A licensed certification authority shall obtain a compliance and financial audit at least once every calendar year. The auditor shall issue an opinion evaluating the degree to which the certification authority conforms to the requirements of this chapter and Minnesota Statutes, chapter 325K and must also prepare financial statements. If the certification authority is also a recognized repository, the audit must include the repository.
For purposes of the opinion required by this part, the auditor shall exercise reasonable professional judgment as to whether a condition that does not strictly comply with legal requirements is or is not material, taking into consideration the circumstances and context. Noncompliance as to any of the following must be considered material, in addition to any others the auditor may judge to be material:
a condition of noncompliance with a statute, rule, or the certification practice statement that relates to the validity of a certificate;
an employee performing the functions of operative personnel who has not qualified according to part 8275.0035; or
a material indication that the certification authority has used any system other than a trustworthy system.
Audited financial statements must state that they have been prepared according to generally accepted accounting principles.
The financial audit must be performed by a licensed certified public accountant or, in the case of a public agency, by the Minnesota state auditor or, in the case of a state agency, the Minnesota legislative auditor. The audit of the trustworthy system must be done by an individual who has been issued a current and valid certificate as either a certified information systems auditor by the Information Systems Audit and Control Foundation, or as a certified information systems security professional by the International Information Systems Security Certification Consortium. The names of all individuals possessing these certificates and participating in the audit must be disclosed in the audit report filed with the secretary.
The certification authority shall file the following information with the secretary before the date the certification authority must renew its license according to part 8275.0020: the auditor's name, the name of the auditor holding the certificate required to complete the trustworthy system audit, the name of the auditing firm, the address of the auditor, the date of the audit, and the categorization resulting from the audit. The information may be filed electronically if it is digitally signed by the auditor using a licensed certification authority. The secretary shall publish the information in the certification authority disclosure record it maintains for the licensed certification authority.
23 SR 1352
October 27, 2003