This guide has been created to assist CCSSAs in the performance of audits. Any concerns or questions may be directed to info@cryptoconsortium.org.
All CryptoCurrency Security Standard (CCSS) audit agreements must be written between the CCSSA and the entity and include the scope of the audit. Agreements must not include the CCSS Steering Committee or CryptoCurrency Certification Consortium (C4) and are directly between the CCSSA, CryptoCurrency Security Standard Auditor Peer Reviewer (CCSSA-PR), and the entity. As such, Appendix 1 must be signed by the CCSSA, the CCSSA-PR, and the entity in order for the audit to be recognized by C4. Appendix 1 must be included with the Summary Report on Compliance (SRoC).
Additional details about selecting a CCSSA-PR can be found in section 1.3.1 Peer Review Process.
Audit fees will be determined between the CCSSA and the entity. It is the responsibility of the CCSSA to ensure sufficient time to complete the audit is reflected in the agreed upon fees.
Audit fees must also include the CCSSA-PR’s fee and Listing Fee. The CCSSA-PR’s fee will be forwarded to the CCSSA-PR by the CCSSA. C4 will send an invoice for the Listing Fee to the CCSSA after approving the SRoC.
The listing fee, paid by the audited system’s entity to the CCSSA, is based on Table 1.
The CCSSA is responsible for ensuring that all agreements include a confidentiality clause in compliance with requirements of the jurisdiction the audit is being performed in.
All CCSS audits cover a period of time prior to audit completion and will test the operating effectiveness of the control over this period of time. Audits are designed to be performed at least annually and cover the preceding 12 month period.
When a first time audit is performed the period covered may be 6 to 18 months prior to the audit, as determined by the CCSSA. It is recommended that first time audits are preceded by an Audit Readiness Assessment.
The CCSSA is responsible for obtaining sufficient evidence pertaining to the completeness and accuracy of all information obtained in the performance of the CCSS audit.
This evidence and the procedures performed should also be documented in the Audit Documentation for a CCSSA-PR to be able to inspect and verify the accuracy and completeness of information.
The CCSSA is expected to inform the entity that significant changes to security practices and procedures between the audit and Summary Report on Compliance submission could invalidate the audit and must be disclosed to the CCSSA.
Audit Documentation consists of the records maintained by the CCSSA performing the audit to support the basis for the CCSSA's conclusions over the effectiveness of controls and CCSS Level obtained.
The audit documentation should, at a minimum, detail the following.
The CCSSA must securely retain audit documentation for 7 years or as long as required by law in the jurisdiction they are operating in.
The following are examples of information/evidence that should be retained for IPE purposes:
If the CCSSA is observing a process, then they should record the following:
If the CCSSA is reviewing records such as reports then record the following:
If the CCSSA is inspecting configuration data and data at rest, then record the following:
Note that reperformance as an evidence gathering technique will not frequently be utilized. Reperformance can be substituted by observation, inspection, and interviews
There may be an action that can be performed by the CCSSA where the risk of impacting the availability, confidentiality or integrity of the system and/or information is negligible. In that instance record the following:
For each interview conducted record the following:
Ensure that notes are taken during the interview or if possible and with prior authorisation voice or video record the interview
CCSSAs should also consider the nature of the report generated. For standard and canned system reports, little additional testing would be required. For custom reports of ad-hoc queries, the CCSSA should consider additional procedures such as inspecting the query parameters or database query to ensure data produced is accurate and complete.
These considerations should take into account input, processing, and output risks around the report.
Example:
Where a CCSSA is testing controls such as new users added to the system, the CCSSA should obtain a list of all new users appointed or transfers between departments during the period directly from the entity’s HR system. The CCSSA may inspect the parameters used while pulling this listing to ensure no data was excluded and the period covered is correct. Screenshots of the query and resulting output can be used as evidence of IPE procedures.
Where an entity has privacy concerns over this data, the CCSSA may observe them pulling the listing via a video call, noting the number of records and spots checks on the data. The entity can then anonymize data, leaving unique identifiers to be able to identify items, before sending the listing to the CCSSA.
The CCSSA can then use this listing and unique identifiers to select the sample for testing the control.
Where a CCSSA is testing the operating effectiveness of a control over a period of time, a sampling approach should be followed. For a control with a high frequency of occurrence it is not practical to test all occurrences.
Audit sampling enables the CCSSA to obtain and evaluate audit evidence about some characteristic of the items selected in order to form or assist in forming a conclusion concerning the population from which the sample is drawn.
Sample size
The sample size can be determined by the application of a statistically based formula or through the exercise of professional judgment.
