Commission Delegated Regulation (EU) 2024/436 of 20 October 2023 supplementing Regulation (EU) 2022/2065 of the European Parliament and of the Council, by laying down rules on the performance of audits for very large online platforms and very large online search engines

This Regulation lays down rules on the performance of audits pursuant to Article 37 of Regulation (EU) 2022/2065, as regards:

1. the procedural steps for ensuring that the auditing organisation to be selected fulfils the conditions laid down in Article 37(3) of Regulation (EU) 2022/2065;

2. the procedural steps for cooperation and assistance by the audited provider in the performance of audits, including accessing relevant information with a view to obtaining audit evidence;

3. the definition and selection of auditing methodologies;

4. the templates for the audit report and the audit implementation report.

For the purpose of this Regulation, the following definitions shall apply:

1. ‘auditing organisation’ means an individual organisation, a consortium or other combination of organisations, including any sub-contractors, that the audited provider has contracted to perform an independent audit in accordance with Article 37 of Regulation (EU) 2022/2065;

2. ‘audited service’ means a very large online platform or a very large online search engine designated in accordance with Article 33 of Regulation (EU) 2022/2065;

3. ‘audited provider’ means the provider of an audited service which is subject to independent audits pursuant to Article 37(1) of that Regulation;

4. ‘audited obligation or commitment’ means an obligation or commitment referred to in Article 37(1) of Regulation (EU) 2022/2065 which forms the subject matter of the audit;

5. ‘audit criteria’ means the criteria against which the auditing organisation assesses compliance with each audited obligation or commitment;

6. ‘audit evidence’ means any information used by an auditing organisation to support the audit findings and conclusions and to issue an audit opinion, including data collected from documents, databases or IT systems, interviews or testing performed;

7. ‘misstatement’ means an intentional or unintentional omission, misrepresentation or error in the declarations or data reported or provided by the audited provider to the auditing organisation, or in the testing environment made available by the audited provider to the auditing organisation;

8. ‘audit risk’ means the risk that the auditing organisation issues an incorrect audit opinion or reaches an incorrect conclusion concerning the audited provider’s compliance with an audited obligation or commitment, considering detection risks, inherent risks and control risks with respect to that audited obligation or commitment;

9. ‘detection risk’ means the risk that the auditing organisation does not detect a misstatement that is relevant for the assessment of the audited provider’s compliance with an audited obligation or commitment;

10. ‘inherent risk’ means the risk of non-compliance intrinsically related to the nature, the design, the activity and the use of the audited service, as well as the context in which it is operated, and the risk of non-compliance related to the nature of the audited obligation or commitment;

11. ‘control risk’ means the risk that a misstatement is not prevented, detected and corrected in a timely manner by means of the audited provider’s internal controls;

12. ‘materiality threshold’ means the threshold beyond which deviations or misstatements by the audited provider, individually or aggregated, would reasonably affect the audit findings, conclusions and opinions;

13. ‘reasonable level of assurance’ means a high but not absolute level of assurance, which allows the auditing organisation to assert in its audit opinion and audit conclusions whether the audited provider complies with the audited obligations or commitments, based on sufficient and appropriate evidence;

14. ‘internal control’ means any measures, including processes and tests, that are designed, implemented and maintained by the audited provider, including its compliance officers and management body, to monitor and ensure the audited provider’s compliance with the audited obligation or commitment;

15. ‘vetted researcher’ means a researcher vetted in accordance with Article 40(8) of Regulation (EU) 2022/2065;

16. ‘audit procedure’ means any technique applied by the auditing organisation in the performance of the audit, including data collection, the choice and application of methodologies, such as tests and substantive analytical procedures, and any other action taken to collect and analyse information to collect audit evidence and formulate audit conclusions, not including the issuing of an audit opinion or of the audit report;

17. ‘test’ means an audit methodology consisting in measurements, experiments or other checks, including checks of algorithmic systems, through which the auditing organisation assesses the audited provider’s compliance with the audited obligation or commitment;

18. ‘substantive analytical procedure’ means an audit methodology used by the auditing organisation to assess information to infer audit risks or compliance with the audited obligation or commitment.