If you wish to Launch a Virtual Financial Asset (VFA) in Malta you will have to, amongst other things, find a VFA Agent.

The VFA agent is responsible for performing the Financial Instrument Test (FIT) to determine whether your offering is indeed, a VFA and therefore subject to a Systems Audit.

A VFA is a particular kind of DLT Asset (i.e. Assets whose function or existence is dependent upon a Distributed Ledger Technology) – There are many of these and the Financial Instrument Test has been designed to ease the process of determining what the asset is.

If after undertaking the test you find that your VFA does not meet the criteria, or your asset has been classified as a VFA when it should not be, then we can help.

STIS Group can work with VFA agents to verify the Virtual Financial Asset against the criteria in order to provide some level of assurance.

There are several things about the MDIA and MFSA required audits of which you can be sure of:

• They do require a significant amount of effort
• Getting in shape will cost time and resources for any organisation
• There are a lot of requirements/criteria across several areas to be satisfied
• A Systems Auditor does not come cheap (they have a lot of work to do and put their reputation on the line)
• Once commissioned a Systems Auditor can only provide a certain amount of help during the audit
• If an audit does not come out in your favour, you will have to have another one if you wish to start/continue offering the ITA

A pre-audit check from STIS Group is a great way to work out if you are in a good position to pass an MDIA or MFSA audit. If we are not your Systems Auditor we can provide as much help as you need.

Our pre-audit assessment provides an indicator as to whether in our opinion you would pass an audit or not, and where you should focus your attention and efforts if there are any areas which are either not in place, or need a little work.

Of course, we cannot guarantee that another Systems Auditor would agree with our assessment however because we know the process we are well placed to advise you and can even help with your justification if there is any disagreement.

In the unfortunate event that you fail an audit, you have two choices, give up and do not provide your offering out of Malta, or try again.

If you want to see why you might fail an audit – see our guide I need a Systems Audit for some reasons as to why this might happen.

I want to try again

The best option in our opinion will be to try again, as it is likely that you have invested a lot to get this far only to stumble at the last hurdle.

You could try a different Systems Auditor and maybe they will provide a favourable opinion, however the MDIA/MFSA are unlikely to accept a second opinion on the same evidence and testing unless the competence of the original Systems Auditor is in doubt.

Remediate the Issues

Your Audit should provide some clues as to what you did wrong and or why the Auditor did not provide a favourable opinion. Using this information and our help we can remedy the unfavourable items and help you develop new controls/artefacts that address the Auditors concerns.

In our experience most organisations are not used to having to read vast amounts of regulatory information and go through tests and audits before they can launch a product.

Organisations are specialists in their own areas of expertise,  whether it be gaming, crowdfunding, social networks, trading, manufacturing and retail, advertising etc

We have observed through the implementation of GDPR that compliance and regulation although accepted as necessary are a potential barrier to actually doing business.

It does not have to be that way

Don’t get bogged down in the rules and regulations, let us help you navigate the path to getting your product launched. Between us and your VFA Agent (if required) we can guide you through the process, all the way from your initial idea all the way through to a successful Systems Audit and launch of your product, including ongoing help throughout the life of your service.

We talk about the 66 controls elsewhere on this website – Development of controls for each of the 66 Audit criteria.

However, developing the controls is only half the problem (well less than half probably).

Controls need to be backed up by something material which satisfies the controls, including but not limited to the items below:

• A policy which enforces behaviour within your organisation
• A process which will be or must be followed by your employees
• A standard which must be adhered to when following a process
• Documentation of a system which must be used
• Training that must be undertaken by some or all staff
• Systems and technology that must be in place and functioning

Knowing which ones are the right ones to satisfy the controls and what they need to contain is a big ask for any organisation not familiar with the process.

The selection, execution and evidencing that each control is satisfied is ultimately down you.

We have 300 or so solutions and examples of the types of backup material we would expect you might need to cover the 66 top level controls.

If we are not your Systems Auditor then we can provide, documentation, templates, guides, logs, training, training material, and standards to meet all the requirements.

We can also provide help with Technology selection and implementation, Security Testing, Data protection and Infrastructure Operations.

Bear in mind that your Systems Auditor, whoever they are should not write the controls for you, or provide material to help you satisfy the controls.

If you are offering an ITA and have worked out that you need your ITA to be audited by a Systems Auditor then you will hopefully be familiar with the 66 controls. Indeed, there are 66controls across 15 Different areas.

Each of the 15 sections is split into a number of high-level controls, which may be applicable to the type of ITA being offered. In relation to the above table.

