Summary
- AFRINIC's public record shows an audit committee and broad oversight language before 2019, but it does not demonstrate a recurring, independently reported test of who could alter number-resource records, whether each alteration matched an approved request, and whether exceptions were closed.
- The decisive inquiry began only after an external court order, public investigation and outside technical assistance brought suspicious address blocks into view; that chronology is evidence of a detection gap, not proof that every earlier auditor ignored known misconduct.
- An effective early-warning system needed four linked powers: direct access to registry and ticket data, a reporting line independent of the managers being tested, authority to assign and verify corrective action, and automatic escalation of overdue or high-risk exceptions.
- Financial audit, broad risk review and information-technology governance were not useless, but they were too easy to satisfy without reconciling the scarce asset ledger to the technical systems through which custody and control were changed.
- The governance lesson is institutional rather than personal: a regional registry should make unauthorised alteration difficult, rapidly visible and impossible to close through management assertion alone.
The scandal was detected from the outside in
An early-warning system earns the name by discovering a dangerous condition before the condition becomes a public loss. AFRINIC's later account of the address misappropriation does not describe such a sequence. Its 2021 WHOIS accuracy report says that the organisation became aware of suspicious activity around several IPv4 blocks in March 2019 after a Supreme Court of Mauritius order arising from an application by a United States investigative authority. It says the board commissioned an investigation in July, that a media investigation published serious allegations in September, and that APNIC delivered findings in December.
The internal disciplinary and police responses followed.
That chronology matters more than the vocabulary applied after the event. AFRINIC subsequently called its examination an enhanced internal audit and established what it described as a permanent audit mechanism. Yet the trigger was not a routine control that compared approved allocations with live records and raised a protected exception. The trigger came from beyond the ordinary line of management. External legal process, external scrutiny and a sister registry's assistance turned a hidden weakness into an examinable case.
This is not a semantic complaint. Detection source is a diagnostic fact. If a registry's own controls first identify an anomalous change, preserve the evidence and alert an independent body, the institution has demonstrated surveillance over its core administrative power. If a court order or outsider first identifies the suspicious block, the institution has demonstrated that it can investigate after notice. The second capacity is valuable, but it is not the first.
Nor does this chronology prove that a named auditor, committee member or executive knew of the conduct earlier. Public materials do not disclose every internal test, concern or conversation from 2010 to 2019. The defensible conclusion is narrower and more important: the published record does not show a control capable of converting the relevant registry anomalies into a timely board-level warning before external intervention. Institutional design should be judged by that observable result rather than by retrospective assurances that oversight existed in general.
Audit had a wide mandate but an indistinct entity
AFRINIC's 2018 annual report described an audit committee responsible for oversight of financial reporting, internal financial control, risk management, internal auditing, information systems and information-technology governance. The January 2019 committee charter was broader still. It required access to information for internal audit, direct access to the board and committee chairs, periodic reporting, monitoring of management responses, protection of assets against unauthorised use, and supervision of investigations involving fraud, misconduct or conflicts.
On paper, that is not a narrow mandate. Almost every institutional safeguard later found necessary can be placed somewhere within those words. Registry records are information systems. IPv4 space administered by the organisation is an institutional responsibility. Unauthorised changes are an internal-control failure. A staff conflict is a conflict of interest. A suspicious transaction is a fraud risk. The committee was not formally forbidden from looking.
But a mandate written at that level can conceal the absence of an auditable entity. What exactly was the scarce asset ledger? Which system represented the authoritative state of a resource? Which ticket, approval, applicant record and change log had to exist before a hostmaster or database administrator could alter that state? Which historical records were sufficiently reliable to establish the starting point? Who reconciled the resource inventory, the public WHOIS entry, the member account, delegated statistics, reverse-DNS authority and routing-registry entities?
Which discrepancy required immediate escalation rather than a routine correction?
An audit programme can review information technology without asking those questions. It can test password policy, backup completion, procurement, expenses, revenue, access lists and financial statements. It can receive a presentation about systems and still never select a sample of address blocks, trace each one back to a justified request, identify every privileged alteration and obtain independent proof that the registered holder is legitimate. Broad scope is not the same as a testable control universe.
