Certainly, situations such as the outbreak of COVID-19 (Coronavirus) provide significant business challenges, not to mention all of the heartache felt by those suffering personally. From a business standpoint, the outbreak of the Coronavirus is a reminder of how fragile companies are to events out of our control. It is also appropriate to include the outbreak with natural disasters / acts of God when contemplating the necessary reaction needed, both for the enterprise, its stakeholders, auditors, etc. These types of events are also the very reason companies adopt Business Continuity Plans / Disaster Recovery Plans. When the rubber hits the road, these plans are put to the test.
Auditors are challenged on how these types of events affect the scope of the engagement, in particular the nature, timing, and extent of testing necessary to provide the assurance needed to express an opinion on the subject matter of the engagement. Depending on the circumstances of the event, auditors could be challenged with how to physically inspect documents or access essential critical security installations when travel restrictions are in place, or even faced with the availability of necessary documentation/artifacts relevant to the audit that are damaged or destroyed. These scenarios can present significant challenges for the auditor in trying to cover those necessary elements needed to cover the entire scope of the examination.

Ultimately, when an auditor is not able to obtain assurance on the entire scope of the engagement, and realizing that a carved-out approach is not permitted in a WebTrust audit (for example, when a certain data center cannot be visited to observe controls operating and the underlying documentation), the auditor will not be able to provide an unmodified/unqualified/clean opinion and the client would not be able to display the WebTrust seal. In these situations, the auditor would include an explanatory paragraph that details what gave rise to the scope limitation and issue one of the following modified opinions:

• Qualified opinion (when conditions are least severe but significant enough to mention), stating an "except for" paragraph explaining the condition(s) arising from the scope limitation, such as not being able to test the data center.

• Adverse opinion (when conditions are more severe), stating that the conditions are such that, due to the severity of the scope limitation, the auditor states controls are not operating effectively and they were not able to satisfy themselves that the necessary controls were able to operate.

• Disclaimer of opinion (when conditions are most severe), stating that the auditor is unable to form any opinion due to the nature of the scope limitation.

If the potential threat of a scope limitation is primarily due to an auditor not being able to travel to perform necessary testing, as with the Coronavirus, there are potential remedies for the auditor to consider, including, but not limited to:

• Using the work of another auditor, whereby the lead auditor verifies the independence, qualifications and technical competency of another firm that can do a portion of the work, and the lead auditor directs the work, plans, supervises and reviews the other auditor's work, taking ultimate responsibility. In this case, no mention of the other firm is made in the report, as the lead auditor is taking responsibility for the other firm's work.

• Using technology to observe physical controls and underlying documents/artifacts via remote means, such as video. In this case, the auditor must ensure the authenticity, integrity, security and confidentiality of the transmission.

If the auditor is able to design the audit plan in a manner that overcomes the challenges presented by what otherwise would be a scope limitation, and can obtain satisfaction through adequate testing procedures, the auditor will be able to express an unqualified/unmodified (clean) opinion, resulting in the ability to obtain the WebTrust seal. Otherwise, the auditor will explain what gave rise to the scope limitation and no seal will be able to be issued. CAs should work with their auditors as early as possible to identify any impact on the scope of their audit and communicate any issues with the browsers. It looks like from this thread that any impact on the scope and the timing of the release of the audit should be documented in Bugzilla, which should also include the CA's incident response plan.
So what happens if a modified opinion is provided by an auditor, for example, because a data center in China could not be tested in the normal course of the examination? Then say, six months later, the data center becomes accessible and available for audit. Since the audit for the year was already issued with the qualification, as required, you would have the option of waiting for the next annual audit to include the data center in question and proceed as normal. Once again, a WebTrust audit cannot include a carve-out of the data center, nor can a WebTrust audit be performed later on just the data center. Depending on the significance of the operations not able to be included in the scope of the most current audit, and depending on the needs and requirements of the users (browsers), a CA could undergo specified/agreed-upon procedures in a separate engagement, or conduct a full-scope WebTrust audit when possible. There are no hard and fast rules for this situation and each should be treated on a case-by-case basis, with discussions including the CA, the browsers, and the auditor.

I hope this helps. Happy to answer any further questions.

Jeff

On Wednesday, February 19, 2020 at 3:03:44 AM UTC-6, Arvid Vermote wrote:
> COVID-19 is going on and there currently is a quarantine of certain areas in
> China and also alert levels are further rising in other (mainly East-Asian)
> countries.
>
> How will the root programs approach CA facilities with key material that are
> in a lockdown or in a territory that is not accessible by auditors and hence
> cannot be inspected within the three months after the end of the CA's
> period-under-audit?
>
> Lockdown in the above meaning properly secured according to the requirements
> and BCP/DR plans but because of external conditions not accessible and
> available for external auditors / inspection.
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy