Closed Bug 1917224 Opened 5 months ago Closed 2 months ago

Chunghwa Telecom:Delayed Annual Audit Report 2024

Categories

(CA Program :: CA Certificate Compliance, task)

Product:
CA Program
Component:
CA Certificate Compliance
Type:
task

Tracking

(Not tracked)

Status:
RESOLVED FIXED

People

(Reporter: realsky, Assigned: realsky)

Details

(Whiteboard: [ca-compliance] [audit-delay])

Attachments

(8 files, 2 obsolete files)

Explanatory letter of Audit Delay
886.08 KB, application/pdf
Details
WebTrust Principles and Criteria for Certification Authorities v2.2.2 Audit Report of Chunghwa Telecom
961.08 KB, application/pdf
Details
CHT_03_SM_Report_Assertion_Period 2023_V01.pdf
855.98 KB, application/pdf
Details
CHT_04_NS_Report_Assertion_Period 2023_V01.pdf
697.44 KB, application/pdf
Details
CHT_01_WT_Report_Assertion_Period 2023_V02.pdf
961.31 KB, application/pdf
Details
CHT_02_BR_Report_Assertion_Period 2023_V02.pdf
885.06 KB, application/pdf
Details
CHT_03_SM_Report_Assertion_Period 2023_V02.pdf
853.61 KB, application/pdf
Details
CHT_04_NS_Report_Assertion_Period 2023_V02.pdf
697.76 KB, application/pdf
Details

User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:129.0) Gecko/20100101 Firefox/129.0

Steps to reproduce:

Chunghwa Telecom did not upload audit reports to CCADB within 3 months of the audit period end date (August 31, 2024).

Timeline:
2024-08-31 End of audit period
2024-09-03 Sent the Explanatory letter signed by the Qualified Auditor about delay of annual WebTrust for CA audit report of Chunghwa Telecom to Root Certificate Program of Google Chrome, Mozilla, Apple, Microsoft
2024-09-04 We replied to the questions by some root program by e-mail.
2024-09-05 We replied to the questions by some root program by e-mail.
2024-09-06 Preliminary reports posted

Actual results:

  1. Because of the audit engagement process is much longer than last year. According Qualified auditor's engagement rules, they need 90 days to accomplish the required works which include planning, document review, onsite auditing, following up the possible issues we identify during the field works, and reporting. We violate the “The CA MUST make its Audit Report publicly available no later than three months after the end of the audit period.” in Section 8.6 TLS BR

  2. We asked the qualified auditor to provide an explanatory letter signed by the Qualified Auditor as attached file.

  3. We know that the delay represents a violation of the baseline Requirements or root program policy, We requested the qualified auditor on June 29 shall give us the explanatory letter after we know they need 90 days after the day when qualified auditor got the bid."

Expected results:

  1. We intend to have the audit report no later than Nov 5th.
  2. We intend to upload the audit report & management's assertions to CCADB after we receive the audit report.
  3. We hope to start the audit engagement earlier next time to prevent the problem.
  4. We will post CCADB self-assessment first.
Assignee: nobody → realsky
Status: UNCONFIRMED → ASSIGNED
Ever confirmed: true
Whiteboard: [ca-compliance] [audit-delay]
Type: enhancement → task

Incident Report

Summary

Chunghwa Telecom (CHT) did not upload audit reports to CCADB within 3 months of the audit period end date (August 31, 2024). Because the bid of annual audit engagement was got by Sunrise SUN RISE CPAS’ FIRM, DFK INTERNATIONAL on August 6. The Qualified auditor needs 90 days to accomplish the required works which include planning, document review, onsite auditing, following up the possible issues they identify during the field works, and reporting. So We delay to make the audit report publicly available from August 31, 2024 to Nov. 5 2024.

Impact

We violate the “The CA MUST make its Audit Report publicly available no later than three months after the end of the audit period.” in Section 8.6 TLS BR.

Timeline

All times are UTC.

