CAcert Internal Audit


Welcome on CAcert's internal audit page. From this landing page, you are able to determine, the objectives, the team, the scope, and the progress of CAcert's internal audit.

The Scope of the audit is the prove of compliance to CAcert's Policies in the first step and the check against external audit / certification readiness in a second step. CAcert's internal Audit follows the international norm ISO 19011:2011, i.e. the life cycle about audit planning, audit execution, audit monitoring, and audit improvement.


This audit programme is created to prove CAcert's maturity

Roles and responsibilities

Auditors are the main resource in an audit, it is important, that auditors have the required competences to fulfil their duty. Where the knowledge of the auditors is limited, specialist might help out and work with the auditors. Main skills and tasks of these audit participants are listed below, the current audit team is listed on a separate page.

Lead auditor

The lead auditor is entitled to create, execute, monitor, review and improve CAcert's internal audit programme. She is further authorised to nominate auditors and delegate duties towards them. Skills and competences of a lead auditor are:


An auditor is responsible for dedicated sessions during an audit. (S)He conducts interviews, does inspections, and observations to propose non-conformities or potential improvements to the organisation. Auditors might be nominates for each audit plan separately.


RA-Auditors (former Co-Auditors) are senior assurers with the special task to audit CAcert's registration authority. (S)He is a passive observer in a normal assurance process between an assurer and an assurer. RA-Auditors are nominated under the RA-Audit Program.


A specialist brings additional knowledge to the audit team without being an auditor. (S)He helps the auditor to understand systems and technologies and delivers the base for the auditor's decisions. A specialist could be a penetration tester. Specialists might be nominated session by session.

Extent of the audit programme

The internal audit over CAcert covers the organisation with is organs such as but not limited to

the Certificate Authority with its Registration Authority, and the technical infrastructure, i.e. data centres, servers, cabling, etc. This audit programme has an extend of three years and contains three audit plans, one for each year. The audit plans specify the audited parts of CAcert. Within the three years, each and every part of the organisation should have been audited at least once. The audit programme will take the results of former internal and external audits into concern. All documentation will be done in English and published related on their severity based on CAcert's policies.

Risk evaluation

The audit programme follows a risk-based approach, taking into account the risk appearing in the context of planning, resources and selection of the audit team, communications, records and their controls, and the monitoring, review and improvement of this audit programme.

Audit procedures

Each audit under this programme follows the international norm ISO 19011:2011. The lead auditor is responsible for the security and confidentiality of the information collected during the audit sessions. In her responsibility also lies the competence of the auditors, the selection of appropriate samples, the maintenance of the audit programme records, and the reporting to CAcert's committee.


Non-Conformity is the "non-fulfillment of a requirement". It is a failure to comply with requirements. A requirement is a need, expectation, or obligation. It can be stated or implied by an organization, its stakeholders, or other interested parties.

Recommendation is a positive proposal how to improve the audited system. It does not need to be implemented, however, it should be considered and the the decision not to implement it should be documented.


