
Audit: Not just for the finance guys any more!

What to Prepare and What to Expect from your CA auditor

Agenda
  • Types of CA attestation
  • What to have ready before the auditor arrives
  • What will happen during the auditor’s visit
  • What happens when they leave
  • WIIFM (What’s In It For Me?)
  • Q & A
Purpose
  • CA attestations are important:

“The trust [of the digital certificate] is in the audit.”

- Judith Spencer, Federal Identification Credentialling Committee, August 2006

Kinds of CA Attestation
  • Two varieties:

1. Web Trust for CAs (WTCA)

      • http://ftp.webtrust.org/webtrust_public/tpafile7-8-03fortheweb.doc
      • Establishes about 200 criteria points against which to measure the CA
      • Industry-standard attestation
      • Widely recognized Web Trust Seal
      • To receive the WT Seal, Webtrust.org generally publishes the CA’s CPS, management assertion letter, and auditor’s opinion letter
Kinds of CA Attestation
  • Two varieties: (cont.)

2. “Compliance review”

      • Use the CA CP as the criteria – 150+ criteria (e.g., Federal FBCA ~200 elements)
      • Individualized approach
      • Final opinion is sent to management for their internal use
Kinds of CA Attestation
  • Consequences:
    • More criteria often means more time on-site and more information requests
    • Trust fabric:
      • WTCA – Published documents fully support trust fabric
      • “Compliance Review” – unpublished documents do not fully support the trust fabric
    • Qualified auditors:
      • WTCA provided by Big Four-plus;
      • “Compliance Review” may be provided by any CPA or CISA
What to Have Ready …
  • Know the criteria the auditor will be using
  • Key Generation ceremony documents
  • Logs, logs, logs – 6 to 12 months’ worth
      • OS, CA, and other automated logs
      • Visitor sign-in sheets (lobby, elevator, CA facility, et al.)
      • Cameras, badging system, et al.
      • Tape backup logs, off-site tracking, tests, test results, etc.
  • Physical review, including CA login, fire, water, RA, cert creation, incident review and resolution, and other activities
  • Staff interviews to support separation of duties, training, experience, compliance with established procedures, etc.
  • Review of the DR site, documents, and DR test(s) results
  • … and other areas per source criteria (see first bullet)
Usual events during a CA attestation
  • Kick off meeting
  • Prepared by Client (“PBC”) document/item list
  • Physical review
  • Interviews
  • Status meetings
  • Update PBC list, etc.
  • Draft Findings, Draft opinion letter, Draft Representation and Assertion letters
  • Final report/opinion
After We Go …
  • If opinion qualified:
    • Review NFRs (Notices of Finding and Recommendation)
    • Change/update documents and procedures
    • Perform and document updates
    • Budget and request second attest visit
  • If opinion unqualified:
    • For Web Trust:
      • Opinion letter delivered
      • CPS and management assertion letter requested and prepped for publication
      • Web Trust Seal requested, required documents provided
      • Seal approved and assigned to the client CA site
    • For “Compliance review”:
      • Opinion letter delivered
WIIFM

Remember: “The trust [of the digital certificate] is in the audit.” - Judith Spencer, Federal Identification Credentialling Committee, August 2006

  • Prove and increase trust in your certificates
  • Capture and address weaknesses in your policies, practices, and operational areas
  • For Web Trust Seal, use the annual engagement as an opportunity to improve processes and/or technology
  • Increase the Trust Fabric between certificate providers, certificate users, and relying parties within and across digital credential-using organizations
Thank You

Q & A

Nathan Faut

KPMG LLP

nfaut@kpmg.com