AFRINIC's later WHOIS examination reveals the specificity that had been missing from the public record. The investigators used registry history, WHOIS logs, member records, delegated statistics, ticket data, maintainer information, other registries' records, historical InterNIC material, corporate information, public reports and whistleblower information. That is the anatomy of a number-resource audit. The relevant question is why a recurring version of that anatomy was not already producing exceptions before 2019.
Financial assurance could not establish resource custody
The gravitational pull of an audit committee is visible in its calendar. The 2019 charter said meetings should occur at least twice a year and correspond with the financial-reporting cycle. Much of the detailed charter addressed financial statements, accounting treatments, external auditors, going concern, capital adequacy and compliance with financial-reporting standards. These duties were necessary. AFRINIC collected fees, paid staff, contracted suppliers and held cash. Members needed confidence that money was recorded and statements were reliable.
The danger was category substitution. IPv4 addresses are not inventory in the accounting sense, and the 2017 registration agreement later published by AFRINIC expressly said number resources were not property. Whatever their legal character, they had become economically scarce and operationally powerful. A wrongful alteration could create substantial external value without generating a conventional purchase invoice, fixed-asset disposal, payroll variance or missing cash entry in AFRINIC's books.
A financial auditor asks whether an asset or liability is fairly stated under the applicable accounting framework. A registry-integrity auditor asks whether administrative custody over every number block is supported by authority, policy, applicant evidence and an unbroken change history. The same event might be invisible to the first inquiry and decisive in the second. If a block is reclassified in a technical system without a corresponding payment to the registry, the accounts may remain internally balanced while the registry has lost control of a scarce public coordination resource.
This is why the word asset can mislead. The audit charter's instruction to safeguard organisational assets was broad enough to invite action, but it did not itself define the technical population to be tested. A control owner had to translate that instruction into reconciliations, immutable logs, dual approval, anomaly thresholds and independent confirmation. Without that translation, a committee could discuss asset protection while the consequential events occurred in a system whose entries did not flow into the financial statements.
The answer is not to turn financial auditors into hostmasters. It is to join disciplines. Accounting audit should test fees, conflicts and related transactions. Technical audit should test privileged changes and system integrity. Registration audit should test entitlement and policy evidence. Legal review should test contract and authority. The committee should then receive one exception register that shows where those views do not agree.
Data access had to be direct, complete and historical
The first requirement of an early-warning audit is evidence access. A committee presentation is not access. A spreadsheet prepared by the department under review is not necessarily access. A current WHOIS query is not history. The auditor needs a read-only path to the underlying records, their changes, the identities that made them and the authorisations offered for each change.
The later investigation demonstrates why. AFRINIC reported that resources from its managed pool had been represented as legacy space. That is not merely an inaccurate contact field. Legacy classification affects the apparent origin and governance of a block. The 2021 report explained that legacy holders generally lacked a contractual agreement with AFRINIC, even though AFRINIC maintained relevant records and services. Changing classification could therefore alter the appearance of the relationship and weaken ordinary membership checks.
To identify such manipulation, an auditor needed historical snapshots of the resource inventory and a record of every classification change. The auditor also needed a trusted baseline: what AFRINIC received from predecessor registries, what IANA delegated, what was assigned, what remained available, and which legacy records migrated into the regional system. A present-state report cannot reveal that a field was changed years earlier unless the old state survives and can be compared.
Access also had to cross system boundaries. A plausible record in one interface might conflict with the member file, ticket system or delegated-statistics output. The 2021 report describes using MyAFRINIC and WHOIS histories, organisation and contact data, maintainers, tickets, service use and external historical sources. An early warning would have come from the disagreement among those records. If the same person could alter the member-facing record and the evidence presented to an auditor, a single-system check offered little protection.
