Hello all:

In a previous thread I shared some concerns about a root CA; a followup message from Ryan at Google indicated a number of auditing peculiarities [1]. The auditor, Princeton Audit Group, seemed to have done limited work as an auditor, the auditor described the CA operation in a different location than the attestation, and that the auditor was only licensed in the USA.

Since then it has come to my attention that the auditor's firm appears to have not had a license since June 30th, 2021 [2]. Despite that, it provided audits for the TrustCor CA in November 2021 [3]. I reached out to CPA Canada about this. I haven't heard back yet, though I have noted that Princeton Audit Group no longer appears to be listed as a WebTrust practitioner [4].

During the prior conversation [1], Watson made a great point, which is that rotating auditors is a good defence against excessive chumminess and normalization of deviance, and that SOX requires rotating auditors for public firms and that this may be a worthwhile addition to the guidance for CAs. I wanted to make sure that didn't get lost and echo that such a future requirement makes sense to me as well.

Thanks,
Joel Reardon

[1] https://groups.google.com/a/mozilla.org/g/dev-security-policy/c/oxX69KFvsm4/ (5th post)

[2] https://newjersey.mylicense.com/verification/ (do business search for Princeton Audit Group, which gives a license number of 20CB00580700 with inactive status)

[3] Three of them:
https://www.cpacanada.ca/generichandlers/CPACHandler.ashx?attachmentid=c8857fc5-b201-4c4c-8717-f455b10ff5bc
https://www.cpacanada.ca/generichandlers/CPACHandler.ashx?attachmentid=459d2155-e50c-4497-929c-ee8a57f77708
https://www.cpacanada.ca/generichandlers/CPACHandler.ashx?attachmentid=b18568ae-e794-48be-aa54-c86b6411179a

[4] https://www.cpacanada.ca/en/business-and-accounting-resources/audit-and-assurance/overview-of-webtrust-services/licensed-webtrust-practitioners-international
