Analysis: Applying the Principles of Audit to Online Harms Regulation


Posted on: 30th July 2020
By Multiple Authors
Max Beverton-Palmer
Director of the Internet Policy Unit
Rosie Beacon
Policy Analyst

This note is a companion analysis that supports the recommendations set out in our report "Online Harms: Bring in the Auditors".

Background on audit

Financial audit involves three core elements:

  1. A risk assessment 
  2. Evidence gathering in response to the risk assessment 
  3. Reporting the audit opinion to shareholders, based on the evidence obtained 

The financial auditing industry could be used as a template for an online harms regulator to deploy these elements in a non-financial, qualitative capacity. 

The risk assessment is a particularly important exercise, as the auditors build up a detailed understanding of the business to enable them to assess the risk that the statements as a whole might be materially misstated. Auditors have to look for what might be missing, as well as what they are presented with. This external test of veracity is currently missing from the periodic transparency reports published by social media platforms. The exercises of risk assessment and evidence gathering both involve evaluating and testing controls, discussions with directors, senior management and staff, and a variety of analytical procedures.

It is also worth noting that there is a clear distinction between an external audit and an inspectorate regulator (such as Ofsted). Inspections are more binary and prescriptive than an audit, and they focus on actions at a single point in time, such as how many fire extinguishers are needed in a school. Audit also has various layers, including exploratory reviews and risk assessments, and culminates in a judgement and recommendations, whereas inspections usually result in straightforward actions.

Lesson 1: Transparency Reporting Needs to Be Enhanced With Independent Scrutiny 

The first lesson to be learned from the current auditing system is that it demonstrates how public reporting (i.e. transparency reports) can work in tandem with audit, as is common practice in regulated public interest entities (PIEs). The exercises of reporting and audit are in fact quite different – they both provide scrutiny and oversight, but in different ways. Reporting provides periodic transparency to the regulator and originates from the company in question. Reporting can take the form of raw data or of information on the way companies operate and manage social and environmental challenges. Audit is an independent verification of annual accounts and originates from an external auditor. It is worth noting that not all regulatory reports are subject to an independent audit, which is also the case with transparency reports from social media platforms. Most commonly, financial reports are audited, but in recent years there has been a trend towards verifying more qualitative forms of information.

The notion of objective assurance on qualitative data is gaining momentum. For example, Philips has published an integrated Annual Report since 2008. This report links its business strategy with environmental and social trends, combining financial performance disclosures with sustainability performance data. In 2008, KPMG provided limited assurance on the non-financial information in the first integrated report. In 2010, Philips started a project with KPMG, “The Road to Reasonable Assurance”, which looked at obtaining higher levels of assurance on controls around non-financial information. This culminated in a new system, Credit 360, to manage sustainability data and enable audit trails. As of 2011, the report carries reasonable assurance on its non-financial data.

Lesson 2: External Scrutiny Can Make Internal Governance Structures More Accountable

Secondly, external scrutiny forces companies to impose stronger internal governance structures. External audit and regulatory pressure help ensure more consistent compliance, and would be particularly useful if the regulator were to aim to reduce harms at a systemic level. As part of its Online Harms recommendations, the Carnegie Trust promotes a regulatory system that can assess the lifecycle of decision-making in a platform. When new tools are rolled out, what kind of principles are being prioritised – is it personalisation, balance, diversity, transparency? Having consistent oversight of these kinds of decisions, as opposed to oversight only during the audit period, could be critical to effective governance of platforms that are fundamentally fast-moving and innovative.

Lesson 3: Regulators Need Systems to Understand Compliance With Processes As Well As Outcomes

Internal compliance teams are critical in ensuring business decisions are aligned with the statutory obligations of regulation. Such teams are crucial in fostering collaboration with the regulator and would also help ensure the platforms are not suffocated by ineffective regulation. 

Proportionate regulation and audit can help empower internal compliance teams to have more influence within their companies. A productive relationship between those being regulated and the regulator will be critical in the context of social media companies; it should not be underestimated how, like broadcast media, they have to react to political, social and cultural trends and therefore often require quick judgement, which should be aligned with regulatory values.

This kind of collaborative relationship also lends itself to another desirable attribute of the auditing industry: ensuring compliance with processes as well as with output. By creating accountability along the “audit trail”, processes could be evaluated for efficiency and challenged, and compliance could be more easily monitored. It would allow the regulator to investigate whether the platform has done everything it believes it is able to do to prevent harm, as opposed to focusing solely on a quantitative output.

Online harms in particular can be difficult because determining what should and should not be on a platform can be subjective. Enforcing procedures, as well as output, will avoid regulators having to make prescriptive decisions about how each particular harm should be dealt with, which is neither practical nor desirable, given the risk to freedom of expression. There is no practical way of pre-empting every social/cultural/political issue that occurs in content moderation, so the most efficient way of mitigating these risks is by curating procedures that are as versatile as possible.

Lesson 4: The Regulator Need Not Be The Sole Centre Of Expertise For Holding Online Platforms To Account

The regulator needs to be independent enough to objectively analyse the effectiveness of processes, with the ability to understand the technical nuances of platforms. While collaboration with compliance teams would help bridge a knowledge gap, it would not be practical to depend on this or the skills of the regulator alone for technical expertise. 

Audit shows that independent centres of expertise can effectively scrutinise processes – even the most junior auditors need the ACA accounting qualification in order to be considered an auditor, which usually takes three years. The equivalent level of technical expertise would be particularly important for social media platforms, as their business models and safety mechanisms largely depend on computer science and commercial understanding.

The regulator should act as the explainer and translator to the public. The regulator should take advantage of its own information-gathering powers to properly challenge areas that the general public may not immediately notice or have visibility over – such as the granularity of data security policy or algorithmic design – but rely on audits for more continuous assurance of standards. 

Audits are also a useful method of enforcement – first, because they enable regulators to act on poor audit reports and, second, because of the reputational risk to platforms: audit reports can speak to a platform’s viability as a business (as they do with financial audits). A negative audit report could harm a platform both in terms of its user base and its share price.

Lesson 5: There Should Be Global Coordination on Qualitative Auditing Standards 

UK financial auditing standards are dictated by the Financial Reporting Council and are closely aligned with the International Standards on Auditing used in more than 175 countries. Similarly, the International Federation of Audit Bureaux of Certification is a global federation of industry-sponsored organisations who recognise that advertising and media data need to be independently verified and readily accessible. The audit itself is done on a national basis but founded in international frameworks. 

Online platforms should collaborate with one another and with potential regulators across the world to establish transparency reporting and audit standards that can be incorporated into national law. An underlying international framework would help national regulators collaborate and allow them to make well-balanced and effective decisions regarding global companies. 

Many technology companies already subscribe to the Santa Clara Principles on Transparency and Accountability, demonstrating industry-wide buy-in to transparency principles.