Completeness is equally important. Audit sampling can be efficient, but the sampling frame must include every privileged change and every address block. High-risk selections should include conversion to legacy status, changes to dormant historical holders, alterations requested from newly registered domains, unusual concentration under one staff account, large blocks, rapid chains of updates, records without a matching request and changes followed by out-of-region routing or commercial transfer signals. A purely random sample might miss rare but extremely valuable manipulation.
Finally, access must survive management turnover and investigation. Logs that can be edited by the same administrators they describe are weak evidence. Tickets that can be deleted, private mailboxes without retention, undocumented scripts and shared credentials break attribution. Tamper-evident storage, clock consistency, named accounts and retained approvals are not technical luxuries. They are the documentary foundation on which discipline, recovery and judicial action depend.
Independence required more than non-executive membership
The 2019 charter required audit committee members to be non-executive directors and independent of management. It also provided for direct communication with the internal auditor and meetings with auditors without management present. Those are sensible formal safeguards. They reduce the risk that executives can entirely control what the board hears.
Formal independence, however, can coexist with informational dependence. A non-executive director who receives only management-selected summaries remains dependent on management for the facts. An internal auditor who must negotiate every query through the department being tested can be independent in title but constrained in practice. A committee that may hire external expertise only after board approval may be unable to act quickly when the suspected weakness touches senior authority or the board itself.
Registry audit creates a particular competence problem. Directors can be financially literate yet lack the technical context to distinguish a harmless contact update from a change that alters effective control. They may not recognise the significance of a maintainer, a legacy-status conversion, a delegated-statistics mismatch or a route object. Dependence then shifts from the executive hierarchy to a small technical group. The person explaining the control may also be the person whose activity requires testing.
True independence therefore needed three components. The first was an unmediated right to obtain data from systems and custodians. The second was access to external technical expertise selected by the oversight body, not solely by management. The third was a protected reporting route for staff and outsiders who observed anomalous records. The 2021 audit's use of APNIC assistance, media research and whistleblower information shows the value of multiple evidence channels after the crisis. The same diversity should have existed as a standing detection arrangement.
Independence also means controlling the audit plan. Management should contribute risk information, but it should not decide which address populations, staff accounts or historical periods are off limits. A board committee should approve a risk-based plan, permit unscheduled tests and receive unfiltered results. Where the board cannot act because of conflict, vacancy or deadlock, a defined substitute must receive the alert. Otherwise independence ends at the first governance failure.
A finding without closure authority is an observation
Detection alone does not protect the registry. An auditor can identify an exception, management can promise a correction, and the underlying condition can persist. The 2019 charter anticipated this risk by directing the committee to monitor management's responsiveness to findings and recommendations. The important operational question is how that monitoring was converted into closure.
A credible exception register assigns each finding an owner, risk classification, corrective act, evidence requirement and deadline. Closure is not the owner's statement that the matter is resolved. It is the auditor's verification that the control now works and that affected records have been examined. If the problem involves excessive privilege, evidence might include removal of access, rotation of credentials, review of the account's historical activity and a test showing that unauthorised changes are rejected. If it involves unsupported resource records, closure requires entitlement evidence or a carefully governed correction.
The difference between recommendation and authority becomes acute when remediation is inconvenient. A full historical review consumes staff time. Restricting privileged access can slow routine service. Preserving records can expose earlier decisions. Contacting purported holders can trigger disputes. Management facing those costs may prefer a narrower fix. Unless the oversight body can demand the broader action or take the disagreement to a body with decision power, the audit becomes advisory at the point where resistance is greatest.
Closure authority does not mean auditors should run registry operations. Management must implement controls. It means management cannot mark a high-risk finding complete on its own terms. The auditor verifies; the committee accepts or rejects closure; the board directs unresolved action; and members receive an appropriately bounded account of material exceptions. Technical and personal details can remain protected without concealing whether remediation occurred.
The 2020 response illustrates the scale that delayed closure can create. AFRINIC said it examined the entire IPv4 history, reclaimed or quarantined some address space, reversed some changes, and left other blocks under due diligence or disputed custodianship. Once questionable records had accumulated across years and passed through third parties, correction became a legal and continuity problem rather than a simple database repair. Early closure would have reduced both the number of affected parties and the evidentiary distance from the original act.
