ICANN | VeriSign Response to 2001 AIN Audit Report

Date: 24 June 2002


VeriSign's Response to Ernst & Young's Annual Independent Neutrality Audit Report

June 24, 2002

This will respond to the report ("Audit Report") prepared by Ernst & Young ("Auditor") based on its first Annual Independent Neutrality Audit for the year ended December 31, 2001.

VeriSign, Inc. ("VeriSign") is supportive of the audit program as defined by ICANN and VeriSign. Throughout the audit, we worked closely with and provided the Auditors our full cooperation and assistance. We have dedicated substantial resources to ensuring compliance with the applicable requirements and have worked hard to provide the Auditors with full access to VeriSign materials and personnel. We are pleased with the Auditors' overall conclusion that VeriSign complied in all material respects with the audited requirements, especially given that ICANN solicited comments from all ICANN-accredited registrars as part of the audit process.

As to the two minor areas of concern noted by the Auditors, we cannot agree with the Auditors' conclusion that these items constituted "material noncompliance" with the stated requirements. As a preliminary matter, it should be noted that the Audit Report explicitly states that the Auditors' "examination does not provide a legal determination on VeriSign, Inc.'s compliance with specified requirements." The Audit Report therefore does not purport to render an opinion as to whether the two noted items constituted material violations of the Registry Agreements.

Additionally, the Auditors did not find that the items described in the Audit Report resulted in any harm or benefit to any registrar or to VeriSign, or that they were the result of any pattern or practice of VeriSign intended to harm or benefit any particular registrar. The Audit Report does not suggest, for example, that the removal by a storage facility operator of proprietary labels that VeriSign had affixed to its computer tapes in accordance with its normal practices affected anyone. Indeed, this incident was contrary to VeriSign's practice and procedure and occurred outside of its direct control. If anything, the storage facility operator's removal of the labels demonstrates VeriSign's material compliance with the labeling requirement.

Similarly, the Audit Report recognizes that it was not VeriSign's normal practice or procedure to permit registrars to exceed the maximum number of IP addresses to connect with the Shared Registration System. As the Auditors found, VeriSign only granted requests to exceed the maximum number of IP addresses when the identified registrar (which did not include the VeriSign registrar) demonstrated a temporary, operational need to do so. The temporary, infrequent nature of this activity does not support the Auditors' conclusion that the activity constituted a "material noncompliance." To the contrary, VeriSign's flexibility under these circumstances advanced the spirit and intent of the audited requirements.

In any event, VeriSign has taken steps to address both of the items identified in the Audit Report. We had taken these measures in part before the audit even began.

As for the Auditors' statement that VeriSign's systems do not store historical records of system configuration information on a daily basis, we will await recommendations from the Auditors as to how such information can best be tracked.

Based on the knowledge we have gained in working closely with the Auditors during this first audit, we look forward to hosting a more streamlined audit next year.



Page Updated 24-Jun-2002