Lead Forensics

The DSA & Audits

Audits. Not something that usually cause much ruckus. But with the Digital Services Act around the corner, there has been quite some excitement around what the first comprehensive audits of the very large online platforms will look like. 

Recap: What are audits under the DSA?

If you are a VLOP or VLOSE, you will be subject to annual DSA compliance audits carried out by independent auditors. The audits will cover your compliance with all DSA obligations, including risk assessments and mitigation measures. 

On the 5th of May, the Commission opened a consultation on the Draft Delegated Act of Audits which specifies the methodology and approach the auditors should take in their assessments. The Commission aims to adopt the rules by the end of the year.

Expectations & timelines

Overall, the delegated act shows that the Commission expects a lot from audits and sets a high bar with the methodology and level of assurance it requires. This will be no easy feat for auditors as there are limited benchmarks and standards that exist in this space. Take the example of assessing the service’s foreseeable or actual negative impact on physical health of users – few studies and indicators exist to assess this, making the auditing of compliance with this obligation challenging.  

The first audit reports will be due August 2024 and should be made public by the VLOP/VLOSE within three months of receipt, i.e., latest by November 2024. Between now and then, you will have to find your auditor, negotiate contracts, organise all the documentation, and begin the process with your auditor. This means you have quite a lot to do in a very short time. So, here’s what you need to get started.  

What you need to know to get prepared

Choosing an auditor

The auditors you choose will be held to a high standard of competence, requiring proven objectivity and expertise in risk management. They need to be independent and have no conflict of interest with the VLOP/VLOSE or any person connected to them. This means: 

  • Not providing non-audit services to the VLOP/VLOSE in the 12 months before the start of the audit 
  • Committing to not providing the VLOP/VLOSE with non-audit services for the 12 months after the audit.
  • Not providing auditing services for longer than 10 consecutive years.
  • Not providing the audit in return for fees dependent on the results of the audit.

Since DSA audits are completely novel, there are no established actors who have carried out an audit of this magnitude in the online platform space. Platforms will therefore need to make a serious assessment to ensure the auditor(s) they choose meet these strong independence requirements and competence standards. It may be that the established firms do not have all the relevant skillsets in house and consortiums with smaller specialised audit or consulting firms need to be formed.

Getting started & audit risk assessments

The first audits will cover the period from August 2023 to August 2024. The Delegated Act provides an annex of templates that can be used to create an inventory of the required data and explanations needed to perform the audit. 

Before carrying out the audit, the auditor will also have to conduct an audit risk assessment – another element borrowed from standard auditing procedures in the financial sector. This step allows auditors to assess how comprehensive the audit work must be to reach a reasonable level of assurance. Essentially, it helps auditors assess their risk of expressing an inappropriate audit opinion.

This audit risk is assessed by considering the environment of your service, specifically looking at the inherent risks, control risks, and detection risks.  Essentially, these risks relate to the nature of your service, the controls you implement, and the risk that your auditor does not detect problems. This means the risk assessment would consider your service as well as the auditor’s own capabilities.

Reaching a reasonable level of assurance

The draft Act calls for a reasonable level of assurance by the auditor. This is a concept that has been adopted from the financial industry and while it may seem ‘reasonable’, it is the highest level of assurance that there is in the industry. 

Normally, with a limited level of assurance the auditor would need to check if the platform’s internal data and findings around their systems for the compliance with the DSA are coherent, make sense, and carry out some limited verification. However, a reasonable level of assurance demands that the auditor independently verify all the statements and analysis done by the platforms.

Take the example of implementing notice and action mechanisms – for a very large video sharing platform with billions of videos, it would be impossible to check every data point. Thus, auditors will very likely only be considering samples of data in their analysis. To know what sample size to use and what methods to deploy, they need to assess their risk of not detecting a problem in order to be able to provide a reasonable level of assurance that their conclusions are correct.

The audit methods mentioned in the delegated act also indicate that a rigorous approach is expected. The internal controls and compliance of the VLOP/VLOSE for each DSA obligation and commitment needs to include performance of test and substantive analytical procedures. 


Recognising the diversity in systemic risks, types of platforms, and existing auditing methodologies, the regulations allow for consortiums of different entities to come together to perform these audits. It is difficult to imagine that this task could be done alone, especially considering the high degree of assurance that the DSA demands as well as the lack of established benchmarks in this sector. Given that the first audit will already include the period starting from August 2023 – only 3 months away-, it is crucial to begin thinking about the auditors you want to work with. 

How can Tremau help you?

Tremau’s team of experts has niche skills in assessing trust & safety tools and ecosystems. If you need help in understanding the risk environment of online platforms, appropriate mitigation measures, recommender systems, and more, Tremau’s advisory team can help. From putting together AI auditing methodologies, to building a next generation trust & safety platform, Tremau’s team is uniquely positioned to assist you with your projects. 


Stay ahead of the curve – sign up to receive the latest policy and tech advice impacting your business.

Share This Post

Further articles

Tremau in the News

GenAI and the risk for public opinion – Interview to Theos Evgeniou

Please find the full interview on Forbes.fr En parlant de risques, les craintes sont aujourd’hui focalisées sur le potentiel bouleversement des élections européennes puis américaines… Theos Evgeniou, Chief Innovation Officer at Tremau: “La technologie a déjà été utilisée pour impacter les électeurs et les élections, même avant l’arrivée de l’IA générative. Il est vrai, cependant,

Global Regulations

Online service providers should prepare for tough new laws in Australia

On Wednesday evening (Sydney time), Australia’s Federal Court extended an interim injunction mandating X Corp to hide posts containing copies of a live-streamed stabbing attack in a Sydney church.  The injunction followed an official removal notice issued by the eSafety Commissioner, ordering that X remove the posts from its platform globally. Having already geo-blocked the

Join our community

Stay ahead of the curve – sign up to receive the latest policy and tech advice impacting your business.