Transformation & Tech · IT Risk & Technology Assurance
IT Governance & Compliance Reviews
IT governance failures rarely announce themselves as IT problems first.
Chartered Accountants · Chennai · Hyderabad · Bangalore · Dubai · Since 1986
IT governance failures rarely announce themselves as IT problems first. They surface as a qualified audit opinion on Internal Financial Controls, a CERT-In breach-reporting deadline missed by a founder who did not know it existed, a data-fiduciary obligation under the Digital Personal Data Protection Act that nobody in finance had mapped, or a due-diligence data room that cannot produce evidence of access controls over the accounting system. PNPC Global reviews IT governance and technology risk the way a practising CA reviews financial controls — because the same discipline that produces a clean statutory audit opinion is what produces a defensible IT governance framework. Since 1986 we have sat on the finance and assurance side of hundreds of Indian and UAE businesses; our IT governance reviews are built on that vantage point, not on a generic cybersecurity checklist bought off a shelf.
What it costs
No hidden charges. The exact figure is set in your engagement letter.
IT Governance & Compliance Reviews are a structured assessment of how an organisation plans, controls, and safeguards its information technology environment against recognised governance frameworks and applicable Indian regulatory requirements. In practice this means evaluating IT policies, access controls, data protection practices, vendor and third-party risk management, business continuity and disaster recovery arrangements, change management discipline, and incident response readiness against benchmarks such as ISO/IEC 27001 (information security management systems), COBIT (Control Objectives for Information and Related Technologies, a governance and management framework widely referenced by internal auditors), and the specific statutory and regulatory obligations that apply to Indian entities — including the Digital Personal Data Protection Act 2023 (DPDP Act), CERT-In's cybersecurity incident reporting directions, sector-specific RBI and SEBI IT governance and outsourcing circulars for regulated entities, and the Internal Financial Controls (IFC) requirements under Section 134(5) of the Companies Act 2013 to the extent IT general controls affect financial reporting.
The review is not a penetration test or a technical vulnerability scan, though findings from such technical assessments (where already available) are used as inputs. It is a governance and controls review — examining whether IT decision-making has proper oversight (Board or management committee involvement in technology risk), whether policies exist and are actually followed in practice, whether access to financial and customer data is appropriately restricted and monitored, whether third-party vendors and cloud service providers are contractually and operationally managed for risk, and whether the organisation could demonstrate compliance if a regulator, auditor, or investor asked for evidence tomorrow. For companies preparing for statutory audit, board of directors' certification of IFC adequacy, an investor due-diligence process, an ISO 27001 certification effort, or building out a formal audit and risk committee, this is precisely the review that produces defensible, evidence-backed answers.
Why a CA firm, rather than a pure cybersecurity or IT audit firm, delivers this differently: the financial reporting, statutory compliance, and regulatory-notification consequences of an IT governance gap are frequently the most material consequences a business faces — more material, in many cases, than the technical vulnerability itself. A missed CERT-In reporting deadline (mandated within six hours of noticing a covered incident under CERT-In's 2022 directions) carries direct regulatory exposure. A weak IT general control environment can result in a qualified or adverse Internal Financial Controls opinion in the statutory auditor's report — with direct consequences for the company's credibility with lenders, investors, and the Board. A DPDP Act non-compliance in how customer or employee personal data is processed carries its own penalty framework once the Act's provisions and rules are brought into force and become operative. We review technology risk through the same statutory-consequence lens we apply to every other compliance area — because that is the lens that determines what actually matters to your Board, your auditor, and your regulator.
The deliverable is a structured findings report — gaps identified against the chosen framework(s) and applicable law, risk-rated, with a prioritised remediation roadmap — plus, where the engagement scope includes it, support implementing the highest-priority remediations and periodic follow-up reviews. We do not issue an ISO 27001 certificate (that requires an accredited certification body) or a CERT-In empanelled auditor's technical security audit certificate (that requires a CERT-In empanelled auditor for specific mandated purposes) unless the specific engagement is scoped and staffed for that distinct purpose; our core IT governance review is the internal-facing readiness and controls assessment that typically precedes and prepares an organisation for those external certifications, or that stands alone as good governance practice and Board-level assurance.
