Re-audit Procedures
This chapter defines the re-audit procedures for renewal, change, and restoration of TQS certification. It includes re-audit triggers, re-audit scope, grace periods, expedited audits, and renewal audit results.
34.2.1. Re-audit Triggers
Re-audits are performed when any of the following triggers occurs. The re-audit scope and required duration depend on the trigger.
| Reason | Re-audit Scope | Duration |
|---|---|---|
| Major version update | All items | 1-2 weeks |
| TQS standard revision | Changed items only | 3-5 days |
| Security incident occurrence | All security items | 1 week |
| Restoration request after suspension | Non-compliant items | 3-5 days |
34.2.1.1. Major Version Update
When a project's major version is updated (e.g., v1.x to v2.x), the existing certification expires. Since major versions may involve architecture changes, technology stack replacements, and large-scale code rewrites, re-verification of all checklist items is required.
The characteristics of a major version renewal audit are as follows.
- All items are verified at the same scope as the initial audit.
- Previous version audit results are used only as reference material; item exemptions do not apply.
- The certification grade is newly determined based on the re-audit results.
- It is recommended to request the renewal audit before the major version release.
34.2.1.2. TQS Standard Revision
When TQS standards are revised and new mandatory items are added or the criteria for existing items are changed, a re-audit of the affected items is required. Re-audits triggered by standard revisions cover only the changed items, so their scope is narrower than that of a full audit.
The TQS Committee announces the following information when standards are revised.
- List of changed items and change details
- Grace period (default 3 months)
- Re-audit application method and deadline
34.2.1.3. Security Incident Occurrence
When a security incident occurs in a project, a re-audit of all security-related items is performed. The security re-audit focuses on verifying the root cause analysis, the appropriateness of the response measures, and the effectiveness of the recurrence prevention measures.
The items verified in a security re-audit are as follows.
- Spring Security configuration and access control
- Secret management (environment variables, secret manager)
- Dependency security (OWASP Dependency-Check results)
- Data encryption (at rest, in transit)
- Input validation logic
- Incident response measures and recurrence prevention measures
34.2.1.4. Restoration Request After Suspension
When a project with suspended certification requests restoration, a re-audit is performed only on the non-compliant items corresponding to the suspension reason. The restoration re-audit focuses on confirming whether the non-compliant items have been remediated.
34.2.2. Re-audit Scope
The specific audit scope for each trigger is as follows.
34.2.2.1. Full Item Re-audit
Applied during major version updates. All checklist items are verified at the same scope as the initial audit.
| Area | Verification Items |
|---|---|
| Code convention | Formatters, naming, package structure |
| Framework | Spring Boot, Vue 3, Composition API |
| Testing | Coverage (line 80%, branch 70%), test quality |
| CI/CD | Pipeline configuration, automated verification |
| Security | Access control, secret management, dependency security |
| Data | jOOQ, Flyway, HikariCP configuration |
| Frontend quality | Lighthouse scores, accessibility, bundle size |
| API | RESTful rules, error response format |
34.2.2.2. Partial Item Re-audit
Applied during TQS standard revision or certification restoration. Only changed or non-compliant items are verified.
- The TQS Committee notifies the items subject to audit in advance.
- Items not subject to audit retain their previous audit results as-is.
- Even in partial re-audits, full execution results of automated verification tools must be submitted.
34.2.2.3. Security Item Re-audit
Applied when a security incident occurs. All security-related items are targeted, and the appropriateness of incident response measures is additionally verified.
- All security configurations are re-verified.
- An incident report (cause, impact scope, response measures, recurrence prevention measures) must be submitted.
- OWASP Dependency-Check must be re-executed and the latest security scan results must be submitted.
34.2.3. Grace Period
When TQS standards are revised, a grace period is granted to existing certified projects. During the grace period, existing certifications remain valid.
34.2.3.1. Default Grace Period
The default grace period is 3 months. The grace period starts from the date the standard revision is announced.
| Standard Revision Type | Grace Period | Notes |
|---|---|---|
| Strengthening of existing item criteria | 3 months | Default grace |
| Addition of new mandatory items | 3 months | Default grace |
| Technology stack change requirement | 6 months | Extended grace |
| Item deletion or relaxation | Immediate effect | No grace needed |
34.2.3.2. Grace Period Extension Conditions
A grace period extension may be requested from the TQS Committee if the following conditions are met.
- The standard revision items require large-scale code rewrites to implement
- The project's release schedule conflicts with the grace period
- Response to external dependencies (third-party libraries, platform updates, etc.) is required
The extension duration is determined by the TQS Committee on a case-by-case basis and may be extended by a maximum of 3 months. Extensions may only be requested once.
34.2.3.3. Grace Period Expiration
If the changed standard items are not applied within the grace period, the following procedure is executed.
- The TQS Committee notifies the project team of the grace period expiration.
- An additional 14-day response period is granted from the notification date.
- If the items remain unapplied even after the additional response period, certification is suspended.
34.2.4. Expedited Audit
Projects that demonstrated a high level of standard compliance in previous audits may be eligible for an expedited audit. Expedited audits target only changes and require less time than full audits.
34.2.4.1. Expedited Audit Eligibility Criteria
To be eligible for an expedited audit, all of the following conditions must be met.
| Condition | Criteria |
|---|---|
| Previous certification grade | Excellent or higher |
| CI build success rate | Average 95% or higher over the last 6 months |
| Periodic report submission | All quarterly reports submitted within the period |
| Security incident history | None |
| Certification suspension history | None |
34.2.4.2. Expedited Audit Procedure
The expedited audit proceeds as follows.
- The project team submits a change specification document.
- The TQS Committee confirms the scope of changes.
- Full execution results of automated verification tools are submitted.
- Manual review is performed only on changed areas.
- Unchanged areas are verified based on previous audit results and periodic reports in lieu of re-verification.
34.2.4.3. Expedited Audit Duration
The duration of an expedited audit varies depending on the scope of changes.
| Scope of Changes | Duration |
|---|---|
| Minor changes (configuration, dependency updates) | 1-2 days |
| Moderate changes (feature additions, module changes) | 3-5 days |
| Large-scale changes (architecture changes) | Ineligible for expedited audit; converted to full audit |
If the scope of changes is at a level that affects the entire system, the TQS Committee may request conversion from an expedited audit to a full audit.
34.2.5. Renewal Audit Results
The results of a renewal audit (re-audit) are classified into the following three categories.
| Determination | Description | Follow-up Actions |
|---|---|---|
| Pass | All audit items met | Certification renewed, validity period extended |
| Conditional pass | Minor remediation needed | Remediate within 2 weeks, then re-verify |
| Fail | Mandatory items not met | Certification revoked, re-certification required |
34.2.5.1. Pass
When all audit items are met, certification is renewed. The validity period of the renewed certification starts fresh from the date the renewal audit is passed. The certification grade may be upgraded, maintained, or downgraded based on the re-audit results.
34.2.5.2. Conditional Pass
Granted when mandatory items are met but minor remediation is needed. The project team must resolve the remediation items within 2 weeks and request re-verification. Re-verification is performed only on non-compliant items. If re-verification is not completed within 2 weeks, the result is converted to a fail.
34.2.5.3. Fail
Determined when mandatory items are not met. Upon failure, the existing certification is revoked, and use of the TQS Mark must be discontinued immediately. To obtain certification again, the initial audit procedure (Chapter 31) must be followed from the beginning. A renewal audit failure is recorded in the project's certification history.