Now that new gTLD registries have been operating for more than a year, a few registries have already experienced going through an audit and a few more are now receiving notifications that they are next in line. For all, the process of going through an ICANN audit is a first. Once you receive the Request for Information (RFI), you will have 15 days to respond, or seek an extension of time. Extensions may be available on a case by case basis.

Origins

ICANN’s ability to request an audit comes from a Registry Operator’s contract with ICANN. Clause 2 contains all of the covenants (or “promises”) made by the Registry Operator (“Registry”) as to how it would run the registry. One of these covenants allows ICANN to audit them.

ICANN’s Audit is a rigorous program. According to ICANN’s “Contractual Compliance Audit Program Outreach” presentation, the goal of the Audit program is “To proactively identify deficiencies and manage the remediation process to ensure compliance with contractual obligations.” The audit will cover any deficiencies in seventeen (17) general “Compliance Areas”, each corresponding to a particular contractual policy or obligation. These “Areas” include not only provisions in the Registry Agreement, but also provisions and/or obligations set forth in ICANN Temporary and Consensus Policies.

The registry must allow ICANN to conduct an audit, no more than twice per year, into its performance against the warranties and covenants given by the Registry when it signed the contract.

The key warranty is that all the information provided by the Registry was and continues to be true. The covenants are summarized below —

1. That the registry will be operated according to ICANN policies;
2. That Registry will comply with ICANN policies;
3. Registry will escrow data;
4. Registry will provide monthly reports to ICANN;
5. Registry will provide public access to registration data;
6. Registry will only reserve names according to ICANN ‘s rules;
7. Registry will use Internet technical standards, such as the RFCs on DNS, EPP, and DNSSEC to ensure the registry is safely interoperable with other Internet entities;
8. Registry will protect the legal rights of others by using at least the UDRP, URS, a Sunrise period and the TMCH;
9. Registry must provide equal, non-discriminatory access to its Registrars, and inform ICANN if it becomes a Registrar;
10. Registry will give notice of initial registration price increases, and will charge uniform renewal rates, and provide look-up service to the registry.
11. Registry will permit and support ICANN compliance audits;
12. Registry will provide a Continuing Operations Instrument;
13. Registry will cooperate with an emergency transition process to another operator, should it be needed;
14. Registry will comply with the Code of Conduct;
15. Registry will co-operate with any economic studies done by ICANN;
16. Registry will operate according ICANN’s technical specifications for gTLD registries;
17. Registry will comply with all Public Interest Commitments it signed up to;
18. Registry will notify registrars of the uses for which personal data will be collected, and require them to obtain registrant consent for that collection and use.
19. Community registries must operate according to community policies

Normally, ICANN will pay for the costs of the audit, which should be conducted in normal business hours, done in a way that is least disruptive to the business, and with at least 10 days notice of any visit to a Registry site.

ICANN announced in May ‘14 that it was preparing its Audit Program. For the rest of 2014 it developed the program with community input, including trial audits of 14 running new gTLDs, from 4 countries and in 3 languages.

In February 2015 ICANN said:

“The goal of the New Registry Agreement Audit Program is to identify deficiencies, if any, and then to collaborate with the contracted parties to help them remediate any deficiencies while ensuring proper controls exist to avoid future deficiencies. The deficiencies identified could relate to specific provisions and/or obligations set forth in the New Registry Agreement as well as in ICANN Temporary and Consensus Policies.”

How Does it Work?

ICANN has explained that each audit will be conducted by moving through 4 well-defined phases.

1. General Operations Phase

Prior to any audit commencing, ICANN will email a Pre-Audit Notification. If you have received one, you should review the the ICANN Audit FAQs. Here is how the process works:

2. RFI Phase

ICANN issues a Request for Information. This is an Excel spreadsheet containing a set of targeted questions. Each compliance area is assigned a “Request Index” and will have multiple “information requests” which are questions to be answered by uploading specific documents. An example of a compliance area is section 2.6 of Specification 5 of the Registry Agreement for the new gTLD being audited. The specific information requests ask for the complete list of reserved names, if you have implemented any custom policies, and if so to provide the custom Reserved Names policies, amongst others. The first step is to review the requirements under your Registry Agreement, then plan your responses including identifying documents that must be uploaded to ICANN.

ICANN is seeking to establish that the warranties and covenants remain true or are being complied with. For example, that the Registry Operator remains a company in “good standing” in its home jurisdiction, that the number of names under management being reported each month is accurate, and that the names that ICANN requires be"reserved” have actually been taken out of circulation.

3. Audit Phase

ICANN expects to take up to three (3) months to process the data supplied under the RFI, then to issue an Audit Report to you as the new gTLD registry. Once you receive your audit report, you should review it promptly and thoroughly to address any remediation that may be required.

Earlier this year, ICANN published a report summarizing the results of its 2014 Contractual Compliance audit of fourteen (14) new gTLD Agreements. The report covered the high-level results for the fourteen (14) new gTLD registries selected for the 1st round of audits. ICANN made public the identity of the new gTLDs, and listed the top five (5) issues/deficiences noted, as well as the potential impact or risk posed by these shortfalls. However, ICANN did not identify the deficiencies by registry. As ICANN had said before, neither the RFIs, nor the responses to RFIs, are made public.

4. Remediation Phase

ICANN has indicated a willingness to work with registry operators to help remedy any defects uncovered by the audit process. ICANN has an “informal” resolution process, which, if successful, results in no futher action being taken by ICANN. If remediation is unsuccessful ICANN will then shift to a “formal” resolution process. In the end, this may result in enforcement of the provisions of the contract including termination of the operator’s contract as a last resort.

What To Do if You Receive an RFI

Responding accurately and confidently to the RFI within a 15-day window can be a daunting task, especially if your resources are required to simultaneously manage and operate the registry. Here are some simple guidelines to follow when you receive the RFI:

1. Get organized. You will need to assemble a team who will work together to craft a coherent, consistent and accurate response to the RFI. At the very minimum, you will need:

• A financial resource: this can be your CFO or Controller who has a firm grasp on the financial statements as well as the finanial organization and set up of the registrt
• A policy resource: This is someone who is steeped in your Registry Agreement, but also has drafted the relevant policies to comply with the provisions in the RA.
• A marketing/channel sales resource: This should be someone in your organization who is most knowlegeable about marketing, sales and general channel issues. For example: they should know what if any premium names you may have delegated, and to whom?
• An operations resource: This person should know about any technical and operational processes planned or put in place at the registry and between you and your Registry Services Provider.
• It is ok if one person actually performs multiple roles, so long as they are knowledgeable about the subject matter.

2. Appoint an audit Project Manager. Although this may seem obvious, you will need to make sure you have one point of control and tracking for any documents and responses that are collected. In addition, your audit Project Manager, should:

• define and enforce version control on all docs submitted;
• review and identify any inconsistencies between answers/documents submitted by various team members and work to solve them;
• and be the main point of contact to submit any questions if needed to ICANN, and to submit the final responses.

3. Empower your audit Project Manager with the appropriate authority to task the individual team members. This doesn’t necessarily just extend to the two weeks required to pull responses together. Your audit Project Manager will also need to be on hand to review ICANN’s audit report in three months, and to coordinate any remediation efforts should they be required by ICANN.

4. Set up a schedule. You need to ensure that team collectively and individually has set aside adequate time to respond to the RFI. An organized schedule is the only way to minimize pressure on your team and mitigate disruption to the business.

• Ideally the audit Project Manager should set up bi-weekly status review calls with the team to track progress against document and response collection.
• A useful metric we have used with our clients is a percent (%) completion metric. This corresponds to the percentage of specific items that have been collected, reviewed and finalized for upload to ICANN. The audit Project Manager should track the % completion metric at each bi-weekly call, and organize efforts towards completion of the priority items still outstanding.

5. Do a final review of all documents and responses to the RFI prior to submission to ICANN.

New gTLDs will all inevitably be selected for an ICANN Contractual Compliance audit. The audit should not be taken lightly; nor should it be cause for panic and disruption. A proper understanding of the audit process coupled with a deliberate and organized plan of response are the keys to a successful outcome.