• IVFAO is a VFA
• DLT otherwise a Blockchain technology
• Smart Contract or other application type running on top of a Blockchain
• ITA Other – if an ITA is not covered explicitly by one of the above then it may still require a systems audit and the client/auditor will decide the applicable controls

On the plus side not all 66 controls will be applicable to every ITA and even the ones recommended may not be in scope for your ITA. If you can justify why a control is out of scope and your Systems Auditor agrees then you do not need to be audited on it. STIS Group can help with this – Advice and guidance on scoping and how to justify out of scope criteria.

For each of the controls required and not justified as out of scope you need to be able to demonstrate how your proposed solution satisfies the control in the case of a Type 1 audit, and prove that it does so in the case of a Type 2 Audit.

It is highly likely that each of the 66 controls will require more than one piece of evidence. For example, control 65, is likely to require at least 3 different sub controls.

Control 65 – Data Disclosure

“The Auditee retains a complete, accurate, and timely record of processing of personal data including a record of users performing the processing and the results of the processing.”

STIS Group have already examples and guidance relating to backup material which will help you design controls that are likely to be acceptable to other Systems Auditors, and they are all available via our online auditing tool.

Provided we are not your Systems Auditors the STIS Group can help develop controls, if we don’t already have something suitable you can use, we will work with you to develop one that suits your needs.

One of the most critical areas you will need to consider when commissioning a Systems Auditor will be the scope of the audit.

Most Systems Auditors will base the cost of the audit on the complexity of the audit and the organisation and the risk which is in some ways proportional to the number of relevant audit controls.

It is also worth noting that the less controls you need to satisfy then the less work you will have to do.

There are 66 top level controls in scope for a DLT audit, 57 for an IVFAO and 54 for Smart Contract as defined by the MDIA – Development of controls for each of the 66 Audit criteria.

HOWEVER: These are not set in stone, a VFA or Smart Contract might need those missing controls (in some circumstances), or a number of controls could be put out of scope.

Placing controls out of scope might seem like a good idea when you commission an audit, but BEWARE you have to be able to justify why the control is out of scope and ultimately the MDIA may not agree.

What does that mean for you the client

Consider the situation where you  commissions an audit based on 33 controls being in scope and 33 out of scope, so this would be 50% of a full audit and might attract a 50% discount on the controls element of the full cost – (don’t forget the report, opinion, account management etc. will mostly be the same effort regardless of controls, and of course the work to check the out of scope items will also need to be considered).

The Systems Auditor quotes for the work and assesses all of the controls in scope.

You then submit the Systems Audit Report with the other ITA documentation for review by the MDIA, on reviewing the submission the MDIA decide that one or more controls that you put out of scope ARE applicable.

You are now in a situation where you now need to go back and generate new control criteria for the controls put back into scope and ask the Systems Auditor to review them.

In this instance the audit is likely to be delayed and controls are not invented quickly, the Systems Auditor is also likely to change the total price, since the assumptions around the number of controls is now no longer correct.

A Type 2 Audit is likely to require an onsite presence or at least some interaction between your staff and the Systems Auditor, this is because in a Type 2 audit the auditor will want to evidence that what you say is being done is actually being done and is following the processes, policies and procedures you have written.

This interaction may not be confined to operational staff only, since Data Protection awareness, knowledge of the Information Security Policy, how to respond to incidents etc. are elements that all employees should be aware of.

All the above are some of the requirements that sit behind the 66 high level controls.

• If you don’t have an Information Security Policy we can help
• If your staff need GDPR Awareness training we can help
• If your staff need training around general IT Security and how to respond to Incidents/Breaches or requests we can help
• Additionally, we are able to coach administrator’s, HR, security personnel on how to approach an audit and dry run the interview process so your staff know what to expect

We can also provide help and guidance on how to write policies, procedures, processes, etc. if you don’t want to use the ones we have already created.

Please bear in mind that under the strict rules of the MDIA concerning conflict of interested and maintaining our independence, we can not do both audit preparation and your audit, this would be seen as making our own homework.

Of course, we would love for every enquiry and every ITA provider to use STIS Group as their systems auditor – realistically of course this is not going to happen.

There are many reasons why you would select one auditor over another – apart from price, which is always a consideration, it really should not be your main criteria.

How to select a Systems Auditor

1 – First and foremost you can only use authorised accredited systems auditors, which means those who have been authorised to perform VFA audits for the MFSA along MDIA guidelines, and for MDIA audits those who have been fully accredited as Systems Auditors – list can be found here https://mdia.gov.mt/systems-auditor/.

