Washington Administrative Code (Last Updated: November 23, 2016) |
Title 434. Secretary of State |
Chapter 434-180. Electronic authentication. |
Section 434-180-240. Compliance audits.
Latest version.
- (1) A licensed certification authority shall obtain a compliance audit at least once every year. The auditor shall issue an opinion evaluating the degree to which the certification authority conforms to the requirements of this chapter and of chapter 19.34 RCW. If the certification authority is also a recognized repository, the audit must include the repository.

- (2) For purposes of the opinion required by this section, the auditor shall exercise reasonable professional judgment as to whether a condition that does not strictly comply with legal requirements is or is not material, taking into consideration the circumstances and context. Noncompliance as to any of the following shall be deemed material, in addition to any others the auditor may judge to be material:
  - (a) Any condition of noncompliance with statute or rule that relates to the validity of a certificate;
  - (b) Any employee performing the functions of operative personnel who has not qualified pursuant to WAC 434-180-215;
  - (c) Any material indication that the certification authority has used any system other than a trustworthy system.

- (3) An audit may be performed by any licensed certified public accountant, or, in the case of a public agency, by the Washington state auditor. For purposes of this section, licensed certified public accountants include any person holding a certified public accountant certificate issued pursuant to chapter 18.04 RCW, or any licensee under any equivalent law of any other jurisdiction. Any auditor, or group of auditors, performing an audit pursuant to this section shall include at least one individual who has been issued a current and valid certificate as either a certified information systems auditor, by the information systems audit and control foundation, or as a certified information systems security professional, by the International Information Systems Security Certification Consortium. The names of all individuals possessing such certificates shall be disclosed in the audit report, or in a cover letter accompanying that report.

- (4) The certification authority shall file a copy of the audit report with the secretary, prior to the date the certification authority must renew its license pursuant to WAC 434-180-205. At the certification authority's option, it shall be sufficient to file a portion of the report if that report summarizes all audit exceptions and conditions of noncompliance (including, but not limited to, those stated in subsection (2) of this section) stated in the full report, and bears the auditor's signature. The report may be filed electronically, if it is validly digitally signed by the auditor, using a licensed certification authority. The secretary shall publish the report, or summary, in the certification authority disclosure record it maintains for the certification authority.

[Statutory Authority: Chapter 19.34 RCW, including RCW 19.34.030, 19.34.040, 19.34.100, 19.34.400, 19.34.500 and 1998 c 33. WSR 98-16-031, § 434-180-240, filed 7/29/98, effective 8/29/98. Statutory Authority: RCW 19.34.030, 19.34.040, 19.34.100, 19.34.111 and 19.34.400. WSR 97-24-053, § 434-180-240, filed 11/26/97, effective 12/27/97.]