Deloitte Internet Regulation Updater
The final audit rules for conducting the independent audits of the designated very large online platforms and search engines (“VLOPSE”) required by the Digital Services Act (DSA) have been published. We set out some key points below.
The annual independent audit is a critical component of the DSA risk management lifecycle. The Delegated Act on the performance of independent audit (“Delegated Act”) sets expectations for the scope and approach that auditors should follow. At the same time, understanding the requirements of the Delegated Act provides insights into what platforms and DSA Compliance Functions should be focusing on.
Headline points: what has changed and what remains
There is no change to the requirement that the audit be conducted to a “reasonable assurance” standard or “through the period” from the application date. Those in scope will need to continue with their preparations for the first audit, ensuring that they have an auditable controls framework and are set up for successful execution of the audit. Audit preparation remains a big lift and a high priority.
Criteria for audit
The Delegated Act confirms that the audit criteria will be based on the internal benchmarks that VLOPSE management uses to evaluate its compliance. This change aligns with the recommendations made by numerous audit providers and platforms, as submitted through the public consultation on the draft Delegated Act.
Any suggestion that the auditor can or should substitute its own criteria for those of management has been removed. Nevertheless, auditors may still make a remark on the benchmarks chosen by management, via a ‘positive with comments’ audit conclusion.
What kind of remark and when it would be made is something that can be explored between VLOPSE management and their chosen auditor.
Digital service providers will need to articulate their internal benchmarks for compliance with all the obligations of the DSA. This should be based on clear interpretations of the legal requirements as applied to the business in its operational context.
Scope of audit
Under the Delegated Act (Article 5(1)), the pre-audit information requirements have been expanded. The auditor needs to assess any information about decision-making structures, governance, the competency of the DSA Compliance Function and other teams, relevant IT systems, data sources, processing, and storage, and the interactions between algorithmic systems. Such information should be provided to the auditor in advance of the audit.
This specificity may capture a broader range of information than was originally anticipated by VLOPSEs, who will need to factor this into their audit readiness programs.
The final Delegated Act expects auditors to consider the risk profile of the VLOPSEs in the design of their methodology, and to ensure that any evidence based on samples of data is representative of the risks faced by particular groups. Examples of particular groups include minors, vulnerable groups and minorities.
In particular, auditors are expected to consider whether the service is available to or predominantly used by minors when assessing the risk profile, including assessing age assurance tools and their effectiveness.
The final Delegated Act has clarified how risk mitigation reports are to be audited. Auditors must assess how the VLOPSE identified and analysed the systemic risks relevant to their service before and after mitigations were put in place. Most notably, the Delegated Act makes it clear that both the design and the “execution” of mitigation measures should be considered. This will need to be factored in as risk mitigations are specified and executed by VLOPSEs following their first systemic risk assessment.
To support the performance of the audit, the final Delegated Act states in Article 5(3) that VLOPSEs must make resources, assistance and explanations available to the auditor. This obligation has been expanded to cover circumstances where information is held by third party contractors.
It would be sensible for VLOPSEs to consider their current dependencies on third parties and the relevant data those parties may hold. Special consideration will be needed where an information request relates to personal data that the third party contractor is processing on behalf of the VLOPSE, or where the contractor is assisting in processes such as content moderation.
If you would like more information or to discuss the DSA and other internet regulation, please contact Deloitte’s Internet Regulation team.
Joey Conway, Internet Regulation Partner, Legal Lead
Nick Seeber, Partner, Global Internet Regulation Lead
Mark Cankett, Regulatory Assurance Partner, Global Lead for Algorithm and AI Assurance, Deloitte
Curtis Barnes, Manager, Regulatory Assurance, Deloitte
Nia Thomas, Associate, Deloitte Legal