[cabfpub] Providing Guidance to Interested Parties

Jeff Ward jfward at bdo.com
Tue Mar 7 00:05:58 UTC 2017


I've been reading the emails that ponder the roles and responsibilities, for both members of the CABF and the audit community, with respect to providing guidance to interested parties on Baseline and other related requirements for CAs.  While my views are from a WebTrust point of view based on my position as Chair of the WebTrust Task Force, the same principles would apply regardless of the type of audit.
The Task Force has always welcomed an interactive relationship with the CABF.  We are closely aligned with a common goal.  Given the complexity of the environment in which the Task Force and CABF operate, however, and realizing questions and issues arise at times that need our collective collaboration, it is important that guidance given to our respective members is appropriate given the facts and circumstances of the matter.  It is in this spirit that I suggest communication protocols for the two distinct scenarios listed below:
1. An auditor has a specific question or needs clarification on an audit requirement - In these cases, it is best to have the auditors talk to each other.  Oftentimes, these questions are already coming to the Task Force directly, or indirectly through CPA Canada.  If/when CABF members receive these types of questions, please refer them to me as WebTrust Chair and/or Don Sheehy as CPA Canada's subject matter expert.  We will work with the CABF for clarification as needed.
2. A CA, whether new or existing, has a specific question or needs clarification on a CABF requirement - In these cases, the CA should work through the appropriate communications channels established by the CABF, whether through online discussion, or via email to the Chair/Vice Chair of the CABF.  My guess is this happens quite often given the technical nature of the work involved.  It may very well dig into various technologies that are not contemplated in CABF requirements.  The CABF, of course, is always welcome to converse with myself or Don as desired.
Some important takeaways.  First, the process will benefit by collaboration between the Forum and the Task Force, but will be more efficient if the above scenarios are followed.  Second, it is important to note, the conclusion in an auditor's opinion, whether on a CA, construction company, financial institution, etc., uses the phrase "fairly stated, in all material respects" meaning there is a level of subjectivity on the part of the auditor when making its opinion.  Where CABF and/or audit requirements are vague, or subject to interpretation, different auditors may come up with different approaches to gain the comfort needed to conclude as to "fairly stated, in all material respects".  This has come up from time to time in meetings and otherwise why some auditors qualify reports on matters others may not.  When matters are not necessarily clear based on the facts and circumstances, this is typically where we get the most inquiries.
Believe it or not, this situation is actually not unique to the CA/PKI environment.  In other industries, such as commercial, not for profit, governmental, etc., when matters need clarification based on the facts and circumstances, auditors will typically ask either the AICPA's Task Force that oversees these services, or reach out to the AICPA Hotline.  In the WebTrust world, we already have a Task Force in place, and it is noteworthy that we now have Don Sheehy helping CPA Canada, and he will be an excellent resource to use as the WebTrust Hotline resource.
We can't possibly contemplate every issue that may come up for CAs, but this plan of continuing to work together gets us to the best possible place in this complex world.
Thanks for reading,
Jeff
Jeff Ward, CPA, CGMA, CITP, CISA, CISSP, CEH
Office Managing Partner & National Managing Partner Third Party Attestation Services
314-889-1220 (Direct)    347-1220 (Internal)
314-889-1221 (Fax)
jfward at bdo.com

BDO
101 S Hanley Rd, #800
St. Louis, MO 63105
UNITED STATES
314-889-1100
www.bdo.com