When an IT Governance & Compliance Review adds real value
Your statutory auditor's Internal Financial Controls assessment has flagged IT general control weaknesses (access management, change management, backup/recovery) that need to be remediated before the next audit cycle
You are preparing for an institutional funding round or M&A due diligence and need to demonstrate a defensible technology governance and data protection posture to investors or acquirers
You process personal data of Indian customers or employees at meaningful scale and need to assess your readiness against the Digital Personal Data Protection Act 2023 and its rules as they come into force
Your Board or Audit Committee has asked for independent assurance on cybersecurity and IT risk — a common and increasingly expected governance practice, particularly for companies with institutional investors or listed-company aspirations
You are pursuing ISO 27001 certification (or SOC 2, for businesses selling to international enterprise customers) and want a readiness gap assessment before engaging a certification body
You are a regulated entity (NBFC, payment aggregator, insurance intermediary, or similar) subject to RBI or SEBI IT governance, outsourcing, or cybersecurity framework circulars and need a compliance review against those specific requirements
A recent security incident, near-miss, or vendor data breach has exposed the absence of a formal incident response plan, and you need both remediation and support determining whether CERT-In reporting obligations were triggered
You rely heavily on cloud service providers, SaaS vendors, or outsourced IT/BPO providers and have never formally assessed third-party and vendor risk across that stack
When this is not the right engagement
You need a technical penetration test or vulnerability scan of your applications and network infrastructure — that is a specialised technical security testing engagement; we can recommend and coordinate with a qualified technical security partner, and incorporate their findings into a governance review, but our engagement itself is a controls and governance assessment, not a technical exploit-based test
You need formal ISO 27001 certification issued in your company's name — that requires an accredited certification body to conduct the certification audit; PNPC's review prepares you for that certification but does not itself issue it
You need a CERT-In empanelled auditor's certificate for a specific regulatory purpose (for example, certain RBI-mandated cybersecurity audits) — that requires engaging an auditor specifically empanelled by CERT-In for that purpose; we can advise on scoping and readiness but flag clearly where a CERT-In empanelled auditor is a hard statutory requirement
Your business has no digital footprint of consequence — a single-location retail business with no online transactions, no customer database, and no cloud systems is unlikely to need a formal IT governance review at this stage; the cost is unlikely to be justified until genuine technology and data complexity exists
You need hands-on IT infrastructure implementation, network engineering, or software development — our review identifies and prioritises what needs to be fixed; the technical build-out itself is typically executed by your internal IT team or a technical implementation partner, with PNPC available to validate against the agreed control design
You are looking only for a generic, templated cybersecurity policy document with no assessment of your actual environment — a review that is not grounded in your real systems, data flows, and vendor landscape will not hold up under audit or regulatory scrutiny, and we do not offer this as a standalone product
Approaches to IT governance and compliance assurance — how they compare
| Approach | Who Leads It | Statutory/Regulatory Literacy | Typical Outcome | Best Suited For |
|---|---|---|---|---|
| Generic cybersecurity vendor audit | Technical security consultancy | Low — focused on technical vulnerabilities, not statutory/regulatory obligations | A technical findings list (vulnerabilities, patch gaps) with limited linkage to DPDP Act, CERT-In, or IFC requirements | Businesses that already have governance and compliance covered and need a purely technical assessment |
| Big-4 or large IT audit firm engagement | Dedicated IT audit practice, typically at enterprise pricing | High, but often priced and scoped for large enterprises with dedicated in-house IT/security teams | Comprehensive but expensive; may be disproportionate for a mid-sized or owner-managed business | Large, complex, or regulated enterprises with the budget and internal capacity to act on extensive findings |
| Internal IT team self-assessment | In-house CTO/IT manager | Variable — depends entirely on the internal team's regulatory awareness alongside technical skill | Can be thorough on technical controls but frequently misses statutory notification deadlines and Companies Act/DPDP linkages that sit outside a typical IT team's remit | Organisations with a strong, regulation-aware internal IT/security leader who wants an independent second opinion rather than a full external review |
| PNPC IT Governance & Compliance Review | Practising CA firm, statutory-consequence-first, framework-literate (ISO 27001, COBIT) and India-regulation-literate (DPDP Act, CERT-In, IFC, RBI/SEBI circulars) | High — every finding is mapped to the specific statutory or regulatory consequence, not generic best practice alone | A risk-rated, prioritised remediation roadmap that a Board, auditor, or investor can rely on as evidence of governance discipline | Owner-managed businesses, startups, and mid-sized enterprises without a large dedicated IT audit function, especially those also managing statutory audit, Companies Act, and India-UAE compliance with PNPC |
| Do nothing / defer | No one | N/A | IT governance gaps remain undocumented and unaddressed until surfaced by an incident, an auditor's IFC observation, or an investor's diligence question — at which point remediation is reactive and more costly | Only appropriate for genuinely early-stage, low-complexity businesses with minimal digital footprint — not a sustainable posture as the business scales |
This table is directional. The right approach depends on your sector, regulatory status (regulated entity or not), data sensitivity, existing IT maturity, and whether formal certification (ISO 27001, SOC 2) is a near-term objective. A scoping conversation with a PNPC CA is the right starting point before choosing an approach.
