1 When the Auditor Comes Knocking … What to Prepare and What to Expect from your CA auditor.


1 When the Auditor Comes Knocking … What to Prepare and What to Expect from your CA auditor

© 2006 KPMG LLP, the U.S. member firm of KPMG International, a Swiss cooperative. All rights reserved. KPMG and the KPMG logo are registered trademarks of KPMG International. For internal use only.

2 Coming Attractions … To Be Discussed:
- What kind of CA attestation will it be, and why you should care
- What to have ready before the auditor arrives
- What will happen during the auditor’s visit
- What happens when they leave
- WIIFM (What’s In It For Me?)
- Q & A

3 Purpose
CA attestations are important: “The trust [of the digital certificate] is in the audit.” - Judith Spencer, Federal Identification Credentialling Committee, August 2006

4 Kinds of CA Attestation
Two varieties:
Web Trust for CAs (WTCA) – 03fortheweb.doc
- Establishes about 200 criteria points against which to measure the CA
- Industry-standard attestation
- Widely recognized Web Trust Seal
- To receive the WT Seal, Webtrust.org publicly publishes the CA’s CPS, management attestation letter, and auditor’s opinion letter

5 Kinds of CA Attestation
Two varieties (cont.):
Management review
- Uses the CA CP as the criteria – 300+ criteria (e.g., Federal FBCA ~400 elements)
- Individualized approach
- Final opinion is sent to management for their internal use
- All documents may be kept private/secured/unavailable, or published at management’s discretion

6 Kinds of CA Attestation
Consequences:
- More criteria often (not always) means more time on-site and more information requests (a.k.a. Prepared By Client [PBC] items)
- WTCA – published documents fully support the trust web; Management review – unpublished documents do not fully support the trust web
- WTCA provided by Big Four-plus; Management review may be provided by any qualified CPA firm

7 What to Have Ready …
- Know the criteria the auditor will be using
- Key Generation ceremony documents
- Logs, logs, logs – 6 to 12 months’ worth
  - OS, CA, and other automated logs
  - Visitor sign-in sheets (lobby, elevator, CA facility, et al.)
  - Cameras, badging system, et al.
  - Tape backup logs, off-site tracking, tests, test results, etc.
- Physical review, including CA login, fire, water, RA, cert creation, incident review and resolution, and other activities
- Staff interviews to support separation of duties, training, experience, compliance with established procedures, etc.
- Review of the DR site, documents, and DR test(s) results
- … and other areas per source criteria (see first bullet)
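The “6 to 12 months’ worth” of logs is the item that most often turns into a finding (see Lesson #1 below: operations not at full strength, few to no logs). The following is an added example, not from the presentation or KPMG, of a pre-visit readiness check: given a constructed inventory of the date ranges actually present in each retained log source (OS, CA application, visitor sign-in, badging), it reports any hole in the audit window so the gap is known before the PBC list arrives. Source names, dates and the 30-day month approximation are assumptions.

```python
from datetime import date, timedelta

# Constructed sample: for each log source an auditor would request as a PBC item,
# the (first_day, last_day) ranges actually present in the retained log files.
AS_OF = date(2006, 9, 30)
SAMPLE_SOURCES = {
    "ca-application": [(date(2005, 10, 1), date(2006, 9, 30))],  # full year retained
    "os-syslog": [(date(2006, 1, 1), date(2006, 5, 15)),          # hole after a rebuild
                  (date(2006, 6, 1), date(2006, 9, 30))],
    "visitor-signin": [(date(2006, 8, 1), date(2006, 9, 30))],    # only started recently
    "badge-system": [],                                           # nothing exported yet
}

def coverage_gaps(ranges, window_start, window_end, max_gap_days=1):
    """Return (gap_start, gap_end) pairs of days inside the window that no range covers.

    Runs of uncovered days no longer than max_gap_days (e.g. a rotation day) are ignored.
    """
    gaps = []
    cursor = window_start                       # first day not yet shown to be covered
    for first, last in sorted(ranges):
        if last < cursor:                       # range ends before the uncovered region
            continue
        if first > cursor and (first - cursor).days > max_gap_days:
            gaps.append((cursor, first - timedelta(days=1)))
        cursor = max(cursor, last + timedelta(days=1))
    if cursor <= window_end and (window_end - cursor).days + 1 > max_gap_days:
        gaps.append((cursor, window_end))
    return gaps

def readiness_report(sources, as_of, required_months=6):
    """Map each source to its coverage gaps over the audit window ending at as_of.

    required_months=6 is the low end of the 6 to 12 months the slides ask for;
    a month is approximated as 30 days (assumption).
    """
    window_start = as_of - timedelta(days=30 * required_months)
    return {name: coverage_gaps(ranges, window_start, as_of)
            for name, ranges in sources.items()}

def not_ready(report):
    """Sources that would come back as a finding because evidence is missing."""
    return sorted(name for name, gaps in report.items() if gaps)

if __name__ == "__main__":
    for name, gaps in readiness_report(SAMPLE_SOURCES, AS_OF).items():
        status = "OK" if not gaps else ", ".join(f"{a} to {b}" for a, b in gaps)
        print(f"{name:16s} {status}")
```

Run it against the real file inventory (first and last timestamp per retained file) and treat every reported gap as a PBC item you cannot produce.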

8 Usual events during a CA attestation
- Kick-off meeting
- Prepare and deliver PBC item list
- PBC document review to determine physical review steps and interview questions/content
- Physical review
- Interviews
- Write up results, update PBC list, update attest criteria documents, etc.
- Final report/opinion

9 After We Go …
If opinion qualified:
- Review NFRs (Notice of Finding and Recommendation)
- Change/update documents and procedures
- Perform and document updated tests
- Budget and request second attest visit
If opinion unqualified:
- For Web Trust:
  - Opinion letter delivered
  - CPS and management assertion letters requested and prepped for publication
  - Web Trust Seal requested, required documents provided
  - Seal approved and assigned to the client CA site
- For Management review:
  - Opinion letter delivered

10 Switching gears …
- The Federal gov’t arrived first (and why)
- Lessons from the Trenches
- What You can do to Avoid These Mistakes
- Q & A

11 Experience Speaks: PMA 2002: HSPD : FPKI PA

12 Experience Speaks (some more): Signatures and Access For Everyone (SAFE): And, yes, HEBCA:

13 Lesson #1: Not Ready for Prime Time
Observed actions:
- Requested Web Trust review
- Backup CA site not ready
- Operations not at full-time strength – few to no logs
Issue(s):
- Issued qualified Web Trust opinion letter
- Request preliminary review or advisory engagement – set more realistic expectations and resource allocation
- Expect a second, completely different team during official WTCA attestation

14 Lesson #2: Revision Spiral
Observed actions:
- A client continued revising documents based on preliminary conversations
- Revisions required repetitive document review and criteria mapping
Issues:
- Increased resource utilization on the attestation – on both sides – staff, time, budget, expected delivery of opinion
- Non-stable CA environment (ever-changing policies and procedures)

15 Lesson #3: Do We Have To?
Observed actions:
- Delayed RFP / RFQ
  - Leads to poor resource allocation, engagement timing, etc.
  - Concludes with delayed opinion letter
Issues:
- Budget resources responsibly
- Know the criteria that fit the CA goals
- The level of assurance chosen expands (or contracts) the trust web/fabric

16 In Closing …
- Be Prepared
- Have Appropriate Levels and Amounts of Data
- Understand the attest criteria
- Use the attest to improve policies, processes, documents, and procedures

17 WIIFM
Remember: “The trust [of the digital certificate] is in the audit.” - Judith Spencer, Federal Identification Credentialling Committee, August 2006
- Prove and increase trust in your certificates
- Capture weaknesses in your policies, practices, and operational areas
- For Web Trust Seal, use the annual engagement as an opportunity to improve processes and/or technology
- Increase the Web of Trust between certificate providers and certificate users within and across digital credential-using organizations

18 Thank You
Q & A
Nathan Faut, KPMG LLP