Escalation needed triggers, not discretion alone
An early-warning system needs a rule for when an exception stops being an operational matter. Without it, each manager can regard the anomaly as temporary, ambiguous or insufficiently important. Time passes while the evidence ages and the disputed position becomes commercially embedded.
The escalation rule should be automatic for certain events: an unsupported change to resource status or holder; a privileged alteration outside an approved interface; a mismatch between authoritative inventories; a request involving an entity controlled by staff; deletion or modification of audit logs; repeated failure to answer an audit query; or a high-risk finding overdue beyond a short period. These triggers should notify the internal auditor and committee chair simultaneously, preserving evidence before the subject can be normalised.
Other matters can escalate by accumulated risk. One stale contact record is not equivalent to a large unexplained transfer of administrative control. But repeated stale records, dormant legacy holders, recently created domains and concentrated staff intervention may form a pattern. The audit function should be able to aggregate signals across cases. A case-by-case helpdesk view can miss the common actor or method.
Escalation must also have destinations. The first is the audit committee. The second is the full board when management does not act or the risk exceeds a defined threshold. The third may be independent technical review, legal counsel, law enforcement or affected holders, depending on evidence and law. The fourth is the membership, in a form that reports material control failure and remediation without prejudicing an investigation or exposing sensitive data.
The 2019 experience shows why a court order cannot be the designed final rung. Courts and investigators can compel records after suspicion arises, but they are not continuous registry monitors. A member community cannot outsource routine assurance to litigation. External intervention should be available when necessary, not required to make the institution look at its own ledger.
Management assurance was structurally limited public evidence
Regional registries depend on specialised staff. The same expertise that makes operations possible creates an oversight asymmetry. Directors and members cannot personally validate every allocation. They need management to explain systems, assess staff and certify that controls operate. Yet a system intended to test management cannot terminate in management assurance.
A useful assurance chain separates assertions. The registration team states that a request was evaluated. A system record shows who changed the allocation. A second approver confirms that the action matched the request. An automated reconciliation confirms that the public and internal records agree. Internal audit tests the evidence and exceptions. The committee checks closure. Each layer answers a different question, and no one actor can manufacture the complete chain.
Where one senior specialist can approve, implement and explain a change, reputation becomes a control. Reputation is cheap in normal times and expensive in failure. Long service, technical knowledge and trusted relationships may reduce everyday friction, but they increase the need for independent logs and review because colleagues are less likely to challenge familiar authority.
Management also controls priorities. During address exhaustion, staff face growing request volume, member pressure and increasingly valuable IPv4 space. Controls that slow allocation or updates can appear bureaucratic. An independent audit plan protects integrity work from operational urgency. It states that a reconciliation will occur even when queues are long and that an exception will be investigated even when the responsible manager considers the matter closed.
This is not an argument for governing by suspicion. Most staff actions are legitimate, and cumbersome approval can harm service. Controls should scale by risk. Routine low-impact updates can be automated and sampled. Large blocks, legacy changes, transfer-like events, privileged overrides and related-party signals deserve dual control and complete review. The point is to remove the need to choose between blind trust and universal paralysis.
The public record should have exposed control performance
Members elect directors and fund the registry, yet the public materials before the scandal offered limited means to assess whether core registry controls were operating. An annual report could describe the audit committee's remit and list members without reporting the number of internal audits completed, high-risk findings opened, overdue findings, privileged-access reviews or registry reconciliations. Governance existed as structure; performance remained difficult to see.
Transparency does not require publishing vulnerabilities or allegations. A registry can report control metrics safely: percentage of privileged changes matched to approved tickets; number of unexplained inventory discrepancies; age of unresolved high-risk findings; frequency of access recertification; completeness of immutable logging; number of legacy-holder disputes; and whether the internal auditor met privately with the committee. These figures tell members whether assurance is alive without revealing credentials or targets.
