TITLE 14: COMMERCE
SUBTITLE A: REGULATION OF BUSINESS
CHAPTER I: SECRETARY OF STATE
PART 100 ELECTRONIC COMMERCE SECURITY ACT
SECTION 100.60 AUDIT REQUIREMENTS

Section 100.60 Audit Requirements

a) Upon application for the Secretary's certification of a qualified security procedure, the applicant shall submit annually to the Secretary an independent third party audit with an unqualified opinion. If the applying certification authority has been in operation for one year or less, the applicant shall submit an American Institute of Certified Public Accountants Statement of Standards (S.A.S. 70) Type One Audit. If the applying certification authority has been in operation for longer than one year, the applicant shall submit a Type Two Audit. (The American Institute of Certified Public Accountants Statement of Standards (S.A.S. 70) (December 15, 1999; no subsequent dates or editions) is hereby incorporated and is available from the Institute at 1211 Avenue of the Americas, New York NY 10036.)

b) The auditor shall be a certified public accountant licensed in the State of Illinois, and shall have a current and valid certificate as either a certified information systems auditor by the Information Systems Audit and Control Foundation or as a certified information systems security professional by the International Information Systems Security Certification Consortium.

c) The auditors shall attest that they have demonstrated significant experience in the application of public key cryptographic technologies and computer security.

d) The audit shall include the auditor's opinion or attestation that the applicant has implemented and designed CA certification practices and policies to achieve the requirements of the applicant authority's policy and stated control objectives. The audit shall also establish that the applicant authority has the use of a trustworthy system.