Summary

Under the proposed Cloud and AI Development Act (CADA), audit criteria are the cumulative requirements in Annex II that a cloud service must meet to be recognised at Union assurance levels 2, 3 or 4, while audit evidence is the information an auditing organisation uses to verify that those criteria are met. Article 2(19) defines the criteria; Article 2(20) defines the evidence. In short, criteria are the rules and evidence is the proof. Both feed the positive or negative audit opinion that, under Article 17, underpins recognition for public-sector procurement.

Detail

The distinction between criteria and evidence sits at the heart of CADA's sovereignty audit. The proposal defines the two terms separately, with separate sources and separate functions.

Article 2(19) vs Article 2(20)

  • Audit criteria — Article 2(19). Defined as "the criteria, pursuant to Annex II to this Regulation, against which the auditing organisation assesses whether the audited provider and its audited service comply with each cumulative criterion to be met for it to be recognised as offering Union assurance levels 2, 3, or 4." These are the rules: the cumulative obligations in Annex II covering Union establishment, location of infrastructure, assets and personnel, data localisation, personnel requirements, cybersecurity certification, software supply-chain controls and absence of third-country control. For example, for Union assurance level 3, Annex II, Section 3.1(d) requires that the personnel involved in providing the service "are Union citizens" and, where appropriate, hold the necessary national security clearance. The criterion is the rule itself, not the proof it is satisfied.

  • Audit evidence — Article 2(20). Defined as "any information used by an auditing organisation to support the audit findings and conclusions and to issue an audit opinion, including data collected from documents, databases or IT systems, interviews or testing performed." This is the proof: the records, artefacts and observations that demonstrate the criteria are met. For the citizenship example, evidence would include employment records, identity documentation and access records as relevant.

Criteria as the standard, evidence as the support

Article 21(1) ties the two together: to prepare the audit report and opinion, "the auditing organisation shall assess the compliance of the audited service with the criteria set out in Annex II on the basis of the audit evidence listed in Annex III." Annex III is indicative and organised by audit criterion (A–K), each mapping to a paragraph of Annex II. For location of infrastructure, for instance, Annex III (Audit criterion B) expects a list with "the precise location (number, street, city, postal code and country)" of the infrastructure and "network diagrams and architecture documents" showing exclusive use of Union-based infrastructure. A provider cannot satisfy the audit by asserting compliance; it must produce the evidence.

Feeding the audit opinion for levels 2–4

The two concepts culminate in the audit opinion. Article 20(1) requires providers seeking recognition at levels 2, 3 or 4 to undergo independent third-party audits to obtain an audit report and an audit opinion. Under Article 20(5)(g), the report must include "a 'positive' or 'negative' audit opinion and any information on whether the audited service of the audited provider complies with the applicable audit criteria for Union assurance level 2, 3 or 4 pursuant to Annex II." Where the opinion is negative, Article 20(5)(h) requires operational recommendations and a timeframe; where positive, Article 20(5)(i) requires the assurance level to be recognised.

The opinion is not a matter of the auditor's good faith. Article 21(2) requires that audit evidence be (a) "relevant and sufficient to enable the auditing organisation to prepare an audit report and provide an audit opinion" and (b) "reliable, according to the auditing organisation's professional judgment and scepticism." If the evidence is insufficient to prove compliance with a criterion, the auditor cannot support a positive opinion for that level — which is what gives the Union assurance label its weight.

Practical implications for providers

  1. Map criteria to evidence. Systematically map each Annex II criterion to the evidence you can produce. For "no third-country control" (Annex II, Section 3.1(g) / Section 4.1(g)), the relevant evidence — shareholder and cap-table details, governing-body composition, veto and other specific rights, and commercial or financial links — is set out in Annex III, Section 7.
  2. Keep evidence ready. Article 20(2) requires providers to give auditors access to all relevant data and premises and to refrain from hampering the audit. Weak or missing evidence can produce a negative opinion even where the underlying position is sound.
  3. Respect the cumulative nature. The criteria are cumulative (Article 20(1)); a higher level requires all lower-level criteria too, and failure on any one precludes the higher level.

What this means for you

For in-house counsel and compliance officers:

  • Prepare evidence, not just policy. When preparing for a level 2–4 audit, gather the records (logs, contracts, diagrams, personnel records) that prove your policies are implemented. Auditors test the evidence (Article 21(2)).
  • Build evidence rights into contracts. Ensure contracts with subcontractors let you extract the evidence the audit needs; the criteria and evidence apply to subcontractors involved in providing the service.
  • Mind enforcement exposure. Article 24 requires Member States to lay down penalties that are effective, proportionate and dissuasive. Note that an auditing organisation may revoke its report and opinion where a provider, intentionally or negligently, supplied incorrect or misleading audit evidence (Article 20(7)).
  • Protect public-market access. Recognition for public procurement depends on a positive opinion, which depends on sufficient, reliable evidence.

Common misconceptions

  • "Meeting the criteria is enough." Reality: You must prove it. Article 21 requires the assessment to be made on the basis of the audit evidence listed in Annex III.
  • "Audit evidence is just internal documentation." Reality: Article 2(20) covers documents, databases, IT systems, interviews and testing, and Article 21(2) requires it to be relevant, sufficient and reliable. Internal policy documents alone are unlikely to suffice.
  • "The audit opinion is a permanent certificate." Reality: Article 20(8) requires the provider to submit the report and positive opinion for annual review, and the auditing organisation may confirm, update or revoke it. Article 23 also imposes transparency obligations on material changes in circumstances.

This is general information about a draft EU regulation, not legal advice.