| # | Stage & What PNPC Does | Why This Matters (What Generic IT Audits Miss) | Timeline |
|---|---|---|---|
| 1 | Scoping & Framework Selection — agreeing which frameworks and regulations apply | We do not apply a single generic checklist. We first establish which frameworks are actually relevant — ISO 27001 if certification is a goal, COBIT for governance structure, DPDP Act for personal data handling, CERT-In directions if you operate any Indian IT infrastructure, RBI/SEBI circulars if you are a regulated entity — because reviewing against the wrong or incomplete framework set produces a report that looks thorough but misses what actually matters to your regulator. | Week 1 |
| 2 | Governance Structure Review — Board/management oversight of technology risk | We assess whether technology risk is genuinely visible at Board or Audit Committee level, or whether it exists only as an operational IT-team concern with no governance oversight — a gap that directly affects the credibility of your IFC certification and Board's own risk-oversight duty under the Companies Act. | Week 1–2 |
| 3 | Policy & Documentation Review — existence and actual adherence, not just existence | A policy document that exists on a shared drive but that no one follows is worse than no policy at all in an audit or regulatory context, because it demonstrates the organisation knew the standard and did not enforce it. We test adherence, not just existence — interviewing staff and sampling actual practice against the documented policy. | Week 2–3 |
| 4 | Access Control & Identity Management Assessment | We review who has access to financial systems, customer data, and core business applications, whether access is provisioned and revoked on a documented approval basis, and whether privileged/administrative access is separately controlled and logged — this is consistently the single most common IT general control weakness we find, and the one statutory auditors query most often under IFC testing. | Week 2–4 |
| 5 | Data Protection & DPDP Act Readiness Assessment | We map your actual personal data flows — what personal data you collect, from whom, why, where it is stored, who can access it, and whether consent, purpose limitation, and data-fiduciary obligations under the DPDP Act 2023 are addressed — rather than relying on a generic 'we have a privacy policy' assumption. | Week 3–4 |
| 6 | Third-Party & Vendor Risk Review | We assess your cloud service providers, SaaS vendors, outsourced IT/BPO arrangements, and payment processors for contractual data protection commitments, security certifications held by the vendor, and whether you have any visibility into their incident notification obligations to you — a gap that regularly surfaces only after a vendor-side breach affects your data. | Week 3–5 |
| 7 | Business Continuity & Disaster Recovery Review | We assess whether backup, recovery, and business continuity arrangements are documented, tested (not just assumed to work), and realistic for your actual recovery time expectations — an area where many organisations discover gaps only during an actual outage. | Week 4–5 |
| 8 | Incident Response & CERT-In Readiness Review | We assess whether you have a documented incident response plan, whether staff know what constitutes a reportable cybersecurity incident under CERT-In's directions, and whether the six-hour reporting clock and required reporting channels are understood — this is a specific, time-bound statutory obligation that generic IT audits frequently do not address at all. | Week 4–5 |
| 9 | Change Management & IT General Controls Testing | For companies where IT systems feed financial reporting, we test whether changes to core financial and business-critical systems follow a documented approval, testing, and deployment process — this maps directly to the IT general controls testing your statutory auditor performs as part of the IFC assessment. | Week 5–6 |
| 10 | Risk-Rated Findings Report & Remediation Roadmap | Every finding is rated by likelihood and impact and mapped explicitly to the specific standard or regulation it relates to (an ISO 27001 control reference, a DPDP Act obligation, a CERT-In direction, an IFC control objective) — so the report is directly usable as evidence for your Board, auditor, or investor, not a generic narrative. | Week 6–7 |
| 11 | Management Response & Prioritisation Workshop | We walk through findings with management and the Board/Audit Committee, agree realistic remediation timelines against actual budget and resource constraints, and formally document management's response to each finding — the documented response itself becomes part of your governance evidence trail. | Week 7–8 |
| 12 | Remediation Support (Where in Scope) | For the highest-priority findings, PNPC can support drafting or revising policies, designing the access control and approval workflows, and coordinating with technical implementation partners for the hands-on build — while PNPC validates the result against the agreed control design. | Week 8 onward, scope-dependent |
| 13 | Follow-Up Review & Periodic Reassessment | IT governance is not a one-time exercise — frameworks are updated, DPDP Act rules and enforcement guidance evolve, CERT-In directions are refreshed, and your own technology stack changes. We recommend an annual or milestone-triggered follow-up review, not a one-time report that goes stale. | Annually, or at major technology/regulatory change events |
Realistic end-to-end timeline for a full governance review with findings report: 6–8 weeks for a mid-sized single-entity business; longer for multi-entity, multi-jurisdiction, or regulated-sector engagements. A narrower, scope-limited review (for example, DPDP Act readiness only, or IFC-linked IT general controls only) can typically be completed in 3–4 weeks. Timelines are illustrative and depend on organisational size, system complexity, and how quickly requested documentation and stakeholder interviews can be scheduled.
