## 20160604 AK
----
[[Audit/CZ|Česky]] | '''english'''
----
= CAcert Internal Audit =

== Introduction ==
Welcome to CAcert's internal audit page. From this landing page you can find the objectives, the [[Audit/Team|team]], the scope, and the [[Audit/Plan|progress]] of CAcert's internal audit.

The scope of the audit is, in a first step, to prove compliance with CAcert's policies and, in a second step, to check readiness for an external audit / certification.

CAcert's internal audit follows the international standard ISO 19011:2011, i.e. the life cycle of audit planning, audit execution, audit monitoring, and audit improvement.

== Objectives ==
This audit programme is created to prove CAcert's maturity
 * to determine the effectiveness of the management system,
 * to contribute to the improvement of the management system,
 * to fulfil the need for compliance with the CA/Browser Forum's Baseline Requirements,
 * to verify conformity with the contractual requirements of the CCA,
 * to obtain and maintain the community's confidence in CAcert, and
 * to evaluate the compatibility and alignment of the management system objectives with CAcert's overall organisational objectives.

== Roles and responsibilities ==
Auditors are the main resource in an audit; it is therefore important that auditors have the required competences to fulfil their duties. Where the knowledge of the auditors is limited, specialists may help out and work with the auditors. The main skills and tasks of these audit participants are listed below; the current [[Audit/Team|audit team]] is listed on a separate page.

=== Lead auditor ===
The lead auditor is entitled to create, execute, monitor, review and improve CAcert's internal audit programme. She is further authorised to nominate auditors and to delegate duties to them.
Skills and competences of a lead auditor are:
 * knowledge of audit principles, procedures and methods
 * knowledge of auditing management system standards
 * skills to manage the audit programme

=== Auditor ===
An auditor is responsible for dedicated sessions during an audit. (S)He conducts interviews, inspections and observations in order to propose non-conformities or potential improvements to the organisation. Auditors may be nominated separately for each audit plan.

=== RA-Auditor ===
RA-Auditors (formerly Co-Auditors) are senior assurers with the special task of auditing CAcert's registration authority. (S)He is a passive observer in a normal assurance process between an assurer and an assuree. RA-Auditors are nominated under the [[Audit/RA-Audit|RA-Audit Program]].

=== Specialist ===
A specialist brings additional knowledge to the audit team without being an auditor. (S)He helps the auditor to understand systems and technologies and delivers the basis for the auditor's decisions. A specialist could, for example, be a penetration tester. Specialists may be nominated session by session.

== Extent of the audit programme ==
The internal audit of CAcert covers the organisation with its organs, such as but not limited to
 * the committee of CAcert Inc.,
 * arbitration,
 * the policy group,
 * support engineers,
 * software development and assessment,
 * projects,
 * education including ATEs, RA-Audit, and CATS,
the Certificate Authority with its Registration Authority, and the technical infrastructure, i.e. data centres, servers, cabling, etc.

This audit programme spans three years and contains three audit plans, one for each year. The audit plans specify the audited parts of CAcert. Within the three years, each and every part of the organisation should have been audited at least once. The audit programme takes the results of former internal and external audits into account.
All documentation is written in English and published according to its severity, as defined by CAcert's policies.

== Risk evaluation ==
The audit programme follows a risk-based approach, taking into account the risks arising in the context of planning, resources and selection of the audit team, communications, records and their controls, and the monitoring, review and improvement of this audit programme.

== Audit procedures ==
Each audit under this programme follows the international standard ISO 19011:2011. The lead auditor is responsible for the security and confidentiality of the information collected during the audit sessions. Her responsibility also covers the competence of the auditors, the selection of appropriate samples, the maintenance of the audit programme records, and the reporting to CAcert's committee.

=== Findings ===
'''Non-Conformity''' is the "non-fulfillment of a requirement". It is a failure to comply with requirements. A requirement is a need, expectation, or obligation. It can be stated or implied by an organization, its stakeholders, or other interested parties.

'''Recommendation''' is a positive proposal on how to improve the audited system. It does not need to be implemented; however, it should be considered, and the decision not to implement it should be documented.

== References ==
 * Audit Programmes
  * [[attachment:Audit_Programme_2014-2016.pdf|Audit Programme 2014 - 2016]]
 * [[Audit/Plan|Audit Plans]]
 * [[Audit/Results/Tracking|Tracking of Non-Conformities & Recommendations]]
 * [[Audit/Reports|List of Audit Reports]]
 * [[Brain/Study/AuditNextSteps|Audit Next Steps]] (Outdated)
 * [[Audit/Systems|Systems Audit]] (Outdated)

----
== Pages about Audit ==
----
CategoryAudit