# How are the CA’s systems designed?
# How well are CA processes documented and programmatically enforced for compliance with industry requirements?
# How does the applicant reduce operational risk and maintain an error-free, compliant operation?
# What pre-issuance lint testing does the CA use? What other automation does the CA use to reduce risk?
# What mechanisms ensure that the CA system is agile to change when required for privacy, security, or compliance reasons?
# What is the quality of execution? What measures does the CA implement to quickly address compliance incidents?