Asseco DS / Certum: Overdue Audit Statements 2019
Categories
(CA Program :: CA Certificate Compliance, task)
Tracking
(Not tracked)
People
(Reporter: kathleen.a.wilson, Assigned: wtrapczynski)
Details
(Whiteboard: [ca-compliance] [audit-failure])
Attachments
(5 files)
Audit statements are overdue for the following root certs.
CA Owner: Asseco Data Systems S.A. (previously Unizeto Certum)
Root Certificates:
Certum Trusted Network CA 2
Certum CA
Certum Trusted Network CA
Standard Audit: https://bug1286477.bmoattachments.org/attachment.cgi?id=9001516
Standard Audit Period End Date: 2018-03-26
BR Audit: https://bug1286477.bmoattachments.org/attachment.cgi?id=9001514
BR Audit Period End Date: 2018-03-26
EV Audit: https://bug1286477.bmoattachments.org/attachment.cgi?id=9001515
EV Audit Period End Date: 2018-03-26
Reporter | ||
Updated•5 years ago
|
Comment 1•5 years ago
|
||
Certum had audit in this year from 04 march to 8 march. Audit was carried out by Ernst and Young Poland as in previous years. Audit covered period March 27, 2018 to 04 March, 2019 and included all Certum root certificates. Now we are during signing the Statement of Management, and we will update CCADB as soon as possible.
Comment 2•5 years ago
•
|
||
Aleksandra: Thank you for the update.
Unless I'm mistaken, the period of time from 2019-03-08 to today, 2019-07-17, is over 4 months. The Baseline Requirements, Section 8.6, notes that
the CA SHOULD make its Audit Report publicly available no later than three months after the end of the audit period. In the event of a delay greater than three months, and if so requested by an Application Software Supplier, the CA SHALL provide an explanatory letter signed by the Qualified Auditor.
Please consider this a formal request for such an explanatory letter, signed by E&Y Poland, that explains the reasoning for the delays. Similarly, please inform E&Y Poland about this bug, so that they may also communicate on or engage with this bug. Auditors that have demonstrated patterns of delays in producing reports have had their own issues opened against them, so it is very important for us to understand the nature and cause of the delay, and the steps that both Asseco/Certum and E&Y Poland are taking to ensure that future reports are not delayed.
Updated•5 years ago
|
Comment 3•5 years ago
|
||
I attach Ernst and Young Poland statement. From the Certum side I assure that we sent all the documents and evidence that auditors wanted, as soon as we received the information about them. We told EY Poland also that they can write a comment at this bug.
Comment 4•5 years ago
|
||
Aleksandra: Thanks. To clarify, right now it sounds like E&Y Poland is ascribing the delay to Asseco/Certum. Perhaps if you could provide a timeline of events and exchanges, that would help understand the delay. For example, if it was E&Y Poland realizing that they hadn't asked for necessary documents, rather than Asseco/Certum not providing them, hopefully the timeline will help illustrate this.
Thanks for your understanding!
Comment 5•5 years ago
|
||
Timeline of documents exchanges beetween Certum and E&Y Poland after audit:
2019-03-04-08 – Audit
2019-03-29 – additional question about Validation Specialist, we answered 29.03
2019-04-02 – additional question about one of the audit issue, we answered 02.04
2019-04-02 – we received audit closure report
2019-04-05– additional question about EV verification, we answered 05.04
2019-04-18 – additional questions about key-life-cycle, we answered 30.04
2019-04-26 – additional question about CPS and cryptography, we answered 30.04 and 06.05
2019-05-08 – additional question about CP, keys, renewal and information about certificates expiration, we answered 09.05 and 14.05
2019-05-15 – additional question about one of the audit issue, we answered 23.05
2019-05-15 – request to prepare a remediation plan, we sent it 23.05
2019-06-03 - additional question about one of the audit issue, we answered 03.06 and 10.06
2019-06-19 - request to prepare a compensation mechanisms, we answered 19.06
2019-07-02 – we received information about we have pass an audit.
