Rule 28
Procedures Of Performance Audit
(1) The auditor may, while conducting the audit of performance of the Certifying Authority, ask for the following details:
(a) Details of the entire functions performed by the Certifying Authority throughout the year;
(b) The detail of the certificates issued by the Certifying Authority throughout the year;
(c) Matter relating to monitoring and evaluation made by the Certifying Authority with respect to the functions mentioned in the certificate issued under Clause (b);
(d) Statement of the amounts received by the Certifying Authority for the issuance of certificate throughout the year.
(2) The Controller shall, after the receipt of details referred to in Sub-rule (1), have to comply with the following procedures while conducting audit of the performance of the Certifying Authority:-
(a) to observe the security procedure adopted by the Certifying Authority to secure its electronic record;
(b) to observe the physical security procedure to be connected to an electronic record;
(c) to evaluate the information technology quality standard being used by the Certifying Authority;
(d) to examine the services rendered to the subscribers by the Certifying Authority;
(e) to analyze the entire certification practices of the Certifying Authority;
(f) to evaluate the matter as to whether or not the terms of agreement and understanding reached between a subscriber or other concerned party and the Certifying Authority are followed;
(g) to evaluate the matter as to whether or not the directions given from time to time by the Controller under the laws in force, and the terms referred to in the licence are followed;
(3) The auditor shall, after making evaluation under Sub-rule (2), have to submit the report thereof to the Controller within a period of Three months from the date of commencement of the business by him/her.
(4) The following matters shall, in addition to other matters, be included in the report under Sub-rule (3):
(a) The errors found from the audit conducted by him/her for the performance of the Certifying Authority throughout the year;
(b) The details of any additional directions, if any, required to be given to the Certifying Authority;
(c) The details of any action, if any, required to be taken against the Certifying Authority.