[cabfpub] Auditor question

Sheehy, Don (CA - Toronto) dosheehy at deloitte.ca
Tue Apr 21 09:44:37 UTC 2015

Jeremy - as the guidelines are currently written, the issue is not whether there is audit duplication - the issue is whether the primary CA has sufficient monitoring controls to ensure that the obligations are being met at RA level for example. It is those controls that we would need to audit.  If they do not, then we as primary auditor need to obtain other evidence that controls exist - and that may require us visiting the other party or using the work of another auditor as long as certain criteria are met and sufficient information can be obtained. 

If an audit is expected only at the primary CA, then the guidelines need to be concise as to that fact


Donald E. Sheehy, CPA, CA, CISA, CRISC, CIPP/C, CITP 
Partner | Enterprise Risk 

-----Original Message-----
From: public-bounces at cabforum.org [mailto:public-bounces at cabforum.org] On Behalf Of Jeremy Rowley
Sent: Tuesday, March 10, 2015 12:36 AM
Subject: [cabfpub] Auditor question


I wanted to pass along a concern someone raised with the EV Guidelines:

Currently the EV guidelines say "EV audits MUST cover all CA obligations under these Guidelines regardless of whether they are performed directly by the CA or delegated to an RA or subcontractor."  It would make it much more cost effective for CAs if the requirement was modified to allow the auditor to rely on a separate audit done on the RA/subcontractor. Imagine I had a CA and subcontracted another CA to perform certain operations.  As it stands today, the second CA would have to undergo their normal audit plus an audit by the first CA's auditors.  This is great if you are an auditor (more billable hours), but not great if you are the second CA and trying to make money by offering services to other CAs.  For example, let's say we run an OCSP service for another CA.  Would the other CA's auditor have to come check out our OCSP servers to verify compliance?

Personally, I think the intent was that as long as each CA had an EV audit covering their portion of the requirements, then you were okay (since all gaps are covered).  The first CAs auditor wouldn't actually need to audit the second CA.  Is this not the case? I'd like to amend the language to clarify how the two audits interoperate. 

Public mailing list
Public at cabforum.org
Confidentiality Warning: 

This message and any attachments are intended only for the use of the intended recipient(s), are confidential, and may be privileged. If you are not the intended recipient, you are hereby notified that any review, retransmission, conversion to hard copy, copying, circulation or other use of this message and any attachments is strictly prohibited. If you are not the intended recipient, please notify the sender immediately by return e-mail, and delete this message and any attachments from your system. Thank You

If you do not wish to receive future commercial electronic messages from Deloitte, forward this email to unsubscribe at deloitte.ca

Avertissement de confidentialité: 

Ce message, ainsi que toutes ses pièces jointes, est destiné exclusivement au(x) destinataire(s) prévu(s), est confidentiel et peut contenir des renseignements privilégiés. Si vous n’êtes pas le destinataire prévu de ce message, nous vous avisons par la présente que la modification, la retransmission, la conversion en format papier, la reproduction, la diffusion ou toute autre utilisation de ce message et de ses pièces jointes sont strictement interdites. Si vous n’êtes pas le destinataire prévu, veuillez en aviser immédiatement l’expéditeur en répondant à ce courriel et supprimez ce message et toutes ses pièces jointes de votre système. Merci.

Si vous ne voulez pas recevoir d’autres messages électroniques commerciaux de Deloitte à l’avenir, veuillez envoyer ce courriel à l’adresse unsubscribe at deloitte.ca

More information about the Public mailing list