This guide has been created to assist CCSSAs in the performance of audits.

1. Audit process

1.1. Appointment

1.1.1 Agreement

All CCSS audit engagements must be based on a written agreement between the auditor and the information system operator. Agreements will not include the CCSS Steering Committee or CryptoCurrency Certification Consortium (C4) and are directly between the auditor and the entity. The agreement between the CCSSA and the entity must include the name of the Peer Reviewer. As such, Appendix 1 must be signed by every auditor and client in order for the audit to be recognized by C4. Appendix 1 must be included with the completed audit.

1.1.2 Costs

The cost of the agreement will be determined between the auditor and client. It is the responsibility of the CCSSA to ensure sufficient time has been allocated to the engagement to perform it to the required standard of quality.

All audit fees must also include the CCSSA peer review fee, which will be payable to the CCSSA performing the engagement.

1.1.3 Confidentiality

The CCSSA is responsible for ensuring that all agreements include a confidentiality clause in line with the requirements of the jurisdiction in which the audit is being performed.

1.2. The audit

1.2.1 Period covered

Every CCSS engagement covers a period of time and tests the operating effectiveness of the controls over that period.

Engagements are designed to be performed at least annually and cover the preceding 12-month period. Where a first-time audit is performed, the period covered may be 6 to 18 months.

The recommended process to follow for a first-time audit is an initial readiness assessment by the CCSSA, followed by a remediation and operating process and then the final CCSS audit.

Example:

Company A was started in November 20X1 and started discussing an audit with a CCSSA in March 20X2. They want to perform a CCSS audit which covers the period from 1 July to 30 June annually.

The CCSSA will perform a readiness assessment in March 20X2 to identify any remediation actions required by the company.

Where no remediation actions or very few are identified, the company may choose to initiate a full CCSS audit immediately over a period starting before the date of the readiness assessment. For this example, let's say they choose a period from 1 November 20X1 to 30 June 20X2 (8 months). The CCSSA will then perform their audit over the full period and the client faces the risk of non-compliance if any exceptions are identified in the period before the readiness assessment.

Where remediation actions are identified, the client can remediate these points and then choose a point in time when the audit period will start. Let’s say the client chooses to take April 20X2 to remediate points and decides to start the effective audit period from 1 May 20X2.

The audit period will then run from 1 May 20X2 to 30 June 20X3 (14 months) for the first audit.

1.2.2 Completeness and Accuracy of Information Provided by the Entity (IPE)