News

MDIA issues Systems Auditor Guidelines Consultation

The Systems Auditor does not necessarily need to be an accountant or an auditor with a practising certificate under the Accountancy Profession Act. On the contrary, any individual or legal organisation may register to act as a Systems Auditor, provided that such individual or legal organisation satisfies the requirements laid down in these guidelines. Individuals or legal organisations interested in performing System Audits must register themselves with the Malta Digital Innovation Authority, and once the registration process is successful will be eligible to start working with individuals or legal organisations that are subject to such System Audits, better known as Auditees.

When deciding whether to approve a Systems Auditor, the Authority will expect the applicant to be of good conduct, fit and proper. A Systems Auditor (whether an individual or a legal organisation) must be ordinarily resident or have its business set up in Malta or in any of the EU member states including the EEA. Apart from the residential criteria, a Systems Auditor must also adhere to additional academic and non-academic criteria (such as experience within the IT field) to be able to acquire such approval. On a more interesting note, the Authority is officially reserving the right to vary such requirements under certain circumstances given the fact that certain ITAs involve certain innovative technology whose System Auditors or Experts may not be completely familiar with.

Upon successful registration, the Systems Auditor will be allowed to perform two types of audits which shall be based upon recognised standards, in line with quality and ethical regulations. The guidelines also outline certain objectives which are designed to provide and assist the Systems Auditor with an audit framework, based on 5 key principles being; security, process integrity, availability, confidentiality and protection of personal data. Lastly, one must appreciate that the Systems Auditor is completely independent from the audit client, which commences from the moment the audit team begins to perform the audit services to that moment when the audit report is issued.

The guidelines also take into consideration the role of the Subject Matter Experts whose function is that of assisting the Systems Auditor in specific technical fields during the Systems Audit. The Authority expects there to be at least 2 Subject Matter Experts which must be recognised by the same entity as part of the Systems Auditor registration process. In addition, the Systems Auditor is expected to confirm in the Audit Report that such Experts possess the necessary skills to accurately assist the Systems Auditor to perform the audit of the Innovative Technology Arrangement. The Subject Matter Expert should also satisfy certain minimum standards listed in the guidelines to hold such a position which is largely responsible for security testing. 

Both the Systems Auditors and Subject Matter Experts shall be required to undertake a competence assessment consisting of a series of questions aimed at verifying their knowledge on the subject matter. Upon completion of such assessment, an approval will be awarded and is valid for 2 years from the date of issuance.

The Systems Auditor and Subject Matter Experts are expected to keep records of their audits, since the Authority may carry out quality reviews on any of these records including the audit reports, supporting documents and internal documents that support the whole audit process. Any breach will allow the Authority to suspend the individual from practising for up to 5 years.  Interestingly, in just the same way the Authority may approve a Systems Auditor and Subject Matter Expert, the authority may also remove or suspend a Systems Auditor from the approved list in cases of unsatisfactory performance (listed in the guidelines). The Authority may revoke the approval once due notice is given to the Systems Auditor.

System Audit Reports

The Authority has published guidance in relation to the way reports are to be drawn up by Systems Auditors offering guidance in relation to their contents, format and objectives. The final systems report shall be signed by the Systems Auditor and by the Subject Matter Experts respectively. Each audit report issued by the Systems Auditor must be filed with the Authority within 30 days from the date of the report along with the registration fee. The Authority may request clarifications or additional information concerning any audit report.

For more information on the Guidelines on Systems Auditors, Subject Matter Experts and related areas please contact Dr Ian Gauci on igauci@gtgadvocates.com and Dr Sean Xerri de Caro on sxerridecaro@afilexion.com.