A certified public accountant having expertise in computer security must audit the operations of each licensed certification authority at least once each year to evaluate compliance with this chapter. The secretary may by rule specify the qualifications of auditors.
Based on information gathered in the audit, the auditor must categorize the licensed certification authority's compliance as one of the following:
(a) Full compliance. The certification authority appears to conform to all applicable statutory and regulatory requirements.
(b) Substantial compliance. The certification authority appears generally to conform to applicable statutory and regulatory requirements. However, one or more instances of noncompliance or of inability to demonstrate compliance were found in an audited sample, but were likely to be inconsequential.
(c) Partial compliance. The certification authority appears to comply with some statutory and regulatory requirements, but was found not to have complied or not be able to demonstrate compliance with one or more important safeguards.
(d) Noncompliance. The certification authority complies with few or none of the statutory and regulatory requirements, fails to keep adequate records to demonstrate compliance with more than a few requirements, or refused to submit to an audit.
The secretary shall publish in the certification authority disclosure record it maintains for the certification authority the date of the audit and the resulting categorization of the certification authority.