Joanna: Thanks for that explanation. However, I believe that's the point of concern/confusion; GoDaddy has disclosed both https://crt.sh/?sha256=28689B30E4C306AAB53B027B29E36AD6DD1DCF4B953994482CA84BDC1ECAC996 and https://crt.sh/?sha256=2D12B619A660CEFB013271831D891213FC434E982A21568256CF4E2E86324BEA and bound to the same CP/CPS as GoDaddy, and covered by GoDaddy's audit.
Both certificates are clearly not part of GoDaddy's audit, based on Appendix A, and based on Comment #2, also not bound by GoDaddy's CP/CPS anymore.
In terms of incident reporting, it seems that we're in agreement that GoDaddy should have disclosed both cross-certificates as under Amazon's audit and Amazon's CP/CPS, which GoDaddy is responsible for maintaining in CCADB for these two cross-certificates.
Have I misunderstood the report or the facts? If not, it would be good to file an incident report, on this bug, as to why GoDaddy disclosed this as "Audit same as parent" and "CP/CPS Same as parent", despite having transitioned control to Amazon. Similar to other CAs, it would be good to go through every disclosure by GoDaddy in CCADB and ensure it is correct, associated with the correct audit and CP/CPS, and report back any further corrections.