<div dir="ltr">looks good </div><div class="gmail_extra"><br><div class="gmail_quote">On Wed, Mar 15, 2017 at 2:22 PM, Jeff Ward via Public <span dir="ltr">&lt;<a href="mailto:public@cabforum.org" target="_blank">public@cabforum.org</a>&gt;</span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div lang="EN-US" link="#0563C1" vlink="#954F72">
<div class="m_6211804584987818680WordSection1">
<p class="MsoNormal">Don Sheehy and I worked up the following definition for “Audit Period” with a copy attached in Word for your reference. Please let us know if you have any questions.</p>
<p class="MsoNormal" style="margin-bottom:19.5pt;line-height:19.5pt;vertical-align:top">
<b><span style="font-size:12.0pt;font-family:Arimo;color:black">Audit Period Defined</span></b></p>
<p class="m_6211804584987818680MsoNormalCxSpMiddle" style="margin-bottom:19.5pt;text-align:justify;line-height:19.5pt;vertical-align:top">
<span style="font-size:12.0pt;font-family:Arimo;color:black">Audit engagements are normally conducted in one of two ways, covering either a
<u>point in time</u> or <u>period of time</u>. When an auditor conducts a point in time engagement, including a point in time readiness assessment (also known by CAs and Browsers as a PITRA), the testing procedures are concentrated on one particular day (the
reporting date). These engagements focus on the condition of the PKI operation in a “snapshot” fashion. The auditor assesses and reports on the suitability of the design and the proper implementation of those controls necessary and/or required by the relevant
audit schemes (i.e., ETSI or WebTrust) and the CA/Browser Forum on a particular day. In a point in time engagement, the auditor does not opine on the operating effectiveness of controls. Also, in a point in time engagement, the auditor is not opining on the
suitability and implementation of controls for any period before or after the particular reporting date. In a point in time engagement, the audit period is restricted to one day.</span></p>
<p class="m_6211804584987818680MsoNormalCxSpMiddle" style="margin-bottom:19.5pt;text-align:justify;line-height:19.5pt;vertical-align:top">
<span style="font-size:12.0pt;font-family:Arimo;color:black">In a period of time engagement, the auditor assesses and reports on the suitability of the design and the proper implementation and effective operations of those controls necessary and/or required
by the relevant audit schemes (i.e., ETSI or WebTrust) and the CA/Browser Forum over a meaningful period of time. This is known as the reporting or audit period. Professional audit standards require a minimum audit testing period of two months for reporting
on PKI operations. Audit periods normally cannot exceed twelve months for WebTrust engagements.</span></p>
<p class="m_6211804584987818680MsoNormalCxSpMiddle" style="margin-bottom:19.5pt;text-align:justify;line-height:19.5pt;vertical-align:top">
<span style="font-size:12.0pt;font-family:Arimo;color:black">An “Audit Period” should not be confused with the timing when audit procedures are conducted by the auditor, which is commonly referred to as audit fieldwork. An auditor is not typically onsite performing
testing procedures throughout the entire audit period. In addition, an auditor will typically perform some testing of transactions that occurred during the audit period after the period is over. Whether the auditor is testing onsite, remotely, or in phases
throughout the audit period, the entire audit period remains the scope of the audit requiring testing coverage throughout that period of time.</span></p>
<p class="m_6211804584987818680MsoNormalCxSpLast" style="margin-bottom:19.5pt;text-align:justify;line-height:19.5pt;vertical-align:top">
<span style="font-size:12.0pt;font-family:Arimo;color:black">At present, it is common for a CA to undergo a point in time readiness assessment or audit for its initial audit. This point in time engagement serves as an anchor for the subsequent engagement that
generally will be required by each of the Browsers to begin the application process to be included in their trusted root stores. Subsequent to the point in time engagement, the auditor performs a period of time engagement beginning with the later of
</span></p>
<p class="m_6211804584987818680MsoListParagraphCxSpFirst" style="margin-right:0in;margin-bottom:19.5pt;margin-left:.5in;text-align:justify;line-height:19.5pt;vertical-align:top">
<span style="font-size:12.0pt;font-family:Symbol;color:black">·</span>
<span style="font-size:12.0pt;font-family:Arimo;color:black">the date of the point in time engagement if no significant remediation was required to address any deficiencies in disclosures and/or controls, or</span></p>
<p class="m_6211804584987818680MsoListParagraphCxSpLast" style="margin-right:0in;margin-bottom:19.5pt;margin-left:.5in;text-align:justify;line-height:19.5pt;vertical-align:top">
<span style="font-size:12.0pt;font-family:Symbol;color:black">·</span>
<span style="font-size:12.0pt;font-family:Arimo;color:black">the date that any remediation was completed that addressed significant deficiencies in disclosures and/or controls that existed</span></p>
<p class="MsoNormal" style="margin-bottom:19.5pt;text-align:justify;line-height:19.5pt;vertical-align:top">
<span style="font-size:12.0pt;font-family:Arimo;color:black">for a minimum of two months. It is noteworthy that Browsers require continuous audit coverage with no gaps in audit periods tested during each renewal audit period, regardless of the type of audit opinion
issued (qualified or unqualified).</span></p>
<p class="MsoNormal"><b><span style="font-size:10.0pt;font-family:"Trebuchet MS",sans-serif;color:#404040">Jeff Ward, CPA, CGMA, CITP, CISA, CISSP, CEH</span></b><span style="font-size:10.0pt;font-family:"Trebuchet MS",sans-serif;color:#404040"><br>
National Managing Partner Third Party Attestation Services</span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Trebuchet MS",sans-serif;color:#404040">(SOC/WebTrust/CyberSecurity)<br>
<a href="tel:(314)%20889-1220" value="+13148891220" target="_blank">314-889-1220</a> (Direct) 347-1220 (Internal)<br>
<a href="tel:(314)%20889-1221" value="+13148891221" target="_blank">314-889-1221</a> (Fax)</span><span style="font-size:12.0pt;font-family:"Times New Roman",serif"><br>
</span><span style="font-size:10.0pt;font-family:"Trebuchet MS",sans-serif;color:#ed1a3b"><a href="mailto:jfward@bdo.com" target="_blank"><span style="color:#ed1a3b">jfward@bdo.com</span></a></span><span style="font-size:12.0pt;font-family:"Times New Roman",serif"><br>
<br>
</span><b><span style="font-size:10.0pt;font-family:"Trebuchet MS",sans-serif;color:#404040">BDO</span></b><span style="font-size:12.0pt;font-family:"Times New Roman",serif"><br>
</span><span style="font-size:10.0pt;font-family:"Trebuchet MS",sans-serif;color:#404040">101 S Hanley Rd, #800<br>
St. Louis, MO 63105 <br>
UNITED STATES<br>
<a href="tel:(314)%20889-1100" value="+13148891100" target="_blank">314-889-1100</a></span><span style="font-size:12.0pt;font-family:"Times New Roman",serif"><br>
</span><u><span style="font-size:10.0pt;font-family:"Trebuchet MS",sans-serif;color:#ed1a3b"><a href="http://www.bdo.com" target="_blank"><span style="color:#ed1a3b">www.bdo.com</span></a></span></u><span style="font-size:12.0pt;font-family:"Times New Roman",serif"><br>
</span></p>
</div>
</div>
<br>______________________________<wbr>_________________<br>
Public mailing list<br>
<a href="mailto:Public@cabforum.org">Public@cabforum.org</a><br>
<a href="https://cabforum.org/mailman/listinfo/public" rel="noreferrer" target="_blank">https://cabforum.org/mailman/<wbr>listinfo/public</a><br>
<br></blockquote></div><br></div>