(added the rest from the document) |
(→Providing Auditor Qualifications: revised based on suggestions from auditors) |
||
| Line 199: | Line 199: | ||
'''DRAFT'''<br /> | '''DRAFT'''<br /> | ||
<br /> | <br /> | ||
Version 2.7.1 of Mozilla's Root Store Policy requires CAs to have their auditor provide information about the auditor's qualifications when they provide audit statements. The information needs to be sufficient for us to see that the requirements listed above have been met by the audit team, but does not need to specifically name the individuals on the team, other than the lead auditor who signs the audit statement. The | Version 2.7.1 of Mozilla's Root Store Policy requires CAs to have their auditor provide information about the auditor's qualifications when they provide audit statements. The information needs to be sufficient for us to see that the requirements listed above have been met by the audit team, but does not need to specifically name the individuals on the team, other than the lead auditor who signs the audit statement. The Audit Team may consist of one person provided that the person meets all criteria set out above and that there is an audit quality reviewer. | ||
* Date that the | |||
CAs must submit a summary of the Audit Team's qualifications and experience as outlined below with respect to the audit. The information can also be provided as part of the audit result documentation, like the Audit Attestation Letter (AAL), or as a supplement to the WebTrust Assurance Report. | |||
* Date that the audit report was signed | |||
* Full name of the CA that was audited | * Full name of the CA that was audited | ||
* Name of | * Name and address of the audit firm or Conformity Assessment Body (CAB) | ||
* | * Audit Criteria, e.g. ETSI / WebTrust | ||
* Proof of Accreditation (URL), see below. | * Proof of audit firm or CAB Accreditation (URL), see paragraphs below. | ||
* Lead Auditor | * Name of Lead Auditor (except where prohibited by law, otherwise, we ask that you not provide any personally identifiable information) | ||
* For the Audit Team and the Audit Quality Reviewer | |||
** Number of Audit Team Members | |||
** Academic qualifications or professional training received | |||
** Average Years of Auditing Experience auditing trust services or similar information systems | |||
** Experience, Special Skills, and Qualifications (e.g. audit/assessment principles and functions, information technology, software development, trust services, public key infrastructure, CA operations, and information security including risk assessment/management, network security, physical security, etc.) | |||
** Credentials, Designations, or Certifications (e.g. CPA, CISA, CITP, CISSP, CCSP/CCA/CCP, etc.) | |||
* For | * How the Audit Team and team members are bound by law, regulation or professional standards to render an independent assessment of the CA (e.g.https://pub.aicpa.org/codeofconduct/Ethics.aspx# 0.300.050 Objectivity and Independence; CPA Canada, Rule 204; or ETSI EN 319 403-1 Annex A, respectively) | ||
** Audit Team | * Name of the Insurance Carrier providing the professional liability or errors and omissions insurance coverage defined in CA/B Forum Baseline Requirements section 8.2. | ||
** Years of Experience | * Whether the Audit Team relied on any third-party specialists or affiliate audit firms, and if so, their names and where they performed services. | ||
** | |||
** Credentials/ | |||
* | |||
* | |||
* | |||
== Verifying WebTrust Auditor Qualifications == | == Verifying WebTrust Auditor Qualifications == | ||
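Review bot: In the new "Name of Lead Auditor" bullet, the parenthetical "except where prohibited by law, otherwise, we ask that you not provide any personally identifiable information" can be read either as asking for no personally identifiable information at all or as asking for none beyond the lead auditor's name. Suggest splitting it into two sentences: one for the legal exception to naming the lead auditor, and one saying that no other personally identifiable information should be provided. In the independence bullet, "e.g.https://pub.aicpa.org/codeofconduct/Ethics.aspx# 0.300.050" is missing the space after "e.g.", and the space after "#" separates the section number from the URL; a bracketed external link with the section number as link text would fix both. "Average Years of Auditing Experience auditing trust services" repeats "auditing". The added sentence allowing a one-person Audit Team requires "an audit quality reviewer" but does not say whether that reviewer must be a different person from the sole auditor; that should be stated explicitly.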