On Monday, February 15, 2021 at 1:57:11 PM UTC-6, Ryan Sleevi wrote:
> On Mon, Feb 15, 2021 at 2:03 PM Jeff Ward via dev-security-policy < 
> dev-secur...@lists.mozilla.org> wrote: 
> 
> > I wanted to clarify a couple of points. Firms must be independent to do 
> > audit/assurance work. If independence is impaired, for example, by one 
> > person in the firm performing management functions, the entire firm is no 
> > longer independent. Firms have the responsibility to monitor activities of 
> > their professionals, which also includes personal investments, to ensure they 
> > remain independent. 
> > 
> > Also, WebTrust practitioners provide information on the firm and the 
> > professionals used on these engagements. The information provided is 
> > closely aligned with the Auditor Qualifications you are describing. As you 
> > know, CPA Canada provides a listing of qualified audit firms on its 
> > website. Working closely with them could also help in instances where 
> > auditor qualifications are in question. 
> > 
> > And one last item, thank you for hearing us on the listing of auditors 
> > performing the engagement. The only place I am aware that lists the audit 
> > partner in a comparable world is the signing audit partner on public 
> > company audits in the US, which is available on the SEC website. Other 
> > than that, I am not aware of any other team member being listed. We have 
> > seen listings of team members and related experience summarized on a 
> > non-publicly issued letter to management in the US Federal space.
> Jeff, 
> 
> https://www.oversight.gov/sites/default/files/oig-reports/18-19.pdf 
> 
> Is an example, which is an audit of the U.S. Government Printing Office, 
> provided by a WTTF member, against the US Federal PKI CP. This doesn’t meet 
> the criteria you mentioned (public company, SEC), and itself was provided 
> several years ago. 
> 
> It is directed to a set of named parties, and made publicly available by 
> those parties, using the WebTrust for CAs criteria. On page 4 (report)/6 
> (FPKI submission)/9 (PDF page), you can see an enumerated list of audit 
> participants and their applicable skills, summarized. 
> 
> Since you mentioned “a comparable world”, the BSI C5 controls, which 
> provide a valuable model for improvements in transparency and thoroughness 
> of reporting (aka the so called “detailed controls” report), note this 
> within Section 3.5.1 of the Controls [1] 
> 
> “As part of the reporting, it must be specified which of the professional 
> examinations/certifications are held by the audit team (e. g. in the 
> section “Independence and quality assurance of the auditor”). Upon request, 
> appropriate documents (e. g. certificates etc.) must be submitted to the 
> client.” 
> 
> Could you clarify whether you and the WTTF considered these two cases? The 
> former is an example of using an assurance scheme the FPKIMA has said on 
> its own is insufficient, namely WTCA, but with additional reporting can be 
> made sufficient. The latter is an example of a scheme specifically adapted 
> for cloud/vendor security controls against an ISAE 3000 reporting scheme, 
> which is nearly identical to WTBRs in that regard. It was unclear if y’all 
> were simply not familiar with these cases, or if you believe there are 
> substantive differences in the proposal here that may require addressing. 
> 
> [1] 
> https://www.bsi.bund.de/SharedDocs/Downloads/EN/BSI/Publications/CloudComputing/ComplianceControlsCatalogue-Cloud_Computing-C5.pdf?__blob=publicationFile&v=3
>  
> 
Correct, Ryan.  This is one of the examples you provided previously.  This 
report is of course restricted:
"This report is intended solely for the information and use of {CA} and the 
Federal PKI Policy Authority and is not intended to be, and should not be, used 
by anyone other than {CA} and Federal PKI Policy Authority."

As you know, this report then is not generally / publicly distributed as it is 
a restricted use report.  This restriction does not appear in the public 
company audit opinions, hence the reference.  I called out the federal space 
with this very example in mind.  So yes, I am aware of and quite familiar with 
this scenario.  It is more about the restricted use (or in this case the lack 
thereof) than it is about the framework being used.  The very fact that you are 
referencing an opinion that you are using outside of the restriction sums up my argument.  
I can't speak for all audit firms as this is more of a risk management issue, 
but my firm would be fine issuing this report in a restricted manner, unless it 
became known it would not actually be used in the restricted manner.  That 
defeats the whole purpose.  I've issued auditor qualifications in this manner 
in a management letter, which is also restricted.  To my knowledge, that letter 
has never been made available to those outside of the restricted use, as it 
appears to have been in this case.  So unfortunately your statement is not 
true.  This report is not, and was never meant to be "made publicly available". 
 
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
