Overview of the Digital Services Act (DSA)
The Digital Services Act (DSA) is a landmark regulation aimed at creating a safer and more transparent online environment. It regulates online intermediaries and platforms, including marketplaces, social networks, content-sharing platforms, app stores, and online travel and accommodation platforms. The DSA's primary goals are to prevent illegal and harmful activities online, curb the spread of disinformation, ensure user safety, protect fundamental rights, and foster a fair and open online platform environment.
Key Goals of the DSA
- Better protection of fundamental rights
- More control and easier reporting of illegal content
- Stronger protection of children online
- Less exposure to illegal content
- Increased transparency in content moderation decisions
Organizations Required to Report
The DSA designates platforms with over 45 million active monthly users in the EU as Very Large Online Platforms (VLOPs) or Very Large Online Search Engines (VLOSEs). In 2023, 17 platforms were designated as VLOPs, and 2 as VLOSEs. An additional 6 VLOPs were designated in 2024, bringing them under the audit obligation for 2024/2025.
KPMG's Key Takeaways from the 2024 DSA Audit Reports
Report Structure
The audit reports generally followed a consistent structure, including an independent assurance report, a description of the procedures performed, the scope of the report, detailed test procedures, and conclusions for each article. Most reports also included documents attesting to the auditors' compliance with Article 37(3).
Audit Conclusions
All audit reports contained remarks, and Wikimedia's was the only one with no negative sub-articles. The conclusions ranged from positive with comments to negative or disclaimers of opinion.
Audit Approach
The majority of the audit approaches were either substantive or mixed (control and substantive testing). This indicates a need for stronger internal controls to mitigate the risks of non-compliance with the DSA articles.
Assurance Standards
Most reports adhered to the ISAE 3000 assurance standard, with exceptions like Wikimedia and X. The differences in standards and report structures highlight the need for uniformity in future audits.
EC Investigations
The European Commission (EC) launched formal investigations into 6 VLOPs and 1 VLOSE, leading to disclaimers of opinion in several reports. These investigations impacted the auditors' ability to obtain sufficient evidence for a conclusive opinion.
Common Issues Identified
- Notice and Action Mechanisms (Article 16)
- Gaps in Terms and Conditions (Article 14)
- Transparency Reporting Obligations (Articles 24 & 42)
Improvement Areas
Strengthening Internal Controls and Governance
- Develop robust policies for risk management, content moderation, and transparency reporting.
- Enhance General IT Controls (GITC) to support automated controls and compliance features.
Enhancing Documentation and Record-Keeping
- Standardize record-keeping practices for datasets, compliance reports, and recommender systems.
- Implement tools to track compliance activities and minimize human errors.
Improving Audit Readiness and Testability
- Maintain clear and accessible compliance records.
- Refine benchmarking methodologies to ensure they are unambiguous and testable.
Developing Mature Compliance Processes
- Establish clear workflows for marking cases as "DSA relevant" or as "suspicion of criminal offense."
- Harmonize multi-platform compliance strategies for companies operating multiple services.
Conclusion
The 2024 DSA audit reports highlight the need for platforms to improve internal controls, documentation, and governance frameworks to ensure compliance. Many platforms rely on substantive audit approaches due to evolving control environments, indicating a need for more structured compliance mechanisms. By aligning efforts with the DSA's objectives, platforms can enhance digital service accountability, safeguard user rights, and promote a safer, more transparent online space.