ICANN | Letter from Rusty S. Lewis (VeriSign Global Registry Services) to Louis Touton Concerning 2002 Annual Independent Neutrality Audit | 5 March 2003
  ICANN Logo Letter from Rusty Lewis to Louis Touton
5 March 2003

Global Registry

March 5, 2003

Louis Touton, Esq.
Vice President and General Counsel
Internet Corporation for Assigned Names and Numbers
4676 Admiralty Way, Suite 330
Marina del Rey, CA 90292


Dear Mr. Touton:

This letter is in response to the February 13, 2003 Report of Independent Accountants ("Report") prepared by Ernst & Young ("Auditors") following its second Annual Independent Neutrality Audit of VeriSign, Inc. ("VeriSign") for the year ended December 31, 2002.

As in the previous year, VeriSign is supportive of the audit program as defined by ICANN and VeriSign. Throughout the audit, we worked closely with and provided the Auditors our full cooperation and assistance. We have dedicated substantial resources to ensuring compliance with the applicable requirements and have worked hard to provide the Auditors with full access to VeriSign materials and personnel. We are pleased with the overall results of the audit and believe that VeriSign complied in all material respects with audited requirements.

As to the two minor areas of concern noted by the Auditors, we cannot agree with the Auditors' conclusion that these items constituted "material noncompliance" with the stated requirements.

1. As noted in the Report, several registrars had more than the maximum allowable number of Internet Protocol (IP) addresses for connecting to the Shared Registration System Gateway during 2002. None of these registrars were affiliated with VeriSign, Inc. This was a deviation from Sections 23(A) and 23(D) of the .com Registry Agreement and Subsections 3.5.1 and 3.5.4 of the .net and .org Registry Agreements (Appendix H, Section V and Appendix I, Section 2).

While VeriSign acknowledges this technical "deviation," several instances were necessary to support registrars who demonstrated a temporary operational need to do so. VeriSign's flexibility under these circumstances advanced the spirit and intent of the audited requirements. The temporary nature of these instances does not support the Auditors' conclusion that these instances constituted a "material noncompliance." At the same time, to address the Auditors' concern, VeriSign is taking steps to address this item by incorporating additional crosschecks prior to implementing IP address change requests.

2. As also noted in the Report, Organizational Conflict of Interest refresher training was not consistently conducted on an annual basis. This was a deviation from Section 23(E) of the .com Registry Agreement and Subsection 3.5.1 of the .net and .org Registry Agreements (Appendix H, Section VII).

Organizational Conflict of Interest ("OCI") refresher training is an online course and the designated employees take it independently. As such, the "deviation" should state that the VeriSign employees did not consistently complete the refresher training on the required annual basis and VeriSign acknowledges this is a requirement for employees to do so. However, of the 25 employees included in the audit sample, for example, 12 completed initial OCI training on schedule, and 7 of the remaining 13 completed refresher courses within 13 months from the date of their last course. Also, during the period of employment with VeriSign employees' job requirements may change so that they no longer require access to the Registry and Registry data. This is especially true for operational staff. For example, an employee who initially needs access to the Registry and Registry data takes the OCI course. If the employee no longer needs access to the Registry and Registry data, he/she would again take the OCI training course. This situation may appear to result in a gap of more than one year between OCI training dates, but actually it is not a violation of the OCI requirements. VeriSign plans to enhance the methods used to ensure that employees complete OCI refresher training in a timely manner.

VeriSign believes that there has been no known material noncompliance with the audited requirements for the year ended December 31, 2002. We will, however, take the appropriate steps to correct the areas of concern raised by the Report.

Very truly yours,

Russell S. Lewis, General Manager
VeriSign Global Registry Services

Comments concerning the layout, construction and functionality of this site
should be sent to webmaster@icann.org.

Page Updated 24-Mar-2003
©2003 The Internet Corporation for Assigned Names and Numbers. All rights reserved.