Performance Audit Standards For
Approval Of Certification Authorities
March 15, 2002
Our Administrative Rules for Electronic and Digital Signatures specify performance audit standards for Approval of Certification Authorities (Title 2. Chapter 12. Article 5.):
R2-12-501. Definitions
P. "S.A.S. 70" means the standards set in the American Institute of Certified Public Accountants (AICPA) Statement on Auditing Standards No. 70. Should current S.A.S. 70 standards (or any succeeding version) be superseded, the Secretary of State, in consultation with GITA and the State Treasurer, shall establish a deadline for all affected parties to comply with the replacing standard. This deadline shall be no later than 2 years from the date of issuance of the new S.A.S. standards. GITA will also provide a "roadmap" of how the revised standard fits the current Type 1 and Type 2 S.A.S. 70 designations used elsewhere in these rules.
The AICPA published the AICPA/CICA WebTrust Program for Certification Authorities (CA WebTrust) on August 25, 2000. The CA WebTrust has since become the generally accepted performance audit process for Certification Authorities. AICPA developed this new process when they realized that their SAS 70 process did not fully meet the evolving requirements for evaluating Certification Authorities. The CA WebTrust procedure was designed specifically for the examinations of certification authority business processes and controls. (Details of the program are available on-line.)
Given that WebTrust for Certification Authorities:
- was specifically developed to assess Certification Authorities by the same body that developed S.A.S. 70 and
- is generally accepted by Certification Authorities, affected non-CA service vendors and other relying parties,
the Secretary of State (in the capacity of Policy Authority) wishes to upgrade the Certification Authority audit requirement for approval from an unqualified S.A.S. 70 report to an unqualified WebTrust for Certification Authorities report. Given the general acceptance of CA WebTrust, the Policy Authority will take comments until May 1, 2002 and, unless there are material issues with this change, intends to put this performance audit requirement into effect on July 1, 2002. The previously mentioned AICPA website has a guide titled "AICPA/CICA WebTrust Program for Certification Authorities." That guide provides, in our opinion, the "roadmap" that our rules request GITA to provide.
Please direct any comments or issues to the policy authority.