As technology evolves, so do challenges in effectively regulating it. In an era where there is increasing focus on effective oversight of digital platforms, legislators are turning to audits as a go-to tool. This blog explores the reasons behind the growing adoption of audits in digital regulation, focusing on key legislative frameworks such as the EU's Digital Services Act (DSA) and the UK's Online Safety Act (OSA), and also explores the scope of audits in AI and other digital regulation. It also includes some practical tips for businesses navigating these new audit regimes.
Audits in context
Audits in digital regulation typically fall into three categories: internal audits, external audits and regulator-driven information gathering.
- Internal audits: audits typically conducted by a business’ assurance function to self-assess compliance, helping it identify and address compliance or controls gaps proactively.
- External audits: audits performed by independent third party auditors who provide an objective assessment of a business’ compliance to a specified standard.
- Regulator-driven information gathering: regulatory bodies may also be empowered to conduct or direct audits or reviews of a business’ compliance, which may involve direct access to a business’ systems and records.
This blog focuses on the second and third categories, while touching on the first in the context of existing regulation.
Why audits?
Audits have been used as a regulatory tool since at least the 19th century, initially emerging in the context of financial oversight. The UK’s Companies Act of 1844 was one of the first to mandate external audits for corporate financial records to protect shareholders and enhance accountability. In the United States, the role of audits expanded following the creation of the Securities and Exchange Commission (SEC) in 1934.
The rise of digital platforms has ushered in challenges that traditional regulatory frameworks may struggle to address. In particular, the complexity of new technologies presents challenges for regulators seeking to understand the operation of systems, and their compliance with laws, in an efficient and accurate manner.
External audits are increasingly being encouraged, and in some cases required, as a potential means to address these challenges. There are various factors that may be contributing to a growing recognition of audits as essential tools within the digital regulatory toolkit:
- Accountability and transparency: The belief that independent audits can increase trust by involving external examiners who offer objective insights into an organization’s practices and compliance measures, and whose findings provide a common basis for public scrutiny.
- Cost effectiveness: The belief that audits enable companies to independently manage compliance assessments, reducing the regulatory burden while ensuring a thorough review process. This theoretically allows regulatory bodies to focus their resources on higher-priority tasks, such as developing standards, reviewing audit results and enforcement. On the other hand, audits place significant financial and operational demands on businesses, particularly smaller operations that may struggle to allocate the necessary resources without compromising growth-focused priorities.
- Standardization: The belief that independent audits can bring a uniform approach to assessing compliance, applying consistent criteria across the industry, and making it easier to identify trends, spot systemic risks and ensure fair enforcement across the board. Standardization, however, is an area in need of development in this space, as discussed in the next section. This can present challenges in industries without existing standardization and may risk incentivizing certain practices even where no genuine ‘best practice’ standard yet exists.
DSA and OSA audits
The DSA, which came fully into effect in February 2024, is a landmark digital regulation (to learn more about the DSA, read our DSA Decoded blog series). Audits form a key component of the DSA’s compliance and enforcement architecture: very large online platforms and very large online search engines (VLOPs and VLOSEs), ie those with more than 45 million average monthly active users in the EU, must undergo annual external audits conducted by independent third party auditors. The first round of audits was finalized in mid-2024 and focused on the platforms' approach to illegal content and systemic risks, transparency in advertising and the protection of user rights, capturing the obligations under Chapter III of the DSA. Audit reports, together with implementation reports setting out how the VLOPs and VLOSEs would remediate the gaps identified, were published in November 2024.
The delegated regulation on the performance of DSA audits (DR), adopted by the European Commission in October 2023, sets out the audit procedures and framework that guide VLOPs, VLOSEs and auditing organizations in preparing audit reports. Despite the global significance of the DSA’s audit regime, key concerns remain about implementation and verification, in particular the absence of standard methodologies or benchmarks in the DR, its overambitious expectations of auditors, and unresolved questions about auditor independence and eligibility.
Operating alongside the DSA, the 2022 Code of Practice on Disinformation (EU CoP) is a voluntary, co-regulatory instrument signed by a broad range of actors, including major online platforms such as Google, Meta and TikTok. It commits signatories to measures, and to reporting on those measures, in areas such as political advertising, financial disinformation and misleading content. While the EU CoP is voluntary, it will soon become a recognized Code of Conduct under the DSA. As a result, any commitments undertaken voluntarily under the EU CoP will form part of the DSA audit.
