auditor, the Controller shall within the time specified in sub regulation (4) notify
the applicant giving reasons for the rejection.
31. Qualifications for compliance auditors
For a person to qualify to conduct compliance audits under the Act or these
Regulations, that person shall (a)

have evidence of international recognition as a security professional

or certification as a public accountant;
(b)

be familiar with digital signature technology and practices; and

(c)

be knowledgeable about the requirements of the Act, these

Regulations and any other law relating to electronic transactions.
32. Revocation of registration of auditor
(1) The Controller may revoke the registration of a compliance auditor where –
(a)

the international recognition or certification in respect of that

auditor is withdrawn, suspended, cancelled or revoked;
(b)

the auditor contravenes the Act or these Regulations.

(1) Before revoking the registration under this regulation, the Controller shall
give notice requiring the auditor to show cause, within fourteen days, why the
registration should not be revoked.
33. Auditing of certification, repository and date and time stamp providers
(1) Every certification service provider, repository and date and time stamp
service provider shall engage a registered auditor at least once a year to conduct
an annual audit for compliance with the Act and these Regulations.
(2) The audit under sub regulation (1) shall be conducted at least one hundred
and eighty days before the expiry of the licence, registration or recognition of the
provider.
(3) The Controller may also engage an auditor to conduct audits on a licensed or
recognized certification service provider, repository or date and time stamp
provider, with or without notice to the relevant service provider.

Select target paragraph3