Require qualified auditors unless agreed in advance

[gerv]

Way back when, Mozilla wrote some requirements for auditors which were more liberal than "be officially licensed by the relevant audit scheme". This was partly because organizations like CACert, who were at the time pondering applying for inclusion, might need to use unofficially-qualified auditors to keep cost down.

This is no longer a live issue, and this exception/expansion causes confusion and means that we cannot unambiguously require that auditors be qualified.

Therefore, I propose we switch our auditor requirements to requiring qualified auditors, and saying that exceptions can be applied for in writing to Mozilla in advance of the audit starting, in which case Mozilla will make its own determination as to the suitability of the suggested party or parties. This would involve removing bullets 3-6 in the Audit section of 2.4, and rewording bullet 2 to say something like the above.