Are internal auditors able to perform the audits as mentioned in paragraphs 1 and 2 of the RTS on strong customer authentication and secure communication?
Is there a difference in the answer to this question between the audits referred to in paragraphs 1 and 2 of Article 3 of this RTS?
Article 3(1) of the RTS states that the auditors performing the review of security measures should be “auditors with expertise in IT security and payments and operationally independent within or from the payment service provider”.
Article 3(2) of the RTS states that “The auditor performing this audit shall have expertise in IT security and payments and be operationally independent within or from the payment service provider. During the first year of making use of the exemption under Article 18 and at least every 3 years thereafter, or more frequently at the competent authority's request, this audit shall be carried out by an independent and qualified external auditor.”
In many cases, internal auditors will be included in the project team for the implementation of the PSD2 / RTS requirements. This can be seen as operationally dependent because, if they performed the audit, they would be auditing an object that they have helped to implement. However, it seems quite hard to know if an internal auditor has helped with the implementation of the requirements in the RTS. Therefore it seems very hard for the national authority to be able to assess whether an internal auditor qualifies as "operationally independent".
The background for the second question is the following, stated in paragraph 2 of Article 3 (last sentence): "this audit shall be carried out by an independent and qualified external auditor".
Article 3 of the Commission Delegated Regulation (EU) 2018/389 requires an operationally independent auditor with expertise in IT security and payments, who is not required to be external, for the general audit of all the security measures foreseen in the RTS. Further, paragraph 2 of this Article, in the case of payment service providers making use of the exemption under Article 18, explicitly requires an independent and qualified external auditor to carry out the first audit and at least every 3 years thereafter in relation to the exemption under Article 18 of the same Regulation.