Like the DSA, the OSA provides for audits: it empowers Ofcom to issue notices requiring a provider to commission an audit of its own compliance. Unlike the DSA, however, such audits are not automatically mandated. In a consultation launched in November 2023, Ofcom sought feedback on a proposal to impose an annual risk management audit requirement alongside its information gathering powers. Ofcom is also consulting on plans to assess the accuracy of proactive content moderation technologies through an audit-based assessment.
As other jurisdictions look to adopt laws related to content moderation, the approach of the OSA and DSA to audits may influence policy approaches globally.
Auditing AI systems
Artificial intelligence is another context where legislators are looking to audits as a potential regulatory tool. Some academics and third sector stakeholders have emphasized that AI auditability is important for assessing compliance with standards in areas such as ethics and data security.
The EU AI Act enables third party Notified Bodies and Market Surveillance Authorities, under particular risk and monitoring conditions, to access a system provider’s technical documentation, source code and training datasets in order to obtain reasonable assurance of compliance with its requirements on fairness, bias and accuracy. Access of this depth to source code and training data is a relatively novel audit requirement.
In the United States, the New York City Department of Consumer and Worker Protection in November 2022 implemented regulations requiring employers that use automated tools in hiring to have those tools independently audited for disparate impact on the basis of race/ethnicity and sex. By contrast, in California, a bill proposing mandatory annual third-party audits for AI models was vetoed by Governor Newsom in September 2024. The main criticisms of the proposed auditing requirement, and of the stringent obligations of the bill as a whole, were the substantial compliance costs and the potential impact on innovation, with Governor Newsom calling for adaptable and differentiated oversight to avoid a disproportionate regulatory burden on smaller developers, a reminder that one size does not fit all.
Other digital regulation with audit requirements
Audits are gaining traction as a critical oversight mechanism in various domains of digital regulation.
- In the domain of cybersecurity, the NIST Cybersecurity Framework, which federal agencies have been directed to use and which the private sector adopts voluntarily, is widely used as the benchmark against which regular assessments and audits of an organization’s controls are performed, so that organizations can demonstrate compliance and maintain strong defences against cyber threats.
- Similarly, the NIS2 Directive (2022) in the EU equips national competent authorities with the power to require ad hoc and regular independent audits of ‘essential entities’ (important entities are subject to lighter, ex post supervision), alongside the authority to issue requests for information and to carry out audits themselves.
- The regulations proposed by the California Privacy Protection Agency (CPPA) in November 2024 mandate annual independent cybersecurity audits for certain businesses that meet revenue and personal data processing thresholds.
By embedding audits into compliance structures, these regulations may set a precedent for their expansion into other areas, such as algorithmic transparency and ethical AI use.
Practical tips for tech businesses
As audits become an increasingly common feature of digital regulation, tech companies should proactively prepare to manage risks. Specifically, we recommend:
- Advocate thoughtfully: Engage in regulatory consultations to provide feedback on proposed audit requirements, particularly to highlight burdens that would be disproportionate to the innovation-focused approach of emerging technologies.
- Prepare for audit obligations: If subject to audits, ensure robust internal compliance and assurance systems are in place, and allocate resources to meet external audit demands effectively, including explaining the legal requirements to external auditors who may be new to the regulatory regime in question.
- Plan for adverse outcomes: Develop contingency plans to address findings from negative audits, including transparent remediation strategies and stakeholder communication to rebuild trust.
- Leverage audit insights: Use audit reports constructively to identify areas for improvement, streamline operations and enhance compliance efforts, turning audits into a tool for innovation and growth.
With preparation and strategic engagement, businesses can better navigate the challenges and opportunities audits bring. Our team at Freshfields has extensive experience guiding businesses through complex regulatory landscapes, from advising on compliance with established frameworks like the OSA, DSA, and privacy laws to preparing for emerging audit requirements. We help clients anticipate challenges, develop practical strategies and leverage audits as opportunities to strengthen trust and innovation. Reach out to explore how we can support your organization in staying ahead of regulatory developments.