
Disclosure Records of Recognized Certification Authorities

Disclosure Record for the Postmaster General

(This is page 12 of the disclosure record for the Postmaster General maintained by the Government Chief Information Officer ("GCIO") under section 31(1) of the Electronic Transactions Ordinance (Cap. 553) ("Ordinance"). Click this link to go back to page 1 of the disclosure record.)

Assessment Report and Statutory Declaration (1 January 2007 - 31 December 2007)

In accordance with section 43(3) of the Ordinance, the GCIO must publish in the disclosure record for the Postmaster General as a recognized certification authority the dates of and the material information in the assessment report and statutory declaration on the certification authority ("CA") services of the Postmaster General. Only those parts of the report and statutory declaration containing material information are herewith published.

The Postmaster General is hereinafter referred to as the "Hongkong Post CA".

Assessment Report

A. Date of the Report

  • The date of the report is 20 January 2008.

B. Material Information

  1. The assessment report was prepared by the assessor for the period between 1 January 2007 and 31 December 2007.

Recognized CA Practices

  2. Except for the item highlighted in paragraph 11 below, in the assessor's opinion, in all material respects:
    (a) the management assertions in respect of Hongkong Post CA's compliance with the sections of the Code of Practice (Note 1) set out in Part 3A of Appendix 3 to Practice Note 870 (Note 2) for the period from 1 January 2007 to 31 December 2007 are reasonable. In particular, Hongkong Post CA has:
      1. disclosed its business practices in its CPSs (Note 3) in accordance with the Ordinance applicable to a RCA (Note 4) and the Code of Practice and provided its services in accordance with its disclosed business practices;
      2. reasonably complied with the requirements in respect of the use of a trustworthy system to support its operations in accordance with section 37 of the Ordinance and the Code of Practice; and
      3. reasonably complied with the requirements in respect of recognition of its certificates in accordance with the provisions of the Ordinance applicable to a RCA and the Code of Practice;
    (b) no information came to the attention of the assessor during the course of the assessment that would indicate that the management assertions in respect of Hongkong Post CA's compliance with the sections of the Code of Practice set out in Part 3B of Appendix 3 to Practice Note 870 for the period from 1 January 2007 to 31 December 2007 are not reasonable; and
    (c) based on the conclusions drawn in paragraphs (a) and (b) above in respect of Hongkong Post CA's compliance with the provisions of the Ordinance applicable to a RCA for the period from 1 January 2007 to 31 December 2007, the management assertions in respect of Hongkong Post CA's compliance with the provisions of the Ordinance applicable to a RCA for the period from 1 January 2007 to 31 December 2007 are reasonable.

Financial projections

  3. Except for the item highlighted in paragraph 12 below, in the assessor's opinion, in all material respects, the accounting policies upon which Hongkong Post CA's cashflow projections for the two 6-month period intervals from 1 November 2007 to 30 April 2008 and from 1 May 2008 to 31 October 2008, financial position forecasts as at 30 April 2008 and as at 31 October 2008, and projection of operating costs for the period from 1 November 2007 to 31 January 2008, in respect of the RCA's operations relevant under the Ordinance are based, are consistent with those normally adopted by Hongkong Post CA and conform with generally accepted accounting principles adopted in Hong Kong.
  4. In the assessor's opinion, in all material respects, the financial projections have been properly compiled on the basis of the assumptions made by the management of Hongkong Post CA.
  5. It has been ascertained from Hongkong Post CA that the amount of net current assets (i.e. current assets less current liabilities) as shown in the unaudited management accounts of Hongkong Post CA for the 7 months period ended 31 October 2007 was nil.
  6. It has been ascertained from Hongkong Post CA that the 90-day projection of operating costs from 1 November 2007 to 31 January 2008 was nil.
  7. A comparison of the figures in the above paragraphs reveals that both net current assets and the projected 90-day operating costs were nil.
  8. The assessor has not carried out any verification work on the unaudited management accounts of Hongkong Post CA for the period ended 31 October 2007.

Potential liabilities

  9. Due to the nature of the industry in which Hongkong Post CA operates, there is uncertainty in determining Hongkong Post CA's potential liabilities given the limited history of past claims (both in Hong Kong and other parts of the world for risks of this nature).
  10. In the assessor's opinion, in all material respects, the management assertions that Hongkong Post CA has implemented and maintained appropriate procedures to determine and manage its potential liabilities in relation to the issuance of certificates are reasonable.

Exception and Matter Arising

  11. Exception and Response of Hongkong Post CA

    i. Exception: The assessor noted from their review of an independent assessment report commissioned by, and prepared for, one of the external Registration Authority ("RA") organizations (i.e. to which certain of the RCA's RA functions and processes are being outsourced) that the period of assessment covered only 1 January 2007 to 31 October 2007 resulting in a portion of the assessment period (i.e. 1 November 2007 to 31 December 2007) being omitted. As a result, they are not able to ascertain if there were any significant issues that might have affected the control environment within the outsourced RA operations of the concerned external RA organization during the omitted period.

