ECG responds to the EC call for feedback on the Digital Services Act audit methodology draft delegated regulation
The ECG has provided feedback on the EC’s draft delegated regulation on the methodology for the audits of very large online platforms (VLOPs) and very large online search engines (VLOSEs) as required under the Digital Services Act. The ECG recognises that many of the articles of the DSA are clear and auditable, particularly regarding what is expected of the auditor in relation to a VLOP’s/VLOSE’s processes and controls over governance, oversight, and the appointment of a Chief Compliance Officer. The ECG also proposes solutions for the following issues and would be pleased to offer technical support to the European Commission in the finalisation of the methodology:
(1) the draft Delegated Regulation should refer to ISAE 3000 (Revised), or equivalent standards, because without this the proposals could give rise to incomplete, confusing, and even contradictory direction to auditors;
(2) an independent expert body should be set up to develop acceptable and consistent industry standards, criteria and benchmarks. The auditing organisation should not be responsible for developing its own compliance benchmark; and
(3) a supplemental compliance framework should be developed, and the auditing organisation should perform audit procedures to obtain evidence to determine whether the VLOP’s/VLOSE’s identification and description of their performance against the compliance framework is consistent with the provided policies, processes, and controls, and whether such descriptions are free from material error or omission which might otherwise render them misleading.