Blockchain (DLT) System Audits

Blockchain (DLT) System Audits

System Audits are mandatory for Issuers and Service Providers applying for a licence under the Virtual Financial Assets (VFA)  Act and for Innovative Technology Arrangements (ITA) seeking a voluntary certification under Malta Digital Innovation Authority (MDIA) certification process and guidelines which focus on five key principles:  

  • Security – The system must be protected and completely secure from unauthorised access (both physical and logical).
  • Availability – The system is available for operational use as committed and/or agreed.
  • Processing Integrity – The system processing is complete, accurate, timely, and authorised.
  • Confidentiality – The system will protect any information or data that is designated as confidential.
  • Privacy – The system will collect, use, retain, disclose, or dispose of personal information in full conformity with the commitments in the organisations privacy notice.


The system audit can be categorised into two different sets:


Type I Systems Audit

  • Carried out on a certain and specified date and takes an in depth look at the control design.

  • Typically carried when an ITA is in the process of applying to be certified by the Authority; or when deemed necessary by the Authority, or other Lead Authority in Malta


Type II Systems Audit

  • Carried out over a certain period of time, usually six months. The focus of this Type is to ascertain the operational effectiveness of the controls that are in place.

  • Carried out periodically during the operational lifetime of an ITA; or on the request of the Authority or other Lead Authority in Malta (e.g. MFSA)


BDO Malta can provide the following services to businesses requiring a mandatory Systems Audit under the VFA Act, and to businesses voluntarily registering their ITA with the MDIA:


Readiness assessment

BDO Malta can assess the state of an entity’s SOC 2 readiness by evaluating the kind of ITA that is being offered, the specific Control Objectives that are applicable, and any controls that are relevant to the delivery of the service. Additionally, processes, privacy, information security, procedures, system configuration, and organisational structure are examined and evaluated in detail, prior to a System Audit being conducted.