California Code of Regulations Title. 2 Division 7. Chapter 10. Section 22003(a)(6)(C) requires the Secretary of State to place Certification Authorities on the "Approved List of Certification Authorities" after the Certification Authority provides the Secretary of State with a copy of an unqualified performance audit performed in accordance with standards set in the American Institute of Certified Public Accountants (AICPA) Statement on Auditing Standards No. 70 (S.A.S. 70) "Reports on the Processing of Service Transactions by Service Organizations" (1992) to ensure that the Certification Authorities' practices and procedures are consistent with the Certification Authority's stated control objectives.
California Code of Regulations Title. 2 Division 7. Chapter 10. Section 22003(a)(6)(D) permits the Secretary of State to place Certification Authorities on the "Approved List of Certification Authorities" after the Secretary of State has been provided with proof of accreditation that has been conferred by a national or international accreditation body that the Secretary of State has determined utilizes accreditation criteria that are consistent with the requirements of Section 22003(a)(1)-(5).
The Secretary of State has determined that the submission of an unqualified "WebTrust" audit will serve as sufficient evidence of accreditation for inclusion on the state's "Approved List of Certification Authorities". The audit must be conducted by a practitioner who is licensed to perform WebTrust assurance services in accordance with the guidelines established in American Institute of Public Accountants/ Canadian Institute of Chartered Accountants publication, "WebTrust for Certification Authorities, Version 1.0. © 2000" The document, which can be viewed on the Internet at http://ftp.webtrust.org/webtrust_public/certificationauthorities.pdf is hereby incorporated by reference.