Material findings need narrative too. If an audit discovers that historical records cannot establish custodianship, members should know the scale, the risk, the protective status applied and the decision rule for correction. If management and audit disagree, the committee should state that a disagreement exists and how it will be resolved. Silence should not transform uncertainty into apparent normality.
The later WHOIS report supplied extraordinary detail about address counts and statuses. It identified 2,371,584 addresses described as misappropriated from AFRINIC's pool, reported 1,060,864 reclaimed, and stated that 1,310,720 remained subject to due diligence. For legacy space, it described 1,799,168 addresses as apparently compromised, with portions consolidated, reversed or disputed. Whatever later disputes attach to particular cases, the publication shows that quantified accountability was possible. A smaller, recurring version before 2019 could have made deterioration visible sooner.
Scarcity changed the risk faster than oversight changed
Between 2010 and 2019, IPv4 scarcity intensified. Other regional registries moved through exhaustion milestones, transfer markets grew, and address blocks acquired obvious commercial value. AFRINIC continued to hold comparatively significant space for allocation. The incentive to obtain, lease, route or misrepresent addresses therefore rose even if the technical act of changing a record remained superficially similar.
Risk assessment should have responded dynamically. A control adequate when addresses were plentiful might be inadequate when a large block could support a substantial commercial business. The size of the possible benefit changes the insider-threat model. It justifies stronger separation of duties, transaction monitoring, staff conflict declarations, post-allocation verification and scrutiny of unusual routing or holder changes.
The audit universe also changed. A registry no longer needed only to prevent mistaken data entry. It needed to detect deliberate combinations of plausible documents, historical ambiguity, corporate changes and technical updates. Legacy records were particularly exposed because original organisations might have merged, dissolved or lost knowledgeable contacts. A claim could sound credible precisely because verification was difficult.
The committee charter's annual review of risk and internal audit plans should have been the mechanism for adaptation. Yet the public record does not demonstrate that IPv4 scarcity was translated into a standing forensic test of the registry. This is another distinction between mandate and execution. A risk can be recognised in speeches and policy debate without changing what auditors sample on Monday morning.
The control model should begin with an allocation evidence chain
The most important reform is conceptually simple: no live resource state should exist without an evidence chain that can be independently replayed. For a non-legacy allocation, the chain begins with the applicant's legal identity and eligibility, continues through demonstrated need and policy analysis, records the decision and approvals, captures the exact system change, and preserves subsequent updates, reviews and authorised transfers. Fees and membership records are linked but do not substitute for entitlement evidence.
For legacy space, the chain is different because the holder may have no registration agreement and the original allocation predates AFRINIC. The baseline should include predecessor-registry records, historical corporate identity, migration evidence and later verified changes. Where evidence is incomplete, the record should carry a visible protected status and changes should require enhanced review. Uncertainty must be represented, not silently resolved by whichever claimant reaches an administrator.
Every link needs an owner and retention rule. Every privileged change should reference the case that authorised it. Automated controls should reject a change if required evidence is absent. Emergency overrides should be rare, time-limited, independently notified and reviewed the next business day. The audit system should identify orphan records and orphan approvals in both directions.
This design makes sampling more powerful. Auditors do not search for wrongdoing in an undefined mass of data. They test whether chains are complete, whether approvals came from authorised and unconflicted people, whether live state matches decisions, and whether post-allocation facts trigger review. Exceptions become comparable across years and teams.
Independence must extend to the remediation budget
Audits fail when they identify a problem but cannot obtain the resources to fix it. Historical reconciliation, external expertise, secure logging and identity verification cost money. Management can defer them in favour of visible services. A board that approves the audit plan but not the remediation capacity has approved observation rather than control.
The audit committee should therefore assess the cost of open findings and recommend a protected remediation budget. High-risk registry integrity work should not compete each month with events, travel or discretionary projects. The board should see both the cash cost of repair and the exposure created by delay. Scarce IPv4 makes the latter potentially much larger than the former.