Existing IT policy, information security policy, data protection/privacy policy, and acceptable use policy, if any currently exist
Organisation chart showing who owns IT, information security, and data protection decisions, and whether any Board or management committee has formal technology risk oversight
Minutes of any Board or Audit Committee discussion of technology or cybersecurity risk in the last 12–24 months, if available
Any prior IT audit, penetration test, or security assessment reports, along with evidence of remediation actions taken
Business continuity plan and disaster recovery plan documentation, if formalised
List of all core business and financial systems in use (accounting/ERP, CRM, payroll, HRMS, e-commerce platform, custom applications), including whether cloud-hosted or on-premise
List of cloud service providers and major SaaS vendors used, with details of the data each stores or processes
Current access control practice — how user accounts are provisioned, approved, and revoked, and whether privileged/admin access is separately logged
Network and infrastructure diagram or description, even informal, showing how systems connect and where data resides
Details of any backup arrangement — frequency, storage location, and whether recovery has ever been tested
Description of what categories of personal data are collected (customer, employee, vendor) and for what stated purposes
Copy of any current privacy policy or consent mechanism used on customer-facing platforms
List of any personal data shared with third parties, including cross-border transfers if applicable
Data retention practice — how long personal data is kept and whether deletion/purging is systematised or manual
Any prior data subject complaint, breach, or near-miss incident involving personal data, with details of how it was handled
List of all outsourced IT, BPO, cloud infrastructure, and payment processing vendors, with copies of key contracts if available
Evidence of vendor security certifications (ISO 27001, SOC 2, PCI-DSS where relevant) held by critical vendors, if collected
Any vendor-side breach notification received in the past, and how it was managed internally
Due diligence or onboarding checklist currently used (if any) when engaging a new technology vendor
Confirmation of regulatory status — whether the entity is an NBFC, payment aggregator, insurance intermediary, or otherwise subject to RBI/SEBI-specific IT governance or outsourcing circulars
Statutory auditor's management letter or prior-year IFC observations relevant to IT general controls, if available
Details of any prior CERT-In reportable incident, or any internal assessment of whether an incident met the reporting threshold
List of jurisdictions in which the company operates or holds data, relevant to cross-border data transfer and applicable law considerations
A plain-language statement of what triggered the review — an audit observation, funding round, incident, Board request, certification goal, or proactive governance practice
Whether ISO 27001 or SOC 2 certification is a near-term objective, and if so, target timeline
Budget range available for remediation (policy work, technical controls, potential tooling), even an approximate range
Names and roles of the internal stakeholders who will be involved in interviews — IT/technical staff, finance, HR (for employee data), and any Board/Audit Committee representative
| Phase | Triggered By | PNPC CA Guidance | Risk If Ignored |
|---|---|---|---|
| Scoping & Assessment (Week 1–4) | Decision to conduct a governance review | Framework selection, governance structure review, policy and access control assessment, data protection and vendor risk review — building the full current-state picture against applicable standards and law. | A review scoped against the wrong or incomplete framework set produces findings that look thorough but miss the specific obligations (DPDP Act, CERT-In, IFC) that actually carry regulatory or audit consequence. |
| Findings & Remediation Planning (Week 5–8) | Assessment complete | Risk-rated findings report mapped explicitly to the relevant standard or regulation, management response workshop, and a realistic, budget-aware remediation roadmap agreed with the Board or leadership team. | Findings presented without statutory mapping or realistic prioritisation are often shelved — the report exists but nothing changes, leaving the same exposure the review was meant to address. |
| Remediation Execution (Month 2–4) | Roadmap approved | PNPC supports policy drafting, access control redesign, and coordination with technical implementation partners for the highest-priority items; validates the technical build against the agreed control design. | Remediation executed without governance oversight can drift from the agreed design, particularly for access control and data protection changes that need to survive future audit testing. |
| Evidence Consolidation (Month 3–5) | Remediation substantially complete | Consolidation of evidence — updated policies, access logs, vendor contract amendments, tested backup/recovery records — into an audit-ready evidence pack for statutory auditors, the Board, or investor due diligence. | Remediation without evidence consolidation leaves the organisation unable to demonstrate compliance when actually asked — the improvements exist but cannot be proven on demand. |
| Certification Pursuit (If in Scope) | Business decides to pursue ISO 27001 or SOC 2 | Readiness gap assessment against the specific certification standard, coordination with an accredited certification body, and support through the certification audit process (Stage 1 and Stage 2 for ISO 27001). | Approaching a certification body without a prior readiness assessment risks a failed or significantly delayed certification audit, with associated cost and reputational impact. |
| Incident Event | A cybersecurity incident occurs | Rapid assessment of whether CERT-In reporting thresholds are met and the six-hour reporting clock applies, activation of the incident response plan, and post-incident review to strengthen controls. | A missed CERT-In reporting deadline carries direct regulatory exposure; an unmanaged incident response also risks greater data loss, business disruption, and reputational harm than a well-rehearsed response. |
| Statutory Audit Cycle | Annual financial statement audit | Coordination with the statutory auditor's IT general controls testing for the IFC assessment; evidence of remediated access control, change management, and backup practices presented proactively. | Unaddressed IT general control weaknesses can result in a qualified or adverse IFC opinion in the auditor's report under Section 134(5) of the Companies Act, with direct Board and investor-relations consequences. |
| Recurring Review | Annual, or at major technology/regulatory change | Framework and regulatory landscape refreshed (DPDP Act rules evolving, CERT-In direction updates, new vendors or systems onboarded); governance review repeated to confirm continued adequacy. | Frameworks and regulations continue to evolve after the first review; a governance posture assessed once and never revisited becomes stale and can silently drift out of compliance as the business and regulatory landscape change. |
What exactly is an IT Governance & Compliance Review, and how is it different from a cybersecurity audit?
