On Mon, Feb 15, 2021 at 2:03 PM Jeff Ward via dev-security-policy <dev-security-policy@lists.mozilla.org> wrote:
> I wanted to clarify a couple of points. Firms must be independent to do audit/assurance work. If independence is impaired, for example, by one person in the firm performing management functions, the entire firm is no longer independent. Firms have the responsibility to monitor the activities of their professionals, which also includes personal investments, to ensure they remain independent.
>
> Also, WebTrust practitioners provide information on the firm and the professionals used on these engagements. The information provided is closely aligned with the Auditor Qualifications you are describing. As you know, CPA Canada provides a listing of qualified audit firms on its website. Working closely with them could also help in instances where auditor qualifications are in question.
>
> And one last item, thank you for hearing us on the listing of auditors performing the engagement. The only place I am aware of that lists the audit partner in a comparable world is the signing audit partner on public company audits in the US, which is available on the SEC website. Other than that, I am not aware of any other team member being listed. We have seen listings of team members and related experience summarized on a non-publicly issued letter to management in the US Federal space.

Jeff,

https://www.oversight.gov/sites/default/files/oig-reports/18-19.pdf

is an example: an audit of the U.S. Government Printing Office, provided by a WTTF member, against the US Federal PKI CP. This doesn't meet the criteria you mentioned (public company, SEC), and was itself provided several years ago. It is directed to a set of named parties, and made publicly available by those parties, using the WebTrust for CAs criteria. On page 4 (report) / 6 (FPKI submission) / 9 (PDF page), you can see an enumerated list of audit participants and their applicable skills, summarized.

Since you mentioned "a comparable world", the BSI C5 controls, which provide a valuable model for improvements in transparency and thoroughness of reporting (aka the so-called "detailed controls" report), note this within Section 3.5.1 of the Controls [1]:

"As part of the reporting, it must be specified which of the professional examinations/certifications are held by the audit team (e.g. in the section 'Independence and quality assurance of the auditor'). Upon request, appropriate documents (e.g. certificates etc.) must be submitted to the client."

Could you clarify whether you and the WTTF considered these two cases? The former is an example of using an assurance scheme the FPKIMA has said is on its own insufficient, namely WTCA, but which with additional reporting can be made sufficient. The latter is an example of a scheme specifically adapted for cloud/vendor security controls against an ISAE 3000 reporting scheme, which is nearly identical to WTBRs in that regard. It was unclear if y'all were simply not familiar with these cases, or if you believe there are substantive differences in the proposal here that may require addressing.

[1] https://www.bsi.bund.de/SharedDocs/Downloads/EN/BSI/Publications/CloudComputing/ComplianceControlsCatalogue-Cloud_Computing-C5.pdf?__blob=publicationFile&v=3

> _______________________________________________
> dev-security-policy mailing list
> dev-security-policy@lists.mozilla.org
> https://lists.mozilla.org/listinfo/dev-security-policy