Submission of compliance for closure of observations raised during cyber audit

Central Depository Services Limited, vide Circular No. CDSL/IS/DP/POLCY/2026/245 dated April 09, 2026, has announced an important update regarding Submission of compliance for closure of observations raised during cyber audit.

Key Details of the Update –
• Depository Participants are required to ensure that any observation raised by the auditor during the cyber audit is remedied immediately and that such closure is certified by the auditor.
• The communiqué provides that the compliance for closure of findings identified during the audit must be submitted to CDSL within 3 months from the due date of submission of the audit report.
• For the audit period April to September 2025, Depository Participants have been specifically directed to submit the closure compliance / Action Taken Report (ATR) through the prescribed system workflow.
• The enclosed Annexure A User Manual sets out the operational process for submission, including mapping/registration of the IT Auditor through DP login, OTP-based authentication, selection of “Cyber Security Audit ATR”, auditor-side entry of compliance status, description of findings / reason for non-applicability, severity level, and upload of the ATR file. It further prescribes the Designated Officer workflow for entering management comments and target closure date before final submission to CDSL.
• The communiqué clarifies several validation conditions, including that only one auditor can be mapped for each submission, any change of auditor requires deletion of the earlier auditor before mapping a new one, and the audit report must be on the auditor’s letterhead with the auditor name, audit firm name, Cert-In empanelment expiry date, valid signature, DP Name, DP ID, and audit period clearly stated.
• It is also specifically required that the compliance status for each point must be clearly marked as Complied / Not Complied / Not Applicable, and each checkpoint sub-point must be duly filled and saved before submission to avoid incomplete or missing data in the system.

Actions if Any –
• Depository Participants must submit compliance for closure of cyber audit observations for the audit period April-September 2025 through the prescribed CDSL audit application process.
• Depository Participants must ensure that the IT Auditor is registered/mapped before submission and that the Action Taken Report is uploaded with all required details and declarations.
• The Designated Officer must complete the relevant fields, including management comments and target closure date, and submit the report to CDSL after saving all sections and confirming the declaration.

Compliance Deadline –
The compliance for closure of observations raised during the cyber audit for the period April-September 2025 must be submitted to Central Depository Services Limited on or before April 30, 2026. More generally, closure compliance for audit findings is required to be submitted within 3 months from the due date of submission of the cyber audit report.