[cabfpub] Ballot idea: Define "Audit Period"

Ryan Sleevi sleevi at google.com
Thu Feb 23 20:04:52 UTC 2017

On Thu, Feb 23, 2017 at 11:50 AM, Gervase Markham via Public <
public at cabforum.org> wrote:

> The term "audit period" is used in the BRs but not defined, and Kathleen
> tells me she keeps running into CAs who don't understand it, often
> confusing it with the period of time the auditor is on the premises.
> Would anyone be opposed to a ballot to add a definition of Audit Period
> along the following lines?
> Audit Period: the period of CA operations a Qualified Auditor considers
> when assessing the work of a CA in order to write an Audit Report. This
> is not the same as the (much shorter) period of time during which the
> auditor is carrying out the audit. Audit Periods MUST NOT exceed 1 year
> in duration, and Audit Periods for successive audits of a particular
> type MUST be continuous.
> (The latter sentence is added for clarity, and repeats something said in
> section 8.1.)
> The ballot would also replace "audit period" with "Audit Period"
> throughout.

Having encountered an auditor (!!!) who tried to argue this, and pointing
them to their professional standards (as auditors) that defined the term, I
can understand and am sensitive to (... and still incredulous at) this
being confusing/controversial.

I have three concrete concerns with the wording proposed:
- The possibility of conflict with AICPA & ETSI (and more generally, terms
of art in the auditing professions)
  - For example, the "time on premises" has a specific name - "Period of
the Professional Engagement" -
- It be seen as conflicting/more liberal than what the BRs state at present
(for example, "For both government and commercial CAs, the CA SHOULD make
its Audit Report publicly available no later than three months after the
end of the audit period." in 8.6)
- I believe we should be very careful when introducing normative
requirements in definitions, given their ability to be ignored.

I'm curious whether there's a way to word it such that the Audit Period is
the Period of Time of CA operations, stated in the Audit Report, that the
Qualified Auditor has examined and is offering opinions on.

I suspect Jeff, Don, and our ETSI colleagues can offer a suitable
definition that doesn't let auditors shirk any expected duties while gives
CAs the clarity they need :)
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.cabforum.org/pipermail/public/attachments/20170223/7f80fcb8/attachment-0003.html>

More information about the Public mailing list