It is a structured assessment of how your organisation governs and controls its technology environment — policies, access controls, data protection practices, vendor risk, business continuity, and incident response — measured against recognised frameworks (ISO 27001, COBIT) and applicable Indian law (the DPDP Act, CERT-In directions, Companies Act Internal Financial Controls requirements, and sector-specific RBI/SEBI circulars where relevant). A cybersecurity audit or penetration test is a technical assessment of specific vulnerabilities in your systems and network. Our review is broader and governance-focused — it asks whether the right oversight, policies, and controls exist and are actually followed, not only whether a specific system has an exploitable flaw.
Why would a Chartered Accountancy firm, rather than a specialist cybersecurity firm, conduct this review?
Because the consequences that matter most for most Indian businesses are statutory and financial-reporting consequences, not purely technical ones — a qualified Internal Financial Controls opinion, a missed CERT-In reporting deadline, a DPDP Act non-compliance, or an investor due-diligence red flag. We review technology risk through the same statutory-consequence lens we apply to every other compliance area, because that lens is what determines whether a finding is a genuine priority or a lower-order technical observation. We work alongside specialist technical security partners for deep technical testing, incorporating their findings into the broader governance picture.
Is this review mandatory under Indian law, or is it a voluntary governance practice?
There is no single statute that mandates 'an IT Governance & Compliance Review' by that name for most companies. However, several underlying obligations effectively require the substance of what this review covers: Section 134(5) of the Companies Act 2013 requires directors to state that internal financial controls are adequate and operating effectively, which for most companies today includes IT general controls over financial systems; CERT-In's 2022 directions impose mandatory incident reporting obligations on a broad range of entities operating IT systems in India; the DPDP Act 2023 imposes data-fiduciary obligations on entities processing personal data of individuals in India, with rules and enforcement mechanisms continuing to be operationalised; and regulated entities (NBFCs, payment aggregators, and others) face specific RBI or SEBI IT governance and cybersecurity circular requirements. The review itself is not mandated by name, but the underlying compliance it verifies substantially is.
Our statutory auditor flagged IT general control weaknesses in the management letter. Is this the right service to address that?
Yes — this is one of the most common and direct triggers for this engagement. We review the specific IT general controls your auditor tested (access provisioning and revocation, change management approval, backup and recovery, segregation of duties in system permissions) and design a remediation plan that directly addresses the auditor's observations, so the following year's audit does not repeat the same finding.
What is COBIT, and why does it matter for a mid-sized business, not just large enterprises?
COBIT (Control Objectives for Information and Related Technologies) is a widely referenced IT governance and management framework, maintained by ISACA, that structures how an organisation should govern technology decisions, manage risk, and measure performance against business objectives. It is commonly used by internal and external auditors as a reference point when assessing IT governance maturity. While large enterprises often adopt COBIT formally and comprehensively, mid-sized businesses benefit from applying its core governance principles — clear ownership, documented processes, measurable controls — proportionately, without needing the full enterprise-scale implementation.
What is ISO/IEC 27001, and does PNPC issue the certification?
ISO/IEC 27001 is the internationally recognised standard for an Information Security Management System (ISMS) — a systematic approach to managing sensitive company and customer information so that it remains secure. Certification against ISO 27001 requires an audit by an accredited certification body, which PNPC is not; PNPC's role is to conduct a readiness gap assessment, help remediate identified gaps, and prepare your documentation and controls so that when you do engage a certification body, the Stage 1 and Stage 2 audits proceed smoothly rather than surfacing gaps for the first time.
What is the Digital Personal Data Protection Act 2023, and how does it affect our IT governance obligations?
The DPDP Act 2023 is India's principal data protection statute, establishing obligations for entities (termed 'Data Fiduciaries') that determine the purpose and means of processing personal data of individuals ('Data Principals') in India. Core obligations include obtaining valid consent (or relying on specified legitimate uses), limiting processing to the stated purpose, implementing reasonable security safeguards to prevent personal data breaches, and notifying the Data Protection Board and affected individuals in the event of a breach, in the manner and timeline the rules prescribe. The Act's detailed rules and the Data Protection Board's operational framework have continued to be finalised and phased in since the Act's passage, so specific compliance timelines and enforcement mechanics should be verified as current at the time of your review rather than assumed static.
What are CERT-In's cybersecurity incident reporting directions, and what is the six-hour rule?
CERT-In (the Indian Computer Emergency Response Team) issued directions in 2022 under Section 70B of the Information Technology Act 2000 that require a broad category of entities to report specified types of cybersecurity incidents to CERT-In within six hours of noticing the incident or being brought to notice of the incident, and to maintain certain logs for a prescribed retention period. The categories of reportable incidents include data breaches, ransomware attacks, unauthorised access to critical systems, and several other specified event types. This is a genuinely time-bound obligation — most organisations without a documented incident response plan have no practical way to identify, escalate, and report within that window.
We are an NBFC / payment aggregator / SEBI-regulated intermediary. Does this review cover our sector-specific IT governance obligations?
Yes, where relevant to your specific regulatory status. RBI and SEBI have issued sector-specific circulars addressing IT governance, cybersecurity frameworks, outsourcing of IT services, and business continuity for regulated entities — the specific requirements vary meaningfully by the type of regulated entity and the applicable circular in force. We scope the review to include the specific circular(s) applicable to your registration category as part of the initial framework-selection stage, rather than treating regulated entities the same as unregulated businesses.
