Audits. Not something that usually causes much ruckus. But with the Digital Services Act around the corner, there has been quite some excitement around what the first comprehensive audits of the very large online platforms will look like.
Recap: What are audits under the DSA?
If you are a VLOP or VLOSE, you will be subject to annual DSA compliance audits carried out by independent auditors. The audits will cover your compliance with all DSA obligations, including risk assessments and mitigation measures.
On the 5th of May, the Commission opened a consultation on the Draft Delegated Act of Audits which specifies the methodology and approach the auditors should take in their assessments. The Commission aims to adopt the rules by the end of the year.
Expectations & timelines
Overall, the delegated act shows that the Commission expects a lot from audits and sets a high bar with the methodology and level of assurance it requires. This will be no easy feat for auditors as there are limited benchmarks and standards that exist in this space. Take the example of assessing the service’s foreseeable or actual negative impact on physical health of users – few studies and indicators exist to assess this, making the auditing of compliance with this obligation challenging.
The first audit reports will be due August 2024 and should be made public by the VLOP/VLOSE within three months of receipt, i.e., latest by November 2024. Between now and then, you will have to find your auditor, negotiate contracts, organise all the documentation, and begin the process with your auditor. This means you have quite a lot to do in a very short time. So, here’s what you need to get started.
What you need to know to get prepared
Choosing an auditor
The auditors you choose will be held to a high standard of competence, requiring proven objectivity and expertise in risk management. They need to be independent and have no conflict of interest with the VLOP/VLOSE or any person connected to them. This means:
- Not providing non-audit services to the VLOP/VLOSE in the 12 months before the start of the audit
- Committing to not providing the VLOP/VLOSE with non-audit services for the 12 months after the audit.
- Not providing auditing services for longer than 10 consecutive years.
- Not providing the audit in return for fees dependent on the results of the audit.
Since DSA audits are completely novel, there are no established actors who have carried out an audit of this magnitude in the online platform space. Platforms will therefore need to make a serious assessment to ensure the auditor(s) they choose meet these strong independence requirements and competence standards. It may be that the established firms do not have all the relevant skillsets in house and consortiums with smaller specialised audit or consulting firms need to be formed.
Getting started & audit risk assessments
The first audits will cover the period from August 2023 to August 2024. The Delegated Act provides an annex of templates that can be used to create an inventory of the required data and explanations needed to perform the audit.
Before carrying out the audit, the auditor will also have to conduct an audit risk assessment – another element borrowed from standard auditing procedures in the financial sector. This step allows auditors to assess how comprehensive the audit work must be to reach a reasonable level of assurance. Essentially, it helps auditors assess their risk of expressing an inappropriate audit opinion.
This audit risk is assessed by considering the environment of your service, specifically looking at the inherent risks, control risks, and detection risks. Essentially, these risks relate to the nature of your service, the controls you implement, and the risk that your auditor does not detect problems. This means the risk assessment would consider your service as well as the auditor’s own capabilities.
Reaching a reasonable level of assurance
The draft Act calls for a reasonable level of assurance by the auditor. This is a concept that has been adopted from the financial industry and while it may seem ‘reasonable’, it is the highest level of assurance that there is in the industry.
Normally, with a limited level of assurance, the auditor would only need to check that the platform’s internal data and findings about its systems for DSA compliance are coherent and make sense, and carry out some limited verification. A reasonable level of assurance, however, demands that the auditor independently verify all the statements and analysis produced by the platform.
Take the example of implementing notice and action mechanisms – for a very large video sharing platform with billions of videos, it would be impossible to check every data point. Thus, auditors will very likely only be considering samples of data in their analysis. To know what sample size to use and what methods to deploy, they need to assess their risk of not detecting a problem in order to be able to provide a reasonable level of assurance that their conclusions are correct.
The audit methods mentioned in the delegated act also indicate that a rigorous approach is expected. The assessment of the VLOP/VLOSE’s internal controls and compliance for each DSA obligation and commitment must include the performance of tests and substantive analytical procedures.
Conclusion
Recognising the diversity in systemic risks, types of platforms, and existing auditing methodologies, the regulations allow for consortiums of different entities to come together to perform these audits. It is difficult to imagine that this task could be done alone, especially considering the high degree of assurance that the DSA demands as well as the lack of established benchmarks in this sector. Given that the first audit will already include the period starting from August 2023 – only 3 months away – it is crucial to begin thinking about the auditors you want to work with.
How can Tremau help you?
Tremau’s team of experts has niche skills in assessing trust & safety tools and ecosystems. If you need help in understanding the risk environment of online platforms, appropriate mitigation measures, recommender systems, and more, Tremau’s advisory team can help. From putting together AI auditing methodologies, to building a next generation trust & safety platform, Tremau’s team is uniquely positioned to assist you with your projects.