Your Audit Report has Expired

Bruce Morton

Here is a recurring theme in the questions we receive: Why has your CA audit report expired? Or, when will your audit report be brought up to date?

The answer? The audit report is up to date and a new audit report will be provided within three months of the end of the next audit period.


So, why is there confusion? The annual WebTrust audit covers a specific span of time, which we call the audit period. The audit verifies that the CA has disclosed its policies and has controls in place to meet them. The audit period is always in the past, which makes the audit report look expired.

The CA/Browser Forum Baseline Requirements state, “the CA should make its audit report publicly available no later than three months after the end of the audit period.”

So, let’s do the math.

  • Entrust’s annual audit period ends February 28.
  • The last audit was for March 1, 2012, to February 28, 2013. The report had to be available by May 31, 2013.
  • The current audit period ends February 28, 2014, and the audit report will be available by May 31, 2014.

The audit report may always look out of date because it always reports on a period in the past. The good news is the track record. Entrust has been audited to the WebTrust criteria since 2001, so there are 13 successful audit periods on record. We have also expanded our audit to include Extended Validation (2007) and SSL Baseline Requirements (2013).

Maybe we should ask the WebTrust auditor to state, “The next audit report will be available by …”

For more information on audit criteria, please see the WebTrust site.

Bruce Morton
Director, Certificate Technology & Standards

Bruce Morton has worked in the public key infrastructure and digital certificate industry for more than 15 years and has focused on SSL and other publicly trusted certificates since 2005. He has been an active member of the CA/Browser Forum that released guidelines for extended validation (EV) certificates and Baseline Requirements for SSL certificates. Bruce oversees the governance and compliance of Entrust’s publicly trusted PKI.
