[cabfpub] 答复: Changing numbers of self-audited certificates

xiongyuanyuan xiongyuanyuan at sheca.com
Wed Jun 7 10:40:13 UTC 2017

>From the point of audit risk control, set a minimum value is more
reasonable. According to the presentation in AICPA Audit Sampling
Guide(screenshot attached), when a control happens less frequently, we can
decide the sample size by the frequency of the control. So in my opinion,
when CA performs self-audit to certificates that have a small volume, it is
acceptable to take this guide as reference. From this table, we can see that
a minimum value of 5 to certificate sample size is appropriate and is able
to control audit risk.

Besides, I think we should also set a maximum value to certificate sample
This is because when CA performs self-audit to certificates that have a very
large volume, 3% of the total population will still be a lot to audit, and
this would result in large audit cost for the CA. 
When we look at AICPA Audit Sampling Guide and AU 350 of PCAOB, for those
testing samples with high risk, the TER(tolerable exception rate)should be
low as possible, a maximum value of 60(certificates) to sample size(assume
all the 60 testing samples are effective) will promise a lower TER as 5%
which is much lower than a TER as12%-15% (which is operated by some audit
firms for those testing samples with normal risk). 

Base on this, I suggest we also set a maximum value of 60 to certificate
sample size, which ensures audit efficiency as well as controls audit cost
and audit risk.

Best Regards,
Ruby Xiong
Shanghai Electronic Certification Authority co., ltd. 
18F, No.1717, North Sichuan Road, Shanghai, China
Email:xiongyuanyuan at sheca.com 

发件人: Public [mailto:public-bounces at cabforum.org] 代表 Gervase Markham via
发送时间: Tuesday, June 6, 2017 6:47 PM
收件人: CABFPub
抄送: Gervase Markham
主题: [cabfpub] Changing numbers of self-audited certificates

Currently, the BRs define, in section 8.7, the parameters for self-audits
and audits of certificates below a TCSC. At the moment, the number of certs
randomly chosen to be audited is defined as "the greater of one certificate
or at least three percent of the Certificates issued".

I think that auditing just a single certificate (which is currently OK up
until 33 are issued) makes it too easy to overlook problems when volumes are
small. I propose instead a 5-certificate minimum, or 3%, whichever is
larger. In other words:

Issued Audited
0      0
1      1
5      5
6      5
166    5
167    6

We could just change the "one" to a "five" if people thought it was obvious
that if you've issued less than five, you just audit all of them. Or we
could expand the text a bit to explicitly describe that.

I would be interested in feedback on the impact of this change. It's been
proposed for the Mozilla policy but as it's a BR stipulation I thought we
should try here first.

Public mailing list
Public at cabforum.org

More information about the Public mailing list