Type 1, Type 2 Audit – A Guide for the Uninitiated
If you are doing business in Malta or looking to use Malta as the base for your Initial Coin Offering (ICO), Blockchain project, Distributed Ledger Technology, Smart Contract or anything else classified by the Malta Digital Innovation Authority as an Innovative Technology Arrangement (ITA), then the chances are you will at some point need a Systems Audit performed by an Accredited and Registered Systems Auditor.
So, if you have come this far, you might be wondering what on earth Type 1 and Type 2 audits are.
Here is the official guidance from the MDIA.
Type of Systems Audit Reports
There are two types of Systems Audit Reports which may be issued:
Type 1 reports: The Systems Auditor expresses an opinion on whether the description of the ITA is fairly presented and whether the controls included in the description are suitably designed to meet the documented applicable criteria. This type of audit is typically carried out when an Innovative Technology Arrangement is in the process of applying to be certified by the Authority; or when deemed necessary by the Authority, or other Lead Authority
Type 2 reports: The Systems Auditor’s report contains the same opinions expressed in a Type 1 report, but also includes an opinion on the operating effectiveness of the controls during the period covered by the audit. This type of audit may be carried out periodically during the operational lifetime of an ITA; or on the request of the Authority or other Lead Authority in Malta.
This may be perfectly clear to some people reading this; however, sometimes these things are easier to understand if explained in another way.
Let's look at it in reverse.
Type 2 Audit
- If you are a business already operating an ITA in Malta then you need a Type 2 audit.
- If you started operating an ITA in Malta and have been operating it for a handful of months, then you need a Type 2 audit before you get to 6 months of operations.
- If you have had a Type 2 and are coming around to the anniversary of the ITA (i.e. from when you had the last Type 2 audit), then you will need an annual compliance certificate to be issued, which requires a Type 2 audit.
Why – because for any operational ITA the audit has to cover the actual operating effectiveness of the organisation and systems responsible for the ITA.
This is the difference between –
“we read the documentation and tested some of the assertions and elements that were in place to determine if what was there and what is planned, if operated effectively, would be sufficient”
and
“we checked the documentation and visibly through interview, demonstration, logs or screenshots gained evidence that proved the tasks were being performed according to the documentation”
Type 1 Audit
- If you are a business planning to operate an ITA in Malta but have not actually started yet and therefore cannot prove through direct evidence that what is planned is actually working
- If you have operational governance, processes, policies and procedures designed, along with an organisational structure to operate them and systems and network designs sufficient to document that ITA
This type of audit basically attests that if you build what you say you will and operate how you said you would, assuming that it is in line with the MDIA requirements for an ITA, then all is well.
Note: According to the guidelines set down by the MDIA – You cannot operate a ‘new’ ITA without a Type 1 audit having been performed, and you cannot continue to operate an ITA unless you have a Type 2 audit within 6 months of becoming operational.