April 2017 CA Communication

ACTION 6: QUALIFIED AUDIT STATEMENTS

When an auditor finds non-compliance with the audit criteria, the audit statement should clearly indicate the word "qualified", and clearly identify the controls that failed. The auditor should provide qualified reports for all time periods until the problems have been fixed. Period-of-time audit statements are required to cover audit periods that are less than one year and are contiguous. In other words, there should never be a time gap between the audit periods indicated in period-of-time audit statements. Point-in-time audit statements may be used to confirm that all of the problems that the auditor previously identified in a qualified audit statement have been corrected. However, a point-in-time assessment does *not* replace the period-of-time assessment.
ACTION 6 COMMENTS

CA Owner | Response | Comments
AC Camerfirma, S.A. | Check here to confirm understanding of the above listed requirements |
Actalis | Check here to confirm understanding of the above listed requirements | None
Amazon Trust Services | Check here to confirm understanding of the above listed requirements |
Asseco Data Systems S.A. (previously Unizeto Certum) | Check here to confirm understanding of the above listed requirements |
Atos | Check here to confirm understanding of the above listed requirements |
Autoridad de Certificacion Firmaprofesional | Check here to confirm understanding of the above listed requirements |
Buypass | Check here to confirm understanding of the above listed requirements | We have discussed this with our auditors and they don't use terms like 'clean' or 'qualified' in their audit statement. They don't issue an audit statement in case of problems, and the scope section of the audit statement provides all information. The term 'qualified' has another meaning in audit statements for audits according to European standards and the eIDAS regulation.
Certicámara | Check here to confirm understanding of the above listed requirements |
Certinomis / Docapost | Check here to confirm understanding of the above listed requirements |
China Financial Certification Authority (CFCA) | Check here to confirm understanding of the above listed requirements |
Chunghwa Telecom | Check here to confirm understanding of the above listed requirements |
ComSign | Check here to confirm understanding of the above listed requirements |
Consorci Administració Oberta de Catalunya (Consorci AOC, CATCert) | Check here to confirm understanding of the above listed requirements |
Cybertrust Japan / JCSI | Check here to confirm understanding of the above listed requirements | CTJ has conducted the WebTrust for CA and BR audit for the JCSI-root in March this year and will have a report in mid-May. We'll provide the report to you as soon as we receive it. But please note that regarding the BR audit, we conducted a BR PITRA (a Point in Time Readiness Assessment) this time, as mentioned in Bugzilla id=1314464. This is because CTJ doesn't issue any SSL/TLS certificates yet under the JCSI-root, and it is our first time conducting the BR audit, though we have been conducting the CA audit annually right after we received the JCSI-root from JCSI Inc. in June 2014. Of course, we understand we need to conduct a full (period-of-time) BR audit for the next annual audit.
D-TRUST | Check here to confirm understanding of the above listed requirements | Publishing information on non-conformities can cause security issues.
Deutscher Sparkassen Verlag GmbH (S-TRUST, DSV-Gruppe) | Check here to confirm understanding of the above listed requirements |
Dhimyotis / Certigna | Check here to confirm understanding of the above listed requirements |
DigiCert | Check here to confirm understanding of the above listed requirements |
Disig, a.s. | Check here to confirm understanding of the above listed requirements |
DocuSign (OpenTrust/Keynectis) | Check here to confirm understanding of the above listed requirements |
E-Tugra | Check here to confirm understanding of the above listed requirements |
EDICOM | Check here to confirm understanding of the above listed requirements |
Entrust | Check here to confirm understanding of the above listed requirements |
Global Digital Cybersecurity Authority Co., Ltd. (Formerly Guang Dong Certificate Authority (GDCA)) | Check here to confirm understanding of the above listed requirements |
GlobalSign | Check here to confirm understanding of the above listed requirements | The requirements in Action 6 have already been communicated to our External Auditor.
GoDaddy | Check here to confirm understanding of the above listed requirements |
Google Trust Services LLC (GTS) | Check here to confirm understanding of the above listed requirements |
Government of Hong Kong (SAR), Hongkong Post, Certizen | Check here to confirm understanding of the above listed requirements | Does it mean that a Point-in-Time audit must be performed when all problems identified in the previous qualified audit statement have been corrected? Can a "clean" period-of-time audit statement covering an audit period in which all problems have been corrected replace the point-in-time assessment?
Government of Japan, Ministry of Internal Affairs and Communications | Check here to confirm understanding of the above listed requirements |
Government of Spain, Autoritat de Certificació de la Comunitat Valenciana (ACCV) | Check here to confirm understanding of the above listed requirements |
Government of Spain, Fábrica Nacional de Moneda y Timbre (FNMT) | Check here to confirm understanding of the above listed requirements | We are not sure we understand these requirements. We audit on a yearly basis, so we don't have any gap. We checked because it's necessary to submit the survey.
Government of Taiwan, Government Root Certification Authority (GRCA) | Check here to confirm understanding of the above listed requirements |
Government of The Netherlands, PKIoverheid (Logius) | Check here to confirm understanding of the above listed requirements | The terms "clean" or "qualified" are not used in the certification system (for ETSI) that is employed for our issuing CAs (Trusted Service Providers). There is no such thing as a "qualified" audit for ETSI (the use of "qualified" means a completely different thing in ETSI terminology and could be very confusing if used as required here). Audit statements for ETSI are only issued if the auditor has found no major non-conformities; otherwise no audit statement is issued.
Government of Turkey, Kamu Sertifikasyon Merkezi (Kamu SM) | Check here to confirm understanding of the above listed requirements |
HARICA | Check here to confirm understanding of the above listed requirements | The word "qualified" for ETSI reports is used for proper compliance with the eIDAS regulation and does not indicate something negative. In WebTrust audit reports it means something negative. We suggest you require indication through a different word or words (e.g. "non-conformant") or a full expression that should be included in all non-compliant audit reports (WebTrust and ETSI).
IdenTrust Services, LLC | Check here to confirm understanding of the above listed requirements |
Internet Security Research Group (ISRG) | Check here to confirm understanding of the above listed requirements |
Izenpe S.A. | Check here to confirm understanding of the above listed requirements |
Krajowa Izba Rozliczeniowa S.A. (KIR) | Check here to confirm understanding of the above listed requirements |
LuxTrust | Check here to confirm understanding of the above listed requirements | Could you explain why a non-compliance is indicated as "qualified"? In our understanding, based on the eIDAS regulation, "qualified" can only be used for an audited and certified service. I don't understand these requirements. However, I checked the box because without checking it, it's not possible to submit this survey. We conduct an audit on a yearly basis, which means that we don't have any gap between audit periods; does this answer action 6? This audit is required and reviewed by our national supervisory body (ILNAS).
Microsec Ltd. | Check here to confirm understanding of the above listed requirements |
NetLock Ltd. | Check here to confirm understanding of the above listed requirements |
OISTE | Check here to confirm understanding of the above listed requirements | OK
PROCERT | Check here to confirm understanding of the above listed requirements |
QuoVadis | Check here to confirm understanding of the above listed requirements | Auditors generally will not use terms like 'clean' or 'qualified' in their audit statement. WebTrust has standardised templates for audit statements, and this requirement would need to be addressed by the WebTrust CA Task Force. Note that the term 'qualified' in relation to CAs may have other meanings in the EU.
SECOM Trust Systems CO., LTD. | Check here to confirm understanding of the above listed requirements |
SK ID Solutions AS | Check here to confirm understanding of the above listed requirements | To use the word "qualified" for failed controls is deeply misleading in the European context, where qualified is used for compliant services under the eIDAS regulation.
Sectigo | Check here to confirm understanding of the above listed requirements |
SecureTrust | Check here to confirm understanding of the above listed requirements |
Start Commercial (StartCom) Ltd. | Check here to confirm understanding of the above listed requirements |
SwissSign AG | Check here to confirm understanding of the above listed requirements |
Swisscom (Switzerland) Ltd | Check here to confirm understanding of the above listed requirements |
Symantec | Check here to confirm understanding of the above listed requirements | We confirm our understanding and will request our auditors to clearly state the word "qualified" when they find non-compliance.
T-Systems International GmbH (Deutsche Telekom) | Check here to confirm understanding of the above listed requirements |
Taiwan-CA Inc. (TWCA) | Check here to confirm understanding of the above listed requirements |
Telia Company (formerly TeliaSonera) | Check here to confirm understanding of the above listed requirements |
Trustis | Check here to confirm understanding of the above listed requirements |
TurkTrust | Check here to confirm understanding of the above listed requirements |
Visa | Check here to confirm understanding of the above listed requirements | The WebTrust CA Task Force, which our auditing firm is a member of, does not currently provide an audit statement and/or transmittal letter in which the word "qualified" is included to identify a failed control. This is an item that will require resolution within the WebTrust CA Task Force in order to adopt and adhere to this requirement.
Web.com | Check here to confirm understanding of the above listed requirements |
WoSign CA Limited | Check here to confirm understanding of the above listed requirements |
certSIGN | Check here to confirm understanding of the above listed requirements |