Chunghwa Telecom:Delayed Annual Audit Report 2024
Categories
(CA Program :: CA Certificate Compliance, task)
Tracking
(Not tracked)
People
(Reporter: realsky, Assigned: realsky)
Details
(Whiteboard: [ca-compliance] [audit-delay])
Attachments
(1 file)
886.08 KB,
application/pdf
|
Details |
User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:129.0) Gecko/20100101 Firefox/129.0
Steps to reproduce:
Chunghwa Telecom did not upload audit reports to CCADB within 3 months of the audit period end date (August 31, 2024).
Timeline:
2024-08-31 End of audit period
2024-09-03 Sent the Explanatory letter signed by the Qualified Auditor about delay of annual WebTrust for CA audit report of Chunghwa Telecom to Root Certificate Program of Google Chrome, Mozilla, Apple, Microsoft
2024-09-04 We replied to the questions by some root program by e-mail.
2024-09-05 We replied to the questions by some root program by e-mail.
2024-09-06 Preliminary reports posted
Actual results:
-
Because of the audit engagement process is much longer than last year. According Qualified auditor's engagement rules, they need 90 days to accomplish the required works which include planning, document review, onsite auditing, following up the possible issues we identify during the field works, and reporting. We violate the “The CA MUST make its Audit Report publicly available no later than three months after the end of the audit period.” in Section 8.6 TLS BR
-
We asked the qualified auditor to provide an explanatory letter signed by the Qualified Auditor as attached file.
-
We know that the delay represents a violation of the baseline Requirements or root program policy, We requested the qualified auditor on June 29 shall give us the explanatory letter after we know they need 90 days after the day when qualified auditor got the bid."
Expected results:
- We intend to have the audit report no later than Nov 5th.
- We intend to upload the audit report & management's assertions to CCADB after we receive the audit report.
- We hope to start the audit engagement earlier next time to prevent the problem.
- We will post CCADB self-assessment first.
Updated•17 days ago
|
Updated•17 days ago
|
Assignee | ||
Comment 1•13 days ago
|
||
Incident Report
Summary
Chunghwa Telecom (CHT) did not upload audit reports to CCADB within 3 months of the audit period end date (August 31, 2024). Because the bid of annual audit engagement was got by Sunrise SUN RISE CPAS’ FIRM, DFK INTERNATIONAL on August 6. The Qualified auditor needs 90 days to accomplish the required works which include planning, document review, onsite auditing, following up the possible issues they identify during the field works, and reporting. So We delay to make the audit report publicly available from August 31, 2024 to Nov. 5 2024.
Impact
We violate the “The CA MUST make its Audit Report publicly available no later than three months after the end of the audit period.” in Section 8.6 TLS BR.
Timeline
All times are UTC.
2024-04-17 We initiated discussions with prospective auditors with draft of contract and inquires.
2024-04-23 We use e-mail to contact the SUN RISE CPAS’ FIRM.
2024-04-26 We use Phone to contact the representative of SUN RISE CPAS’ FIRM.
2024-05-03 E-mail to discuss about CPA Canda's new WebTrust for CA Seal Rule. We asked the audit representative of the accounting firm to call back after seeing the missed call.
2024-05-04 E-mail to discuss about WebTrust for CA-S/MIME BR, WebTrust for CA-Network Security Seals. Because senior manager wants to know the new cost for S/MIME Auditing.
2024-05-06 SUN RISE CPAS’ FIRM provided their first version of the quotation of the engagement.
2024-05-08 Further e-mail discussion about requirements specification
2024-05-09 Further e-mail discussion about requirements specification
2024-06-03 Further e-mail request to amend typo or error of previous quotation.
2024-06-07 SUN RISE CPAS’ FIRM provided their second version of the quotation of the engagement.
2024-06-12 Another qualified auditor in Taiwan stating that due to manpower allocation issues, they could not participate in this bid and would not provide a quotation.
2024-06-12 to 2024-07-17 CHT's procurement process in document system. Delay in contract signing date with the qualified auditor due to lengthy administrative procedures and explanation within CHT.
2024-07-18 to 2024-08-06 Another phase for CHT's procurement process and tendering process.
2024-07-26 SUN RISE CPAS’ FIRM were invited to the bid of the engagement.
2024-07-29 CHT and SUN RISE CPAS' FIRM reached the final consensus. SUN RISE CPAS' FIRM needs 90 days after the day when qualified auditor got the bid to finish audit report. We requested SUN RISE CPAS' FIRM shall give us the explanatory letter as the requirements set by TLS BR section 8.6.
2024-08-06 SUN RISE CPAS’ FIRM got the bid.
2024-08-06 SUN RISA CPAS’ FIRM began to audit CHT's PKI.
2024-08-22 We reminded SUN RISE CPAS' FIRM to prepare the explanatory letter.
2024-08-31 End of audit period
2024-09-03 We Sent the Explanatory letter signed by the Qualified Auditor about delay of annual WebTrust for CA audit report of Chunghwa Telecom to Root Certificate Program of Google Chrome, Mozilla, Apple& Microsoft
2024-09-04 We replied to the questions by some root program by e-mail.
2024-09-05 We replied to the questions by some root program by e-mail.
2024-09-06 Preliminary reports posted
Root Cause Analysis
The procurement process is much longer than last year.
Delay in contract signing date with the qualified auditor due to lengthy administrative procedures and explanation within CHT.
Lessons Learned
What went well
What didn't go well
-
Use the experience last year, from April 12 2023, I entered the document system to begin the procurement process and to May 25 2023, SUN RISE CPAS’ FIRM got the engagement. It was very smooth. But it took more time this year.
To improve it in next year, we will begin the inquiry in January 2025 and the qualified auditor will be engaged by April 30 at the latest. Note that next end date of audit period will be May 31, 2025.
Where we got lucky
Action Items
Action Item | Kind | Due Date |
---|---|---|
Discuss with the SUN RISE CPAS' FIRM to give us quotation next January | prevent | Sep 5 2024 |
Report to the director of our department for next year's improvement, he instructed to follow up promptly with submissions, and actively pursue further actions. | prevent | Sep 5 2024 |
Before CHT gets this year's audit report, if anyone wants to know the status of CHT's CAs, Please see CHT's CCADB Self Assessment | prevent | Sep 6 2024 |
Please be assured that as soon as we receive the audit report, we will promptly proceed the annual report in CCADB. | in progress | 2024-Nov 5 |
Appendix
Details of affected certificates
Please see the appendix of the explanatory letter.
Description
•