
1 When the Auditor Comes Knocking … What to Prepare and What to Expect from your CA auditor

2 Coming Attractions …
© 2006 KPMG LLP, the U.S. member firm of KPMG International, a Swiss cooperative. All rights reserved. KPMG and the KPMG logo are registered trademarks of KPMG International. For internal use only.
To Be Discussed:
- What kind of CA attestation will it be, and why you should care
- What to have ready before the auditor arrives
- What will happen during the auditor’s visit
- What happens when they leave
- WIIFM (What’s In It For Me?)
- Q & A

3 Purpose
CA attestations are important: “The trust [of the digital certificate] is in the audit.” - Judith Spencer, Federal Identification Credentialling Committee, August 2006

4 Kinds of CA Attestation
Two varieties: Web Trust for CAs (WTCA)
http://ftp.webtrust.org/webtrust_public/tpafile7-8-03fortheweb.doc
- Establishes about 200 criteria points against which to measure the CA
- Industry-standard attestation
- Widely recognized Web Trust Seal
- To receive the WT Seal, Webtrust.org publicly publishes the CA’s CPS, management attestation letter, and auditor’s opinion letter

5 Kinds of CA Attestation
Two varieties (cont.): Management review
- Use the CA CP as the criteria – 300+ criteria (e.g., Federal FBCA ~400 elements)
- Individualized approach
- Final opinion is sent to management for their internal use
- All documents may be kept private/secured/unavailable, or published at management’s discretion

6 Kinds of CA Attestation
Consequences:
- More criteria often (not always) means more time on-site and more information requests (a.k.a. Prepared By Client [PBC] items)
- WTCA – published documents fully support the trust web; Management review – unpublished documents do not fully support the trust web
- WTCA provided by Big Four-plus; Management review may be provided by any qualified CPA firm

7 What to Have Ready …
- Know the criteria the auditor will be using
- Key Generation ceremony documents
- Logs, logs, logs – 6 to 12 months’ worth:
  - OS, CA, and other automated logs
  - Visitor sign-in sheets (lobby, elevator, CA facility, et al.)
  - Cameras, badging system, et al.
  - Tape backup logs, off-site tracking, tests, test results, etc.
- Physical review, including CA login, fire, water, RA, cert creation, incident review and resolution, and other activities
- Staff interviews to support separation of duties, training, experience, compliance with established procedures, etc.
- Review of the DR site, documents, and DR test(s) results
- … and other areas per source criteria (see first bullet)

8 Usual events during a CA attestation
- Kick-off meeting
- Prepare and deliver PBC item list
- PBC document review to determine physical review steps and interview questions/content
- Physical review
- Interviews
- Write up results, update PBC list, update attest criteria documents, etc.
- Final report/opinion

9 After We Go …
If opinion qualified:
- Review NFRs (Notice of Finding and Recommendation)
- Change/update documents and procedures
- Perform and document updated tests
- Budget and request second attest visit
If opinion unqualified:
- For Web Trust:
  - Opinion letter delivered
  - CPS and management assertion letters requested and prepped for publication
  - Web Trust Seal requested, required documents provided
  - Seal approved and assigned to the client CA site
- For Management review:
  - Opinion letter delivered

10 Switching gears …
- The Federal gov’t arrived first (and why)
- Lessons from the Trenches
- What You can do to Avoid These Mistakes
- Q & A

11 Experience Speaks:
- PMA 2002: http://www.whitehouse.gov/omb/budget/fy2002/mgmt.pdf
- HSPD-12 2004: http://www.whitehouse.gov/news/releases/2004/08/20040827-8.html
- FPKI PA: http://www.cio.gov/fpkipa
- FICC: http://www.cio.gov/ficc
- E-Auth: http://www.gsa.gov/eauthentication

12 Experience Speaks (some more):
- Signatures and Access For Everyone (SAFE): http://www.safe-biopharma.org/
- Certipath: http://www.certipath.org/
- And, yes, HEBCA: http://www.educause.edu/HEBCA/623

13 Lesson #1: Not Ready for PrimeTime
Observed actions:
- Requested Web Trust review
- Backup CA site not ready
- Operations not at full-time strength – few to no logs
Issue(s):
- Issued qualified Web Trust opinion letter
- Request preliminary review or advisory engagement – set more realistic expectations and resource allocation
- Expect a second, completely different team during official WTCA attestation

14 Lesson #2: Revision Spiral
Observed actions:
- A client continued revising documents based on preliminary conversations
- Revisions required repetitive document review and criteria mapping
Issues:
- Increased resource utilization on attestation – on both sides – staff, time, budget, expected delivery of opinion
- Non-stable CA environment (ever-changing policies and procedures)

15 Lesson #3: Do We Have To?
Observed actions:
- Delayed RFP / RFQ
- Leads to poor resource allocation, engagement timing, etc.
- Concludes with delayed opinion letter
Issues:
- Budget resources responsibly
- Know the criteria that fit the CA goals
- To the extent of the level of assurance, expands (or contracts) the trust web/fabric

16 In Closing …
- Be Prepared
- Have Appropriate Levels and Amounts of Data
- Understand the attest criteria
- Use the attest to improve policies, processes, documents, and procedures

17 WIIFM
Remember: “The trust [of the digital certificate] is in the audit.” - Judith Spencer, Federal Identification Credentialling Committee, August 2006
- Prove and increase trust in your certificates
- Capture weaknesses in your policies, practices, and operational areas
- For Web Trust Seal, use the annual engagement as an opportunity to improve processes and/or technology
- Increase the Web of Trust between certificate providers and certificate users within and across digital credential-using organizations

18 Thank You
Q & A
Nathan Faut, KPMG LLP, nfaut@kpmg.com
