Hello and welcome to working with ABC
We understand that being independently audited sounds scary but don’t worry, we’re here to help you achieve your TAG (Trustworthy Accountability Group) Seals.
While our auditors will hold your hand throughout the process, we’ve pulled together everything you need to know about TAG’s various requirements and what being audited looks like below...
High level info and blogs:
TAG Business Requirements
Overview & Examples of Audit Evidence
Steps to our TAG Audit process
We follow the same high-level tailored audit process for all, no matter which set of TAG standards you’re working towards.
Step 1: Pre-Audit – Consultancy (Getting you in shape prior to audit)
Our independent validation starts with a consultancy meeting with our Audit Manager. At this meeting we’ll:
- Talk you through the relevant TAG Guidelines
- Obtain a good understanding of your business and how it relates to the Guidelines
- Outline the audit process
Following the consultancy, if necessary, we’ll make recommendations for any areas that may need developing before the audit starts. This may be, for example, documenting some of the policies or procedures that you already have in place. We don’t take a pass or fail approach to the audit, instead we’ll work with to you to get to the point where your current TAG related business processes are ready to submit for verification.
Step 2: The Audit - Information Request & Call (Collecting evidence)
We’ll use the information gathered from the consultancy to prepare a tailored Information Request, setting out all the documents and process evidence that we’ll be looking for.
Once you’ve had time to gather the audit evidence, we’ll set up an Audit Call to talk through any questions we may have on the information sent. We’ll also use the Audit Call to walkthrough any applicable processes.
Step 3: Post Audit – The Audit Report (Sharing our results with TAG)
Upon completion of the audit, we’ll send our Audit Report to you and TAG describing how you comply with the relevant TAG Guidelines.
TAG will review our Report and, subject to their approval, update the TAG Registry to reflect your new TAG Seal expiry date and applicable geographies.
Once your Seal has been issued, you’ll enter into TAG’s annual renewal cycle which requires all the relevant documentation submitted to TAG by 31st January each year.
back to top
The TAG Brand Safety Certified (BSC) Requirements
How you comply with the BSC Guidelines is dependent on where your business sits within the digital advertising ecosystem:
|
Requirement |
Direct Seller |
Direct Buyer |
Intermediary |
1. |
Attend BSC Training |
✓ |
✓ |
✓ |
2. |
Ensure all Digital Advertising Agreements Adhere to Brand Safety and Anti-Piracy Requirements |
✓ |
✓ |
✓ |
3. |
Employ Effective Ad Misplacement Avoidance Services and/or tools |
✓ |
✓ |
✓ |
4. |
Document Policies and Procedures related to Employing Effective Ad Misplacement Avoidance Services and/or tools |
✓ |
✓ |
✓ |
5. |
Employ Pirate Mobile App Filtering |
✗ |
✓ |
✓ |
6. |
Define & Identify Key Roles & Resources |
✓ |
✓ |
✓ |
7. |
Ensure Inclusion/Exclusion Lists are Reviewed Quarterly |
✓ |
✓ |
✓ |
Alongside the above requirements, you’ll also need to complete Internal Quarterly Reviews to ensure the TAG Certified Against Fraud Guidelines are consistently followed.
back to top
Overview & Examples of Audit Evidence – TAG BSC
1. BSC Training
We’ll need confirmation that you’ve completed the TAG training, which can be conducted at any time online.
2. Ensure All Digital Advertising Agreements Adhere to Brand Safety and Anti Piracy Principles
Evidence may include:
- Insertion Order with targeting instructions.
- Generic Terms and Conditions detailing which CV Tools, Anti-Piracy tools or inclusion/exclusion lists are used and how they are implemented.
- Standard Contracts noting (a) specific categories of inventory to be excluded and how these categories have been derived, and (b) anti-piracy terms
- Policies and Procedures to monitor ad misplacement including a Take Down policy for any ad misplacement that may occur. This could either be included in the agreement or in a publicly facing ‘Brand Safety Policy’.
- Direct Sellers will be required to attest that they own or have the licensed right to the content appearing on their media properties.
3. Monitor and Detect Ad Misplacement
Evidence may include:
- Details on how inclusion / exclusion lists are created. We’ll test that these lists are being applied across 100% of monetized transactions.
- Details of how these lists are compiled and maintained, e.g. vetting processes for sites and apps.
- Details on the use of CV Tools or Anti-Piracy tools including:
- If contextual blocking is used.
- Is the tool set up as a pre-bid or post-bid solution.
- How the tool handles an ad that is deemed inappropriate.
- The use of the tool across 100% of monetized transactions.
