CAcert Internal Audit
The scope of the audit is, in a first step, to prove compliance with CAcert's policies and, in a second step, to check readiness for an external audit or certification. CAcert's internal audit follows the international standard ISO 19011:2011, i.e. the life cycle of audit planning, audit execution, audit monitoring, and audit improvement.
This audit programme is created to prove CAcert's maturity and
- to determine the effectiveness of the management system,
- to contribute to the improvement of the management system,
- to fulfil the need for compliance with CA/Browser Forum's baseline requirements,
- to verify conformity with contractual requirements from CCA,
- to obtain and maintain the community's confidence in CAcert, and
- to evaluate the compatibility and alignment of the management system objectives with CAcert's overall organisational objectives.
Roles and responsibilities
Auditors are the main resource in an audit, so it is important that auditors have the competences required to fulfil their duty. Where the knowledge of the auditors is limited, specialists may help out and work with the auditors. The main skills and tasks of these audit participants are listed below; the current audit team is listed on a separate page.
The lead auditor is entitled to create, execute, monitor, review and improve CAcert's internal audit programme. She is further authorised to nominate auditors and delegate duties towards them. Skills and competences of a lead auditor are:
- knowledge of audit principles, procedures and methods
- knowledge of auditing management system standards
- skills to manage the audit programme
An auditor is responsible for dedicated sessions during an audit. (S)He conducts interviews, inspections and observations in order to propose non-conformities or potential improvements to the organisation. Auditors may be nominated separately for each audit plan.
RA-Auditors (formerly Co-Auditors) are senior assurers with the special task of auditing CAcert's registration authority. (S)He is a passive observer in a normal assurance process between an assurer and an assuree. RA-Auditors are nominated under the RA-Audit Program.
A specialist brings additional knowledge to the audit team without being an auditor. (S)He helps the auditor to understand systems and technologies and delivers the basis for the auditor's decisions. A specialist could, for example, be a penetration tester. Specialists may be nominated session by session.
Extent of the audit programme
The internal audit of CAcert covers the organisation with its organs, such as but not limited to
- the committee of CAcert Inc.,
- policy group,
- support engineers,
- software development and assessment,
- education including ATEs, RA-Audit, and CATS,
the Certificate Authority with its Registration Authority, and the technical infrastructure, i.e. data centres, servers, cabling, etc. This audit programme has an extent of three years and contains three audit plans, one for each year. The audit plans specify the audited parts of CAcert. Within the three years, each and every part of the organisation should have been audited at least once. The audit programme takes the results of former internal and external audits into consideration. All documentation is written in English and published according to its severity, based on CAcert's policies.
The audit programme follows a risk-based approach, taking into account the risk appearing in the context of planning, resources and selection of the audit team, communications, records and their controls, and the monitoring, review and improvement of this audit programme.
Each audit under this programme follows the international norm ISO 19011:2011. The lead auditor is responsible for the security and confidentiality of the information collected during the audit sessions. In her responsibility also lies the competence of the auditors, the selection of appropriate samples, the maintenance of the audit programme records, and the reporting to CAcert's committee.
Non-Conformity is the "non-fulfillment of a requirement". It is a failure to comply with requirements. A requirement is a need, expectation, or obligation. It can be stated or implied by an organization, its stakeholders, or other interested parties.
A recommendation is a positive proposal on how to improve the audited system. It does not need to be implemented; however, it should be considered, and the decision not to implement it should be documented.