2 – Find an auditor who understands the process – just because an auditor is accredited it does not mean that they can guide you coherently through the process – talk to them and see if what they say makes sense.

3 – For an MDIA audit you need your choice of auditor to be agreed upon by the MDIA – if they are not then you cannot use them.

4 – Ask about their audit process – each auditor will have their own process, some will be completely hands off which might suit an organisation who already is comfortable with the audit process. Other Systems Auditors including STIS Group are hands on and provide as much help and guidance as possible without compromising independence.

5 – Ask what systems, tools or processes the Systems Auditor might use to help you through the process, and are you comfortable using them.

6 – Ask what their policy is if you fail the audit – do you pay full price for another one?

7 – How much will they charge you to be retained as your Systems Auditor – you need a Systems Auditor on your books throughout the life of the ITA.

8 – What clauses are there in the contract restricting you if you wish to change Systems Auditors, and will they migrate your information post audit, or even mid audit.

9 – Are your auditors compliant with GDPR – do their contracts have the appropriate GDPR clauses in them, if they don’t follow their own GDPR guidance  how are they going to assess your data protection controls.

There are others consideration of course but asking these simple questions might help you avoid comparing apples with oranges.

MDIA Report and What Type of Audit is Right for me?

If you are working through the MDIA ITA requirements and have come to the stage where you need a Systems Audit, then read on to find out what type of audit might be best for you.

If you already know about the ITA process then go directly here Which Audit is Right for me otherwise read on.

The ITA Application process

My organisation has in place or is planning to implement an Innovative Technology Arrangement (ITA) what do I need to do and how can STIS Group help?

“Innovative Technology Arrangement”, also referred to as “ITA” within this page, as defined within the First Schedule of the Innovative Technology Arrangements and Services Act, 2018. For the avoidance of doubt, this definition includes, inter alia, any ITA supporting an IVFAO, Providers of VFA Services or similar arrangements.” – From the ITA Guidelines

Your Responsibilities

It is your responsibility to fulfil the requirements for an ITA application and part of that application is a Systems Audit report of which the Systems Auditor Opinion is the critical part.

How the Process Works

The MDIA indicates what type of Systems Audit is Required based on the rules below

• For a non-operative ITA (i.e. ITAs that, at the time of application for an ITA certification, are not yet live or have been operating for less than six (6) months), the Authority shall initially require a Type 1 Systems Audit to be conducted).
• If a certificate is granted for the above then a Type 2 audit will be required 6 months from the go live date of the ITA.
• A Type 2 audit is required on an annual basis for any live ITA that has been operating for over 6 months.

You “the Auditee” must provide a Written Assertion….

A written assertion should be provided by the Auditee and include whether in all material respects, and based on suitable criteria (from the MDIA documentation):

• The Auditee’s description(see next section) of the Innovative Technology Arrangement fairly presents the ITA that was designed and implemented throughout the period in the case of a Type 2 Report (or “as of [date]” for a Type 1 Report);
• The controls stated in the Auditee’s description of the ITA were suitably designed throughout the specified period in the case of a Type 2 Report (or “as of [date]” for a Type 1 Report) to meet the applicable Control Objectives;
• In a Type 2 Report, the controls stated in the Auditee’s description of the ITA operated effectively throughout the specified period to meet the applicable Control Objectives.

Where “as of [date]” would be the date of the audit – for a Type 1, audit.

Innovative Technology Arrangement Description

The Auditee is responsible for preparing the ITA description, including the completeness, accuracy, and method of presentation of the description, and ensure that such description is in line with the ‘Innovative Technology Arrangement Guidelines’ issued by the Authority.

The description should clearly detail the services performed by the Auditee to enable the user of the Systems Audit Report to understand the structure and processes supported.

The depth of detail should enable the report user to identify risk areas where controls that address the specific control objectives in each category have been implemented by the Auditee.

Selection of the Applicable Categories and Control Objectives

Control Objectives are set out in the “Systems Audit Control Objectives” document issued by the Authority. From time to time, the ‘Systems Audit Report Guidelines’ and the ‘Systems Audit Control Objectives’ may be updated to cover additional areas as required by the Authority. The Auditee may identify Categories and Criteria set out in the Systems Audit Control Objectives that are not applicable to the particular ITA, however, the rationale for each exclusion needs to be explained and documented in the Systems Audit Report.

The Systems Audit Report must include a section identifying the Criteria that is covered by the Systems Auditor and the Subject Matter Experts who were responsible for the Audit of those criteria.