- Details and examples of moderation controls over user generated content
- Direct Sellers will be required to disclose policies for the additional monitoring, detection and management of risk against ad misplacement, such as the use of editorial codes of conduct.
- Direct Sellers will be required to attest that they do not block or unduly restrict the legitimate use of Content Verification and Anti-Piracy services.
- Direct Sellers must disclose the means by which they ensure that their media properties do not host or stream pirate content.
4. Document Policies and Procedures to Minimise Ad Misplacement
Evidence includes:
- Making available documented brand safety policies and procedures which will include:
- How inclusion/exclusion lists are created and maintained and;
- How content is reviewed and flagged as brand safe, for example by use of a CV tool, AI or moderation.
- Policies and procedures around anti-piracy, including the use of an anti-piracy tool if applicable
5. Employ Pirate Mobile App Filtering
For Intermediaries and Direct Buyers only*.
*Important: TAG can provide you with the Pirate Mobile App List within your TAG Member Portal log in. However, the use of this list alone is not sufficient to meet the requirements and in-house filtering must also be applied.
6. Define & Identify Key Roles & Resources
Companies must define and identify the internal roles and resource(s) responsible for responding to any incidents of ad misplacement due to brand safety issues or piracy. These could be an individual or a team as well as any tolls used by those individuals or teams.
External roles and resources responsible for responding to any incidents of ad misplacement due to brand safety issues or piracy must also be documented. These are who the internal resources would communicate with for any brand safety or piracy issues.
7. Ensure Inclusion/Exclusion Lists are Reviewed Quarterly
Policies and procedures to maintain any inclusion/exclusion lists must be documented and followed as part of your Internal Quarterly Reviews. The methodology for adding/removing keywords, key-phrases, categories and digital media properties must be provided to TAG.
back to top
The TAG Certified Against Fraud (CAF) Requirements
How you comply with the CAF Guidelines is dependent on where your business sits within the digital advertising ecosystem:
|
Requirement |
Direct Seller |
Direct Buyer |
Intermediary |
1. |
Attend CAF Training |
✓ |
✓ |
✓ |
2. |
Employ Invalid Traffic (IVT) Detection and Removal |
✓ |
✓ |
✓ |
3. |
Employ Domain Threat Filtering |
✓ |
✓ |
✓ |
4. |
Employ Data Centre IP Filtering |
✓ |
✓ |
✓ |
5. |
Employ App Threat Filtering |
✓ |
✓ |
✓ |
6. |
Implement a TAG-Approved Follow the Money Solution |
✗ |
✗ |
✓ |
7. |
Implement & Honour ads.txt and app ads.txt |
✓ |
✓ |
✓ |
8. |
Employ Ads.cert Authenticated Connections for SSAI Billing Notifications |
✗ |
✗ |
✓ |
9. |
Employ Header Information in SSAI Ad Tracking Requests |
✗ |
✗ |
✓ |
10. |
Define & Identify Key Roles & Resources |
✓ |
✓ |
✓ |
Alongside the above requirements, you’ll also need to complete Internal Quarterly Reviews to ensure the TAG Certified Against Fraud Guidelines are consistently followed.
back to top
Overview & Examples of Audit Evidence – TAG CAF
1. CAF Training
We’ll need confirmation that you’ve completed the TAG training, which can be conducted at any time online.
2. Employ Invalid Traffic (IVT) Detection and Removal
All monetised transactions and/or inventory is measured and handled in a manner compliant with a TAG-recognised standard for IVT detection and removal. This includes impressions, clicks, conversions etc. and covers all types of digital inventory.
All inventory handled by a company must be filtered for IVT – including owned and operated media as well as any inventory handled on behalf of a third-party partner.
The type of evidence we may review is:
- Reporting from the accredited tool or ad server showing the blocking of IVT across campaigns
- A walkthrough of your platform showing the implementation and use of the accredited tool or ad server to block IVT as standard
- Policies and procedures detailing how the tool or ad server is used
- If you operate globally or across multiple entities, evidence of how the consistent use of the accredited tool or ad server is achieved such as central monitoring and/or training of relevant teams
- If a Direct Seller relies on intermediary partners for their IVT detection, all of these partners must have been awarded a TAG CAF seal
3. 4. & 5. Filtering
Domain Threat Filtering, Data Centre IP Threat Filtering and App Threat Filtering should be applied across all monetised transactions (including impressions, clicks, conversions etc.) All can be applied pre-bid or post-bid.
- Domain Threat Filtering is the practice of filtering out domains that are identified to have a high risk of being the origin and/or the destination for invalid traffic.
- Data Centre IP Threat Filtering is the practice of filtering out IP addresses that are identified to have a high risk of being the origin and/or destination for invalid traffic.
