325K.06 Performance audits.
Subdivision 1. Annual audit; auditor qualifications; rules. A certified public accountant having expertise in computer security must audit the operations of each licensed certification authority at least once each year to evaluate compliance with this chapter. The secretary may by rule specify the qualifications of auditors.
Subd. 2. Compliance categories. Based on information gathered in the audit, the auditor must categorize the licensed certification authority's compliance as one of the following:
(a) Full compliance. The certification authority appears to conform to all applicable statutory and regulatory requirements.
(b) Substantial compliance. The certification authority appears generally to conform to applicable statutory and regulatory requirements. However, one or more instances of noncompliance or of inability to demonstrate compliance were found in an audited sample, but were likely to be inconsequential.
(c) Partial compliance. The certification authority appears to comply with some statutory and regulatory requirements, but was found not to have complied or not be able to demonstrate compliance with one or more important safeguards.
(d) Noncompliance. The certification authority complies with few or none of the statutory and regulatory requirements, fails to keep adequate records to demonstrate compliance with more than a few requirements, or refused to submit to an audit.
The secretary shall publish in the certification authority disclosure record it maintains for the certification authority the date of the audit and the resulting categorization of the certification authority.
Subd. 3. Exemption from audit. The secretary may exempt a licensed certification authority from the requirements of subdivision 1, if:
(1) the certification authority to be exempted requests exemption in writing;
(2) the most recent performance audit, if any, of the certification authority resulted in a finding of full or substantial compliance; and
(3) the certification authority declares under oath, affirmation, or penalty of perjury that one or more of the following is true with respect to the certification authority:
(i) the certification authority has issued fewer than six certificates during the past year and the recommended reliance limits of all of the certificates do not exceed $10,000;
(ii) the aggregate lifetime of all certificates issued by the certification authority during the past year is less than 30 days and the recommended reliance limits of all of the certificates do not exceed $10,000; or
(iii) the recommended reliance limits of all certificates outstanding and issued by the certification authority total less than $1,000.
Subd. 4. False declaration. If the certification authority's declaration under subdivision 3 falsely states a material fact, the certification authority has failed to comply with the performance audit requirements of this section.
Subd. 5. Record of exemption. If a licensed certification authority is exempt under subdivision 3, the secretary must publish in the certification authority disclosure record it maintains for the certification authority that the certification authority is exempt from the performance audit requirement.
HIST: 1997 c 178 s 7
Official Publication of the State of Minnesota
Revisor of Statutes