Open Bug 1917224 Opened 17 days ago Updated 13 days ago

Chunghwa Telecom: Delayed Annual Audit Report 2024

Categories

(CA Program :: CA Certificate Compliance, task)

Tracking

(Not tracked)

ASSIGNED

People

(Reporter: realsky, Assigned: realsky)

Details

(Whiteboard: [ca-compliance] [audit-delay])

Attachments

(1 file)

Steps to reproduce:

Chunghwa Telecom did not upload audit reports to CCADB within 3 months of the audit period end date (August 31, 2024).

Timeline:
2024-08-31 End of audit period
2024-09-03 Sent the Explanatory letter signed by the Qualified Auditor about delay of annual WebTrust for CA audit report of Chunghwa Telecom to Root Certificate Program of Google Chrome, Mozilla, Apple, Microsoft
2024-09-04 We replied to the questions by some root program by e-mail.
2024-09-05 We replied to the questions by some root program by e-mail.
2024-09-06 Preliminary reports posted

Actual results:

  1. The audit engagement process is much longer than last year. According to the Qualified Auditor's engagement rules, they need 90 days to accomplish the required work, which includes planning, document review, onsite auditing, following up on the possible issues we identify during the field work, and reporting. We violate the requirement “The CA MUST make its Audit Report publicly available no later than three months after the end of the audit period.” in Section 8.6 of the TLS BR.

  2. We asked the qualified auditor to provide an explanatory letter signed by the Qualified Auditor, as in the attached file.

  3. We know that the delay represents a violation of the Baseline Requirements or root program policy. On June 29 we requested that the qualified auditor give us the explanatory letter, after we learned they need 90 days after the day when the qualified auditor got the bid.

Expected results:

  1. We intend to have the audit report no later than Nov 5th.
  2. We intend to upload the audit report & management's assertions to CCADB after we receive the audit report.
  3. We hope to start the audit engagement earlier next time to prevent the problem.
  4. We will post CCADB self-assessment first.
Assignee: nobody → realsky
Status: UNCONFIRMED → ASSIGNED
Ever confirmed: true
Whiteboard: [ca-compliance] [audit-delay]
Type: enhancement → task

Incident Report

Summary

Chunghwa Telecom (CHT) did not upload audit reports to CCADB within 3 months of the audit period end date (August 31, 2024). This is because the bid for the annual audit engagement was won by SUN RISE CPAS’ FIRM, DFK INTERNATIONAL on August 6. The Qualified Auditor needs 90 days to accomplish the required work, which includes planning, document review, onsite auditing, following up on the possible issues they identify during the field work, and reporting. So we delayed making the audit report publicly available from August 31, 2024 to Nov. 5, 2024.

Impact

We violate the requirement “The CA MUST make its Audit Report publicly available no later than three months after the end of the audit period.” in Section 8.6 of the TLS BR.

Timeline

All times are UTC.

2024-04-17 We initiated discussions with prospective auditors with a draft contract and inquiries.
2024-04-23 We used e-mail to contact SUN RISE CPAS’ FIRM.
2024-04-26 We used the phone to contact the representative of SUN RISE CPAS’ FIRM.
2024-05-03 E-mail to discuss CPA Canada's new WebTrust for CA Seal Rule. We asked the audit representative of the accounting firm to call back after seeing the missed call.
2024-05-04 E-mail to discuss WebTrust for CA-S/MIME BR and WebTrust for CA-Network Security Seals, because the senior manager wanted to know the new cost for S/MIME auditing.
2024-05-06 SUN RISE CPAS’ FIRM provided their first version of the quotation of the engagement.
2024-05-08 Further e-mail discussion about requirements specification
2024-05-09 Further e-mail discussion about requirements specification
2024-06-03 Further e-mail request to amend typos or errors in the previous quotation.
2024-06-07 SUN RISE CPAS’ FIRM provided their second version of the quotation of the engagement.
2024-06-12 Another qualified auditor in Taiwan stated that due to manpower allocation issues, they could not participate in this bid and would not provide a quotation.
2024-06-12 to 2024-07-17 CHT's procurement process in document system. Delay in contract signing date with the qualified auditor due to lengthy administrative procedures and explanation within CHT.
2024-07-18 to 2024-08-06 Another phase for CHT's procurement process and tendering process.
2024-07-26 SUN RISE CPAS’ FIRM was invited to bid on the engagement.
2024-07-29 CHT and SUN RISE CPAS' FIRM reached the final consensus. SUN RISE CPAS' FIRM needs 90 days after the day when the qualified auditor got the bid to finish the audit report. We requested that SUN RISE CPAS' FIRM give us the explanatory letter per the requirements set by TLS BR section 8.6.
2024-08-06 SUN RISE CPAS’ FIRM got the bid.
2024-08-06 SUN RISE CPAS’ FIRM began to audit CHT's PKI.
2024-08-22 We reminded SUN RISE CPAS' FIRM to prepare the explanatory letter.
2024-08-31 End of audit period
2024-09-03 We sent the explanatory letter signed by the Qualified Auditor about the delay of the annual WebTrust for CA audit report of Chunghwa Telecom to the Root Certificate Programs of Google Chrome, Mozilla, Apple & Microsoft.
2024-09-04 We replied to the questions by some root program by e-mail.
2024-09-05 We replied to the questions by some root program by e-mail.
2024-09-06 Preliminary reports posted

Root Cause Analysis

The procurement process is much longer than last year.
Delay in contract signing date with the qualified auditor due to lengthy administrative procedures and explanation within CHT.

Lessons Learned

What went well

What didn't go well

  • Based on last year's experience: on April 12, 2023, I entered the document system to begin the procurement process, and by May 25, 2023, SUN RISE CPAS’ FIRM got the engagement. It was very smooth. But it took more time this year.

    To improve this next year, we will begin the inquiry in January 2025 and the qualified auditor will be engaged by April 30 at the latest. Note that the next end date of the audit period will be May 31, 2025.

Where we got lucky

Action Items

| Action Item | Kind | Due Date |
|---|---|---|
| Discuss with the SUN RISE CPAS' FIRM to give us quotation next January | prevent | Sep 5 2024 |
| Report to the director of our department for next year's improvement, he instructed to follow up promptly with submissions, and actively pursue further actions. | prevent | Sep 5 2024 |
| Before CHT gets this year's audit report, if anyone wants to know the status of CHT's CAs, Please see CHT's CCADB Self Assessment | prevent | Sep 6 2024 |
| Please be assured that as soon as we receive the audit report, we will promptly proceed the annual report in CCADB. | in progress | 2024-Nov 5 |

Appendix

Details of affected certificates

Please see the appendix of the explanatory letter.