2024-04-17 We initiated discussions with prospective auditors with draft of contract and inquires.
2024-04-23 We use e-mail to contact the SUN RISE CPAS’ FIRM.
2024-04-26 We use Phone to contact the representative of SUN RISE CPAS’ FIRM.
2024-05-03 E-mail to discuss about CPA Canda's new WebTrust for CA Seal Rule. We asked the audit representative of the accounting firm to call back after seeing the missed call.
2024-05-04 E-mail to discuss about WebTrust for CA-S/MIME BR, WebTrust for CA-Network Security Seals. Because senior manager wants to know the new cost for S/MIME Auditing.
2024-05-06 SUN RISE CPAS’ FIRM provided their first version of the quotation of the engagement.
2024-05-08 Further e-mail discussion about requirements specification
2024-05-09 Further e-mail discussion about requirements specification
2024-06-03 Further e-mail request to amend typo or error of previous quotation.
2024-06-07 SUN RISE CPAS’ FIRM provided their second version of the quotation of the engagement.
2024-06-12 Another qualified auditor in Taiwan stating that due to manpower allocation issues, they could not participate in this bid and would not provide a quotation.
2024-06-12 to 2024-07-17 CHT's procurement process in document system. Delay in contract signing date with the qualified auditor due to lengthy administrative procedures and explanation within CHT.
2024-07-18 to 2024-08-06 Another phase for CHT's procurement process and tendering process.
2024-07-26 SUN RISE CPAS’ FIRM were invited to the bid of the engagement.
2024-07-29 CHT and SUN RISE CPAS' FIRM reached the final consensus. SUN RISE CPAS' FIRM needs 90 days after the day when qualified auditor got the bid to finish audit report. We requested SUN RISE CPAS' FIRM shall give us the explanatory letter as the requirements set by TLS BR section 8.6.
2024-08-06 SUN RISE CPAS’ FIRM got the bid.
2024-08-06 SUN RISA CPAS’ FIRM began to audit CHT's PKI.
2024-08-22 We reminded SUN RISE CPAS' FIRM to prepare the explanatory letter.
2024-08-31 End of audit period
2024-09-03 We Sent the Explanatory letter signed by the Qualified Auditor about delay of annual WebTrust for CA audit report of Chunghwa Telecom to Root Certificate Program of Google Chrome, Mozilla, Apple& Microsoft
2024-09-04 We replied to the questions by some root program by e-mail.
2024-09-05 We replied to the questions by some root program by e-mail.
2024-09-06 Preliminary reports posted

Root Cause Analysis

The procurement process is much longer than last year.
Delay in contract signing date with the qualified auditor due to lengthy administrative procedures and explanation within CHT.

Lessons Learned

What went well

What didn't go well

  • Use the experience last year, from April 12 2023, I entered the document system to begin the procurement process and to May 25 2023, SUN RISE CPAS’ FIRM got the engagement. It was very smooth. But it took more time this year.

    To improve it in next year, we will begin the inquiry in January 2025 and the qualified auditor will be engaged by April 30 at the latest. Note that next end date of audit period will be May 31, 2025.

Where we got lucky

Action Items

Action Item Kind Due Date
Discuss with the SUN RISE CPAS' FIRM to give us quotation next January prevent Sep 5 2024
Report to the director of our department for next year's improvement, he instructed to follow up promptly with submissions, and actively pursue further actions. prevent Sep 5 2024
Before CHT gets this year's audit report, if anyone wants to know the status of CHT's CAs, Please see CHT's CCADB Self Assessment prevent Sep 6 2024
Please be assured that as soon as we receive the audit report, we will promptly proceed the annual report in CCADB. in progress 2024-Nov 5

Appendix

Details of affected certificates

Please see the appendix of the explanatory letter.

The audits were conducted according to the plans of the qualified auditor and went smoothly. We will obtain a clean report. The qualified auditor is currently preparing the report. Once the signed audit report and managements’ assertion are obtained, they will be provided to CCADB as soon as possible. Thanks.

Attached file is the annual WebTrust Principles and Criteria for Certification Authorities v2.2.2 of Chunghwa Telecom.

Attached file is a WebTrust Principles and Criteria for Certification Authorities v2.2.2 Audit Report of Chunghwa Telecom.

