On Monday, February 15, 2021 at 4:11:15 PM UTC-6, Ryan Sleevi wrote:
> Apologies for belaboring the point, but I think we might be talking past 
> each other. 
> 
> You originally stated “The only place I am aware that lists the audit
> partner in a comparable world is the signing audit partner on public
> company audits in the US, which is available on the SEC website.” I gave 
> two separate examples of such, and you responded to one (FPKI) by saying 
> the report was not public (even when it is made available publicly), and 
> the other I didn’t see a response to. 
> 
> This might feel like nit-picking, but I think this is a rather serious 
> point to work through, because I don’t think you’re fully communicating 
> what you judge to be a “comparable world”, as it appears you are dismissing 
> these examples. 
> 
> I can think of several possible dimensions you might be thinking are 
> relevant, but rather than assume, I’m hoping you can expand with a few 
> simple questions. Some admittedly seem basic, but I don’t want to take 
> anything for granted here. 
> 
> 1) Are you/the WTTF familiar with these audit schemes? 
> 
> 2) Are you aware of schemes that require disclosing the relevant skills and 
> experience of the audit team to the client? (E.g. as done by BSI C5 audits 
> under ISAE 3000) 
> 
> 3) Are you aware of such reports naming multiple parties for the use of the 
> report (e.g. as done by FPKI audits) 
> 
> 4) Are you aware of schemes in which a supplier requires a vendor to be 
> audited, and ensures that the customers of the supplier are able to access such 
> audits as part of their reliance upon the supplier? (Note, this doesn’t have to 
> be limited to ISMS systems) 
> 
> I’m trying to understand what, given the prevalence of these practices, 
> makes these instances *not* a comparable world, since it seems that helps 
> move closer to solutions.


Ryan, I hope you are not suggesting I am dodging your points.  That would be 
absurd.  Let me use different words as "comparable world" seems to be tripping 
you up.  You are not providing a general/public distribution example to make 
your point so it is baseless.  You are using a restricted opinion from EY and 
neither Ryan Sleevi nor Google are listed as the two intended users.  The 
closest I have seen to support your desire to name individual auditors is in 
public company audit reports, which are housed on the SEC website.  To be 
clear, of your two examples, one is an opinion, which is restricted, and the 
other represents the guidelines.  Perhaps you have seen a public/general 
distribution report from your second opinion as I do not see it in this thread.  
I am aware, as mentioned previously, of the Federal PKI program desiring to 
know more about team members, but that is not listed in a non-restricted 
report, in a public/general distribution format.  

EY did the FPKI audit.  I am not sure why you keep tagging them as a WTTF 
member.  They are a global firm, so if you are implying only they know the 
standards/rules (which I hope you are not), that would be misleading.  But to answer 
your question #1, yes.  We even spoke last about this in our TF meeting last 
week and every member had the same response, including the one you have 
referenced.  #2 answered previously.  We are not arguing who wants what.  The 
fact this information is desired is not being debated, rather how it is 
reported to the user.  Question #3 is unclear.  I am not aware of any report 
that restricts an opinion to certain users specifically, as in the case you 
mentioned of the CA and FPKI, that allows additional users to get this information.  
SOC2, for example, has a broader restriction which allows the reports to go to a 
class or classes of users.  Your example is not that case.    #4 I am 
definitely aware of this requirement.  A public/general distribution report can 
be shared with anyone.  The restriction dictates who gets the opinion.  This is 
the main point you are not understanding, Ryan.  For example, if I perform an 
audit of a company and restrict it to them and one other user, say their bank, 
the engagement letter / statement of work would clearly reflect this 
restriction.  In addition, the standard terms would require the company to get 
permission to issue the report beyond the specified users.  The example you 
raise in this question is certainly covered under the broad type of restriction 
that SOC2 provides, as they would be knowledgeable about the subject matter.  
The EY report example you provided does not include the broader use.  And not 
to belabor this point, but the restriction precludes its public/general 
distribution.  The words matter.  When the distribution of a report is tightly 
binding two parties, as in your example, you can't distribute it broader.  
Restricted reports by definition are different.

This is a long dialogue supporting Ben's approach.  Firms will most likely be 
willing to provide the qualifications of auditors in a non-public manner as Ben 
has suggested.  

Jeff
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
