The MDIA, as part of the process of providing assistance to Service Providers and Innovative Technology Arrangements that are seeking recognition by the same authority, has issued its first round of consultation for 2019, the “Enhanced Systems Audit/or Guidelines”. Interested parties are now able to review these guidelines and submit their feedback; the consultation period is open from the 11th of February until the 25th of February.
Presently, the MDIA has two types of Systems Audits: one is intended for ITA applicants and the other is an ongoing audit for already-established ITAs. New applicants are subject to a Type 1 audit, in which the Systems Auditor opines as to whether the description of the ITA is fairly presented and whether the controls included in the description are suitably designed to meet the applicable criteria. On the other hand, ITAs which are already active are periodically subject to a Type 2 audit, which includes an opinion on the operating effectiveness of the controls during the period covered by such audit.
Over and above these audits, the MDIA is now proposing the Enhanced Systems Audit (ESA) for High-Risk ITAs, this being the focus of the newly published guidelines. The consultation document provides information on:
- who is eligible to perform an ESA;
- which ITAs will require an ESA for certification; and
- what the additional requirements are for an ESA with respect to a normal Systems Audit.
First and foremost, Systems Auditors have to fulfil certain requirements in order to be recognised as Enhanced Systems Auditors (ESA). In addition to the base requirement of being approved as a Systems Auditor by the MDIA, service providers who wish to be recognised as ESA must:
- Form part of a legal organisation which employs at least 250 persons with an annual revenue of not less than €10,000,000 sustained for the previous three (3) years.
- Be covered by a Professional Indemnity Insurance (PII) policy for an amount of at least €5,000,000.
Secondly, the MDIA has defined two forms of risk which determine whether the ITA in question requires an ESA for certification. The ITA might either carry out tasks which may impact human life (safety-critical) in a direct or indirect manner; or another Lead Authority may deem that the particular application area, class or category of the ITA requires additional scrutiny.
In cases where the ITA Applicant deems that a normal Systems Audit suffices, the Systems Auditor is still required to notify the Authority when the Auditor is of the opinion that an ESA is required due to the nature of the ITA.
Lastly, the consultation document sets out the additional requirements for ITA applicants who are to undergo an ESA. Such applicants must firstly state that only ESAs may audit their ITA, and they must ensure that the Blueprint submitted includes a risk assessment and mitigation plans appropriate to the specific risks undertaken by the ITA. These are to be detailed by providing an ongoing Type 2 audit plan, setting out what needs to be audited and at what frequency (at least every 6 months). Additionally, the ITA shall also provide, in relation to the Forensic Node, further guarantees, security and capabilities as required.
Article by Dr Gabriel Fenech.
This publication is provided for your convenience and does not constitute legal advice.
This publication is protected by copyright © 2018 GTG Advocates.