On Fri, Mar 6, 2020 at 9:03 PM jwardcpa--- via dev-security-policy <dev-security-policy@lists.mozilla.org> wrote:
> Great follow-on questions Ryan. As far as the detailed report, whether
> the end product is in the current form, or in the detailed version, the
> lead auditor is taking full responsibility and does not make mention of the
> other auditor in both the opinion, and the detailed section of the controls
> tested for a detailed report. That being said, nothing prohibits a CA from
> creating a Bug to draw attention to the fact and explain the auditors
> obtained the assistance of another firm to complete the scope of the
> testing. If WebTrust did allow a carve-out approach, there would be more
> flexibility to allow the reference to another firm, but since it is
> inclusive and the lead auditor takes full responsibility, that is not an
> option.
>

Good to know! I don't think this poses any intrinsic problems, since as you note, the lead auditor is taking full responsibility, but it's helpful to know what disclosures, if any, would arise in such a situation.

> This example demonstrates the firm was able to complete the scope of the
> audit testing on July 20th. It is up to the auditor's judgment as to how
> far the opinion can be dual dated/extended. Once too much time passes,
> this option is no longer viable.
>

Right, you addressed the scenario of a single report, subsequently updated. I was actually contemplating two full reports with two full engagements. That is, the first engagement and report may be qualified, due to the lack of the datacenter. My question was whether it's possible to engage the auditor in a second full engagement, this time considering all the facilities, for the original time period in question.

Think of this as a variation of what we see some CAs do, which is to scope their annual reports into two or more reports, one of which may be qualified. That is, they may have a Jan - July report which is qualified, and a July - Dec report which is unqualified. However, those are non-overlapping date periods.
I was wondering if, again, using our March to March scenario, it's conceivable that a report is delivered in April that is qualified, access to the facility is restored in July, and the auditor (either the original firm or a new firm) conducts a full audit of the original March-to-March period. In effect, conducting a second audit. I'm trying to tease out whether there are limitations on the original firm performing that work (e.g. because they'd previously been engaged in an audit of that period), as well as whether there are limitations as to how far back one can go. For example, could a CA engage an auditor, today, for a Jan 1, 2018 to Jan 1, 2019 period? What if the engagement was for an October 1, 2018 to October 1, 2019 period (e.g. 6 months ago)? I can understand the difficulty of obtaining an audit today for, say, the period 2014-01-01 to 2015-01-01, but I'm wondering what options might exist for examination of those remaining facilities after the fact.

My worst case scenario is that it is determined to not be possible after some period of time (e.g. 6 months) to obtain such originally-expected assurances. In those cases, I think the honest and pragmatic answer may involve discussions of removal of trust in that root, and so I want to make sure to explore alternatives and options before having to start such discussions.

_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy