ICANN Logo

Report of AIN Audit
Date: 19 June 2002


The .com, .net, and .org registry agreements between ICANN and VeriSign include a Registry Code of Conduct. Each Code of Conduct states in part:

8. VGRS will conduct internal neutrality reviews on a regular basis. In addition, VGRS agrees that it will cooperate with an independent third party ("Auditor") performing Annual Independent Neutrality Audits ("AIN Audits"), to be conducted during the fourth quarter of each calendar year. The Auditor will be selected by ICANN, and will be an accounting firm with significant experience in the review of contractual and other legal commitments. All costs of the AIN Audits will be borne by VGRS. The AIN Audit is intended to determine whether VGRS has been in compliance with [Section 23 for .com; Subsection 3.5 for .net, and .org] of the Registry Agreement, and will utilize such tests and techniques as the auditor deems appropriate to determine that compliance. The terms of reference of the AIN Audit will be established by ICANN, subject to the approval of VGRS (such approval not to be unreasonably withheld), and provided to the Auditor by ICANN. A complete report of the results of each AIN Audit shall be provided by the Auditor to ICANN and VGRS no later than 1 December of each calendar year (and by ICANN to the US Departments of Commerce and Justice promptly thereafter). ICANN shall determine that VGRS is in compliance with [Section 23 for .com; Subsection 3.5 for .net, and .org] if:

(1) any material breach(es) of [Section 23 for .com; Subsection 3.5 for .net, and .org] found by the audit that are susceptible to cure have been cured, or are cured within a reasonable time; and

(2) in addition and not as an alternative to subparagraph (1) above, any monetary sanction that ICANN chooses to impose under the Sanctions Program set forth in Appendix Y for any such breach(es) has been timely paid.

A summary of each AIN Audit report, excluding any information that ICANN and VGRS agree (such agreement not to be unreasonably withheld) is confidential or proprietary, will be posted on the ICANN web site no later than 31 January of the calendar year immediately following the audit.

The AIN Audit for the 2001 calendar year was delayed, but the report is now completed. The audit report describes the accountants' procedures designed to verify a Report of Management on Compliance representing that VeriSign had complied with the requirements of the Registry Code of Conduct and its Equivalent Access Certifications.

VeriSign has prepared a response to the AIN Audit Report, which ICANN has posted at VeriSign's request.


Ernst & Young LLP
8484 Westpark Drive
McLean, VA 22102
Phone: (703) 747-1000
www.ey.com

Report of Independent Accountants

We have examined management’s assertion, included in the accompanying Report of Management on Compliance, that VeriSign, Inc. complied with the following requirements of Appendices H and I of both Section 23 of the .com Registry Agreement and Subsection 3.5 of the.net and .org Registry Agreements executed by and between VeriSign, Inc. and the Internet Corporation for Assigned Names and Numbers, Inc. (ICANN) for the year ended December 31, 2001 (the ICANN Requirements):

  • H.I, H.II, H.III, H.IV, H.V, H.VI, H.VII, H.VIII
  • I.1, I.2, I.3, I.4, I.5, I.6, I.7, I.8.

Management is responsible for VeriSign, Inc.’s compliance with the ICANN Requirements. Our responsibility is to express an opinion on VeriSign, Inc.’s compliance based on our examination.

Our examination was conducted in accordance with attestation standards established by the American Institute of Certified Public Accountants and, accordingly, included examining, on a test basis, evidence about VeriSign, Inc.’s compliance with those requirements and performing such other procedures as we considered necessary in the circumstances. We believe that our examination provides a reasonable basis for our opinion. Our examination does not provide a legal determination on VeriSign, Inc.’s compliance with specified requirements.

Our examination disclosed the following material noncompliance with the ICANN Requirements applicable to VeriSign, Inc. during the year ended December 31, 2001:

  • ICANN Requirement H.V.1: “All registrars (including any registrar affiliated with VGRS) connect to the Shared Registration System Gateway via the Internet by utilizing the same maximum number of IP addresses and SSL certificate authentication.

    Noncompliance: VeriSign permits registrars to temporarily exceed the maximum number of IP addresses when the request is based on operational needs, such as transferring operations from one site to another, and a registrar requests a period of overlap in order to effect a smooth operational transition.

    In addition, several registrars (i.e., InterAccess, NameZero/NamesDirect, NameEngine, and InterCosmos) had assigned their allocations to another registrar (Tucows) to manage their processing. However, NameEngine was still allocated its IP address resources without notifying VeriSign of the reallocation.

  • ICANN Requirement H.VI, Exhibit A, Marking of Internal Documents: "Computer tapes and other recorded material should be identified by proper labeling which is visible to the ordinary person while the material is being stored. In addition, all such material should have a warning notice at the beginning of the material to ensure the user is forewarned about the proprietary nature of its contents (as soon as access is afforded to a computer tape or at the beginning of a sound recording, etc.)."

    Noncompliance: VeriSign maintains two off-site tape storage sites. One is interim (i.e., involving storage for approximately one week) and the second is long-term. Although tapes at the interim site are labeled in accordance with H.VI, it was determined that, in the process of transferring tapes to the long-term facility, the labels were being removed by the interim site operator.

Our examination also disclosed that VeriSign, Inc. had not established adequate controls that would allow us to obtain sufficient evidence to determine compliance with requirements H.V.1, H.V.2, H.V.4 and I.2 for the year ended December 31, 2001 because VeriSign, Inc. did not maintain sufficient historical records of system configuration information on a daily basis. Because of this restriction on the scope of our examination, we do not express an opinion on compliance with Requirements H.V.1, H.V.2, H.V.4 and I.2 for the year ended December 31, 2001.

In our opinion, except for the material noncompliance and the restriction on the scope of our examination described above, VeriSign, Inc. complied, in all material respects, with the ICANN Requirements for the year ended December 31, 2001.

This report is intended solely for the information and use of VeriSign, Inc.; the Internet Corporation for Assigned Names and Numbers, Inc.; the U.S. Department of Commerce; and the U.S. Department of Justice; and is not intended to be and should not be used by anyone other than these specified parties.

/s/

June 19, 2002


Comments concerning the layout, construction and functionality of this site
should be sent to webmaster@icann.org.

Page Updated 25-Jul-2002
©2002  The Internet Corporation for Assigned Names and Numbers. All rights reserved.