How does this review connect to our Internal Financial Controls (IFC) certification under the Companies Act?
Section 134(5)(e) of the Companies Act 2013 requires directors of most companies to state in the Board's report that the company has adequate internal financial controls in place and that such controls were operating effectively during the year. Where financial reporting relies on IT systems (which is the case for virtually every company today), IT general controls — access management, change management, backup and recovery — form part of what the statutory auditor tests and what the Board is certifying. Our review directly supports this certification by identifying and helping remediate IT general control weaknesses before they surface as an audit finding or, worse, an inaccurate Board certification.
How long does a full IT Governance & Compliance Review take?
A full review — scoping, governance structure review, policy and access control assessment, data protection and vendor risk review, business continuity and incident response review, and a risk-rated findings report — typically takes 6–8 weeks for a mid-sized single-entity business. A narrower, scope-limited review focused on a single area (for example, DPDP Act readiness only, or IT general controls linked to the IFC assessment only) can typically be completed in 3–4 weeks. Multi-entity, multi-jurisdiction, or regulated-sector engagements generally take longer.
What does the review actually produce — a document, or something we can act on?
A structured, risk-rated findings report where every finding is explicitly mapped to the specific standard or regulation it relates to (an ISO 27001 control clause, a DPDP Act obligation, a CERT-In direction, a Companies Act IFC control objective), together with a prioritised, realistic remediation roadmap. We also run a management response workshop with your leadership team or Board/Audit Committee to agree remediation ownership and timelines — the documented management response itself becomes part of your governance evidence trail for future audits or due diligence.
Do you also implement the remediations, or only identify them?
Both, depending on the engagement scope agreed. For policy drafting, access control workflow redesign, and governance documentation, PNPC typically leads the work directly. For hands-on technical implementation (configuring specific security tooling, network-level changes, application code changes), we coordinate with your internal IT team or a technical implementation partner and validate the result against the agreed control design — similar to how we approach implementation oversight in our broader Digital Transformation Advisory engagements.
How much does an IT Governance & Compliance Review cost?
Fees depend on scope — a full review across all areas (governance, access control, data protection, vendor risk, business continuity, incident response) for a mid-sized single-entity business is typically a fixed fee agreed upfront based on organisational size and system complexity. A narrower, scope-limited review costs proportionately less. Remediation support, where in scope, is generally structured as an additional phase, either fixed-fee or milestone-based. We provide a written scope and fee proposal before any engagement begins — there is no standard published price because system complexity and regulatory exposure vary significantly by business.
We are a startup with under 20 employees and use mostly off-the-shelf SaaS tools. Is this review relevant at our stage?
It can be, particularly if you are approaching a funding round (investors increasingly ask data-room questions about data protection and access control practices), if you process any meaningful volume of customer personal data, or if you are preparing for your first statutory audit. For a genuinely early-stage business with minimal data sensitivity and no near-term funding or audit trigger, a lighter-touch review — focused on the highest-risk areas only — may be more proportionate than the full engagement, and we will scope it that way rather than oversell.
What is the single most common finding PNPC encounters in these reviews?
Access control weaknesses — specifically, financial and customer-data systems where access is not provisioned through a documented approval process, where former employees' access is not promptly revoked, and where privileged/administrative access is not separately logged or restricted. This single control area is consistently the most common finding across both statutory audit IFC testing and our broader governance reviews, and it is often the fastest and least costly gap to remediate relative to the risk it represents.
Does the review cover cloud service providers like AWS, Azure, or Google Cloud specifically?
Yes, as part of the third-party and vendor risk review. We assess your configuration and usage of cloud infrastructure (not the cloud provider's own infrastructure security, which is the provider's responsibility under the shared-responsibility model most cloud providers operate) — access management to your cloud accounts, data residency and storage location, backup configuration, and whether security certifications held by the provider are relevant to your specific compliance needs (for example, data residency requirements that may apply to certain regulated sectors).
What happens if the review finds a serious, urgent gap — do you wait until the final report to flag it?
No. If we identify a genuinely urgent gap during the review — for example, an active unpatched vulnerability in production, a completely absent access revocation process, or evidence of an unreported incident that may meet CERT-In's reporting threshold — we flag it immediately to management, not at the final report stage. Time-sensitive findings, particularly anything with a statutory reporting clock attached, are escalated as soon as identified.
Can this review help us respond to a specific data breach or security incident that has already occurred?
Yes, though the immediate incident response itself (containment, technical investigation, and any required CERT-In notification) is typically a more urgent, time-boxed engagement than the standard governance review. We can support the immediate response — assessing reporting obligations and coordinating with technical incident responders — and then, once the immediate incident is contained, conduct a focused post-incident governance review to identify and remediate the underlying control gaps that allowed the incident to occur.
We operate entities in both India and the UAE. Does the review cover both jurisdictions?
