<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=us-ascii">
<meta name="Generator" content="Microsoft Word 15 (filtered medium)">
<!--[if !mso]><style>v\:* {behavior:url(#default#VML);}
o\:* {behavior:url(#default#VML);}
w\:* {behavior:url(#default#VML);}
.shape {behavior:url(#default#VML);}
</style><![endif]--><style><!--
/* Font Definitions */
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
{font-family:"Trebuchet MS";
panose-1:2 11 6 3 2 2 2 2 2 4;}
@font-face
{font-family:trebuchet;
panose-1:0 0 0 0 0 0 0 0 0 0;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin-top:12.0pt;
margin-right:0in;
margin-bottom:8.0pt;
margin-left:0in;
line-height:106%;
font-size:11.0pt;
font-family:"Calibri",sans-serif;}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:#0563C1;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:#954F72;
text-decoration:underline;}
span.EmailStyle17
{mso-style-type:personal-compose;
font-family:"Calibri",sans-serif;
color:windowtext;}
.MsoChpDefault
{mso-style-type:export-only;
font-family:"Calibri",sans-serif;}
@page WordSection1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
{page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
</head>
<body lang="EN-US" link="#0563C1" vlink="#954F72">
<div class="WordSection1">
<p class="MsoNormal">I’ve been reading the emails that ponder the roles and responsibilities, for both members of the CABF and the audit community, with respect to providing guidance to interested parties on Baseline and other related requirements for CAs.
While my views are from a WebTrust point of view based on my position as Chair of the WebTrust Task Force, the same principles would apply regardless of the type of audit.<o:p></o:p></p>
<p class="MsoNormal">The Task Force has always welcomed an interactive relationship with the CABF. We are closely aligned with a common goal. Given the complexity of the environment the Task Force and CABF operate, however, and realizing questions and issues
arise at times that need our collective collaboration, it is important that guidance given to our respective members is appropriate given the facts and circumstances of the matter. It is in this spirit that I suggest communication protocols for the two distinct
scenarios listed below:<o:p></o:p></p>
<p class="MsoNormal"><u>An auditor has a specific question or needs clarification on an audit requirement</u> – In these cases, it is best to have the auditors talk to each other. Oftentimes, these questions are already coming to the Task Force directly, or
indirectly through CPA Canada. If/when CABF members receive these types of questions, please refer them to me as WebTrust Chair and/or Don Sheehy as CPA Canada’s subject matter expert. We will work with the CABF for clarification as needed.<o:p></o:p></p>
<p class="MsoNormal"><u>A CA, whether new or existing, has a specific question or needs clarification on a CABF requirement</u> – In these cases, the CA should work through the appropriate communications channels established by the CABF, whether through online
discussion, or via email to the Chair/Vice Chair of the CABF. My guess is this happens quite often given the technical nature of the work involved. It may very well dig into various technologies that are not contemplated in CABF requirements. The CABF,
of course, is always welcome to converse with myself or Don as desired.<o:p></o:p></p>
<p class="MsoNormal">Some important takeaways. First, the process will benefit by collaboration between the Forum and the Task Force, but will be more efficient if the above scenarios are followed. Second, it is important to note, the conclusion in an auditor’s
opinion, whether on a CA, construction company, financial institution, etc., uses the phrase “fairly stated, in all material respects” meaning there is a level of subjectivity on the part of the auditor when making its opinion. Where CABF and/or audit requirements
are vague, or subject to interpretation, different auditors may come up with different approaches to gain the comfort needed to conclude as to “fairly stated, in all material respects”. This has come up from time to time in meetings and otherwise why some
auditors qualify reports on matters others may not. When matters are not necessarily clear based on the facts and circumstances, this is typically where we get the most inquiries.
<o:p></o:p></p>
<p class="MsoNormal">Believe it or not, this situation is actually not unique to the CA/PKI environment. In other industries, such as commercial, not for profit, governmental, etc., when matters need clarification based on the facts and circumstances, auditors
will typically ask either the AICPA’s Task Force that oversees these services, or reach out to the AICPA Hotline. In the WebTrust world, we already have a Task Force in place, and it is noteworthy that we now have Don Sheehy helping CPA Canada, and he will
be an excellent resource to use as the WebTrust Hotline resource. <o:p></o:p></p>
<p class="MsoNormal">We can’t possibly contemplate every issue that may come up for CAs, but this plan of continuing to work together gets us to the best possible place in this complex world.
<o:p></o:p></p>
<p class="MsoNormal">Thanks for reading,<o:p></o:p></p>
<p class="MsoNormal">Jeff<o:p></o:p></p>
<p class="MsoNormal"><b><span style="font-size:10.0pt;line-height:106%;font-family:"Trebuchet MS",sans-serif;color:#404040">Jeff Ward, CPA, CGMA, CITP, CISA, CISSP, CEH</span></b><span style="font-size:10.0pt;line-height:106%;font-family:"Trebuchet MS",sans-serif;color:#404040"><br>
Office Managing Partner & National Managing Partner Third Party Attestation Services<br>
314-889-1220 (Direct) 347-1220 (Internal)<br>
314-889-1221 (Fax)</span><span style="font-size:12.0pt;line-height:106%;font-family:"Times New Roman",serif"><br>
</span><span style="font-size:10.0pt;line-height:106%;font-family:"Trebuchet MS",sans-serif;color:#ED1A3B"><a href="mailto:jfward@bdo.com"><span style="color:#ED1A3B">jfward@bdo.com</span></a></span><span style="font-size:12.0pt;line-height:106%;font-family:"Times New Roman",serif"><br>
<br>
</span><b><span style="font-size:10.0pt;line-height:106%;font-family:"Trebuchet MS",sans-serif;color:#404040">BDO</span></b><span style="font-size:12.0pt;line-height:106%;font-family:"Times New Roman",serif"><br>
</span><span style="font-size:10.0pt;line-height:106%;font-family:"Trebuchet MS",sans-serif;color:#404040">101 S Hanley Rd, #800<br>
St. Louis, MO 63105 <br>
UNITED STATES<br>
314-889-1100</span><span style="font-size:12.0pt;line-height:106%;font-family:"Times New Roman",serif"><br>
</span><u><span style="font-size:10.0pt;line-height:106%;font-family:"Trebuchet MS",sans-serif;color:#ED1A3B"><a href="http://www.bdo.com"><span style="color:#ED1A3B">www.bdo.com</span></a></span></u><span style="font-size:12.0pt;line-height:106%;font-family:"Times New Roman",serif"><br>
<br>
</span><i><span style="font-size:10.0pt;line-height:106%;font-family:"trebuchet",serif;color:green">Please consider the environment before printing this e-mail</span></i><span style="font-size:12.0pt;line-height:106%;font-family:"Times New Roman",serif"><br>
<br>
</span><span style="font-size:12.0pt;line-height:106%;font-family:"Times New Roman",serif"><img border="0" width="105" height="112" id="_x0000_i1025" src="file:///C:\Windows\Support\OutlookSignatureDesigner\Icons\BDO%20Award.png" alt="BDOC Networking Award"></span><o:p></o:p></p>
</div>
</body>
</html>