1. The assessment of the audited provider’s compliance with Article 34 of Regulation (EU) 2022/2065 shall include, but not be limited to, an analysis of all of the following:
(a)
whether the audited provider has diligently identified, analysed, and assessed the systemic risks in the Union referred to in Article 34(1), first subparagraph, of Regulation (EU) 2022/2065, including by assessing:
(i)
how the audited provider identified the risks that are linked to its service, taking into account regional and linguistic aspects of the use made of its service, including when specific to a Member State, and whether the risks are appropriately identified;
(ii)
how the audited provider analysed and assessed each risk, including how it considered the probability and severity of the risks, and whether the assessment was appropriate;
(iii)
how the audited provider identified, analysed and assessed the factors referred to in Article 34(2), first subparagraph, of Regulation (EU) 2022/2065, whether they were appropriately identified, and to what extent such factors influence the risks identified in paragraph 1 of that Article;
(iv)
what sources of information the audited provider used, how it collected the information, including whether and how it relied on scientific and technical insights;
(v)
whether and how the audited provider tested assumptions on risks with groups most impacted by the specific risks;
(b)
whether the risk assessment was performed within the timeframes set out in Article 34(1), second subparagraph, of Regulation (EU) 2022/2065 and, where applicable, within the timeframes set for activities established as risk mitigation measures for the detection of systemic risks pursuant to Article 35(1), point (f) of that Regulation;
(c)
how the audited provider identified functionalities that are likely to have a critical impact on the risks for which risk assessments shall be conducted prior to their deployment, pursuant to Article 34(1), second subparagraph, of Regulation (EU) 2022/2065, whether those functionalities were correctly identified, and whether the risk assessment was appropriately conducted;
(d)
whether the audited provider correctly identified the supporting documentation that should be preserved with respect to the risk assessment and whether it has put in place the necessary means to ensure the preservation of that documentation for at least three years, pursuant to Article 34(3) of Regulation (EU) 2022/2065, and whether the documentation was preserved accordingly.
2. Without prejudice to any other analysis necessary for reaching a reasonable level of assurance, methodologies for auditing compliance with Article 34 of Regulation (EU) 2022/2065 shall include at least an assessment by the auditing organisation of the following elements:
(a)
the internal controls that the audited provider has put in place to monitor the performance of risk assessments regarding each factor referred to in Article 34(2), first subparagraph, of Regulation (EU) 2022/2065; such assessment shall:
(i)
be based on substantive analytical procedures, for those internal controls;
(ii)
be based on tests of whether those internal controls are reliable and diligently conceived, executed and monitored;
(iii)
evaluate how the compliance officer or officers performed their tasks with respect to Article 41(3), points (b), (d), (e) and, where applicable, (f), of Regulation (EU) 2022/2065 and how the management body of the audited provider was involved in the decisions related to risk management pursuant to Article 41(6) and (7) of that Regulation;
(b)
the actions, means and processes put in place by the audited provider to ensure compliance with Article 34 of Regulation (EU) 2022/2065 and the results thereof; such assessment shall be based on:
(i)
substantive analytical procedures;
(ii)
tests, including of algorithmic systems, where the auditing organisation has reasonable doubts, following the results of the substantive analytical procedures and the assessment of internal controls, or where the auditing organisation deems necessary to perform tests in its choice of methodology pursuant to article 10(1).
3. Information analysed by the auditing organisation in support of the assessment carried out pursuant to this Article shall consist of, but not be limited to:
(a)
the risk assessment report for the relevant audited period, which has been drawn up by the audited including, where necessary, confidential information that is not part of the information published pursuant to Article 42(2) of that Regulation, and all supporting documents;
(b)
where relevant, other risk assessments reports of the audited provider and their supporting documents;
(c)
information submitted by the audited provider pursuant to Article 5;
(d)
all relevant transparency reports of the audited provider referred to in Article 15(1) of Regulation (EU) 2022/2065;
(e)
any other test results, documentation, evidence, statements made in response to written or oral questions addressed by the auditing organisation to the personnel of the audited provider, and observations made on premises, where applicable;
(f)
other relevant evidence, including based on information made available by the audited provider;
(g)
where available, reports referred to in Article 35(2) of Regulation (EU) 2022/2065 and guidance from the Commission, including guidelines issued pursuant to Article 35(3) of that Regulation and any other relevant guidance issued by the Commission with respect to the application of Regulation (EU) 2022/2065.
4. Information analysed by the auditing organisation may comprise, as appropriate, information referred to in Article 42(4) of Regulation (EU) 2022/2065, including from audit, risk assessment and risk mitigation reports, concerning other very large online platforms or very large online search engines, or data and research made publicly available by vetted researchers pursuant to Article 40(8), point (g), of the Regulation.