Yes — with offices in Chennai, Bangalore, Hyderabad, and Dubai, we assess both the Indian entity's obligations (DPDP Act, CERT-In, Companies Act IFC linkage, RBI/SEBI circulars where applicable) and, where the UAE entity is in scope, relevant UAE data protection requirements (including obligations under UAE federal data protection law and any applicable free zone-specific data protection regulations, such as those in DIFC or ADGM, which differ from UAE mainland requirements). Cross-border data transfer between the two entities is specifically assessed, since it carries distinct compliance considerations on both sides.
Is this review a one-time exercise, or should it be repeated periodically?
It should be repeated periodically — we recommend at least an annual review, and additionally whenever a significant trigger occurs: a new core system is adopted, a new jurisdiction of operation is added, a significant regulatory update is issued (a new DPDP Act rule, an updated CERT-In direction, a new RBI/SEBI circular), or a security incident occurs. IT governance frameworks and the underlying regulatory landscape continue to evolve, and a governance posture assessed once and never revisited becomes stale.
Who at PNPC actually delivers this review — is it the same team that does our statutory audit?
The engagement is led by a practising Chartered Accountant with experience across statutory audit, Internal Financial Controls testing, and technology governance, supported where needed by team members with hands-on IT and information security assessment experience. Where PNPC is also your statutory auditor, we coordinate (subject to the independence requirements applicable to statutory audit engagements) so that IT general control findings inform, rather than duplicate, the audit's own IFC testing.
Can this review help us if we are considering cyber insurance?
Yes, indirectly. Cyber insurance underwriters increasingly ask detailed questions about access controls, incident response readiness, backup practices, and data protection measures as part of underwriting and premium determination. A documented governance review with evidence of remediated gaps can materially strengthen a cyber insurance application and may support more favourable underwriting terms, though PNPC does not itself arrange or broker insurance policies.
What is the difference between this review and PNPC's Digital Transformation Advisory service?
Digital Transformation Advisory is forward-looking — it helps you plan, sequence, and implement new systems and process automation, with governance and control design built in from the start. IT Governance & Compliance Reviews are assessment-focused — they evaluate your existing environment (new or old) against governance frameworks and statutory obligations and produce a remediation roadmap. In practice the two are complementary: a governance review often surfaces the need for a broader systems transformation, and a transformation project should incorporate governance and control design as a core workstream, which our transformation advisory already does.
Does the review look at physical security of IT infrastructure, or only digital/logical controls?
Primarily digital and logical controls — access management, data protection, network and application-level governance — since that is where the majority of statutory and regulatory risk for most Indian businesses concentrates today, particularly with widespread cloud adoption. Where a business maintains meaningful on-premise infrastructure (a server room, physical data centre, or similar), we include a proportionate physical security review of that specific environment as part of the broader scoping discussion.
If we fail to act on the findings, what is PNPC's ongoing responsibility?
Our responsibility is to deliver an accurate, professionally rigorous assessment and a realistic remediation roadmap, and to be clear and direct with your Board or leadership about the risk of unaddressed findings — including flagging genuinely urgent items outside the normal reporting cadence, as noted above. We do not have an ongoing monitoring or enforcement role beyond the engagement scope agreed; if remediation is not acted on, that is a management and Board decision and risk-acceptance matter, which we document clearly so it is an informed decision rather than an overlooked one.
Can a small NGO or Section 8 company that handles donor and beneficiary data benefit from this review?
Yes, particularly where the organisation processes beneficiary personal data (which can include sensitive categories depending on the nature of the NGO's work) or handles donor payment information. NGOs are not exempt from DPDP Act obligations simply by virtue of their non-profit status where they process personal data as a data fiduciary, and donor and grant-funder due diligence increasingly asks about data protection practices. We scope these reviews proportionately to the NGO's actual scale and data sensitivity.
How does PNPC keep the review current given how quickly technology risk and regulation evolve?
We treat the frameworks and regulatory references used in each review as a living reference set, updated at the time of each engagement — ISO 27001 and COBIT are periodically revised, DPDP Act rules and Data Protection Board guidance continue to be operationalised, CERT-In directions are refreshed, and RBI/SEBI circulars are updated regularly for regulated sectors. Every engagement begins by confirming the current, applicable version of each relevant standard or regulation, rather than relying on a static internal checklist that may reference an outdated version.
What is the difference between IT governance and IT security — are we buying two things or one?
IT security is the set of technical and procedural measures that protect systems and data from unauthorised access, loss, or disruption — firewalls, encryption, patching, access controls. IT governance is the broader oversight layer that decides how security (and technology generally) is planned, resourced, measured, and accounted for at the Board and management level, and ensures the organisation can demonstrate that oversight to a regulator or auditor. You need both, and they are not substitutes for each other — strong technical security with no governance oversight leaves the Board unable to demonstrate accountability; strong governance language with weak underlying technical security is equally exposed. Our review sits primarily in the governance layer, informed by technical security findings where available.
Can PNPC review our IT governance as part of preparing for a listed-company (IPO) transition?
