Summary
Under the proposed Cloud and AI Development Act (CADA), an auditing organisation is strictly disqualified from auditing a cloud computing service provider (CCSP) for Union assurance levels 2, 3, or 4 if it has provided "non-audit services related to the matters audited" within the 12-month period before the audit begins. Furthermore, as required by Article 20(4)(a)(i), the auditor must formally commit to refraining from providing such services for the 12-month period after the audit's completion. These temporal firewalls, combined with a 10-year ban on re-engagement for the same firm, are designed to safeguard the independence and objectivity of the sovereignty assessment.
Detail
The CADA proposal establishes a rigorous Union cloud computing sovereignty framework. For providers seeking recognition at Union assurance levels 2, 3, or 4, compliance is not self-declared; it must be verified by an independent third-party audit. To prevent conflicts of interest that could undermine the credibility of these assessments, the regulation imposes stringent independence criteria on auditing organisations. The primary provision governing these disqualifications is Article 20, specifically paragraph 4, which lists the mandatory requirements for any entity performing a CADA audit.
The 12-Month Look-Back and Look-Forward Rule
Article 20(4)(a) mandates that auditing organisations must be independent from the cloud computing service provider concerned and any legal person connected to that provider. The most critical temporal constraint is found in Article 20(4)(a)(i). This clause establishes a dual-sided firewall:
- The Look-Back: The auditing organisation must not have provided non-audit services related to the matters audited to the CCSP or any connected legal person in the 12-month period before the beginning of the audit.
- The Look-Forward: The auditing organisation must have committed to not providing such services in the 12-month period after the completion of the audit.
Together, these create a strict window of restricted engagement: 12 months before the audit begins and 12 months after it completes, 24 months in total on top of the audit period itself. The legislative intent is to prevent the "self-review threat," where an auditor might be asked to verify the effectiveness of controls, processes, or data flows that they themselves designed or implemented. It also prevents the "management threat," where an auditor could be influenced by the prospect of future lucrative consulting contracts.
Defining "Non-Audit Services Related to the Matters Audited"
While the CADA proposal does not provide an exhaustive, closed list of what constitutes a "non-audit service related to the matters audited," the definition must be interpreted in the context of the specific criteria in Annex II and the evidence requirements in Annex III. Based on the sovereignty framework's scope, "related matters" would likely include any service that directly influences the compliance criteria being assessed.
Examples of services that would likely trigger disqualification include:
- Designing or implementing the specific technical, organisational, or legal measures required to meet Union assurance level criteria (e.g., designing the data localisation architecture or the personnel screening process).
- Developing the Software Bill of Materials (SBOM) or the data flow diagrams that serve as primary audit evidence under Annex III.
- Consulting on the mitigation of third-country control risks, which is a core criterion for assurance levels 2, 3, and 4.
- Drafting the EU statement of conformity or the internal control procedures that the auditor is subsequently asked to verify.
If an organisation has helped build the controls it is now asked to verify, it cannot act as an independent auditor. Crucially, the disqualification extends beyond the primary CCSP to "any legal person connected to that provider." This prevents corporate groups from circumventing the rule by shifting non-audit consulting work to a subsidiary while the parent entity seeks the audit.
Additional Independence Constraints
Beyond the non-audit services restriction, Article 20(4)(a) outlines other disqualifying factors that in-house counsel must monitor to ensure a valid audit opinion:
- The 10-Year Audit Ban: Under Article 20(4)(a)(ii), the auditing organisation must not have provided auditing services pursuant to this Article to the same CCSP or connected legal person in the 10-year period before the beginning of the audit. This "cooling-off" period is an organisational ban; it prevents long-term auditor-client relationships that may breed familiarity threats. Rotating personnel within the same firm does not cure this disqualification; the entire legal entity (the auditing organisation) is barred.
- Prohibition on Contingent Fees: Under Article 20(4)(a)(iii), the audit cannot be performed in return for fees that are contingent on the result of the audit. This ensures the auditor's financial interest is not tied to achieving a "positive" opinion. Fees must be fixed or based on time and materials, never on the outcome of the recognition process.
Consequences of Non-Compliance
If an auditing organisation fails to meet these independence requirements, the audit report and the "positive" audit opinion it issues are invalid for the purposes of CADA recognition. Under Article 17, a CCSP must submit a "positive" audit opinion to the national competent authority to be recognised as offering a Union assurance level. If the auditor was disqualified due to prior non-audit services or a breach of the 10-year rule, the national competent authority is empowered to reject the application for recognition.
Furthermore, Article 24 empowers Member States to impose penalties for infringements of Chapter I of Title IV (the sovereignty framework). Penalties must be "effective, proportionate and dissuasive." Factors considered include the nature, gravity, and duration of the infringement, as well as any financial benefits gained. For CCSPs, relying on a disqualified auditor could result in a rejected application, significant delays in market access for sovereign cloud services, and potential liability for damages suffered by recipients of the service under Article 24(3).
What this means for you
For in-house counsel, compliance officers, and procurement teams at cloud computing service providers, these rules necessitate a rigorous vendor management protocol for auditing organisations.
- Conduct Pre-Engagement Due Diligence: Before contracting an auditing organisation for a CADA assurance level audit, request a formal, written declaration confirming that they have not provided non-audit services related to the audit scope within the preceding 12 months. Obtain written confirmation of their commitment to refrain from such services for the 12 months following the audit.
- Map Connected Legal Persons: Ensure the independence check extends to all legal persons connected to your provider. If a sister company, subsidiary, or holding company received non-audit services related to the matters audited from the auditor within the last year, the auditor is disqualified from auditing the provider itself.
- Review Historical Engagements: Check the 10-year history with the auditor. If you have used the same firm for CADA audits in the past decade, you must select a different organisation. This is a hard organisational ban, not a personnel rotation issue.
- Structure Contracts Carefully: Ensure audit fee structures are fixed or hourly. Never include "success fees" or clauses where payment is contingent on obtaining a positive opinion or recognition.
- Document Everything: Maintain records of these independence declarations and the due diligence performed. In the event of a regulatory challenge, a dispute over recognition, or a penalty investigation, you must be able to demonstrate that you verified the auditor's compliance with Article 20(4).
Common misconceptions
- "Any prior consulting relationship disqualifies the auditor." This is incorrect. The disqualification applies only to non-audit services related to the matters audited. If an auditor provided unrelated services (e.g., general HR consulting or unrelated tax advice) that have no bearing on the cloud sovereignty criteria, it may not be a conflict. However, given the breadth of CADA's technical and legal criteria, the scope of "related matters" is likely broad. When in doubt, assume it is related.
- "The 12-month rule only applies before the audit." Incorrect. Article 20(4)(a)(i) explicitly requires a commitment to not provide these services for the 12 months after the audit as well. The auditor must sign off on this future restriction as a condition of the engagement.
- "We can use the same auditor every year if we rotate the lead partner." No. Article 20(4)(a)(ii) prohibits the same auditing organisation from auditing the same provider within a 10-year period. Rotation of personnel within the same firm does not cure this organisational disqualification. The ban applies to the legal entity performing the audit.
Related
- CADA Audit Reports: What if an auditor cannot audit certain aspects?
- Can a CADA auditor revoke its audit opinion? Article 20 explained
- Who pays for the CADA audit? Provider costs explained
- Which CADA tier suits a financial services workload?
- Which CADA assurance levels require an independent audit?
This is general information about a draft EU regulation, not legal advice.