Internet Regulation Updater: We bring together below Deloitte’s combined perspective as both an advisor and an external audit firm on the draft rules

Enjoy our posts? Please subscribe (see below).

The EU Commission has published the draft rules for conducting the independent audits of the designated very large online platforms and search engines (VLOP/SEs).

The annual independent audit is a critical component of the DSA. The draft rules describe expectations for the scope, depth, and approach of the audit. This has major implications for providers of VLOPs/VLOSEs, as well as the audit firms.

The consultation runs to 2 June which means parties need to get their responses in rapidly.

Headline points: 

1. Level of assurance

The expectation: The audit needs to be performed in a manner and for a duration that allows the auditor to assess the provider’s compliance to a reasonable level of assurance. This means that the auditor should have a high (although not absolute) level of confidence that there have been no misstatements which were not detected in the audit.

The implication: Reasonable assurance is the highest level of assurance typically provided in the context of regulation. Audit procedures will need to be commensurate to support the practitioner in attaining this. The rules do allow for derogation from the reasonable assurance standard, but the audit firm will need to explain the circumstances and reasons for that.

2. Controls, benchmarks and approach

The expectation: Well ahead of the audit period, the digital service provider must provide the auditor with its internal controls, as well as the “benchmarks” it used to assert or monitor its compliance with each obligation.

The implication: Digital service providers will need to form a clear idea of what they think the standard for compliance is for each obligation. This will need to be done in advance and should be provided to the auditor well ahead of the audit fieldwork commencing.

3. Audit methodologies

The expectation: The auditor needs to formulate and put in place appropriate methodologies sufficient to support the auditor to attain reasonable assurance. The audit report will include justifications for the methodology, sampling techniques, and sample sizes used. The rules envisage a combination of methodologies and the potential for the auditor to engage with other audit specialists who can provide discrete aspects of the overall audit within their field of expertise.

The implication: Auditors will need to have a strong idea regarding the methods, techniques and procedures needed to test compliance with each obligation. These will need to be thorough in nature, not only examining and testing internal controls, but also performing substantive analytical procedures as appropriate to attain reasonable assurance. Where an audit firm does not have the requisite expertise, it will need to consider engaging other experts. 

 4. Auditor competence and independence

The expectation: Prior to appointment and selection of the auditor, the provider must confirm that the auditor is sufficiently qualified and independent. Each individual member of the audit team must be individually independent, as well as qualified for their specific role.

The implication: The provider itself needs to assess and assure itself that the auditor (including any other audit specialists that are engaged for discrete aspects of the audit – see above) is independent and that it does have the relevant expertise. We’d expect this to be a focus of the new DSA Compliance Officer who is charged with organising and supervising the audit.

5. Audit opinion and reporting

The expectation: An audit report template is provided in the rules. An audit opinion needs to be provided for every provision. Audit opinions can be positive, positive with comments or negative. It is proposed that positive with comments is reserved for situations where the auditor:

• Recommends improvements that do not have a substantive effect on its conclusion;
• Has applied criteria which are different from the benchmarks for compliance communicated by the provider.

The auditor should also provide an overall opinion as to the result of the audit. A negative opinion on even one auditable obligation will result in an overall negative audit opinion.

The implication: The bar to attaining an overall positive audit opinion is high, requiring a positive opinion on every individual obligation.

6. Audit periods

The expectation: In year one, the audit period commences from the application date (four months after designation) i.e. from late August 2023. Thereafter, subsequent audits should pick up immediately after where the last audit period ended to ensure continuity. Audits should align with the yearly risk assessment life cycle (the first risk assessment should be complete by the application date in August).  

The implication: The Commission expects the audit to be a comprehensive review across the audit period with no time unaccounted for. Providers and auditors will need to maintain records of when the audit period commenced and ended and there may be some adjustments required to align the audit with the risk assessment life cycle, particularly in year 1 when the cadence has not yet been established.

If you would like more information or to discuss the DSA and other internet regulation, please contact Deloitte’s Internet Regulation team. 

Your contacts

Joey Conway, Internet Regulation Partner, Legal Lead 

Nick Seeber, Partner, Global Internet Regulation Lead

Mark Cankett, Regulatory Assurance Partner, Global Lead for Algorithm and AI Assurance, Deloitte

Curtis Barnes, Manager, Regulatory Assurance, Deloitte

Shreya Sapra, Senior Associate, Regulatory Assurance, Deloitte

Content from Deloitte's Internet Regulation blog can now be sent direct to your inbox. Choose the topic and frequency by subscribing here and selecting Internet Regulation.