At a glance
An audit moves personal data through several stages — client and promoter KYC at planning, an employee sample during fieldwork, bank confirmations, and working papers reviewed by the team and a senior reviewer. The DPDP Act applies throughout: notice, a lawful basis for what you collect, access limited to people on the file, and a retention clock for the working papers — under the profession’s own quality-control rule, ordinarily seven years from your audit report date — reconciled with the Act’s erasure duty, not layered on top of it.
Educational resource only. This explains how India’s Digital Personal Data Protection Act, 2023 (DPDP Act) applies to building a document workflow for statutory audit engagements; it is not formal legal advice.
The situation
An engagement letter and a risk assessment are where most firms start thinking about an audit — not a data flow. But between planning and sign-off, a typical statutory audit collects and moves more personal data than almost anything else a CA practice does: promoter and director KYC, an HR-and-payroll sample pulled for compliance testing, bank and debtor confirmation letters naming individuals, and working papers that get reviewed by more people than any other file in the practice. None of that pauses the client’s DPDP obligations, and — because the practice itself is deciding why and how that data is used for the engagement — it doesn’t pause the firm’s either.
What personal data moves through an audit engagement
A single audit touches identity data, financial data and other people’s data — often people who never dealt with the firm directly. Across a typical statutory audit:
- Client and promoter/director KYC — PAN, Aadhaar, DIN (Director Identification Number), address proof, collected at planning or carried over from onboarding.
- Employee and payroll data — sampled during fieldwork for statutory-compliance testing (PF, ESI, TDS), even though the firm’s engagement is with the company, not its staff.
- Third-party confirmations — bank balance confirmations, debtor/creditor circularisation letters, which name individuals and accounts outside the client entity.
- Working papers — the file itself, containing extracts of all of the above, reviewed by the engagement team and, for larger clients, an Engagement Quality Control Reviewer (EQCR).
- Related-party detail — director and promoter family transactions, disclosed for Companies Act purposes but personal data all the same.
The obligation that actually bites: DPDP doesn’t pause for fieldwork
Fieldwork tends to run on ad hoc requests and shared drives — exactly the habits the DPDP Act is written against. The client relationship already has a lawful basis for the engagement (consent at onboarding, or the audit itself as a legal obligation the client is subject to). What fieldwork adds is scale: more people requesting documents, more channels being used under deadline pressure, and — with the HR sample and third-party confirmations — personal data belonging to people who aren’t your client’s signatory and never agreed to anything with your firm directly. That data still needs a lawful basis (it flows from the client’s own legitimate-use ground for employment and financial-obligation processing, not a fresh consent your firm collects), and it still needs the same security and access discipline as everything else in the file.
Step-by-step: building a DPDP-clean audit workflow
Fix the workflow once, at the process level, rather than case by case per engagement.
- Add a DPDP line to the engagement letter. Name the categories of personal data the audit will involve (promoter KYC, employee sample, third-party confirmations), why, and who on the engagement team will access it.
- Route every fieldwork request through one channel. Replace ad hoc WhatsApp and personal-email document asks with a single portal or shared, access-controlled folder — the same fix that closes most of a practice’s general exposure, detailed in the client document collection guide below.
- Limit working-paper access to the engagement team. Not the whole firm — the partner, manager and staff actually assigned, plus the EQCR reviewer where one applies.
- Mask what circularisation doesn’t need. A bank confirmation letter needs the account and balance, not a scanned Aadhaar sitting in the same folder from an unrelated request.
- Set the retention clock at file closure, not on the fly. Log the auditor’s report date — that’s what starts the retention clock explained below — rather than leaving each file’s retention date to memory.
- Purge on schedule. Build the seven-year purge into the firm’s actual calendar or DMS retention rule, not a mental note.
Where SQC 1’s retention clock fits alongside your DPDP duty
Audit documentation runs on its own clock, and it’s shorter than the general client-record retention this hub’s overview covers. The Institute of Chartered Accountants of India’s (ICAI) Standard on Quality Control (SQC) 1 sets the retention period for engagement documentation — the working papers — at ordinarily no shorter than seven years from the date of the auditor’s report (or the group auditor’s report, if later). That’s distinct from the six-year Income Tax Act and eight-year Companies Act clocks that apply to the client’s own books of account, covered in this hub’s overview article. Both are “legal obligation” bases under the DPDP Act (Section 7) for holding the data that long — the point isn’t to delete sooner, it’s to actually purge the working-paper file once seven years from report date has passed, instead of letting it sit indefinitely because no one owns the deletion step.
Common slip-ups during fieldwork
Almost all of it traces back to speed over process during a tight reporting season.
- Bank confirmation letters and account-holder detail forwarded over personal email between team members working remotely.
- The full working-paper folder shared with the whole team rather than just the assigned engagement staff.
- HR sample data retained on a staff laptop long after the compliance test is signed off.
- No logged auditor’s-report date, so nobody knows when the seven-year working-paper clock actually started.
- Treating “it’s just for the audit” as a blanket basis — the audit relationship covers audit purposes; it doesn’t authorise using the same data for a separate advisory engagement without a fresh basis.
Group audits: sharing data with component auditors
A group audit routinely means personal data crossing firm boundaries — the principal auditor relying on a component auditor’s work for a subsidiary means the two firms are exchanging working papers, KYC extracts and sometimes the employee-sample data described above, not just a summary opinion. Where a group has subsidiaries audited by a different firm (a component auditor), the principal auditor’s reliance on that work typically involves reviewing the component auditor’s working papers, which can include the same categories of personal data — promoter KYC, employee samples, third-party confirmations — collected by an entirely separate firm under its own engagement. That exchange is a genuine inter-firm data flow, not an internal file-sharing question, and deserves the same discipline the firm applies to any external processor relationship: route the exchange through a controlled channel rather than ad hoc email between partners, limit what’s shared to what reliance actually requires (not the component auditor’s entire working-paper file where a summary extract would do), and be clear between the two firms about each one’s own retention clock for the shared material once the group audit concludes.
FAQ
Does sharing working papers with a component auditor in a group audit need special handling?
Yes — treat it as a genuine inter-firm data exchange, not routine internal sharing. Route it through a controlled channel, limit what’s shared to what reliance actually needs, and clarify each firm’s own retention period for the shared material.
Does the DPDP Act require separate consent from every employee sampled during fieldwork?
No — the client’s own legitimate-use ground for employment and statutory-compliance processing (Section 7) covers that flow; your firm processes it as part of the engagement, not on a fresh consent it collects from each employee.
How long must audit working papers be retained?
Ordinarily no shorter than seven years from the date of the auditor’s report, per ICAI’s SQC 1 — a firm-specific clock, distinct from the client’s own six- or eight-year record-retention duty under tax and company law.
Can bank confirmation and circularisation letters be emailed?
Nothing bans it outright, but a shared, access-controlled channel is a closer fit — it avoids the letters sitting scattered across personal inboxes for years past the engagement.
Who should have access to the working-paper file?
Only the assigned engagement team and, where applicable, the EQCR reviewer — not the whole firm by default.