- App Threat Filtering is the practice of filtering out apps that are identified to have a high risk of being the origin and/or the destination for invalid traffic.
You must have in-house techniques for addressing each of the above. Your chosen accredited tool or ad server may apply a Domain Threat List, Data Centre IP* or App Threat filtering already.
*Important: TAG can provide you with the Data Centre IP List within your TAG Member Portal log in. However, the use of this list alone is not sufficient to meet the requirements and in-house filtering must also be applied.
6. Implement a TAG-Recognised Follow-the-Money Solution
For Intermediary’s only, the TAG-Recognised Follow-the-Money Solution verifies the path of payment. Solutions include (but are not limited to):
- the TAG Payment ID System or
- SupplyChain object and Sellers.json
The type of information we may review is:
- Evidence of the implementation, upload and maintenance of a Sellers.json file
- Evidence that the SupplyChain Object field has been included/populated in bid requests
- Evidence of the implementation of the Payment ID system for a sample of transactions
For additional guidance on how to implement the TAG Payment ID System, please reference the ‘TAG Product Specification for Payment ID System.’
7. Implement and Honour ads.txt and app ads.txt
A Direct Seller must publish an ads.txt file. If that company owns and operates media in the in-app environment, an app-ads.txt file must also be published.
A Direct Buyer must honor an ads.txt and/or app-ads.txt file where published.
An Intermediary must honor an ads.txt and/or app-ads.txt file where published.
The type of information we may review is:
- Evidence of the implementation, upload and maintenance of app-ads.txt files (Direct Sellers)
- Evidence of filtering for (app-) ads.txt authorised inventory in your platform (Buy side Intermediaries)
- Evidence of checking for app-(ads.txt) traffic when buying inventory from technology partners (Direct Buyers)
10. Define & Identify Key Roles & Resources
Companies must define and identify the internal roles and resource(s) responsible for responding to ad fraud events. These could be an individual or a team as well as any tolls used by those individuals or teams.
External roles and resources responsible for responding to any ad fraud events must also be documented. These are who the internal resources would communicate with for any ad fraud events.
back to top
The TAG Certified Against Malware (CAM) Requirements
How you comply with the CAM Guidelines is dependent on where your business sits within the digital advertising ecosystem:
|
Requirement |
Direct Seller |
Direct Buyer |
Intermediary |
1. |
Attend CAM Training |
✓ |
✓ |
✓ |
2. |
Define and Identify Key Roles and Resources |
✓ |
✓ |
✓ |
3. |
Define Escalation Process |
✓ |
✓ |
✓ |
4. |
Employ Effective Malvertising Detection and Removal Services |
✓ |
✓ |
✓ |
5. |
Review Monitoring, Reporting and Post-mortem Processes Semi-annually |
✗ |
✗ |
✓ |
6. |
Define Post-mortem Processes |
✗ |
✓ |
✓ |
Alongside the above requirements, you’ll also need to complete Internal Quarterly Reviews to ensure the TAG Certified Against Fraud Guidelines are consistently followed.
back to top
Overview & Examples of Audit Evidence – TAG CAM
1. CAM Training
We’ll need confirmation that you’ve completed the TAG training, which can be conducted at any time online.
2. Define and Identify Key Roles and Resources
Companies must identify, designate and document the responsible resource(s) on behalf of their partners. Evidence may include Vendor Terms of Service, SLAs and documented business expectations.
3. Define Escalation Process
Define and document processes for assessing malvertising events and determining whether an event is an incident as well as process for escalating malvertising incidents within their companies and with their partners.
4. Employ Effective Malvertising Detection and Removal Services
Applicable to Intermediaries and Vendors only for all advertising assets and landing pages.
Techniques may include:
- Scanning of campaign assets and landing pages
- Real-time detection based on blocklists, code analysis or third-party verification knowledge repositories
- Run-time behavioral analysis
Intermediaries must provide a description of the methodologies used to employ such malware detection and removal services, and a list of vendors used to execute such services.
5. Review Monitoring, Reporting and Post-mortem Processes Semi-annually
Applicable to Intermediaries and Vendors only. The Post-mortem processes should be documented and evidence of the reviews maintained, including any output from post-mortem investigations.
6. Define Post-mortem Processes
Applicable to Buyers, Intermediaries and Vendors only. Define and document the post-mortem processes.
back to top
Making use of our FREE marketing support
We want to ensure you get the most value from working with us and achieving your TAG Seal. That’s why we’ve created a suite of FREE supportive marketing tools for you to use. These include:
- Email signatures
- Personalised ads
- PR templates
- Educational powerpoint slides
These will all be provided to you upon completion of your audit. To discuss in more detail please contact Jo.