Thanks Ryan for the additional context.
I was mainly trying to highlight some known differences between CPA
Canada and NABs. In practice, can you please confirm whether CPA Canada
performs audit reviews against their licensed practitioners, and if so,
how frequently? As I explained, NABs actually review/assess audit cases
of CAs performed by their CABs on an annual basis.
Best regards,
Dimitris.
On 6/4/2022 4:21 π.μ., Ryan Sleevi wrote:
On Tue, Apr 5, 2022 at 2:57 PM Dimitris Zacharopoulos
<[email protected]> wrote:
Hi Moudrick,
CPA Canada is not like a NAB in Europe. NABs supervise CABs which
means they assess/examine/review audit work of CABs - I believe -
on a yearly basis and decide on the accreditation of the CAB. CABs
are "assessed" by NABs similarly as CAs are audited by CABs.
I am not sure CPA Canada works this way. Based on past
discussions, please correct me if I'm wrong, my understanding is
that WebTrust audit firms have a peer-review process (not sure if
it is annual or not) which means that audit firms examine other
audit firms' audits.
IMHO CPA Canada is more analogous to ACAB-c than to a NAB but with
more "power"/authority over the WebTrust program (closer to the
powers of EA https://european-accreditation.org/). ACAB-c has no
authority over NABs/CABs or ETSI standards.
The analogy there is not quite correct.
For example, to use North Carolina as an example: North Carolina
General Statute Chapter 93 [1] sets forth rules regarding the use of
the title "accountant" (and CPA), and established the Board of
Certified Public Accountant Examiners as a professional licensing
board. The Board is responsible for enforcing the Rules of
Professional Conduct, as adopted by the Board. In North Carolina, for
example, the board incorporates, by reference [2], the statements on
auditing standards developed by AICPA [3], such that it is it is
reason for discipline to claim to be a CPA without being licensed as
one, or as a CPA, to fail to adhere to the professional standards as
established by AICPA. AICPA is itself a Professional Accountancy
Organization (PAO) that is a member of IFAC [4], which works to
developed harmonized International standards which can correspondingly
be incorporated (by reference) into various laws, treaties, etc, e.g.
ISAE 3000 [5].
Thus, to demonstrate how poorly the concepts map, CPA Canada here
behaves similar to ETSI, with respect to developing audit criteria and
standards that satisfy regulatory needs (e.g. incorporation, by
reference, of AICPA standards, CPA Canada standards or ISAE 3000
standards). The standards for conducting such audits behave similarly
to Implementing Acts with respect to eIDAS, in that they have legal
weight and recognition (and penalties for violating). IFAC functions
as a somewhat mix between ACAB-c, ETSI, and EA, of which CPA Canada is
a member, but that's somewhat orthogonal. Individual jurisdictions
(e.g. North Carolina) can establish agencies (e.g. NC Board of CPA
Examiners) that can function as NAB-like equivalents, while the
WebTrust Task Force and CPA Canada functions akin to a Supervisory
Body with respect to the WebTrust scheme, and like the NAB with
respect to CABs against that scheme.
Hopefully you can see it's a bit of Apples and Oranges, in that these
aren't necessarily equal things, and the concepts don't map cleanly
between them.
For example, under the EA model, you have separate entities enforcing
compliance with various aspects: the NABs enforce standards on the
CABs, but may not supervise scheme-specific activities, which are
deferred to a separate entity (the Supervisory Body, e.g. in the case
of eIDAS). ETSI may develop standards, both TS and EN, with the latter
involving votes according to the ENAP [6], but those don't necessarily
have legal weight to them, although they can (e.g. through
implementing or delegated acts). CABs may incorporate those ETSI
requirements (e.g. to fulfill certain legal objectives), or may
develop their own schemes that incorporate parts, or none, of the ETSI
work, if fulfilling market goals rather than legal goals. The NAB
accreditation of the CAB may only extend relevant to the fulfillment
of the legal objective, and not necessarily provide the same degree of
oversight or supervision for those market goals, dependent on the
scheme. ACAB'c, however, provides a degree of voluntary scheme
harmonization and supervision, to address that gap between audits
being used for presumptive legal goals versus those satisfying market
needs and requirements.
Although the comparison to ACAB-c and CPA Canada (since WebTrust is
just a brand of a product by CPA Canada, and the WTTF is partially
part of CPA Canada) may be tempting, I hope you can see that there are
differences in what they provide and do. The comparison might be more
apt if ACAB-c was developing internationally recognized and harmonized
standards that were incorporated (e.g. by implementing or delegated
acts by the EC), and if there were legally-recognized consequences for
failing to uphold the code of conduct of ACAB-c (as there is with
respect to CPA Canada's standards), but that's not quite the case.
This ties back with my explanation to Kathleen, in that the lack of a
WebTrust license may mean that the entity performing the audit is not
recognized as a CPA within the construct of IFAC's standards around
audits and attestations, unless independently verified (as in the case
of North Carolina, above). There's no single role within the "ETSI"
framework to reflect this: it combines portions of the NAB/EA,
portions of ISO (e.g. 17065, although ISAE 3000 is _far_ more
descriptive and prescriptive), portions of the Supervisory Body for a
particular scheme, and portions of ACAB-c for verification of suitability.
[1]
https://www.ncleg.gov/EnactedLegislation/Statutes/PDF/ByChapter/Chapter_93.pdf
[2]
https://regulations.justia.com/states/north-carolina/title-21/chapter-08/subchapter-n/
[3]
https://regulations.justia.com/states/north-carolina/title-21/chapter-08/subchapter-n/section-08n-0403/
[4]
https://www.ifac.org/about-ifac/membership/members/association-international-certified-professional-accountants-aicpa
[5]
https://www.iaasb.org/publications/international-standard-assurance-engagements-isae-3000-revised-assurance-engagements-other-audits-or-0
[6] https://portal.etsi.org/Resources/Standards-Making-Process/Process
--
You received this message because you are subscribed to the Google Groups
"[email protected]" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to [email protected].
To view this discussion on the web visit
https://groups.google.com/a/mozilla.org/d/msgid/dev-security-policy/58879a27-d7e9-457f-46ad-f831aed7db11%40it.auth.gr.
