Today's online platforms rely heavily on recommendation systems to serve content to their users; social media is a prime example. In turn, recommendation systems largely depend on artificial intelligence algorithms to decide who gets to see what. While the content social media platforms deliver is as varied as the users who engage with them, it has been shown that platforms can contribute to serious harm to individuals, groups and societies. Studies have suggested that these negative impacts range from worsening an individual's mental health to driving society-wide polarisation capable of putting democracies at risk. To better safeguard people from these harms, the European Union's Digital Services Act (DSA) requires platforms, especially those with large numbers of users, to make their algorithmic systems more transparent and follow due diligence obligations. These requirements constitute an important legislative step towards mitigating the systemic risks posed by online platforms. However, the DSA lacks concrete guidelines to operationalise a viable audit process that would allow auditors to hold these platforms accountable. This void could foster the spread of 'audit-washing', that is, platforms exploiting audits to legitimise their practices and neglect responsibility. To fill this gap, we propose a risk-scenario-based audit process. We explain in detail what audits and assessments of recommender systems according to the DSA should look like. Our approach also considers the evolving nature of platforms and emphasises the observability of their recommender systems' components. The resulting audit facilitates internal comparability (among audits of the same system at different moments in time) and external comparability (among audits of different platforms) while also affording the evaluation of mitigation measures implemented by the platforms themselves.