Yes — this is a common trigger for larger, later-stage clients. A company preparing for a public listing faces materially higher governance expectations, including more rigorous IFC certification scrutiny, SEBI Listing Obligations and Disclosure Requirements (LODR) considerations relevant to technology risk disclosure, and heightened investor and analyst attention to cybersecurity and data governance practices. We scope IPO-readiness IT governance reviews specifically around the elevated standard a listed company (and its Audit Committee) is expected to meet, distinct from the standard private-company review.
Does this review cover email security and phishing-resistance specifically?
Yes, as part of the broader access control and incident-readiness assessment — email remains one of the most common initial attack vectors for the kinds of incidents that trigger CERT-In reporting obligations and data breaches. We assess whether basic email authentication controls (SPF, DKIM, DMARC configuration), multi-factor authentication on email accounts, and staff awareness/training practices are in place, though a full technical phishing-simulation exercise is a more specialised technical engagement we can recommend a partner for if warranted.
How does the review treat 'Bring Your Own Device' (BYOD) practices where staff use personal phones and laptops for work?
We assess whether a BYOD policy exists, whether it addresses access to company email, financial systems, and customer data from personal devices, and whether basic controls (device passcodes, remote-wipe capability for company data, restrictions on storing sensitive data locally) are in place or even feasible given your current tooling. BYOD is common in Indian mid-sized businesses and startups, and it is frequently an unaddressed gap precisely because it does not involve company-owned hardware and so does not appear on a typical asset inventory.
We just completed a funding round and our investors asked us to formalise IT governance as a condition. How quickly can PNPC help us close that condition?
This is a common post-funding scenario, and we typically prioritise it for rapid turnaround — a focused review addressing the specific conditions or representations in the investment/shareholders' agreement (rather than the full end-to-end review) can often be scoped and delivered within 3–4 weeks, depending on the specific commitments made in the funding documents and the current state of your systems.
| Feature | Generic Cybersecurity Vendor | Large IT Audit Firm | PNPC Global |
|---|---|---|---|
| Statutory/Regulatory Literacy | Low — focused on technical vulnerabilities, limited linkage to DPDP Act, CERT-In, or IFC requirements | High, but often priced and scoped for large enterprises with dedicated internal governance teams | High — every finding mapped explicitly to the statutory or regulatory consequence, scoped proportionately for mid-sized and owner-managed businesses |
| Linkage to Statutory Audit & IFC | Generally none | Present, but as a separate large-firm workstream, often disconnected from the same firm's statutory audit team | Direct — the same CA-led lens applied to your statutory audit's IFC testing is applied to this review |
| DPDP Act & CERT-In Readiness | Rarely addressed with legal precision | Addressed, but often as a generic overlay rather than mapped to your specific data flows | Mapped to your actual personal data flows and IT footprint, not a generic checklist |
| Pricing Proportionality | Variable, often technical-scope-only pricing | Enterprise-scale pricing, frequently disproportionate for mid-sized businesses | Scoped and fixed-fee proportionate to your actual size, sector, and regulatory exposure |
| Remediation Support | Typically ends at the technical findings report | Available, but at large-firm rates and pace | PNPC leads policy and governance remediation directly; coordinates technical partners for hands-on build, validating the result |
| India-UAE Coordination | Rare, unless specifically a cross-border technology firm | Available at large multinational firms, at corresponding cost | Native — offices in Chennai, Bangalore, Hyderabad, and Dubai coordinate both sides as one engagement |
| Ongoing Relationship | Project-based, typically ends at delivery | Project-based, periodic re-engagement at full enterprise rates | Frequently continues as an annual governance refresh, integrated with your existing statutory audit and compliance relationship with PNPC |
What the PNPC package includes
- 01
Framework and regulatory scoping — ISO 27001, COBIT, DPDP Act, CERT-In directions, Companies Act IFC linkage, and sector-specific RBI/SEBI circulars, mapped to what actually applies to your business
- 02
Governance structure review assessing genuine Board/Audit Committee oversight of technology risk, not just operational IT-team ownership
- 03
Access control and identity management assessment — provisioning, revocation, and privileged-access logging, the single most common finding area
- 04
Data protection and DPDP Act readiness assessment mapped to your actual personal data flows, not a generic privacy-policy checklist
- 05
Third-party and vendor risk review covering cloud providers, SaaS vendors, and outsourced IT/BPO arrangements
- 06
Business continuity, disaster recovery, and incident response readiness review, including CERT-In six-hour reporting-obligation preparedness
- 07
IT general controls testing aligned directly to your statutory auditor's Internal Financial Controls assessment scope
- 08
Risk-rated findings report with every finding explicitly mapped to the specific standard or legal provision it relates to
- 09
Management response workshop producing a documented, Board-ready remediation roadmap and risk-acceptance record
- 10
Remediation support for policy and governance work, with coordination and validation for technical implementation where needed
- 11
India-UAE coordinated review for group entities, addressing cross-border data transfer considerations on both sides
- 12
Direct access to your engagement CA — not a support ticket queue or a generic account manager
Speak directly with a PNPC Chartered Accountant who reviews technology risk the same way we review financial controls — grounded in what your Board, your statutory auditor, and Indian law actually require, not a generic cybersecurity checklist.