AUDIT & ASSURANCE

Building a DPDP Audit Programme: A Guide for Internal Auditors at BFSI Organisations

11 min read | Internal Auditor · Audit Committee Member | May 2026
In this article
Audit scope under DPDP
Test procedures for each area
Red flags auditors find
Reporting to the Audit Committee

Internal audit's role in DPDP is to independently verify that the compliance programme is real — not to implement it. That is a harder job than it sounds when evidence is scattered, unstructured, and sometimes fabricated after the fact.

Audit scope under DPDP

A DPDP audit programme must cover every obligation the Act creates for a data fiduciary. For BFSI organisations, this translates into seven distinct audit areas, each with its own evidence requirements and risk profile.

  • ROPA completeness and accuracy: Every processing activity involving personal data must be documented in the Register of Processing Activities. The audit tests whether the register matches the reality of what systems actually process. A ROPA that lists 12 activities when IT runs 40 systems handling personal data is not a compliance artefact — it is a liability.
  • DPIA coverage and timing: High-risk processing requires a Data Protection Impact Assessment completed before processing begins. The audit verifies that DPIAs exist for all high-risk activities and that completion dates precede processing start dates.
  • Consent management controls: Where consent is the legal basis, the organisation must be able to produce consent records for named data principals. The audit tests whether consent can be retrieved, whether withdrawal mechanisms work, and whether processing actually stops after withdrawal.
  • Gap assessment and CAPA tracking: Compliance gaps identified through self-assessment or external review must have documented corrective and preventive actions with target dates. The audit tests whether CAPAs are tracked to closure and whether evidence supports the closure decision.
  • Policy governance: Privacy policies must be current, reviewed at defined intervals, approved by appropriate authority, and communicated to relevant personnel. The audit tests review dates, approval records, and distribution evidence.
  • Third-party processor oversight: Every processor handling personal data on behalf of the fiduciary requires a Data Processing Agreement with specific DPDP-compliant clauses. The audit tests whether DPAs exist, whether they contain required terms, and whether processor compliance is monitored.
  • Breach detection readiness: The organisation must demonstrate the ability to detect a breach within 72 hours and notify the Data Protection Board. The audit tests incident response plans, detection capabilities, notification templates, and simulation results.

Test procedures for each area

Audit procedures must be specific enough to produce repeatable results. General inquiries like "do you maintain a ROPA?" produce compliance theatre. Specific procedures produce evidence.

ROPA testing: Select a random sample of five processing activities from the ROPA. For each activity, verify that the legal basis is documented with a specific statutory reference — not just "legitimate interest" without further elaboration. Check that the DPO review timestamp exists and falls within the last 12 months. Compare the ROPA entry against the IT system inventory and verify that the data flows described in the ROPA match the actual system architecture. Where discrepancies exist, document them as findings.

DPIA testing: For every DPIA on file, verify that the completion date precedes the processing start date. Cross-reference against project management records or system go-live dates. A DPIA completed three months after a system went live is not a compliant DPIA — it is retrospective documentation. Test whether the DPIA identifies specific risks and whether mitigation measures are implemented and evidenced.

Consent testing: Select five named customers at random. Request the consent record for each. Measure the time required to produce the record. If the organisation cannot produce a consent record for a named individual within a reasonable timeframe, the consent management system is not functioning as described.

Gap and CAPA testing: Pull the gap assessment findings register. Select all findings marked as "closed" in the last quarter. For each, verify that closure evidence exists — not just a status change in a tracking system, but an artefact demonstrating the remediation action was completed.

Red flags auditors find

Experienced internal auditors develop pattern recognition for compliance programmes that exist on paper but not in practice. These are the most common red flags in DPDP programmes:

  • Processing activities visible in IT systems that do not appear in the ROPA
  • DPIAs with completion dates after the processing start date
  • Consent records that cannot be produced for named customers within a reasonable timeframe
  • Gap findings marked as closed without supporting evidence of remediation
  • Policies not reviewed since before the DPDP Rules 2025 came into effect
  • DPO review timestamps that cluster on a single date — suggesting bulk backdating
  • Processor DPAs that are template copies without entity-specific terms
  • Breach response plans that have never been tested through simulation

The timestamp test

A DPIA with a completion date after the processing start date is not just a compliance gap — it is evidence of retrospective documentation, which creates a much more serious regulatory exposure. Retrospective documentation suggests the organisation knew it needed a DPIA, proceeded without one, and attempted to create the appearance of compliance after the fact. This pattern is significantly worse than a genuine oversight, because it demonstrates awareness combined with non-compliance.
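The timestamp and coverage tests described in the procedures above, written out as an added example that is not code from the article or the CreativeCyber platform. The record fields (`dpo_review`, `completed`, `processing_start`, `system`) and all sample data are constructed for illustration, and the 50% clustering threshold is an assumed cut-off, not one the article specifies.

```python
from collections import Counter
from datetime import date

# Constructed sample records; field names are assumptions, not a real ROPA/DPIA schema.
ROPA = [
    {"id": "R1", "system": "core-banking", "dpo_review": date(2026, 1, 15)},
    {"id": "R2", "system": "kyc-portal", "dpo_review": date(2026, 4, 30)},
    {"id": "R3", "system": "crm", "dpo_review": date(2026, 4, 30)},
    {"id": "R4", "system": "loan-origination", "dpo_review": date(2026, 4, 30)},
    {"id": "R5", "system": "hr-payroll", "dpo_review": date(2024, 11, 2)},
]
SYSTEMS_WITH_PERSONAL_DATA = {"core-banking", "kyc-portal", "crm",
                              "loan-origination", "hr-payroll", "card-fraud-engine"}
DPIAS = [
    {"id": "D1", "completed": date(2025, 12, 1), "processing_start": date(2026, 1, 10)},
    {"id": "D2", "completed": date(2026, 3, 20), "processing_start": date(2025, 12, 15)},
]
AS_OF = date(2026, 5, 1)  # constructed audit fieldwork date

def retrospective_dpias(dpias):
    """Red flag: DPIA completed after processing began (retrospective documentation)."""
    return [d["id"] for d in dpias if d["completed"] > d["processing_start"]]

def stale_dpo_reviews(ropa, as_of, max_age_days=365):
    """Red flag: DPO review timestamp missing or older than 12 months."""
    return [r["id"] for r in ropa
            if r.get("dpo_review") is None or (as_of - r["dpo_review"]).days > max_age_days]

def backdating_cluster(ropa, min_share=0.5):
    """Red flag: a majority of review timestamps fall on one date (possible bulk backdating)."""
    counts = Counter(r["dpo_review"] for r in ropa if r.get("dpo_review"))
    if not counts:
        return None
    day, n = counts.most_common(1)[0]
    return day if n / len(ropa) >= min_share else None

def ropa_coverage_gaps(ropa, systems):
    """Red flag: systems processing personal data that have no ROPA entry."""
    return sorted(systems - {r["system"] for r in ropa})

if __name__ == "__main__":
    print("Retrospective DPIAs:", retrospective_dpias(DPIAS))
    print("Stale DPO reviews:", stale_dpo_reviews(ROPA, AS_OF))
    print("Review timestamps clustered on:", backdating_cluster(ROPA))
    print("Systems missing from ROPA:", ropa_coverage_gaps(ROPA, SYSTEMS_WITH_PERSONAL_DATA))
```

Each function returns the record identifiers to carry into the findings register, so the same checks can be re-run unchanged in the next audit cycle against the organisation's exported records.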

Reporting to the Audit Committee

The Audit Committee does not need a list of every ROPA entry or DPIA finding. It needs a risk-rated view of the organisation's DPDP compliance posture — what is working, what is not, and what the regulatory exposure looks like.

Structure audit reports around risk-rated findings linked to specific regulatory obligations. Each finding should reference the DPDP section it relates to, the severity of the gap, the evidence reviewed, and a clear remediation timeline with an accountable owner. Avoid generic recommendations like "improve data protection practices" — every recommendation should be specific enough to be testable in the next audit cycle.

A single compliance assurance score — derived from ROPA completeness, DPIA coverage, evidence sufficiency, and gap remediation progress — gives the committee a dashboard metric they can track quarter over quarter. The score must be computed from auditable inputs, not self-reported status updates. When the score drops, the committee should be able to drill into which dimension caused the decline and what the remediation plan is.

Effective audit reporting also distinguishes between systemic issues and isolated findings. A single missing DPIA is an isolated finding. A pattern of DPIAs consistently completed after processing starts is a systemic issue that indicates a broken process, not a one-time oversight.

CreativeCyber DPDP Assurance Platform

The platform provides internal auditors with read-only access to all compliance records — ROPA, DPIAs, gap assessments, evidence vault, and audit logs — enabling independent review without IT coordination. External auditor assignments have configurable expiry dates, ensuring access is time-bound and automatically revoked.
