The roles of the CCSS Auditor (CCSSA) and the CCSSA-PR are separate and independent, and each serves a different purpose in the CCSS certification process.
A CCSSA works directly with the organization being audited. The CCSSA evaluates the system against the CCSS requirements by reviewing evidence through interviews, documentation reviews, inspections, and observations to determine whether the system complies with the applicable CCSS requirements and the appropriate CCSS certification level.
A CCSSA-PR does not audit or independently assess the system. The CCSSA-PR does not receive audit evidence or other audit artifacts; the only document provided for review is the redacted Report on Compliance (RoC) submitted by the CCSSA. The CCSSA-PR reviews the redacted RoC to determine whether, for each applicable requirement, the audit methodology, evidence-gathering techniques, and documented findings provide reasonable assurance that the audit was conducted in accordance with the CCSS audit process and that the CCSSA’s conclusions are adequately supported.
This independent review helps promote consistency, quality, and impartiality across all CCSS audits before the Summary Report on Compliance is submitted to C4.