The CCSSA must document their rationale behind the sample size selected and consider the following factors:
Example:
An example of a testing approach would be the following (this is only a guide and should not be used as your testing methodology)
Population Size | Low risk of failure / Low Importance | High risk of failure / High Importance |
1(Annual) | 1 | 1 |
4(Quarterly) | 2 | 3 |
12(Monthly) | 3 | 6 |
1-25(Occurrences) | 5 | 10 |
26-50(Occurrences) | 10 | 20 |
51-100(Occurrences) | 20 | 30 |
101-X(Occurrences) | 30 | CCSSA judgment used |
Items selected for testing
When identifying the items to be tested, the CCSSA can use professional judgment, random selection, or a combination of the two techniques.
When identifying items to test using professional judgment the CCSSA should consider factors such as the following:
When identifying items using random selection the CCSSA should make use of a randomized sampling technique such as the following:
The CCSSA is responsible for ensuring all data related to the audit is transmitted and stored in a secure manner for the duration of the CoC and as legally required in the jurisdiction of the audit. In the event that an entity will not allow evidence storage outside of the entity’s environment, the CCSSA should record the meta-data of the documentation reviewed such as file name, location of file within assessed entities environment, version number of documentation, summary of document content, etc. In this case, the entity must give access to this documentation to the CCSSA-PR.
The CCSSA is also responsible for ensuring all data protection requirements (General Data Protection Regulation (GDPR) or equivalent) are met for the jurisdiction the audit is being performed in.
Entities will be certified at the lowest level of any Aspect, regardless of other Aspect’s Compliance Status. In the example below, CCSS Level 1 would be granted.
All CCSS audits will be subject to a peer review process after the CCSSA has completed their evidence gathering and documentation. CCSSAs must follow the CCSSA-PR selection process as explained below. CCSSAs will securely submit their Audit Documentation as well as conclusion on the CCSS Level certification obtained to a CCSSA-PR.
The CCSSA-PR must be copied on final submission of the audit to C4 in order for the certification to be issued.
Prior to signing the audit agreement with the entity, the CCSSA must complete the Intent to Audit form found here: https://cryptoconsortium.org/intent-to-audit/. C4 will then email the CCSSA a list of randomly selected CCSSAs. The CCSSA must select from the Peer Reviewer Options List (PROL) to perform the peer review and contact them. The CCSSA is responsible for negotiating directly with the CCSSA-PR. The CCSSA-PR’s fee will be included in the CCSSA’s audit agreement with the entity.
In the case of sufficient evidence a CCSSA-PR has a material conflict of interest or another reason to not perform the review, the CCSSA must contact another CCSSA-PR on the PROL.
Once the peer review is completed, the CCSSA-PR will submit any queries to the CCSSA and the CCSSA will have the opportunity to respond to these queries.
Procedure | RecommendedTimeframe |
Peer review | 10 working days |
Resolution of queries | 10 working days |
The CCSSA is responsible for negotiating directly with the CCSSA-PR. While C4 cannot recommend any specific fees, we do recommend considering the scope of the audit when choosing the Peer Review Fee.
All CCSSAs will be required to make themselves available to perform one Peer Review for every audit they complete.
Any dispute arising out of the peer review process shall be arbitrated by the CCSS Steering Committee. The committee’s decision will be final and binding. Audit Documentation for the disputed aspect will be securely submitted to the committee at CCSS_Submissions@cryptoconsortium.org. This means using encrypted, password protected, Zipped files or something comparable. The committee shall review the evidence and provide a decision within 15 business days.
After CCSSA-PR completes Peer Review, CCSSA must send the following to CCSS_Submissions@cryptoconsortium.org & copy the CCSSA-PR:
C4 will then send an invoice for the Listing Fee to the CCSSA.Once paid, C4 will provide CCSSA with CoC and Badge for CCSSA to provide to the entity.
Certificates of Completion can be viewed and verified at the following link: https://cryptoconsortium.org/completed-ccss-audits/
CCSSAs must avoid any potential conflict of interest. This may include current or previous employment, familial relationships, financial interest (such as tokens or equity held), or any other matters that may constitute a conflict of interest.
Failure to recuse oneself due to any conflicts of interest will result in disciplinary action, up to and including loss of CCSSA certification.
CCSSA-PR must avoid any potential conflict of interest. This may include current or previous employment, familial relationships, financial interest (such as tokens or equity held), or any other matters that may constitute a conflict of interest.
Failure to recuse oneself due to any conflicts of interest will result in disciplinary action up to and including loss of CCSSA certification.
This Code of Professional Responsibility defines the expectations for professional and ethical conduct of all CCSSAs. All CCSSAs must advocate, adhere to, and support the following principles:
CCSSAs who violate any of the foregoing principles will be subject to disciplinary action by C4, including but not limited to revocation of certification.
Acronym List:
CCSSA= CryptoCurrency Security Standard Auditor
CCSSA-PR= CryptoCurrency Security Standard Auditor - Peer Reviewer
SRoC= Summary Report on Compliance
CoC= Certificate of Compliance
PROL= Peer Reviewer Options List