“The Auditee is responsible for designing and implementing controls to achieve the applicable criteria, identifying the risks that threaten the achievement of the applicable criteria, and evaluating the linkage of the controls to the risks that threaten the achievement of the applicable criteria. In many cases, the Systems Auditor may be able to obtain the Auditee’s documentation of its identification of risks and evaluation of the linkage of controls to those risks. In these instances, the Systems Auditor may evaluate the completeness and accuracy of the Auditee’s identification of risks and the effectiveness of the controls in mitigating those risks.”

What does the mean in simple terms?

It’s probably easier if we work backwards through the requirements.

Applicable Controls

For each of the controls applicableto your ITA, you need to demonstrate to the Systems Auditor how you achieve the intention of the controls – this may be either by explicitly creating control descriptions and tests which adequately fulfil the control objectives.

Or

By providing existing material such as documentation, tests, logs, descriptions, policies and procedures which serve to adequately fulfil the control objectives.

Controls that are not Applicable

For any control that you feel is not applicable you, the auditee must provide a reason as to why it is not applicable and it must be clearly explained and documented in the report. In theory you can put any control out of scope if you do not believe it is pertinent to your ITA.

What are the Consequence of Putting Controls out of Scope?

The MDIA has provided guidance on which controls are applicable for each type of ITA.

If you put one of these controls out of scope the justification you provide must satisfy the MDIA such that they are sure you do not need the control.

One mechanism they might use for this is the Systems Auditors assurance report which provides and opinion on the ITA and the controls against the Blueprint.

If the Systems Auditor on examining the controls and the Blueprint (or whitepaper) determines there is a mismatch and that one or other of the out of scope controls would satisfy the mismatch then the opinion will reflect that finding.

Criteria Covered in the Report

This section of the report identifies all of the controls considered in scope and who from the Systems Auditor team was/is responsible for auditing that control. 

So, I need a Systems Audit so I can submit a Written Assertion?

A Systems Audit is required so that the Issuer can submit a Written Assertion  to the MDIA (Malta Digital Innovation Authority) or the MFSA (Malta Financial Services Authority) depending on whether the ITA is classified as a DLT, Smart Contract or VFA. The purpose of the report is to confirm that reasonable standards with reference to the specific purposes, qualities, features, attributes, behaviours and/or aspects of the ITA are met.

The Issuer/Auditee is responsible for the Assertion but it is the Systems Auditor who provides IASE 3000 type assurance report – ‘the opinion’ on whether the standards have been met.

Which Audit is Right for Me?

So, you know if you need a Type 1 or a Type 2 audit – or even an Enhanced audit, so the next question is how comfortable are you with the process and how much of the work do you want to do yourself?

The MDIA guidelines say that the Auditee is responsible for designing the controls to satisfy the requirements that are in scope. Assuming you are implementing a DLT type ITA then that is at least 66 controls you will need to satisfy. Assuming you put some out of scope and they are correctly justified then you might have 45 controls for example.

How comfortable are you that you can create the sub-controls you need to satisfy each high-level control and that they will be sufficient to enable the Systems Auditor to provide a favourable opinion.

Standard Audit

(I don’t need any help with controls, or creating the report description and assertion)

The standard audit places all the responsibility on you to write the report, submit the description and the assertion and to prove to us, your Systems Auditor, through the controls that your ITA and the Blueprint for the ITA will function, or would function as expected. What this means is:

• You work through the 66 (or less) and either provide justification to put them out of scope or provide one or more sub-controls that satisfies us.
• We assume you know what you need to do and are confident in being able to interpret the controls sufficiently to allow us to provide the assurance.
• This type of audit benefits the experienced auditee, because you don’t pay us for services you don’t need.
• You submit all of your controls and documentation; we provide our opinion and that ends the standard audit.
• Help is available if you need it but is chargeable.

If you start with a standard audit and subsequently find out that you need a bit more help than you originally thought then there is always the option to upgrade…

Premium Audit

(I can create controls when I know what they should look like and have some idea of what you are expecting, and I might need to ask a lot of questions along the way)

This type of audit allows you to get help when you need it.

For example,

• What should my report look like?
• What are the elements of a report?
• What is the intention of this control i.e. what does it mean?
• Are my controls sufficient?

Independence of the Systems Auditor

It must be noted that under no circumstances can we as your Systems Auditor, write your Written Assertion for submission to the MIDA, or write any controls for you.

The MDIA guidance on the controls is enough for the experienced to determine what is needed. For the inexperienced we bridge the gap, whilst remaining independent

Can you help me Decide?

We are happy to talk you through the process and give you more detail about each audit type but ultimately it is your choice.