    Response of Hongkong Post CA: The independent assessor of the concerned external RA organization expressed that before issuing the RA assessment report in December 2007, the independent assessor had clarified with the concerned external RA organization on whether there was any major change which might affect the concerned external RA organization's controls over the RA operation.

    Based on the information that Hongkong Post CA had and the clarification from the independent assessor of the concerned external RA organization, Hongkong Post CA did not note that there were any significant issues that might have affected the control environment of the RA operations of the concerned external RA organization during the period from 1 November 2007 to 31 December 2007. As such, Hongkong Post CA held the view that its compliance with the relevant provisions of the Ordinance applicable to a RCA and the Code of Practice would not be affected during the period from 1 January 2007 to 31 December 2007.

    Furthermore, Hongkong Post CA has confirmed that the next RA assessment exercise would cover the period from 1 November 2007 to 31 December 2007.
  12. In addition to the exception noted in paragraph 11 above, the assessor has identified another issue relating to the requirements stipulated in the Guidance Note on Compliance Assessment of Certification Authorities under the Electronic Transactions Ordinance (Cap. 553) published in July 2004 (which does not form part of the Code of Practice). The assessor drew attention to the following such issue which the assessor considered to be of particular significance.

    i. Matter Arising (Note 5): The assessor considers that the function of monitoring the performance of E-Mice (Note 6) performed by Certification Authority Monitoring Section ("CAMS") is part of the fulfillment of Hongkong Post CA's responsibility as the RCA and therefore the transactions generated by this function should be included in the financial projections. The assessor also considers that this treatment is in accordance with generally accepted accounting principles adopted in Hong Kong.

    On the assumption that the Government will continue to fund the costs in relation to the function of monitoring beyond 1 April 2008, the matter described above has no net effect to the financial projections.

    Response of Hongkong Post CA: As the Hongkong Post CA operation has been taken up by E-Mice, and the function of monitoring the performance of E-Mice is not part of the Hongkong Post CA operation, the costs in relation to the monitoring performed by CAMS and the related Government grant income are not included in the financial projections of the Hongkong Post CA operation.

    Hongkong Post CA clarified that there were no other expenses for CAMS incurred except the staff costs and other general administrative expenses. Hongkong Post CA confirmed that the source of funding for CAMS after 31 March 2008 would be from the Government.
    1. Regarding the exception identified by the qualified person, the GCIO considered that it had no significant impact on the trustworthiness of the CA operation of Hongkong Post CA based on the clarification provided by the independent assessor of the concerned external RA organization and the confirmation of Hongkong Post CA that they did not note any significant issues that might have affected the control environment of the RA operations during the period from 1 November 2007 to 31 December 2007. Hongkong Post CA explained that the abridged assessment period was a special occasion to tie in with the reporting deadline in 2007. Furthermore, Hongkong Post CA has confirmed that the next RA assessment exercise would cover the period from 1 November 2007 to 31 December 2007.
    2. Regarding the issue identified by the qualified person:
      1. it is required by the Ordinance and the Code of Practice that a recognized CA shall use a trustworthy system, which includes effective controls and procedures in respect of day-to-day operations. Moreover, a recognized CA is and remains responsible for the performance of its subcontractor. Accordingly, Hongkong Post CA shall maintain effective controls and procedures to monitor the performance of its contractor, E-Mice;
      2. the GCIO noted the assessor's opinion that the transactions generated by the function of monitoring the performance of E-Mice should be included in the financial projections in accordance with generally accepted accounting principles adopted in Hong Kong as stipulated in the Guidance Note on Compliance Assessment of Certification Authorities under the Electronic Transactions Ordinance (Cap. 553) ("Guidance Note"). While the GCIO considered that the matter had no significant impact on the trustworthiness of the CA operation of Hongkong Post CA, Hongkong Post CA shall include the transactions generated by the function of monitoring the performance of E-Mice in the financial projections in accordance with generally accepted accounting principles adopted in Hong Kong as stipulated in the Guidance Note.

Statutory Declaration

A. Date of the Declaration

  • The date of the declaration is 18 January 2008.

B. Material Information

  • A responsible officer of Hongkong Post CA declares that Hongkong Post CA has, from 1 January 2007 until 31 December 2007, complied with the provisions of the Ordinance and the provisions of the Code of Practice which have been set out under paragraph 2 of Appendix 2 of the Code of Practice.

Notes

  1. Code of Practice for Recognized Certification Authorities issued by the GCIO under section 33 of the Ordinance.
  2. Practice Note 870 "The Assessment of Certification Authorities under the Electronic Transactions Ordinance" issued by the Hong Kong Institute of Certified Public Accountants.
  3. Certification practice statements.
  4. Recognized certification authority.
  5. Matter disclosed from the assessment.
  6. E-Mice Solution (HK) Limited is the outsourcing contractor of Postmaster General in operating Postmaster General's CA operation.
  7. The responses to the exception and the matters arising as reported by Hongkong Post CA and the notes in the above paragraphs are disclosed in accordance with section 31(2) of the Ordinance.