On Fri, Nov 6, 2020 at 12:31 PM Jeff Ward via dev-security-policy < dev-security-policy@lists.mozilla.org> wrote:
> Audit reports, whether for WebTrust, financial statements, or other forms
> of engagement reports providing assurance to users of the information, do
> not include specific audit team members’ names. Simply stated, this desire
> to include individual auditor’s qualifications in a public report is not
> consistent with any other compliance reporting methods or reporting
> requirements for CAs, or any other auditee for that matter.

Hi Jeff,

Could you help me square this statement with the practical examples? For example, here's a report [1] from a WebTrust TF member, Ernst and Young, demonstrating how this works in practice. You can see there hasn't been an issue for years [2][3], even with the direct involvement of individuals on the WebTrust TF in preparing such an audit.

So I'm having difficulty squaring your statement that they "do not", when we've got examples from long-standing members of the WebTrust TF that demonstrate that, in practice, they do. Could you help highlight what's inconsistent here?

Alternatively, and as mentioned to ETSI, here's an example of an ISAE 3000 based audit scheme, similar to WebTrust, that also discloses the relevant professional qualifications and skills to clients [4], as discussed in 4.4.8 and 4.4.9.

[1] https://www.oversight.gov/sites/default/files/oig-reports/18-19.pdf
[2] https://www.oversight.gov/sites/default/files/oig-reports/Assessment%20Report%2019-12%20GPO%20Federal%20PKI%20Compliance.pdf
[3] https://www.oversight.gov/sites/default/files/oig-reports/17-27.pdf
[4] https://www.bsi.bund.de/EN/Topics/CloudComputing/Compliance_Criteria_Catalogue/Compliance_Criteria_Catalogue_node.html