##master-page:AuditResultTemplate
##master-date:2014-06-24
#acl BenediktHeintel:read,write,delete,revert,admin BoardGroup:read UlrichSchroeter:read All:read
#format wiki
#language en
= Audit Results Session 2015.1 =
## select in each field one
## Review of Internal controls, Compliance Review, Operational or Management Audit, Financial Audit, Special Investigation
|| Audit Type || Compliance Review ||
## Draft, Formal Draft, Final Report
|| Report Status || Final Report ||
## Audit plan, Directive of Board, Request of ''XX''
|| Audit initiated by || Requested by Assurance Officer ||
|| Audit Subject || Compliance of Software with Assurance Policy ||
## Comments received, comments integrated, agreed, needs rework
|| Follow up status || 2015-04-10 informed board, management review expected till 2015-05-30 ||
|| || 2015-08-11 Approved by board in [[https://community.cacert.org/board/motions.php?motion=m20150803.4|m20150803.4]] ||

== Executive Summary ==
This audit report covers the findings of session 2015.1 on the CAP form and the WebDB. There are three findings, two of which are non-conformities.

== Purpose, Scope and Methodology ==
This audit session examines the compliance of the assurance process with CAcert's [[https://www.cacert.org/policy/AssurancePolicy.html|Assurance Policy (AP)]]. The CAP form and the WebDB are evaluated against the matching sections of the AP. The walk-through is done with a fictive Assuree in the test system.

== Audit Results and Recommendations ==
The auditor identified two non-conformities and one recommendation.

=== Non-Conformities ===

==== Member's Name ====
[[https://www.cacert.org/policy/AssurancePolicy.html#s2.1|AP 2.1]] describes the handling of a member's name as:
{{{
1. The Name should be recorded as written in a government-issued photo identity document (ID).
2. The Name should be recorded as completely as possible. That is, including all middle names, any titles and extensions, without abbreviations, and without transliteration of characters.
3. The Name is recorded as a string of characters, encoded in unicode transformation format.
}}}
While the WebDB tries to capture every part of the second point, it does not honour the third point: all name data is stored as individual fields and not as "a [as in 'one'] string of characters". Besides not following the AP 2.1 rule, this implementation causes additional trouble for people whose names do not fit this scheme (e.g. single-word names).

==== Multiple Names and variations ====
[[https://www.cacert.org/policy/AssurancePolicy.html#s2.2|AP 2.2]] allows members to record additional names or variations of names in their online account. Examples are given. This requirement is not implemented at all in the current software.

=== Recommendation ===
[[https://www.cacert.org/policy/AssurancePolicy.html#s4.5|AP 4.5]] requests optional information for reciprocal assurances in the Assurer's part of the CAP form. Using the same CAP form for a reciprocal assurance is not recommended and is not what current Assurer education teaches as state of the art. It is recommended to remove the following sentence from the AP:
{{{
Optional: If the Assurance is reciprocal, then the Assurer's email address and Secondary Distinguishing Feature are required as well;
}}}

== Auditor ==
-- BenediktHeintel

----
 . CategoryAudit
 . CategoryAuditProgramm2015
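The two non-conformities above (AP 2.1 name storage and AP 2.2 name variations) can be illustrated with a small record model. This is an added example and not code from CAcert's WebDB or CAP form software; the `SplitFieldName` schema is a constructed stand-in for a first/middle/last database layout, and the `MemberName` validation checks (NFC normalisation, no control characters) are the editor's assumptions about what a compliant implementation would do, not requirements stated in the AP.

```python
from dataclasses import dataclass, field
from typing import List
import unicodedata


@dataclass
class SplitFieldName:
    """Constructed stand-in for a first/middle/last schema (not the WebDB code)."""
    first: str
    middle: str
    last: str


def split_name(written: str) -> SplitFieldName:
    """Naive split into fields, as a first/middle/last schema forces.

    Fails for names that do not fit the pattern, e.g. single-word names,
    which is exactly the trouble the AP 2.1 finding describes.
    """
    parts = written.split()
    if len(parts) < 2:
        raise ValueError("name %r does not fit a first/last schema" % written)
    return SplitFieldName(parts[0], " ".join(parts[1:-1]), parts[-1])


def _validate_written(written: str) -> str:
    """Hypothetical checks for AP 2.1 point 3: one non-empty string of
    Unicode characters, NFC-normalised so that the same characters compare
    equal however the client composed them, with no control characters."""
    name = unicodedata.normalize("NFC", written.strip())
    if not name:
        raise ValueError("name must not be empty")
    if any(unicodedata.category(ch) == "Cc" for ch in name):
        raise ValueError("name must not contain control characters")
    return name


@dataclass
class MemberName:
    """AP 2.1: the Name as written on the ID, stored as ONE string.
    AP 2.2: additional names or variations attached to the same account."""
    recorded: str
    variations: List[str] = field(default_factory=list)

    @classmethod
    def from_id_document(cls, written: str) -> "MemberName":
        # No splitting, no abbreviation, no transliteration: the string is kept as written.
        return cls(_validate_written(written))

    def add_variation(self, written: str) -> None:
        """AP 2.2: record an additional name or variation (e.g. a maiden
        name) without touching the primary Name."""
        name = _validate_written(written)
        if name != self.recorded and name not in self.variations:
            self.variations.append(name)

    def all_names(self) -> List[str]:
        return [self.recorded] + list(self.variations)

    def matches(self, presented: str) -> bool:
        """Compare a presented name against the Name and every variation
        after the same normalisation, so a decomposed 'ü' still matches."""
        return _validate_written(presented) in self.all_names()

    def utf8(self) -> bytes:
        """The Name encoded in a Unicode transformation format (AP 2.1 point 3)."""
        return self.recorded.encode("utf-8")


if __name__ == "__main__":
    # Constructed sample names: a mononym breaks the split schema but not the AP model.
    for written in ("Madonna", "Jürgen Müller"):
        try:
            print("split schema:", split_name(written))
        except ValueError as exc:
            print("split schema:", exc)
        print("AP 2.1 model:", MemberName.from_id_document(written))
```

Run as a script, the single-word name raises in `split_name` but is accepted unchanged by `MemberName.from_id_document`, which is the behaviour difference the Member's Name finding points at.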