I hope this timeline illustrate that Certum cooperated well with auditors.
Comment 6•5 years ago
|
||
Thanks Aleksandra.
Wayne, I think you might be better placed for next steps here. Comment #3 has a statement from E&Y Poland, and Comment #5 has the timeline from Asseco/Certum's point of view. I don't want to discourage auditor rigor in investigation, and it does sound like that was a factor for it, but I'm also not sure that we've got a clear plan to prevent future delays. Do you have a sense for what information you'd want?
Comment 7•5 years ago
|
||
While it is worth tracking patterns of problematic auditor behavior, we don't seem to have clear evidence one way or the other in this case. Regardless of that, it is ultimately the CA's responsibility that audits are delivered on time. I want to know two things:
- when will these audit reports be delivered to Mozilla?
- what will Certum do to ensure that this doesn't happen again next year?
Comment 8•5 years ago
|
||
(In reply to Wayne Thayer [:wayne] from comment #7)
While it is worth tracking patterns of problematic auditor behavior, we don't seem to have clear evidence one way or the other in this case. Regardless of that, it is ultimately the CA's responsibility that audits are delivered on time. I want to know two things:
- when will these audit reports be delivered to Mozilla?
From information from our auditor Aneta Dobruk-Serkowska it follows that the report is ready and waiting for the approval of the main auditor who is currently on vacation. We expect to end this as soon as possbile when he return.
- what will Certum do to ensure that this doesn't happen again next year?
In september, we planned meeting with E & Y representatives on which we will summarize the various stages of this year's audit and ask auditors to present a recovery plan on issues that have slowed the timely completion of this year's audit. If the E&Y representatives will not cooperatives in this regard, we will considering the change of auditors next year. Details of the meeting and findings, we can provided in the end of september.
Comment 9•5 years ago
|
||
(In reply to Aleksandra Kapinos from comment #8)
(In reply to Wayne Thayer [:wayne] from comment #7)
While it is worth tracking patterns of problematic auditor behavior, we don't seem to have clear evidence one way or the other in this case. Regardless of that, it is ultimately the CA's responsibility that audits are delivered on time. I want to know two things:
- when will these audit reports be delivered to Mozilla?
From information from our auditor Aneta Dobruk-Serkowska it follows that the report is ready and waiting for the approval of the main auditor who is currently on vacation. We expect to end this as soon as possbile when he return.
One person's vacation is not a good excuse for further delays. Since no specific date is has been given, please provide weekly updates in this bug until the audit report has been delivered to Mozilla.
Comment 10•5 years ago
|
||
We asked our auditors for an update today and we received information that report documents are still under review. We will update this bug next week or earlier when we will have new information.
Comment 11•5 years ago
|
||
Today we received from auditors accepted reports. Tomorrow we will sign them and send to E&Y Poland.
Reporter | ||
Comment 12•5 years ago
|
||
(In reply to Aleksandra Kapinos from comment #11)
Today we received from auditors accepted reports. Tomorrow we will sign them and send to E&Y Poland.
Please file an Audit Case in the CCADB.
https://www.ccadb.org/cas/updates
Comment 13•5 years ago
|
||
We are waiting for publication. We will update CCADB as soon as possible when we get information from EY Poland.
Comment 14•5 years ago
|
||
Comment 15•5 years ago
|
||
Comment 16•5 years ago
|
||
Comment 17•5 years ago
|
||
Comment 18•5 years ago
|
||
Hello,
I attached the current audit reports for Asseco Data Systems/Certum CA.
ADS - Independent Assurance Report CS EV_2019.pdf
ADS - Independent Assurance Report NQ_2019.pdf
ADS - Independent Assurance Report SSL_2019.pdf
ADS - Independent Assurance Report SSL-EV_2019.pdf
Reporter | ||
Comment 19•5 years ago
|
||
I have finished processing the Audit Case for the Asseco Data Systems 2019 audit statements, so I will close this bug as resolved.
Updated•5 years ago
|
Updated•2 years ago
|
Updated•2 years ago
|
Description
•