Frequently Asked Questions
Audit Program Frequently Asked Questions
Audit Methodology Questions
How long will the audit take?
The audit timeline is approximately five months: one month to collect the data (Request for Information or RFI), three months to audit the data collected, and one month to report the results. ICANN is committed to keeping the impact to the contracted party minimal, if all data is provided upon request during the RFI process (otherwise, follow up questions or requests to the contracted party may be needed).
What algorithm ICANN used for randomly selecting Registrars/Registries during the three-year audit program?
ICANN will use StatPlus, a random # generator based on the sample size input and the population. StatPlus is a similar algorithm calculation program as Data Analysis/Random Sampling in Excel: Computerized random sampling method where a user inputs the sampling conditions (i.e. the sample size desired, total population) and other conditions, like the confidence level, defaults to the original standard parameters within the application.
What is ICANN's current approach for selecting Registrars and Registries for audit?
ICANN uses the following factors in its process to select parties for audit:
- Contracted parties that have not been previously audited
- Contracted parties that were audited over 2 years ago
- Contracted parties with highest numbers of 3rd Notices per number of domains under management calculated over the past 12 months
- Contracted parties that had received a Notice of Breach in last 12 months
- Contracted parties with highest numbers of failed data escrow deposits
- Contracted parties with low responsiveness to ICANN's requests/inquiries
- Contracted parties with issues that were remediated and are re-occurring again
- Contracted parties for which there appear to be ICANN community concerns, as reflected in media reports, blogs, or inquiries/reports from community members or other contracted parties
- Contracted parties that had changes to the delivery of services (for ex. Changes in service providers, data escrow agents, etc.)
What does ICANN plan to report to the community?
ICANN will issue two standard reports: (a) an audit report listing the Registrars/Registries randomly sampled by year, as well as the provisions audited; and (b) a deficiencies report listing all deficiencies found through the audit, by statistics only and not by the Registrar/Registry. A summary, by provision, of the pass versus fail rate will be an example of a statistic to be published.
Reports will be defined during the planning phase and a list will be made available on the Contractual Compliance webpage (Under "Audit Program"). All statistics will be published, including the Registrar/Registry name, and provision audited. Individual audit reports will be sent to each Registrar/Registry either during or at the close of the audit phase.
How will ICANN audit a Registrar/Registry group that has multiple agreements?
Each agreement will be audited separately. Contracted parties may submit the same data/records in response to the RFI for multiple entities if the data/records apply to those entities.
How will the Registrars and Registries receive the Pre-Audit Notification and RFI notification?
The Pre-Audit Notification will be sent to all contracted parties by email. The RFI will be sent via fax and email to only those selected contracted parties for the year.
How will ICANN collect the data and ensure its security?
All data and records will be collected in a secure, encrypted repository with strict access controls by designated and specific user access permissions.
How long will ICANN hold data collected from the Registrars/Registries?
ICANN is committed to retaining data collected through the audit for the minimum period under ICANN data retention policy.
If no issues are identified within the Registrar/Registry response, the audit data will be destroyed after six months.
For the Registrar/Registry for which contractual compliance issues are identified, data regarding such instances of non-compliance will be retained until resolution, plus six months. (For example, if the data provided through the audit demonstrates that a Registrar does not have a certificate of general liability insurance, but is in compliance on the other items audited, ICANN will only retain data related to the insurance issue for the longer period of time.)
What specific registrar agreement and registry agreement terms is ICANN auditing?
All contractual obligations, including ICANN consensus policies, are potentially subject to an audit. The scope will be communicated within the Pre-Audit Notification Letter as well as in the RFI. When identifying the specific obligations to be included in an audit, and to minimize resource impact, ICANN will take into account factors such as community needs, risk assessment, time, resources and costs.
How is ICANN validating responses?
ICANN performs both manual and automated validation efforts based on the data received. All data is to be validated against pre-defined steps as part of the overall audit plan. ICANN compares the responses and follow up where questions exist. Please see the audit plan posted here: https://www.icann.org/resources/pages/audits-2012-02-25-en
What happens if issues are identified?
ICANN follows the Contractual Compliance Informal Resolution process [PDF, 1.15 KB], also referred to as the 1-2-3 process which consists of 15 business days for Notice 1, five business days for Notice 2, and five business days for Notice 3. There are various issues that could be identified during this process: failure to respond, responding with inaccurate or incomplete data, or a situation where the Registrar or Registry identifies an issue internally during the audit and notifies ICANN. All issues will be followed up directly with the contracted party, prior to publishing any statistics. If the responses result in a resolution of the issue identified, then that will not be noted as an issue in the posted audit results. Otherwise, outstanding issues remaining after the audit closed will be reported to Registrar or Registry in the final deficiencies report. The outstanding issues will be published online in the Notice of Breach when it reaches the Formal Resolution Process also known as the enforcement stage.
Why not audit just the "bad" players? Why audit everyone?
Audits are a valuable component of any organization's contractual compliance function because they offer the opportunity to generally: (a) gain insight into performance weaknesses; (b) develop predictability expectations for contracting parties; (c) assist ICANN in developing effective and efficient mechanisms to ensure contractual compliance, including through consistent and equitable remediation efforts; and (d) allow ICANN to enhance community transparency through fact based and measurable reporting. Once the baseline has been established, ICANN will consider a more focused approach based on contracted party audit results.
What's the basis for including all contracted parties, when the 'Right to Audit' clause isn't present in 2001 RAA and Registry Agreements?
One of ICANN's responsibilities is to conduct audits of its agreements in order to ensure that all contracted parties are in compliance with those agreements.
Gathering the data requested to respond to some questions may take longer than 15 days, will extension requests be freely granted?
Extension requests will be reviewed and assessed on a case-by-case basis. With the advanced planning and publishing of the overall audit plan, contracted parties are encouraged to review the plan and prepare for the audit.
Registry Operators will have 15 business days to reply to the RFI. If there is no reply from the registry operator (or incomplete data is provided), ICANN will follow up with a second and third notice, as needed (five business days to reply to each). Failure to respond to the third notice (or still providing incomplete data) will result on a notice of breach to the Registry Operator. Only the notice of breach is published on ICANN's web site. ICANN will collaborate in each phase to clarify what information is missing or incomplete.
If a deficiency is discovered and a remediation plan is agreed upon, can we avoid being breached?
Yes. If a deficiency is discovered, a remediation plan is agreed upon, and the contracted party delivers in accordance with the remediation plan timeline, ICANN will not breach that contracted party for those issues that have been remediated. If the contracted party fails to comply with the remediation plan, ICANN will follow the compliance approach and process in the informal resolution (1-2-3 step) phase prior to enforcement.
ICANN states that 'Registrars or Registries may be subject to more than one audit in a three-year cycle based on special circumstances or considerations.' What circumstances or considerations would cause multiple audits?
Special circumstances or considerations may include excessive compliance issues identified during the audit, excessive complaints, or other unforeseen reasons requiring additional reviews. If such circumstances exist, the contracted party will be notified in advance of receiving a second RFI.
One of my registrars/registries went through an audit last year. Another one of my registrars/registries has been selected for audit this year. Is there any way we can be waived from this year's audit?
As set forth in ICANN's audit guidelines regarding "opt out" from the inception of the three-year audit plan (Beijing ICANN46), a registrar or "family of registrars" (i.e., a group of companies that has the exact same operations and processes in place and are under common ownership and/or have a parent/subsidiary relationship organizational structure) may "opt out" of an audit only if the following criteria are met:
(1) There are no significant deficiencies or multiple deficiencies noted from the prior year audit,
(2) There are no significant organization or process changes over the course of the year and the registrar/registry can attest to the accuracy of the control environment, and
(3) There are no significant ICANN Policies/Contracts that have been implemented prior to the audit cycle.
Please send an email to ICANN Contractual Compliance at firstname.lastname@example.org if you believe that your registrar/registry qualifies to "opt out" of audit for the current audit cycle.
Audit Documentation Questions
With regards to RFI's request for evidence that registrants accepted terms & conditions in our Registration Agreements, some of our Registration Agreements are subject to Non-Disclosure Agreements. How can we seek to provision for the data you require without breaching client confidentiality?
The RAA allows the contracted parties to designate information provided to ICANN as confidential information to be maintained in confidence. Registrars need to inform ICANN if delivering the information being requested violates any law and need to indicate the applicable country, name of the law, number (as applicable), with an explanation of why delivery of the information to ICANN under an obligation of confidentiality would violate the local law.
In response to request above in the RFI, ICANN does not need to see confidential information such as prices, customer info, and service description; when and where appropriate, please mask or redact the confidential information in the registration agreement that is subject to confidentiality. The Registrar needs to demonstrate that the registrant accepted the Terms & Conditions for registration. Another approach to this question that other registrars have taken is to provide a log that shows timestamp of acceptance.
Often, registrars have payment proof not only for the domain, but also for other services. Does the audit request payment proof of all services or only the domains?
For audit purposes, ICANN needs payment proof for the domains. You do not need to send proof of payments for other services.
Does the invoice itself act as proof of payment for domain? Or should we provide financial statements of the payment provider?
The invoice itself is not an evidence of payment received; however, an invoice marked as "Paid" would be considered as proof of payment. Other evidences of proof can be bank statements, PayPal statements, or similar statements that show payment was received.
Would invoices that indicate "total amount charged" or "transaction complete" act as proof of payment?
As long as the invoice shows that the payment was for the domain, it would be considered as the proof of payment. On the other hand, if the invoice shows only the amount paid and no relation to any domain name, it would not be considered as proof of payment unless additional proof is provided.
Does the audit request proof of the last payment or of any prior periods?
As stated in RFI, the audit only requests the most recent payment.
With regards to RFI's request for evidence of payments for selected domains, we invoice our clients in a consolidated manner rather than transact via web site/credit card per domain. For "proof of payment", is it sufficient to provide invoice number and date in which the payment for these domains is included?
A proof of payment as described above providing invoice number, date and time of the transaction, domain name and an indication that it is a payment transaction is sufficient.
Some of the domains were registered five years ago and are not paid for the last five years. What should registrars do if they cannot find the payment records of those domains? To the extension of this question, how many years are registrars supposed to keep the payment records?
The RFI requires evidence of the most recent payment received for the registration of each domain name included in the sample. If the registrar cannot provide the appropriate records, the registrar will be notified of the deficiency and will begin a remediation plan.
The 2009 RAA requires registrars to maintain records and information for the life of the domain name and three years after the deletion or the transfer away of the registration.
Domains registered during LandRush followed a different procedure. What should registrars do with those domains if they do not have registration logs?
Domains registered during LandRush do not apply to the current RFI, because it is out of the scope of the 2009 Registrar Accreditation Agreement. This matter falls under the new registry agreements; at this time, provisions of 2013 RAA are not being audited.
What exactly is the RFI Excel spreadsheet for?
The RFI Excel spreadsheet acts as a summary sheet of the information registrars and registries provided. For example, registrars and registries can enter words such as "Done;" "Uploaded" or leave it blank to indicate the request documents are submitted. When something is not applicable, registrars and registries can provide details such as "N/A, no transfers are made in last 45 days;" "N/A, we don't keep these records due to …." or "N/A, we can't find any documentation." With such spreadsheet, the auditor can clearly navigate the audit process.
Are we required to fill out the RFI Excel spreadsheet in addition to uploading information in the folders?
What is in the RFI?
The RFI includes questions and some examples of the documentation that auditors are looking for.
There are domains that are in ASCII format, but I would like the Unicode format.
Registrars may use the following web site to convert the ASCII domain name to Unicode format: http://mct.verisign-grs.com/.
Cells that are designated for phone/fax numbers in the Request For Information document are supposed to be filled with phone & fax numbers but the format of those is set and locked to something else. Thus each time I am entering a phone number it is converted to a random number. For example I am trying to enter the number +552.2812517 into cell F11 (which is our primary contact phone number) but Excel is automatically turning it into 126.96.36.199.
Please do not enter + sign in the beginning; Excel will treat it as formula.
Are there any limits on the file formats that may be uploaded to the web site? Is it restricted to only .TXT, .DOC, and .PDF?
There are no restrictions on file format; you can upload files in any non-proprietary formats.
If the documentation to be uploaded includes email communication, will ICANN request logs proving the mail was received at the senders' host?
ICANN would expect to receive full TCP headers for the email messages that your registrar sends to the registered name holders.
For "Request for Domain Deletion & Auto-Renewal Policy," do registrars upload the policy, or simply show a link to the live webpage on the Excel spreadsheet instead?
Either way is acceptable. Registrars may upload the policy, or simply show a link to the live webpage on the Excel spreadsheet.
What exactly is the auditor looking for under the request of public contact?
Auditor is looking for accurate and complete public contact data in RADAR.
There is a question on the RFI Excel spreadsheet that requires information whether the selected sample domains were transferred out or in within specified timeframe. If the selected sample domain does not have any transfer activities within the indicated period, would "N/A" be an appropriate answer?
For domains that have not been transferred out or in within the indicated period, "N/A" is an appropriate answer. If there has been a transfer, the appropriate answer would be either "Gaining/Transferred In" or "Losing/Transferred Out."
With regards to question in the RFI that is asking for FOAs/AuthCodes, does this only refer to the domains that have transferred, as it was indicated in the answer to prior question?
Yes, this question applies only to domains that are marked "Gaining/Transferred In" or "Losing/Transferred Out" in response to prior question.
Some companies own several registrars, brands and trademarks. In some cases, the company's registrar may register domain names to its brands for commercial purposes by using registrar's name as the registrant. The end result is that the registrars have registered domain names to themselves. Under such circumstances, would "N/A" be an appropriate answer to the request of "Registration Agreements"?
Registrars can also be registrants for domain names registered through use of their own accreditation provided that the domain names are used for the provision of registrar services. If registrar enters "N/A" in the spreadsheet, the registrar will need to provide explanation of how the domain name is used for: (1) contracting with domain name holders; (2) collecting registration data about registered name holders; and (3) submitting registration data to the registry operators.
The audit notice states: "If you are part of a family and multiple registrars within your family were selected, you can respond for one IANA number within your family ONLY if all selected registrars operate the same, technically and operationally." Does it mean we can answer for the domain names identified for one registrar only?
Yes, it does. However, please provide a list of all Internet Assigned Numbers Authority (IANA) numbers of the family members and indicate which IANA number you are choosing to represent the family. Or, alternatively, you can indicate on each family member's RFI – "member of the family, see IANA xxxx."
Are the RFIs for the registrars public? Are the responses to the RFI from registrar audits made public in an anonymized form at all?
Neither RFI nor responses to RFI provided to ICANN are made public.
When an email is sent to ICANN Contractual Compliance do we get an acknowledgment immediately (automated) or if not automated then what is the expected time frame to receive the first acknowledgement of the email?
There is no automated acknowledgment from the ICANN Contractual Compliance email address when it has received an email. We recommend that you send emails to ICANN Contractual Compliance (email@example.com) with a delivery receipt selected for your email so that you know that we have received it.
ICANN's Contractual Compliance team strives to acknowledge receipt of emails and when possible, reply in substance, to all inquiries within three to five business days.
Are replies to questions and documentation requested in the Request for Information acceptable in English only or other languages are acceptable?
Replies in Registrar's native language are acceptable; documentation is acceptable in the original language, no translation is required.
Request for Information requests Registrar Self-Assessment Certification (CEO Certificate). What is the CEO certificate?
The Registrar Self-Assessment Certification (CEO Certificate) template can be found at the following link https://www.icann.org/resources/pages/ceo-certification-2014-01-29-en
I lost my upload log on information (or it does not work), what should I do?
Email firstname.lastname@example.org and request new log on credentials.
I am having difficulty opening the RFI, what should I do?
Email email@example.com and specify the difficulty you are having. ICANN will work with you to provide RFI in other formats.
Where is the 2013 RAA Registrar Training located?
Click here: https://www.icann.org/resources/pages/registrar-training-resources-2015-09-23-en – this link provides the content hosted by ICANN (http://learn.icann.org) as well as a link to an alternative YouTube version of the content. Use whichever is more convenient for you, but note that 1) quizzes are not included in the YouTube version; and 2) translated-subtitle versions of the training are only available on learn.icann.org (from the home page, select your language at the top of the screen, then select the 2013 RAA Registrar Training.)
Audit Program Service Provider Questions
How did ICANN select the Audit Program service provider?
Preparation and planning for the Audit Program began in April 2012. The methodology, approach and Request for Proposal (RFP) were designed and approved in late May 2012. The RFP was released to five pre-selected firms on 13 June 2012. ICANN identified the five audit firms based on the following criteria: knowledge of ICANN, global presence, size, expertise, and reputation. ICANN followed its normal procurement process: RFP issued, Q&A, Proposal Analysis, Scorecard Ratings Methodology. A cross-functional steering committee was formed to evaluate and rank the firms. The vendor selection is based on the steering committee's evaluation and consultation with the ICANN executive management team.
What happens if the auditors being considered are also new gTLD Applicants? Does this pose as a conflict of interest?
The Audit Program service provider is required to disclose and publish any and all actual or potential organizational, as well as individual staff members', conflicts of interest and propose a mitigation plan for each disclosed circumstance. At a minimum, the service provider is required to deploy an ethical wall between those working on the audit and those that have any involvement in a registry or registrar. This helps ensure confidentiality, as well as mitigate any potential or actual conflicts. If ICANN is made aware of a conflict, ICANN will employ all available resources to mitigate any issues and, at a minimum, will internally review all documentation provided by the contracted party, rather than have anyone with the Audit Program service provider review such documentation.
New Registry Agreement Audit Program Questions
How will the New gTLD Compliance Audit Program impact the new Registry Agreement Audit Program audit plan?
The audit plan is impacted in terms of the scope as it related to the number of registry operators that sign the new Registry Agreement with ICANN and the changes to the agreement (exemptions, additional obligations, etc.).
Who will the RFI be sent to?
ICANN will email the RFI to the registry operator's compliance point of contact, with a copy to the primary contact.
Will ICANN publish a guide on how to pass the audit?
ICANN does not provide a guide on how to pass the audit. Please respond and provide the requested information per the required date. ICANN will review and follow-up on a case-by-case scenario.
Please consult with your legal, technical and operational teams on the steps required to pass the audit.
Will ICANN be providing additional details regarding the methodology and further guidelines to enable us to provide you with more detailed feedback?
ICANN has shared, to the extent possible and appropriate, the audit approach. Additional details related to testing methodology are not provided to auditees. This is a common practice in auditing.
Is there a provision for the registry operator to request additional time in order to respond to the RFI?
ICANN is following its standard approach; parties will have 15 business days to provide the requested information. If information is not provided, further notifications will be issued, providing some extra time, before matter is potentially escalated to a breach of contract.
Can we expect a more precise WHOIS specification (other than Specification 4) prior to the audits?
At this point, the audit is based on the WHOIS Specification 4 as outlined in the registry agreement. The auditors will take into consideration any additional guidance on the subject, as soon as it is finalized.
How many TLDs will be audited? Is there a requirement for at least one registry operator from each region?
The objective of the new Registry Audit Program is to select a representative sample to test the overall compliance with the different contractual obligations. The number of TLDs selected for audit is based on selection criteria which does not include physical location or place of registration of a registry operator. Thus, it is possible that there will be more than one (or none) TLDs selected for an audit for a certain region.
Will there be consideration given to registry service providers that support multiple registries?
The audit covers registries, as they are the contracted parties for ICANN. It is possible that several registries, serviced by the same registry service provider will be selected for audit.
Will the RFI require registries to repeat everything that's already in the new gTLD application and/or the Agreement?
The RFI will take into consideration applicable previously submitted information. If the RFI calls for information that registry operator provided during application, then the registry operator should state that and respond that there have been no changes since the application was submitted.
Is the New Registry Audit Program target all gTLDs in existence?
This program targets gTLDs that have signed the 2 July 2013 base registry agreement, as amended from time to time.
There are provisions in the New Registry Agreement that apply once a year in January. If the registry operator signed before 1 January but was delegated in May, does that annual provision apply?
In this case, the registry operator may respond "not applicable" to questions in the RFI and briefly explain the reason why.
Will ICANN provide guidelines on the form of expected responses?
The RFI will provide general guidelines to the form of expected documentation and responses.
Will detailed explanations be required or will it be self-certification?
The RFI may include some questions where self-certification (or a statement) is sufficient. Other questions may require documentation and/or detailed explanations.
Will some of the audit checks be actual transaction tests?
The audit checks will be performed based on the need to validate compliance; some tests/checks might include actual transaction tests.
Will ICANN be conducting site visits as envisioned in the Registry Agreement?
At this time, site visits are not planned, but are possible.
During the claims period for each registry, will ICANN audit whether the domains registered have not been approved by the Trademark Clearinghouse Database (TMDB)?
Yes, ICANN will audit that during the claims period the registry, prior to domain registration, verified whether or not the domain name have been in TMDB.
Section 2.11b of the New Registry Agreement requires the registry operator to reimburse ICANN for audit costs incurred where the registry operator is vertically integrated; can you provide rough cost estimates for budgeting purposes?
At this time, ICANN will incur the cost of the audit program.
Is Centralized Zone Data Service (CZDS) in the audit scope?
Centralized Zone Data Service will not be audited; it is not one of the audit program focus areas at this time.
Will the Registry-Registrar Agreement be required to be presented as part of the audit?
RRAs are in the audit scope (see audit scope http://www.icann.org/en/resources/compliance/outreach/registry-agmt-audit-12may14-en.pdf [PDF, 714 KB]). ICANN will review some of the provisions in RRAs to confirm the compliance with Code of Conduct (and, possibly, some other provisions of Registry Agreement).
Question 6.B in the RFI, refers to "custom policies" regarding reserved names. What are "custom policies" regarding reserved names?
Article 2.6 of the Registry Agreement (RA) states that "…Registry Operator may at any time establish or modify policies concerning Registry Operator's ability to reserve (i.e., withhold from registration or allocate to Registry Operator, but not register to third parties, delegate, use, activate in the DNS or otherwise make available) or block additional character strings within the TLD at its discretion." The audit refers to this as "Custom policies". If the TLD has created any policies covering reserved names, please disclose such policies. If not, please state "No."
Questions 7.a and 7.b requests in RFI requests a registry operator's to upload its Business Continuity Plan (BCP) and most recent results of BCP's annual testing. What are the expectations of ICANN with respect to Business Continuity Plans for TLDs?
As stated in Specification 6, Article 3.3 of the RA, "Registry Operator shall maintain a business continuity plan." Therefore, it is expected that a Business Continuity Plan should be in place by the TLD delegation date. In addition, Article 3.3 also specifies that the BCP should be tested annually by each TLD.
Question 9 of the RFI is about the cross ownership between registry operators and registrars and/or resellers. What if a registry operator is not entitled to obtain accounting books or financial records of the registrar or reseller with whom it is vertically integrated?
Please provide an explanation as to why the registry operator is not able to obtain the records, and indicate where revenues from its registrar or reseller are captured in the registry operator's financial statements.
Question 12 of the RFI requests that the registry operator upload all of its Registry-Registrar Agreements (RRAs) to ICANN's Contractual Compliance site. Is this correct?
There are multiple ways to comply with this request: (1) by uploading a full copy of all RRAs (signature pages are optional) that your registry operator has in effect, or, (2) by uploading the standard RRA, the pages of any RRAs that are different from the standard template and provide a list of the registrars and resellers for the TLD. ICANN may select registrars and/or resellers from the list and request its full RRA.