TCAB carries out an audit to establish compliance with the Customer’s Trust Electronic Services Management System, according to EU Regulation 910/2014 (eIDAS), based on the standards of application.

Standards of application (policies and procedures):

  • ETSI EN 319 401
  • ETSI EN 319 411-1
  • ETSI EN 319 411-2
  • ETSI EN 319 421
  • ETSI EN 319 521
  • ETSI TS 119 441
  • ETSI TS 119 511

The audit would be performed in several stages:

Audit methodology
Estimate request, specifying the scope of the audit.
Planning of the audit, assigning a lead auditor and an audit team.
Assessment performed in two stages: documentary review and on-site audit.
Conformity assessment report. In case of detected nonconformities, the auditee needs to present plan of corrective actions addressing the nonconformities.
Once the assessment is finalized, and if no nonconformities are left unaddressed, a certification decision is reached. When positive, a certificate for the assessed services is issued.
When the service is certified, several actions of surveillance are performed, and the TSP must notify any relevant changes to the service.

1.- PLANNING AND PROGRAMMING

The audits are performed with an Audit Plan, that will be made by the audit team for every assessment project. In this Plan, the audit data are settled (date, lasting, scope, points to be audited, audited area, contact persons…) and checklists (date, time, points  of the standards to be audited, audited area, contact persons, auditors). In order to prepare it, reports form other audits already performed will be collected.
Once it is made, the audit plan will be revised and approved by the Technical Committee.

2.- EXECUTION

To start the audit, an initial meeting will be held with the client to confirm the scope of the audit, the data collected in the audit plan, establish an audit sequence and analyze the points that both parties consider necessary. After this step, the audit will start following the Audit Plan as a working guide. There are two steps at this point:

  1. Document Review: we will verify the system’s conformity (documents, records…) through compliance with the points of the reference standards/laws. The resolution of possible non-conformities from previous audits will be verified.
  2. On-site Inspection: verifications of compliance with the established controls will be conducted. A sample inspection of the objective evidence will be carried out to prove the correct functioning of the technical and organizational processes related to the scope of the audit. The resolution of possible non-conformities detected in the documentary review phase will be verified.

If the audit is carried out due to the presence of non-conformities, our team will evaluate the corrective actions defined by the entity after the analysis of the causes and extent of the deviation to establish if they have been correctly treated.

Once the audit is finished, the audit team will write a results report, clearly identifying the non-conformities detected.

During the final audit meeting, the audit team will show the report to the client, explicitly indicating the findings so they can review and sign it. In those cases with significant non-conformities, a new date will be scheduled for the next audit to verify the elimination of these non-conformities, if necessary.

3.- ASSESSMENT REPORT

The audit team will submit the audit report to our Technical Body for review and certification decision-making, and a certificate will be issued (if applicable), or an additional audit will be performed, if necessary, to make a certification decision.

After the certification decision, the Conformity Assessment Report (CAR) will be sent to the provider, which must be sent to the eIDAS Supervision Body within three days (72h) after receipt.

ARCHIVE PERIOD: Audit reports and documentation on detected deviations will be stored by TCAB according to the terms established in the agreements.