Published on Digi-Sign, The Certificate Corporation (https://www.digi-sign.com)

By Digi-Sign
Created Apr 23 2008 - 16:01

Comparison with Service Auditor Reports

Comparison of a WebTrust for Certification Authorities examination with service auditor reports:

Professional standards already exist for auditors to report on the controls of third-party service providers (a service auditor's engagement). Guidance for these engagements is set out in Statement on Auditing Standards (SAS) No. 70, Service Organizations, as amended (referred to below as SAS 70).

A WebTrust for Certification Authorities engagement differs from a service auditor's engagement in a number of ways, including the following:

  • Purpose. WebTrust for Certification Authorities provides a new framework for reporting on the activities of CAs through auditor communication to interested parties, including business partners and existing or potential customers. SAS 70 was designed for auditor-to-auditor communication, to assist the user auditor in reporting on the financial statements of a customer of the service organization.

  • Target of evaluation. WebTrust for Certification Authorities was designed specifically for the examination of CA business activities. Service auditor reports were designed for service organizations in general.

  • Type of engagement. WebTrust for Certification Authorities requires reporting on compliance with the WebTrust Principles and Criteria for Certification Authorities. Service auditor reports were designed for reporting on the design and existence of controls and, when the report covers a period of time, on the operating effectiveness of those controls.

  • Examination standards. WebTrust for Certification Authorities follows the Statements on Standards for Attestation Engagements (SSAEs). Service auditor reports follow generally accepted auditing standards.

  • Coverage of activities. WebTrust for Certification Authorities requires coverage of specific areas as defined in the criteria, including CA business practices disclosure, service integrity (including key and certificate life cycle management activities), and CA environmental controls. Service auditor reports were designed for reporting on controls related to financial information.

  • Linkage to authoritative standards. WebTrust for Certification Authorities provides uniform rules derived from the draft ANSI X9.79 standard (which is intended to be submitted to the International Organization for Standardization [ISO] for international standardization). The standards underlying service auditor reports do not specify the control objectives that a report must cover, so the scope of a service auditor's report is set by the service organization rather than by the standard.

  • Period of coverage of review. WebTrust for Certification Authorities encourages continuous coverage from the point of initial qualification and requires continuous coverage in order to retain the seal. For initial qualification, compliance must be tested over a period of at least two months; thereafter, update examinations cover a specified period (currently one year at most). Service auditor reports cover a period of time specified by the service organization and do not require continuous coverage.

In addition, following the SSAEs maintains consistency with the professional standards used for the Suitable Trust Services Criteria and Illustrations.


Source URL: https://www.digi-sign.com/compliance/webtrust/auditor%20comparison