On Saturday, March 7, 2020 at 8:24:57 AM UTC-6, Ryan Sleevi wrote:
> On Fri, Mar 6, 2020 at 9:03 PM jwardcpa--- via dev-security-policy <
> dev-security-policy@lists.mozilla.org> wrote:
> 
> > Great follow-on questions Ryan.  As far as the detailed report, whether
> > the end product is in the current form, or in the detailed version, the
> > lead auditor is taking full responsibility and does not make mention of the
> > other auditor in both the opinion, and the detailed section of the controls
> > tested for a detailed report. That being said, nothing prohibits a CA from
> > creating a Bug to draw attention to the fact and explain the auditors
> > obtained the assistance of another firm to complete the scope of the
> > testing.  If WebTrust did allow a carve out approach, there would be more
> > flexibility to allow the reference to another firm, but since it is
> > inclusive and the lead auditor takes full responsibility, that is not an
> > option.
> >
> 
> Good to know! I don't think this poses any intrinsic problems, since as you
> note, the lead auditor is taking full responsibility, but it's helpful to
> know what disclosures, if any, would arise in such a situation.
> 
> 
> > This example demonstrates the firm was able to complete the scope of the
> > audit testing on July 20th.  It is up to the auditor's judgment as to how
> > far the opinion can be dual dated/extended.  Once too much time passes,
> > this option is no longer viable.
> >
> 
> Right, you addressed the scenario of a single report, subsequently updated.
> I was actually contemplating two full reports with two full engagements.
> That is, the first engagement and report may be qualified, due to the lack
> of the datacenter. My question was whether it's possible to engage the
> auditor in a second full engagement, this time considering all the
> facilities, for the original time period in question.
> 
> Think of this as a variation for what we see some CAs do, which is scope
> their annual reports into two or more reports, one of which may be
> qualified. That is, they may have a Jan - July report which is qualified,
> and a July - Dec report which is unqualified. However, those are
> non-overlapping date periods. I was wondering if, again, using our March to
> March scenario, that it's conceivable a report is delivered in April that
> is qualified, access to the facility is restored in July, and the auditor
> (either the original firm or a new firm) conducts a full audit of the
> original March-to-March period. In effect, conducting a second audit.
> 
> I'm trying to tease out if there are limitations on the original firm
> performing that work (e.g. because they'd previously been engaged in an
> audit of that period), as well as whether there are limitations as to how
> far back one can go. For example, could a CA engage an auditor, today, for
> a Jan 1, 2018 to Jan 1, 2019 period? What if the engagement was for a
> October 1, 2018 to October 1, 2019 period (e.g. 6 months ago)? I can
> understand the difficulty of obtaining an audit today for, say, the period
> 2014-01-01 to 2015-01-01, but I'm wondering what options might exist for
> examination of those remaining facilities after-the-fact.
> 
> My worst case scenario is that it is determined to not be possible after
> some period of time (e.g. 6 months) to obtain such originally-expected
> assurances. In those cases, I think the honest and pragmatic answer may
> involve discussions of removal of trust in that root, and so I want to make
> sure to explore alternatives and options before having to start such
> discussions.

I hate giving an "it depends" answer, but that's where I'll start.  In the case 
where a report is issued with a qualified opinion due to the inability to visit 
a CA's data center, as an example, and issued primarily to comply with the 90 
day rule, and the data center subsequently becomes available, it is possible 
for the auditor to perform necessary procedures and collect relevant 
documentation / artifacts subsequent to the original audit period to allow them 
to issue an unqualified opinion on the original audit period that was 
previously qualified.  Kind of a mouthful.  Whether this will work depends on the 
documentation and artifacts that can be obtained during that original period.  
Collecting evidence on those controls outside of the period is problematic as 
it is not part of the audit period.  That is not to say that the documentation 
could be obtained from the original audit period and provide the necessary 
comfort the auditor needed in their previously issued qualified report.
In short, the auditor is looking for evidence after the period that the 
controls in fact were operating effectively during the period.  Some 
documentation lends itself easily to make this determination, but I can see 
challenges.  Reviewing logs and video surveillance are two means that come to 
mind that would be part of the auditor's assessment to see if that evidence can 
satisfy the audit objectives.  These monitoring activities typically are time 
stamped and demonstrate when the controls were operating.  Controls that can 
only be physically observed by the auditor, and a lack of any compensating 
control or controls to evaluate, will be an issue.  In the end, if there is no 
way to determine whether or not a control or controls operated effectively then 
the auditor would not be able to issue an unqualified opinion on the previous 
audit period as the evidence collected is part of the next period.  So sorry to 
conclude, it depends on the facts and circumstances.
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy