The .com, .net, and .org registry agreements between ICANN and VeriSign
include a Registry Code of Conduct. Each Code of Conduct states in part:
8. VGRS will conduct internal neutrality reviews on a regular basis.
In addition, VGRS agrees that it will cooperate with an independent
third party ("Auditor") performing Annual Independent Neutrality
Audits ("AIN Audits"), to be conducted during the fourth quarter
of each calendar year. The Auditor will be selected by ICANN, and will
be an accounting firm with significant experience in the review of contractual
and other legal commitments. All costs of the AIN Audits will be borne
by VGRS. The AIN Audit is intended to determine whether VGRS has been
in compliance with [Section 23 for .com; Subsection 3.5 for .net, and
.org] of the Registry Agreement, and will utilize such tests and techniques
as the auditor deems appropriate to determine that compliance. The terms
of reference of the AIN Audit will be established by ICANN, subject
to the approval of VGRS (such approval not to be unreasonably withheld),
and provided to the Auditor by ICANN. A complete report of the results
of each AIN Audit shall be provided by the Auditor to ICANN and VGRS
no later than 1 December of each calendar year (and by ICANN to the
US Departments of Commerce and Justice promptly thereafter). ICANN shall
determine that VGRS is in compliance with [Section 23 for .com; Subsection
3.5 for .net, and .org] if:
(1) any material breach(es) of [Section 23 for .com; Subsection 3.5
for .net, and .org] found by the audit that are susceptible to cure
have been cured, or are cured within a reasonable time; and
(2) in addition and not as an alternative to subparagraph (1) above,
any monetary sanction that ICANN chooses to impose under the Sanctions
Program set forth in Appendix Y for any such breach(es) has been timely
A summary of each AIN Audit report, excluding any information that
ICANN and VGRS agree (such agreement not to be unreasonably withheld)
is confidential or proprietary, will be posted on the ICANN web site
no later than 31 January of the calendar year immediately following
The AIN Audit for the 2001 calendar year was delayed, but the report
is now completed. The audit report describes the accountants' procedures
designed to verify a Report
of Management on Compliance representing that VeriSign had complied
with the requirements of the Registry
Code of Conduct and its Equivalent
VeriSign has prepared a response
to the AIN Audit Report, which ICANN has posted at VeriSign's request.
Ernst & Young LLP
8484 Westpark Drive
McLean, VA 22102
Phone: (703) 747-1000
Report of Independent Accountants
We have examined management's assertion, included in the accompanying
Report of Management on Compliance, that VeriSign, Inc. complied with
the following requirements of Appendices H and I of both Section 23 of
the .com Registry Agreement and Subsection 3.5 of the .net and .org Registry
Agreements executed by and between VeriSign, Inc. and the Internet Corporation
for Assigned Names and Numbers, Inc. (ICANN) for the year ended December
31, 2001 (the ICANN Requirements):
- H.I, H.II, H.III, H.IV, H.V, H.VI, H.VII, H.VIII
- I.1, I.2, I.3, I.4, I.5, I.6, I.7, I.8.
Management is responsible for VeriSign, Inc.'s compliance with the
ICANN Requirements. Our responsibility is to express an opinion on VeriSign,
Inc.'s compliance based on our examination.
Our examination was conducted in accordance with attestation standards
established by the American Institute of Certified Public Accountants
and, accordingly, included examining, on a test basis, evidence about
VeriSign, Inc.'s compliance with those requirements and performing
such other procedures as we considered necessary in the circumstances.
We believe that our examination provides a reasonable basis for our opinion.
Our examination does not provide a legal determination on VeriSign, Inc.'s
compliance with specified requirements.
Our examination disclosed the following material noncompliance with the
ICANN Requirements applicable to VeriSign, Inc. during the year ended
December 31, 2001:
ICANN Requirement H.V.1: All registrars (including any
registrar affiliated with VGRS) connect to the Shared Registration System
Gateway via the Internet by utilizing the same maximum number of IP
addresses and SSL certificate authentication.
Noncompliance: VeriSign permits registrars to temporarily
exceed the maximum number of IP addresses when the request is based
on operational needs, such as transferring operations from one site
to another, and a registrar requests a period of overlap in order
to effect a smooth operational transition.
In addition, several registrars (i.e., InterAccess, NameZero/NamesDirect,
NameEngine, and InterCosmos) had assigned their allocations to another
registrar (Tucows) to manage their processing. However, NameEngine
was still allocated its IP address resources without notifying VeriSign
of the reallocation.
ICANN Requirement H.VI, Exhibit A, Marking of Internal Documents:
"Computer tapes and other recorded material should be identified
by proper labeling which is visible to the ordinary person while the
material is being stored. In addition, all such material should have
a warning notice at the beginning of the material to ensure the user
is forewarned about the proprietary nature of its contents (as soon
as access is afforded to a computer tape or at the beginning of a
sound recording, etc.)."
Noncompliance: VeriSign maintains two off-site tape storage
sites. One is interim (i.e., involving storage for approximately one
week) and the second is long-term. Although tapes at the interim site
are labeled in accordance with H.VI, it was determined that, in the
process of transferring tapes to the long-term facility, the labels
were being removed by the interim site operator.
Our examination also disclosed that VeriSign, Inc. had not established
adequate controls that would allow us to obtain sufficient evidence to
determine compliance with requirements H.V.1, H.V.2, H.V.4 and I.2 for
the year ended December 31, 2001 because VeriSign, Inc. did not maintain
sufficient historical records of system configuration information on a
daily basis. Because of this restriction on the scope of our examination,
we do not express an opinion on compliance with Requirements H.V.1, H.V.2,
H.V.4 and I.2 for the year ended December 31, 2001.
In our opinion, except for the material noncompliance and the restriction
on the scope of our examination described above, VeriSign, Inc. complied,
in all material respects, with the ICANN Requirements for the year ended
December 31, 2001.
This report is intended solely for the information and use of VeriSign,
Inc.; the Internet Corporation for Assigned Names and Numbers, Inc.; the
U.S. Department of Commerce; and the U.S. Department of Justice; and is
not intended to be and should not be used by anyone other than these specified
June 19, 2002
©2002 The Internet Corporation for
Assigned Names and Numbers. All rights reserved.