Attached file is the annual WebTrust Principles and Criteria for Certification Authorities– SSL Baseline with Network Security v2.7. of Chunghwa Telecom.

Attached file is the WebTrust Principles and Criteria for Certification Authorities
– S/MIME Certificates v1.0 audit of Chunghwa Telecom.

Attached file is the WebTrust Principles and Criteria for Certification Authorities
– Network Security v1.0 audit report of Chunghwa Telecom.

  1. The qualified auditor is applying for the seals with CPA Canada this week. If we receive the seal URL , we will open an annual audit case on CCADB.
  2. Chunghwa Telecom has provided the audit report purchase specifications for next year on October 23. We are waiting for the opinion and quotation. So we can begin next' year's engagement soon.

The preview Web Trust for CA URL will be updated by this report and assertion.

Attachment #9433264 - Attachment is obsolete: true

The preview Web Trust for CA SSL BR with Network Security seal URL will be updated by this report and management' assertions.

Attachment #9433266 - Attachment is obsolete: true

The preview Web Trust for CA SMIME BR seal URL will be updated by this report and management' assertions.

The preview Web Trust for CA Network Security seal URL will be updated by this report and management' assertions.

I have updated these seals URL to CCADB. Thank you.

Update on actions

Chunghwa Telecom got the clean audit report seals and updated them in CCADB. Chunghwa Telecom has provided the audit report purchase specifications for next year on October 23. So we can begin next' year's engagement soon.

Action Items

Action Item kind State Due Date
Discuss with the SUN RISE CPAS' FIRM, please give the quotation next Janaury prevent done Sep 5 2024
Report to the director of our department next year's improvement, he instructed to follow up promptly with submissions, and actively pursue further actions. prevent done Sep 5 2024
Before CHT get this year's audit report, if anyone wants to know the status of CHT's CAs, Please see
Chunghwa Telecom's Self Assessment Framework 2024 prevent done Sep 6 2024
Please be assured that as soon as we receive the audit report, we will promptly proceed the annual report in CCADB. prevent done 2024-Nov 5

No further action is pending. We are monitoring this bug.

Flags: needinfo?(bwilson)

It appears from my review of the CCADB that the WebTrust audit reports have been updated in the CCADB, and I do not have any further questions.
Could Chunghwa Telecom provide a brief closing summary? I would appreciate it if you could follow the proposed format, which is provided below.

A closing summary should briefly:

  • describe the incident, its root cause(s), and remediation;
  • summarize any ongoing commitments made in response to the incident; and
  • attest that all Action Items have been completed.

Here is a markdown template:

Incident Report Closure Summary

  • Incident Description: [Two or three sentences summarizing the incident.]
  • Incident Root Cause(s): [Two or three sentences summarizing the root cause(s).]
  • Remediation Description: [Two or three sentences summarizing the incident's remediation.]
  • Commitment Summary: [A few sentences summarizing ongoing commitments made in response to this incident.]

All Action Items disclosed in this Incident Report have been completed as described, and we request its closure.

Incident Report Closure Summary

  • Incident Description: [Chunghwa Telecom did not upload audit reports to CCADB within 3 months of the audit period end date (August 31, 2024)]
  • Incident Root Cause(s): [The procurement process is much longer than last year. Delay in contract signing date with the qualified auditor due to lengthy administrative procedures and explanation within CHT.]
  • Remediation Description [Report to the director of our department for next year's improvement.
    Before CHT get this year's audit report, CHT disclosed its CCADB assessment. We ask the qualified auditors to give the quotation next Jan..]
  • Commitment Summary: [ CHT has uploaded the Audit Report to CCADB in Nov. 5. CHT has provided the audit report purchase specifications to qualified auditor for next year on October 23.]
  • All Action Items disclosed in this Incident Report have been completed as described, and we request its closure.

I will close this on Wed. 4-Dec-2024.

Status: ASSIGNED → RESOLVED
Closed: 2 months ago
Flags: needinfo?(bwilson)
Resolution: --- → FIXED
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: