|
Now that new gTLD registries have been operating for more than a year, a few registries have already experienced going through an audit and a few more are now receiving notifications that they are next in line. For all, the process of going through an ICANN audit is a first. Once you receive the Request for Information (RFI), you will have 15 days to respond, or seek an extension of time. Extensions may be available on a case by case basis.
Origins
ICANN’s ability to request an audit comes from a Registry Operator’s contract with ICANN. Clause 2 contains all of the covenants (or “promises”) made by the Registry Operator (“Registry”) as to how it would run the registry. One of these covenants allows ICANN to audit them.
ICANN’s Audit is a rigorous program. According to ICANN’s “Contractual Compliance Audit Program Outreach” presentation, the goal of the Audit program is “To proactively identify deficiencies and manage the remediation process to ensure compliance with contractual obligations.” The audit will cover any deficiencies in seventeen (17) general “Compliance Areas”, each corresponding to a particular contractual policy or obligation. These “Areas” include not only provisions in the Registry Agreement, but also provisions and/or obligations set forth in ICANN Temporary and Consensus Policies.
The registry must allow ICANN to conduct an audit, no more than twice per year, into its performance against the warranties and covenants given by the Registry when it signed the contract.
The key warranty is that all the information provided by the Registry was and continues to be true. The covenants are summarized below —
Normally, ICANN will pay for the costs of the audit, which should be conducted in normal business hours, done in a way that is least disruptive to the business, and with at least 10 days notice of any visit to a Registry site.
ICANN announced in May ‘14 that it was preparing its Audit Program. For the rest of 2014 it developed the program with community input, including trial audits of 14 running new gTLDs, from 4 countries and in 3 languages.
In February 2015 ICANN said:
“The goal of the New Registry Agreement Audit Program is to identify deficiencies, if any, and then to collaborate with the contracted parties to help them remediate any deficiencies while ensuring proper controls exist to avoid future deficiencies. The deficiencies identified could relate to specific provisions and/or obligations set forth in the New Registry Agreement as well as in ICANN Temporary and Consensus Policies.”
How Does it Work?
ICANN has explained that each audit will be conducted by moving through 4 well-defined phases.
1. General Operations Phase
Prior to any audit commencing, ICANN will email a Pre-Audit Notification. If you have received one, you should review the the ICANN Audit FAQs. Here is how the process works:
2. RFI Phase
ICANN issues a Request for Information. This is an Excel spreadsheet containing a set of targeted questions. Each compliance area is assigned a “Request Index” and will have multiple “information requests” which are questions to be answered by uploading specific documents. An example of a compliance area is section 2.6 of Specification 5 of the Registry Agreement for the new gTLD being audited. The specific information requests ask for the complete list of reserved names, if you have implemented any custom policies, and if so to provide the custom Reserved Names policies, amongst others. The first step is to review the requirements under your Registry Agreement, then plan your responses including identifying documents that must be uploaded to ICANN.
ICANN is seeking to establish that the warranties and covenants remain true or are being complied with. For example, that the Registry Operator remains a company in “good standing” in its home jurisdiction, that the number of names under management being reported each month is accurate, and that the names that ICANN requires be"reserved” have actually been taken out of circulation.
3. Audit Phase
ICANN expects to take up to three (3) months to process the data supplied under the RFI, then to issue an Audit Report to you as the new gTLD registry. Once you receive your audit report, you should review it promptly and thoroughly to address any remediation that may be required.
Earlier this year, ICANN published a report summarizing the results of its 2014 Contractual Compliance audit of fourteen (14) new gTLD Agreements. The report covered the high-level results for the fourteen (14) new gTLD registries selected for the 1st round of audits. ICANN made public the identity of the new gTLDs, and listed the top five (5) issues/deficiences noted, as well as the potential impact or risk posed by these shortfalls. However, ICANN did not identify the deficiencies by registry. As ICANN had said before, neither the RFIs, nor the responses to RFIs, are made public.
4. Remediation Phase
ICANN has indicated a willingness to work with registry operators to help remedy any defects uncovered by the audit process. ICANN has an “informal” resolution process, which, if successful, results in no futher action being taken by ICANN. If remediation is unsuccessful ICANN will then shift to a “formal” resolution process. In the end, this may result in enforcement of the provisions of the contract including termination of the operator’s contract as a last resort.
What To Do if You Receive an RFI
Responding accurately and confidently to the RFI within a 15-day window can be a daunting task, especially if your resources are required to simultaneously manage and operate the registry. Here are some simple guidelines to follow when you receive the RFI:
1. Get organized. You will need to assemble a team who will work together to craft a coherent, consistent and accurate response to the RFI. At the very minimum, you will need:
2. Appoint an audit Project Manager. Although this may seem obvious, you will need to make sure you have one point of control and tracking for any documents and responses that are collected. In addition, your audit Project Manager, should:
3. Empower your audit Project Manager with the appropriate authority to task the individual team members. This doesn’t necessarily just extend to the two weeks required to pull responses together. Your audit Project Manager will also need to be on hand to review ICANN’s audit report in three months, and to coordinate any remediation efforts should they be required by ICANN.
4. Set up a schedule. You need to ensure that team collectively and individually has set aside adequate time to respond to the RFI. An organized schedule is the only way to minimize pressure on your team and mitigate disruption to the business.
5. Do a final review of all documents and responses to the RFI prior to submission to ICANN.
New gTLDs will all inevitably be selected for an ICANN Contractual Compliance audit. The audit should not be taken lightly; nor should it be cause for panic and disruption. A proper understanding of the audit process coupled with a deliberate and organized plan of response are the keys to a successful outcome.
Sponsored byIPv4.Global
Sponsored byCSC
Sponsored byVerisign
Sponsored byWhoisXML API
Sponsored byRadix
Sponsored byDNIB.com
Sponsored byVerisign