ITA System Audit: Key Principles and Reporting

06 November 2018

Key Principles

The newly formed Malta Digital Innovation Authority (MDIA) has recently issued guidelines for prospective systems auditors, comprising the requirements they would have to fulfil to carry out audits on Innovative Technology Arrangements (ITAs). The guidelines focus on five key principles which have their foundation in the AICPA SOC 2 auditing guidelines. The SOC 2 report is one of the most common compliance requirements that technology-based companies must meet and is a respected industry standard.

  • Security – The system must be protected against unauthorised access (both physical and logical).
  • Availability – The system is available for operational use as committed and/or agreed.
  • Processing Integrity – The system processing is complete, accurate, timely, and authorised.
  • Confidentiality – The system will protect any information or data that is designated as confidential.
  • Privacy – The system will collect, use, retain, disclose, or dispose of personal information in full conformity with the commitments in the organisation's privacy notice.

The SOC 2 audit report will also provide the MDIA with assurance regarding the suitability of the design and the operating effectiveness of the controls the ITA has implemented. The audit can be categorised into two different types:

  • Type I is an audit and a report that is carried out as at a certain specified date and takes an in-depth look at the control design.
  • Type II is an audit and a report that is carried out over a certain period of time, usually six months. The focus of this type is to ascertain the operating effectiveness of the controls that are in place.

The Type I audit is typically carried out when an ITA is in the process of applying to be certified by the Authority, or when deemed necessary by the Authority or another Lead Authority in Malta. The Type II audit is carried out periodically during the operational lifetime of an ITA, or on the request of the Authority or another Lead Authority in Malta.


Ensuring Compliance

To ensure full compliance with SOC 2, it is imperative that any new functions or changes to the design are reviewed in full by security teams. In addition, any unusual activity must be monitored carefully, with appropriate alerting processes in place and swift corrective processes where applicable. There must also be a full audit trail in place that is retrievable on demand.

But SOC 2 is not just about ticking boxes and fulfilling requirements on paper; it is about developing, implementing and maintaining clearly defined policies and procedures that build trust with stakeholders and regulatory bodies. Furthermore, it is a matter of best practice, and of ensuring that structured policies, procedures and practices become a standard throughout the blockchain technology industry.


Get help from BDO Malta

For businesses looking to voluntarily register their ITA with the MDIA, it is likely that they would require guidance to set up the necessary controls and standards.

BDO Malta can assist businesses and ITAs with seeking voluntary registration with MDIA in a number of ways:


System Audit

BDO Malta will be applying to become registered System Auditors when applications are made available. As registered System Auditors, we can then perform both Type I and Type II audits as requested by the MDIA.


Readiness assessment

BDO Malta can assess the state of an entity's SOC 2 readiness by evaluating the kind of ITA that is being offered, the specific Control Objectives that are applicable, and any controls that are relevant to the delivery of the service. Additionally, processes, privacy, information security, procedures, system configuration, and organisational structure are examined and evaluated in detail.


Remediation

Once any gaps or shortcomings have been identified, BDO Malta can help remediate them. Through audit scoping, compiling the ITA system description, risk management, control selection, and the definition of control effectiveness metrics, clients gain a full overview of where they stand in terms of compliance with the requirements.


To find out more about the guidelines, ITAs or the MDIA, or to get assistance with MDIA registration, contact us today.