On 2020-11-06 18:31, Jeff Ward wrote: > ...
> Audit reports, whether for WebTrust, financial statements, or other forms of engagement reports providing assurance to users of the information, do not include specific audit team members' names. Simply stated, this desire to include individual auditor's qualifications in a public report is not consistent with any other compliance reporting methods or reporting requirements for CAs, or any other auditee for that matter.
Most paper-based auditing schemes for company financial records (the historic work area of auditors) include, on each report, the personal signature and corresponding printed name of the responsible auditor, optionally with an abbreviation of their national qualification level (such as an abbreviation of "Examplarian State Authorized Public Accountant"). From there, it would be possible for interested parties to check that a physical person by that name is/was indeed on the roster of such authorized individuals, but not if/why the State of Exemplar decided to so include that person. Furthermore, the auditor person and/or their company may have voluntarily published further details of their qualifications (in brochures, on websites etc.) and may have applicable original degree documents framed and hanging on their walls for all concerned to readily inspect. In terms of GDPR, the state would have published rules for how to get added/removed from the public roster, and each auditor would have the opportunity, at all times, to retract their self-descriptions and/or remove some or all of their framed documents from their public office.

A modern equivalent procedure for CA audits could be:

1. Each Auditor has their name and a unique public nickname registered in a non-public roster at either CPA Canada or the relevant European counterpart. This is done to fulfill the contractual obligation of their professional oath of responsibility. The roster organization might optionally provide alias e-mails based on the nicks.

2. Each non-public roster operates a public online service which will confirm or deny the presence of a name/nick pair, with appropriate safeguards against attempts to extract the roster by systematic polling of made-up names. Unless otherwise stated in public by Mozilla (such as the statements made a few years ago about certain auditors from E&Y), any auditor on these rosters shall be presumed sufficiently qualified to sign audits used by Mozilla.

3. Each auditor person signs his public audit letters with his name, nick, a reference to the roster-keeping organization and any other honorific titles he/she may legitimately choose to use. He does this to satisfy his contractual obligation to provide the CA with that letter. Any official physical copies will have his physical signature above his name and may also carry a physical stamp or seal of him or his organization, as dictated by local legal traditions.

4. Each such public audit letter is submitted to a public repository operated by the roster-keeping organization, using a procedure that verifies that the letter was submitted exactly as given, by that named auditor from their roster. This is done to satisfy the contractual obligation of the auditor towards the CA in accordance with a contractual reference to terms of the roster-keeping organization.

5. The roster-keeping organization publishes the public audit letters in both a traditional paper journal deposited at major public archives and as an online readily accessible web site with a Merkle hash tree providing public verification that each letter was in the public record on or before the stated inclusion date. As hash algorithms fail to future cracks, the roster-keeping organization retains the ability to regenerate the signatures using new algorithms, based on its offline archive of originals, including a signed public statement of said regeneration. This publication of records that include the identity of both the actual auditors as well as relevant principal CA Officers is done to further satisfy the contractual obligations in #4. As is common in paper-based book-keeping, retractions can be filed as separate letters of correction, and the retracted documents may be made invisible to the public without invalidating the hash tree. For public access, each public letter is given a unique permanent URL to which the CA may publicly refer, including in the CADB and on its website.

6. Each auditor shall submit for publication by the roster organization a self-authored but roster-verified statement of qualifications, usually just a few paragraphs. Each such statement similarly gets a permanent URL, but remains visible only until superseded or retracted by either the auditor or roster-keeper. This publication is done as part of the auditor's contractual obligations to the roster-keeping organization, and the ability to retract provides the GDPR right of deletion of any included details. Links to the current document are published by the auditor organization (e.g. E&Y) as part of their advertising and as part of their contractual obligations to the audited CAs.

An example of such a statement could be:

-- Begin example document --
Statement of qualifications of WebTrust auditor Jack F. Honest Esq. (JAH2):

Jack Fictional Honest graduated with a CPA degree from Harvard Law School in 1975, grade average B+, and worked as classified documents security inspector for the USAF, reaching the rank of Colonel in 1985. Jack retired honorably from the army in 1990 to work for Deloitte auditing, and is now a senior partner in Deloitte's Northern California Office. Jack also holds a Master's degree in Cryptology from MIT (1998) and a Bachelor's degree in computer software, also from MIT (2009). Jack was one of the original authors of the IETF public key certificate standard (PKIX, RFC5280).
-- End of example document --

As previously mentioned, all these statements, if published and not hidden on the roster website, would be verified for truth by the roster-keeping organization (CPA Canada for WebTrust, some European organization for eIDAS), so relying parties can rely on that information to be true.

Thus Mozilla could trust that an Audit signed by JAH2 and published on the WebTrust roster was actually signed by a WebTrust qualified auditor with these qualifications and not by any other WebTrust auditor that may never have passed the requirements to join the WebTrust program, and is not one of the few named auditors that Mozilla has publicly stated they won't accept audits from.

Enjoy

Jakob

-- 
Jakob Bohm, CIO, Partner, WiseMo A/S.  https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark.  Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
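The following is an added illustration, not part of the message above and not code from any roster-keeping organization. It models step 5 of the proposed procedure: audit letters are recorded in a Merkle hash tree under a permanent URL and an inclusion date, a relying party verifies an inclusion proof against the published root, a retracted letter has its body hidden from public view while its leaf stays in the tree (so the root and all existing proofs remain valid), and the whole journal can be re-hashed under a new algorithm from the offline archive. The leaf/node domain-separation prefixes follow the RFC 6962 (Certificate Transparency) layout, the URL scheme is invented, and the letters are constructed sample data.

```python
import hashlib
from dataclasses import dataclass


def leaf_hash(data: bytes, algo: str) -> str:
    """Hash of one journal entry; the 0x00 prefix separates leaves from inner nodes."""
    return hashlib.new(algo, b"\x00" + data).hexdigest()


def node_hash(left: str, right: str, algo: str) -> str:
    """Hash of an inner node over its two children (0x01 prefix)."""
    return hashlib.new(algo, b"\x01" + bytes.fromhex(left) + bytes.fromhex(right)).hexdigest()


def build_levels(leaves, algo: str):
    """All tree levels, leaves first; a level with an odd count duplicates its last node."""
    levels = [list(leaves)]
    while len(levels[-1]) > 1:
        cur = levels[-1]
        if len(cur) % 2:
            cur.append(cur[-1])
        levels.append([node_hash(cur[i], cur[i + 1], algo) for i in range(0, len(cur), 2)])
    return levels


def inclusion_proof(levels, index: int):
    """Sibling hashes from leaf to root, each tagged with whether the sibling sits on the right."""
    proof = []
    for level in levels[:-1]:
        proof.append((level[index ^ 1], index % 2 == 0))
        index //= 2
    return proof


def verify_inclusion(leaf: str, proof, root: str, algo: str) -> bool:
    """What a relying party runs: recompute the path from the leaf and compare with the root."""
    h = leaf
    for sibling, sibling_is_right in proof:
        h = node_hash(h, sibling, algo) if sibling_is_right else node_hash(sibling, h, algo)
    return h == root


@dataclass
class Entry:
    url: str             # permanent URL the CA may cite (hypothetical scheme)
    inclusion_date: str  # date the letter entered the public record
    letter: bytes        # letter body exactly as submitted; kept in the offline archive
    visible: bool = True


class AuditJournal:
    """Append-only record of audit letters with a Merkle root over (url, date, body)."""

    def __init__(self, algo: str = "sha256"):
        self.algo = algo
        self.entries = []

    @staticmethod
    def _serialize(e: Entry) -> bytes:
        # The leaf commits to the permanent URL, the inclusion date and the letter body.
        return e.url.encode() + b"|" + e.inclusion_date.encode() + b"|" + e.letter

    def publish(self, url: str, inclusion_date: str, letter: bytes) -> Entry:
        e = Entry(url, inclusion_date, letter)
        self.entries.append(e)
        return e

    def retract(self, url: str) -> None:
        # Hide the body only; the leaf remains, so the root and old proofs stay valid.
        for e in self.entries:
            if e.url == url:
                e.visible = False

    def leaves(self):
        return [leaf_hash(self._serialize(e), self.algo) for e in self.entries]

    def root(self) -> str:
        return build_levels(self.leaves(), self.algo)[-1][0]

    def proof(self, url: str):
        """Return (leaf hash, inclusion proof) for the letter at the given URL."""
        idx = next(i for i, e in enumerate(self.entries) if e.url == url)
        levels = build_levels(self.leaves(), self.algo)
        return levels[0][idx], inclusion_proof(levels, idx)

    def public_view(self):
        """What the web site shows: URL, date, leaf hash, and the body unless retracted."""
        return [(e.url, e.inclusion_date, leaf_hash(self._serialize(e), self.algo),
                 e.letter if e.visible else None) for e in self.entries]

    def regenerate(self, new_algo: str) -> str:
        """Re-hash the archived originals under a new algorithm; returns the new root."""
        self.algo = new_algo
        return self.root()


# Constructed sample journal: three letters from two (fictional) roster nicks.
URLS = ["https://roster.example/letters/JAH2/0001",
        "https://roster.example/letters/JAH2/0002",
        "https://roster.example/letters/XYZ1/0003"]


def demo_journal() -> AuditJournal:
    j = AuditJournal()
    j.publish(URLS[0], "2020-11-06", b"WebTrust audit letter for Example CA, period 2019-2020")
    j.publish(URLS[1], "2020-11-07", b"WebTrust audit letter for Sample CA, period 2019-2020")
    j.publish(URLS[2], "2020-11-08", b"eIDAS audit letter for Muster CA, period 2020")
    return j
```

Usage: `j = demo_journal(); root = j.root(); leaf, pr = j.proof(URLS[1]); verify_inclusion(leaf, pr, root, "sha256")`. After `j.retract(URLS[1])` the public view shows `None` for that letter's body, yet `j.root()` is unchanged and the earlier proof still verifies, which is the "invisible without invalidating the hash tree" property. Calling `j.regenerate("sha3_256")` yields a different root that proofs computed under the new algorithm verify against, while a tampered leaf fails either way.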