March 5, 2003
Louis Touton, Esq.
Vice President and General Counsel
Internet Corporation for Assigned Names and Numbers
4676 Admiralty Way, Suite 330
Marina del Rey, CA 90292
Re: REPORT OF INDEPENDENT ACCOUNTANTS
Dear Mr. Touton:
This letter is in response to the February
13, 2003 Report of Independent Accountants ("Report") prepared
by Ernst & Young ("Auditors") following its second Annual
Independent Neutrality Audit of VeriSign, Inc. ("VeriSign")
for the year ended December 31, 2002.
As in the previous year, VeriSign is supportive of the audit program
as defined by ICANN and VeriSign. Throughout the audit, we worked closely
with and provided the Auditors our full cooperation and assistance. We
have dedicated substantial resources to ensuring compliance with the applicable
requirements and have worked hard to provide the Auditors with full access
to VeriSign materials and personnel. We are pleased with the overall results
of the audit and believe that VeriSign complied in all material respects
with audited requirements.
As to the two minor areas of concern noted by the Auditors, we cannot
agree with the Auditors' conclusion that these items constituted "material
noncompliance" with the stated requirements.
1. As noted in the Report, several registrars had more than the maximum
allowable number of Internet Protocol (IP) addresses for connecting
to the Shared Registration System Gateway during 2002. None of these
registrars were affiliated with VeriSign, Inc. This was a deviation
from Sections 23(A) and 23(D) of the .com Registry Agreement and Subsections
3.5.1 and 3.5.4 of the .net and .org Registry Agreements (Appendix H,
Section V and Appendix I, Section 2).
While VeriSign acknowledges this technical "deviation," several
instances were necessary to support registrars who demonstrated a temporary
operational need to do so. VeriSign's flexibility under these circumstances
advanced the spirit and intent of the audited requirements. The temporary
nature of these instances does not support the Auditors' conclusion
that these instances constituted a "material noncompliance."
At the same time, to address the Auditors' concern, VeriSign is taking
steps to address this item by incorporating additional crosschecks prior
to implementing IP address change requests.
2. As also noted in the Report, Organizational Conflict of Interest
refresher training was not consistently conducted on an annual basis.
This was a deviation from Section 23(E) of the .com Registry Agreement
and Subsection 3.5.1 of the .net and .org Registry Agreements (Appendix
H, Section VII).
Organizational Conflict of Interest ("OCI") refresher training
is an online course and the designated employees take it independently.
As such, the "deviation" should state that the VeriSign employees
did not consistently complete the refresher training on the required
annual basis and VeriSign acknowledges this is a requirement for employees
to do so. However, of the 25 employees included in the audit sample,
for example, 12 completed initial OCI training on schedule, and 7 of
the remaining 13 completed refresher courses within 13 months from the
date of their last course. Also, during the period of employment with
VeriSign employees' job requirements may change so that they no longer
require access to the Registry and Registry data. This is especially
true for operational staff. For example, an employee who initially needs
access to the Registry and Registry data takes the OCI course. If the
employee no longer needs access to the Registry and Registry data, he/she
would again take the OCI training course. This situation may appear
to result in a gap of more than one year between OCI training dates,
but actually it is not a violation of the OCI requirements. VeriSign
plans to enhance the methods used to ensure that employees complete
OCI refresher training in a timely manner.
VeriSign believes that there has been no known material noncompliance
with the audited requirements for the year ended December 31, 2002.
We will, however, take the appropriate steps to correct the areas of concern
raised by the Report.
Very truly yours,
Russell S. Lewis, General Manager
VeriSign Global Registry Services
Comments concerning the layout, construction and
functionality of this site
should be sent to email@example.com.
©2003 The Internet Corporation for Assigned
Names and Numbers. All rights reserved.