On Friday, November 6, 2020 at 1:13:43 PM UTC-6, Ryan Sleevi wrote:

> On Fri, Nov 6, 2020 at 12:31 PM Jeff Ward via dev-security-policy <dev-secur...@lists.mozilla.org> wrote:
>
> > Audit reports, whether for WebTrust, financial statements, or other forms of engagement reports providing assurance to users of the information, do not include specific audit team members’ names. Simply stated, this desire to include individual auditor’s qualifications in a public report is not consistent with any other compliance reporting methods or reporting requirements for CAs, or any other auditee for that matter.
>
> Hi Jeff,
>
> Could you help me square this statement with the practical examples? For example, here's a report [1] from a WebTrust TF member, Ernst and Young, demonstrating how this works in practice. You can see there hasn't been an issue for years [2][3], even with the direct involvement of individuals on the WebTrust TF in preparing such an audit.
>
> So I'm having difficulty squaring your statement that they "do not", when we've got examples from long-standing members of the WebTrust TF that demonstrate that, in practice, they do. Could you help highlight what's inconsistent here?
>
> Alternatively, and as mentioned to ETSI, here's an example of an ISAE 3000 based audit scheme, similar to WebTrust, that also discloses the relevant professional qualifications and skills to clients [4], as discussed in 4.4.8 and 4.4.9.
>
> [1] https://www.oversight.gov/sites/default/files/oig-reports/18-19.pdf
> [2] https://www.oversight.gov/sites/default/files/oig-reports/Assessment%20Report%2019-12%20GPO%20Federal%20PKI%20Compliance.pdf
> [3] https://www.oversight.gov/sites/default/files/oig-reports/17-27.pdf
> [4] https://www.bsi.bund.de/EN/Topics/CloudComputing/Compliance_Criteria_Catalogue/Compliance_Criteria_Catalogue_node.html
Sure Ryan, the answer is quite simple. When I used the word "public" in my post, I should have been more clear as to the nuance of this concept. Public reports by definition are generally distributed (available to anyone). When reports are restricted in distribution and only intended for a certain user or users as specified in the report, they are no longer public.

In each of the EY examples you reference, they all state in the last paragraph before the EY signature, "This report is intended solely for the information and use of GPO-CA and the Federal PKI Policy Authority and is not intended to be, and should not be, used by anyone other than GPO-CA and the Federal PKI Policy Authority."

When reports are not generally distributed and available to the general public, the specifics of individuals performing the audit will not be present. When my firm issues reports for FPKI, we also provide the listing of individuals in a letter that is not public information.

Jeff

_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy