On Tue, Apr 5, 2022 at 2:57 PM Dimitris Zacharopoulos <[email protected]> wrote:
> Hi Moudrick, > > CPA Canada is not like a NAB in Europe. NABs supervise CABs which means > they assess/examine/review audit work of CABs - I believe - on a yearly > basis and decide on the accreditation of the CAB. CABs are "assessed" by > NABs similarly as CAs are audited by CABs. > > I am not sure CPA Canada works this way. Based on past discussions, please > correct me if I'm wrong, my understanding is that WebTrust audit firms have > a peer-review process (not sure if it is annual or not) which means that > audit firms examine other audit firms' audits. > > IMHO CPA Canada is more analogous to ACAB-c than to a NAB but with more > "power"/authority over the WebTrust program (closer to the powers of EA > https://european-accreditation.org/). ACAB-c has no authority over > NABs/CABs or ETSI standards. > The analogy there is not quite correct. For example, to use North Carolina as an example: North Carolina General Statute Chapter 93 [1] sets forth rules regarding the use of the title "accountant" (and CPA), and established the Board of Certified Public Accountant Examiners as a professional licensing board. The Board is responsible for enforcing the Rules of Professional Conduct, as adopted by the Board. In North Carolina, for example, the board incorporates, by reference [2], the statements on auditing standards developed by AICPA [3], such that it is it is reason for discipline to claim to be a CPA without being licensed as one, or as a CPA, to fail to adhere to the professional standards as established by AICPA. AICPA is itself a Professional Accountancy Organization (PAO) that is a member of IFAC [4], which works to developed harmonized International standards which can correspondingly be incorporated (by reference) into various laws, treaties, etc, e.g. ISAE 3000 [5]. Thus, to demonstrate how poorly the concepts map, CPA Canada here behaves similar to ETSI, with respect to developing audit criteria and standards that satisfy regulatory needs (e.g. incorporation, by reference, of AICPA standards, CPA Canada standards or ISAE 3000 standards). The standards for conducting such audits behave similarly to Implementing Acts with respect to eIDAS, in that they have legal weight and recognition (and penalties for violating). IFAC functions as a somewhat mix between ACAB-c, ETSI, and EA, of which CPA Canada is a member, but that's somewhat orthogonal. Individual jurisdictions (e.g. North Carolina) can establish agencies (e.g. NC Board of CPA Examiners) that can function as NAB-like equivalents, while the WebTrust Task Force and CPA Canada functions akin to a Supervisory Body with respect to the WebTrust scheme, and like the NAB with respect to CABs against that scheme. Hopefully you can see it's a bit of Apples and Oranges, in that these aren't necessarily equal things, and the concepts don't map cleanly between them. For example, under the EA model, you have separate entities enforcing compliance with various aspects: the NABs enforce standards on the CABs, but may not supervise scheme-specific activities, which are deferred to a separate entity (the Supervisory Body, e.g. in the case of eIDAS). ETSI may develop standards, both TS and EN, with the latter involving votes according to the ENAP [6], but those don't necessarily have legal weight to them, although they can (e.g. through implementing or delegated acts). CABs may incorporate those ETSI requirements (e.g. to fulfill certain legal objectives), or may develop their own schemes that incorporate parts, or none, of the ETSI work, if fulfilling market goals rather than legal goals. The NAB accreditation of the CAB may only extend relevant to the fulfillment of the legal objective, and not necessarily provide the same degree of oversight or supervision for those market goals, dependent on the scheme. ACAB'c, however, provides a degree of voluntary scheme harmonization and supervision, to address that gap between audits being used for presumptive legal goals versus those satisfying market needs and requirements. Although the comparison to ACAB-c and CPA Canada (since WebTrust is just a brand of a product by CPA Canada, and the WTTF is partially part of CPA Canada) may be tempting, I hope you can see that there are differences in what they provide and do. The comparison might be more apt if ACAB-c was developing internationally recognized and harmonized standards that were incorporated (e.g. by implementing or delegated acts by the EC), and if there were legally-recognized consequences for failing to uphold the code of conduct of ACAB-c (as there is with respect to CPA Canada's standards), but that's not quite the case. This ties back with my explanation to Kathleen, in that the lack of a WebTrust license may mean that the entity performing the audit is not recognized as a CPA within the construct of IFAC's standards around audits and attestations, unless independently verified (as in the case of North Carolina, above). There's no single role within the "ETSI" framework to reflect this: it combines portions of the NAB/EA, portions of ISO (e.g. 17065, although ISAE 3000 is _far_ more descriptive and prescriptive), portions of the Supervisory Body for a particular scheme, and portions of ACAB-c for verification of suitability. [1] https://www.ncleg.gov/EnactedLegislation/Statutes/PDF/ByChapter/Chapter_93.pdf [2] https://regulations.justia.com/states/north-carolina/title-21/chapter-08/subchapter-n/ [3] https://regulations.justia.com/states/north-carolina/title-21/chapter-08/subchapter-n/section-08n-0403/ [4] https://www.ifac.org/about-ifac/membership/members/association-international-certified-professional-accountants-aicpa [5] https://www.iaasb.org/publications/international-standard-assurance-engagements-isae-3000-revised-assurance-engagements-other-audits-or-0 [6] https://portal.etsi.org/Resources/Standards-Making-Process/Process -- You received this message because you are subscribed to the Google Groups "[email protected]" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. To view this discussion on the web visit https://groups.google.com/a/mozilla.org/d/msgid/dev-security-policy/CAErg%3DHErbJehak_5kBj0M7LxTze420M%3Du400kdEO02eB03komA%40mail.gmail.com.