Pages about Audit

  1. Advisory/AMinutes20080117
  2. Advisory/SysadmMinutes20090306
  3. ArbitrationForum
  4. ArbitrationForum/CZ
  5. Arbitrations/Audit/a20101025.1
  6. Arbitrations/Audit/a20111128.3
  7. Arbitrations/Audit/a20141024.1
  8. Arbitrations/Training/Lesson12
  9. Archive/AuditBudget
  10. Archive/AuditWishList
  11. AssuranceHandbook2
  12. AssuranceHandbook2/CZ
  13. AssuranceHandbook2/DE
  14. AssuranceHandbook2/SomeMoreInformation
  15. AssuranceHandbook2/SomeMoreInformation/CZ
  16. AssurerChallenge
  17. AssurerChallenge/CZ
  18. AssurerChallenge/DE
  19. AssurerChallenge/NL
  20. AssurerChallenge/fr
  21. AssurersTTPMatrix
  22. Audit
  23. Audit/AuditMinutes20070921
  24. Audit/AuditResultTemplate
  25. Audit/CZ
  26. Audit/Code
  27. Audit/CommunityReport20080111
  28. Audit/CommunityReport20080321
  29. Audit/CommunityReport20080602
  30. Audit/CommunityReport20080902
  31. Audit/CommunityReport20081007
  32. Audit/CommunityReport20081007short
  33. Audit/CommunityReport20090119
  34. Audit/CommunityReport20090426
  35. Audit/CommunityReport20090623
  36. Audit/CriteriaAlphabetSoup
  37. Audit/Directives
  38. Audit/Done
  39. Audit/Incidents
  40. Audit/Incidents/i20130810.1
  41. Audit/Incidents/i20140325.1
  42. Audit/Incidents/i20140625.1
  43. Audit/Incidents/i20140628.1
  44. Audit/Incidents/i20140814.1
  45. Audit/Incidents/i20141011.1
  46. Audit/Incidents/i20150115.1
  47. Audit/Incidents/i20150219.1
  48. Audit/Incidents/i20150725.1
  49. Audit/Incidents/i20151205.1
  50. Audit/Incidents/i20151207.1
  51. Audit/Incidents/i20160410.1
  52. Audit/Incidents/i201YMMDD.n
  53. Audit/Plan
  54. Audit/Presentations
  55. Audit/RA-Audit
  56. Audit/RA-Audit/Team
  57. Audit/Reports
  58. Audit/Reports/2014-2
  59. Audit/Results/Tracking
  60. Audit/Results/session2014.1
  61. Audit/Results/session2015.1
  62. Audit/Results/session2015.3
  63. Audit/Results/session2015.4
  64. Audit/Results/session2016.1
  65. Audit/Systems
  66. Audit/Team
  67. Audit/ToDo
  68. Brain/Study/AuditNextSteps
  69. Brain/Study/AuditNextSteps/PoJAM
  70. Brain/Study/AuditNextSteps/TTP
  71. Brain/Study/AuditNextSteps/TopAuditMinutes20070921
  72. Brain/Study/Bug665
  73. Brain/Study/COrbitCA
  74. CategoryAudit
  75. CategoryCoAudit
  76. CodesigningCert
  77. CodesigningCert/CZ
  78. Documentation/WishList
  79. ExecMeeting2007
  80. FAQ/AssuranceByTTP
  81. FAQ/AssuranceByTTP/CZ
  82. FAQ/AssuranceInformationForTTP
  83. FAQ/AssuranceInformationForTTP/CZ
  84. FAQ/Class3Resign
  85. FAQ/Class3Resign/CZ
  86. FAQ/NewPointsCount
  87. FAQ/NewPointsCount/CZ
  88. FAQ/TTPAvailability
  89. FAQ/TTPAvailability/CZ
  90. InclusionPolicies
  91. InclusionStatus
  92. InclusionStatus/IT
  93. InclusionStatus/Recognition
  94. Policy
  95. Policy/CZ
  96. Policy/FAQ
  97. Policy/FAQ/CZ
  98. Policy/Guide
  99. Policy/Guide/CZ
  100. Policy/RootDistributionLicense
  101. Policy/Tasks
  102. PolicyDecisions
  103. PolicyDiscussions/AssurancePolicy
  104. PolicyDiscussions/PolicyForNucleus
  105. PolicyDrafts/CCA
  106. PolicyDrafts/CodesigningAssurancePolicy
  107. PolicyDrafts/OrganisationAssurance
  108. PolicyDrafts/PolicyOnJuniorAssurersMembers
  109. PolicyDrafts/PolicyOnJuniorAssurersMembers2
  110. PolicyDrafts/TTPAssurerCheck
  111. Privacy/EU-EEA-DataProtectionDeclaration/CZ
  112. Privacy/EU-EEA-DataProtectionDeclaration/DE
  113. Privacy/EU-EEA-DataProtectionDeclaration/EN
  114. Privacy/EU-EEA-DataProtectionDeclaration/IT
  115. RELY
  116. RELY/CZ
  117. RemoteAssurance
  118. RemoteAssurance/Country
  119. Risk
  120. Risk/CZ
  121. RiskAssessment
  122. RiskAssessment/CZ
  123. RisksLiabilitiesObligations
  124. RisksLiabilitiesObligations/CZ
  125. Roots/20081128
  126. Roots/Class3ResignProcedure
  127. Roots/Class3ResignProcedure/CZ
  128. Roots/Class3ResignProcedure/FingerprintSources
  129. Roots/Class3ResignProcedure/Migration
  130. Roots/Class3ResignProcedure/PR-DistributionList
  131. Roots/Class3ResignProcedure/PressRelease/CZ
  132. Roots/Class3ResignProcedure/PressRelease/DE
  133. Roots/Class3ResignProcedure/PressRelease/EN
  134. Roots/Class3ResignProcedure/PressRelease/ES
  135. Roots/Class3ResignProcedure/PressRelease/FR
  136. Roots/Class3ResignProcedure/PressRelease/NL
  137. Roots/Class3ResignProcedure/PressRelease/RU
  138. Roots/Contents
  139. Roots/Contents/CZ
  140. Roots/ContentsDiscussion
  141. Roots/EscrowAndRecovery
  142. Roots/EscrowAndRecovery/ActorPassword
  143. Roots/EscrowAndRecovery/CZ
  144. Roots/EscrowAndRecovery/EnvelopeBankNotaryEscrow
  145. Roots/EscrowAndRecovery/MultiMemberEscrow
  146. Roots/EscrowAndRecovery/NewRootGenerationProcess
  147. Roots/EscrowAndRecovery/Notary
  148. Roots/EscrowAndRecovery/PassSigningServer
  149. Roots/EscrowAndRecovery/RedundantServers
  150. Roots/EscrowAndRecovery/SSSS
  151. Roots/Library
  152. Roots/NewRootsTaskForce
  153. Roots/NewRootsTaskForce/USB
  154. Roots/OrganisationSubRoots
  155. Roots/OrganisationSubRoots/CZ
  156. Roots/RolloutProcedure
  157. Roots/StateOverview
  158. Roots/StateOverview/CZ
  159. Roots/Structure
  160. Roots/Structure/CZ
  161. Roots/TechScript
  162. Roots/TestNewRootCerts
  163. Roots/TestNewRootCerts/Comments
  164. SecurityManual
  165. SecurityManual/CZ
  166. SuperAssurers
  167. SystemAdministration/InfrastructureHost
  168. TTP
  169. TTP/CZ
  170. Technology/Laboratory/COrbitCA
  171. Technology/Laboratory/Software/BirdShack
  172. USE/CZ
  173. comma/Workbench/WikiCertLoginKnowHowMgmtTool

Audit (last edited 2016-06-04 08:50:38 by AlesKastner)