-on build, validating the result
India-UAE CoordinationRare, unless specifically a cross-border technology firmAvailable at large multinational firms, at corresponding costNative — offices in Chennai, Bangalore, Hyderabad, and Dubai coordinate both sides as one engagement
Ongoing RelationshipProject-based, typically ends at deliveryProject-based, periodic re-engagement at full enterprise ratesFrequently continues as an annual governance refresh, integrated with your existing statutory audit and compliance relationship with PNPC

What the PNPC package includes

  1. 01

    Framework and regulatory scoping — ISO 27001, COBIT, DPDP Act, CERT-In directions, Companies Act IFC linkage, and sector-specific RBI/SEBI circulars, mapped to what actually applies to your business

  2. 02

    Governance structure review assessing genuine Board/Audit Committee oversight of technology risk, not just operational IT-team ownership

  3. 03

    Access control and identity management assessment — provisioning, revocation, and privileged-access logging, the single most common finding area

  4. 04

    Data protection and DPDP Act readiness assessment mapped to your actual personal data flows, not a generic privacy-policy checklist

  5. 05

    Third-party and vendor risk review covering cloud providers, SaaS vendors, and outsourced IT/BPO arrangements

  6. 06

    Business continuity, disaster recovery, and incident response readiness review, including CERT-In six-hour reporting-obligation preparedness

  7. 07

    IT general controls testing aligned directly to your statutory auditor's Internal Financial Controls assessment scope

  8. 08

    Risk-rated findings report with every finding explicitly mapped to the specific standard or legal provision it relates to

  9. 09

    Management response workshop producing a documented, Board-ready remediation roadmap and risk-acceptance record

  10. 10

    Remediation support for policy and governance work, with coordination and validation for technical implementation where needed

  11. 11

    India-UAE coordinated review for group entities, addressing cross-border data transfer considerations on both sides

  12. 12

    Direct access to your engagement CA — not a support ticket queue or a generic account manager

Speak directly with a PNPC Chartered Accountant who reviews technology risk the same way we review financial controls — grounded in what your Board, your statutory auditor, and Indian law actually require, not a generic cybersecurity checklist.

← Back to Transformation & Tech
Talk to a CA