concerns about Princeton Audit Group's auditing status


Prof. Reardon

Dec 6, 2022, 1:07:28 PM
to dev-secur...@mozilla.org
Hello all:

In a previous thread I shared some concerns about a root CA; a followup message
from Ryan at Google indicated a number of auditing peculiarities [1]. The
auditor, Princeton Audit Group, seemed to have done limited work as an auditor,
the auditor described the CA operation in a different location than the
attestation, and that the auditor was only licensed in the USA.

Since then it has come to my attention that the auditor's firm appears to have
not had a license since June 30th, 2021 [2]. Despite that, it provided audits
for the TrustCor CA in November 2021 [3].

I reached out to CPA Canada about this. I haven't heard back yet, though I have
noted that Princeton Audit Group no longer appears to be listed as a WebTrust
practitioner [4].

During the prior conversation [1], Watson made a great point, which is that rotating
auditors is a good defence against excessive chumminess and normalization of
deviance, and that SOX requires rotating auditors for public firms and that this
may be a worthwhile addition to the guidance for CAs. I wanted to make sure that
didn't get lost and echo that such a future requirement makes sense to me as well.

Thanks,
Joel Reardon


[1] https://groups.google.com/a/mozilla.org/g/dev-security-policy/c/oxX69KFvsm4/
(5th post)

[2] https://newjersey.mylicense.com/verification/
(do business search for Princeton Audit Group, which gives a license number of
 20CB00580700 with inactive status )

[3] Three of them:
https://www.cpacanada.ca/generichandlers/CPACHandler.ashx?attachmentid=c8857fc5-b201-4c4c-8717-f455b10ff5bc
https://www.cpacanada.ca/generichandlers/CPACHandler.ashx?attachmentid=459d2155-e50c-4497-929c-ee8a57f77708
https://www.cpacanada.ca/generichandlers/CPACHandler.ashx?attachmentid=b18568ae-e794-48be-aa54-c86b6411179a

[4] https://www.cpacanada.ca/en/business-and-accounting-resources/audit-and-assurance/overview-of-webtrust-services/licensed-webtrust-practitioners-international



Rachel McPherson

Dec 6, 2022, 1:50:09 PM
to Prof. Reardon, dev-secur...@mozilla.org
Hello Joel, 

If CPA Canada or WebTrust had any reason to believe he was not duly accredited, they would not have affixed their WebTrust seal, which only they can do. 

Princeton Audit Group was listed as a WebTrust Practitioner on the CPA Canada website up until a few days ago and they update it quite regularly, probably based on who's paid their fees for the year. 

Best Wishes & Warmest Regards, 

Rachel 



Kurt Seifried

Dec 6, 2022, 2:08:26 PM
to Rachel McPherson, Prof. Reardon, dev-secur...@mozilla.org
Instead of making statements about how the WebTrust Practitioner system is supposed to operate, can you, in simple terms of a yes/no, state if the Princeton Audit Group was a certified auditor at the time they did the audit (since the CPA Canada website only provides a current listing and not previous entries that have expired/been decertified), and what evidence you have if you claim that they were? Surely you have evidence you used an accredited auditor, right?

Also this lack of historical data seems like a pretty significant failure on the part of CPA Canada, perhaps someone should start archiving at regular intervals? Ditto for the other countries/etc. Sigh.



--
Kurt Seifried (He/Him)
ku...@seifried.org

Prof. Reardon

Dec 6, 2022, 2:13:18 PM
to dev-secur...@mozilla.org, ku...@seifried.org, Prof. Reardon, dev-secur...@mozilla.org, rac...@trustcor.ca
I've consistently seen the Princeton Audit Group listed on the webtrust page maintained by CPA Canada from April-ish of this year until today. It could be that CPA Canada didn't know that the license expired perhaps? Or it could be that the license information website for New Jersey (ref 2) is incomplete or something.

Buschart, Rufus

Dec 7, 2022, 5:14:16 AM
to Prof. Reardon, dev-secur...@mozilla.org, ku...@seifried.org, dev-secur...@mozilla.org, rac...@trustcor.ca

Hi all!

According to Enrolled WebTrust practitioners: International (archive.org) the Princeton Audit Group was enrolled for USA on the 29th of Oct. 2021.

/Rufus

Kurt Seifried

Dec 7, 2022, 11:58:53 AM
to Buschart, Rufus, Prof. Reardon, dev-secur...@mozilla.org, rac...@trustcor.ca
That doesn't matter, this all happened in Canada.

Prof. Reardon

Dec 8, 2022, 9:42:16 AM
to dev-secur...@mozilla.org, ku...@seifried.org, Prof. Reardon, dev-secur...@mozilla.org, rac...@trustcor.ca, rufus.b...@siemens.com
Hello:

I have gotten information back from WebTrust. A company that is no longer listed
means that either:
"1) the company is no longer licensed as a WebTrust practitioner; 2) the
agreement has expired and has either not been renewed or is in the process of
renewal (past renewal due date)." Without consent from the firm they cannot
comment specifically.

I asked if licensing in WebTrust is separate from professional licensing as an
accounting firm and was told there is "a specific set of rules/protocols that we
follow when licensing a practitioner (including but not limited to a signing
partner(s)’ and staff qualifications/credentials/standing, etc.)." I asked if
those rules are public and was told "We don't disclose this information
publicly."

Thus it remains to me uncertain if being a professionally licensed accountancy
is a necessary requirement to be a WebTrust practitioner for the purposes of
auditing CAs. Indeed, there is empirical evidence [1] from the last year and a half
refuting the hypothesis that active professional licensing is a mandatory requirement.

That said, the country listed after the practitioner is the "countries listed
after a firm(s) on our webpage indicate the countries where the firm(s) is
licensed to carry out audit engagements", which I take to mean that Canadian
operations could not have been part of a WebTrust audit in 2021. [2]

There may also be statements within the audit itself, e.g. "Our examination was
conducted in accordance with attestation standards established by the American
Institute of Certified Public Accountants (“AICPA”)." [3] that might necessitate
that, e.g., the audit is performed by a firm that is a professionally licensed
accountancy, but I don't know if that is the case.

Joel Reardon

[1] Limited historical records here:
https://web.archive.org/web/20220000000000*/https://www.cpacanada.ca/en/business-and-accounting-resources/audit-and-assurance/overview-of-webtrust-services/licensed-webtrust-practitioners-international
show Princeton Audit Group as a WebTrust practitioner until Dec 5, 2022. I
also created a timeline of WebTrust practitioner changes based on archived
captures [4]. As noted earlier, Princeton Audit Group has had an inactive
professional license since June 30, 2021. [5]

[2]
https://web.archive.org/web/20191127040237/https://www.cpacanada.ca/en/business-and-accounting-resources/audit-and-assurance/overview-of-webtrust-services/licensed-webtrust-practitioners-international
lists Princeton Audit Group for United States only and future captures are
consistent. A few months earlier it was listed for Canada only
https://web.archive.org/web/20190820081614/https://www.cpacanada.ca/en/business-and-accounting-resources/audit-and-assurance/overview-of-webtrust-services/licensed-webtrust-practitioners-international

[3] https://www.cpacanada.ca/generichandlers/CPACHandler.ashx?attachmentid=c8857fc5-b201-4c4c-8717-f455b10ff5bc

[4] https://pages.cpsc.ucalgary.ca/~joel.reardon/trustwebtrust/history.html

[5] https://newjersey.mylicense.com/verification/

(do business search for Princeton Audit Group, which gives a license number of
 20CB00580700 with inactive status )