External advisers should be appointable quickly under a bounded budget. The 2019 charter allowed external personnel subject to board approval. That safeguard controls spending but can produce delay or conflict when rapid independent expertise is needed. A pre-approved panel, spending threshold and emergency notification rule would preserve accountability while preventing management from controlling the only technical interpreter available to the committee.
Resources also include staff time. If the registration team is expected to clear its ordinary queue and reconstruct fifteen years of history without added capacity, remediation will slip. The committee should require a plan that separates current control from historical review, so old uncertainty does not continue to create new weakness.
Audit quality should be tested by surprise and replay
Assurance cannot rely entirely on scheduled reviews. A person able to anticipate the sample can prepare a clean path while leaving other conduct untouched. The committee needs authority for unannounced read-only tests of selected records and privileged activity. Surprise should be proportionate and controlled, not an invitation to disrupt production.
Replay is the stronger test. An auditor selects a resource block and asks the institution to reconstruct, from retained evidence, why the current holder is recorded, who approved each material change, what policy applied at the time and whether any unresolved exception exists. The result should not depend on the memory of the employee who processed it. If the chain cannot be replayed, the registry has a continuity and accountability defect even if the present entry happens to be correct.
The same method can test a staff account. Select a period, enumerate every privileged action, match each action to an approved case, and investigate the unmatched residue. Concentration, timing and unusual categories become visible. Departing staff accounts should receive a complete replay before access is closed and records become harder to explain.
These tests create deterrence without assuming guilt. Staff know that any high-risk change may later be reconstructed from independent records. Honest employees benefit because a complete chain protects them from unsupported allegations. The institution benefits because investigation begins with evidence rather than reputation.
What members should demand from the warning system
Members do not need to run the registry, but they should define the assurance outcome. They should require the board to state annually whether all number-resource populations are covered by an audit universe; whether privileged access was recertified; whether high-risk changes were independently matched to evidence; whether material discrepancies remain; and whether the auditor had unrestricted access and private reporting.
They should also insist on a closure table. Findings can be grouped by severity without exposing sensitive facts. The table should show opened, closed, overdue and independently verified items, with previous-year comparison. A high-risk finding that remains open should carry a reason, an interim safeguard and a decision date. Repeated deferral should trigger a member-visible board explanation.
Appointments matter, but competence and protection matter more than names. The committee needs financial literacy, technical registry understanding, legal judgment and investigative experience. Members should know how conflicts are handled, how an auditor can report concern about management or directors, and who receives the report when the board lacks quorum.
Finally, members should reject two comforting extremes. The first says that the existence of a committee proves control. The second says that one control failure proves every institutional act corrupt. Neither helps. The useful task is to identify the failure mechanism and build evidence that the mechanism has been removed.
The lesson is about the distance between a charter and a signal
AFRINIC did not lack oversight nouns. Its materials referred to audit, risk, internal control, information systems, independence, access, fraud investigation and asset protection. The later crisis showed that nouns do not produce warnings. A signal appears only when a defined test reaches complete data, the result bypasses the subject of review, a responsible body can compel correction, and delay automatically moves the issue upward.
The 2019 discovery sequence offers a measurable standard. A future anomaly should not need a foreign investigation, court order, journalist or sister registry to become visible. Those actors remain valuable checks, and outside scrutiny may always uncover matters internal controls miss. But the ordinary first alert should come from the registry's own reconciliation and reach independent oversight before records are commercialised, disputed or operationally embedded.
That standard is also a continuity safeguard. Early detection narrows the remedy. One questionable change can be frozen, examined and corrected with notice. A multi-year chain touching holders, customers and routed networks creates litigation, recovery uncertainty and collateral risk. Good audit is therefore not administrative overhead. It is the mechanism that keeps a control failure from becoming a regional continuity problem.
The institutional verdict is exact. The public record supports the existence of an audit structure and later serious investigation. It does not show an effective pre-2019 warning chain for number-resource manipulation. The missing elements were not another statement of values. They were direct historical evidence, operational independence, verified closure and mandatory escalation. Until all four are demonstrable, an audit can confirm that failure occurred; it cannot reliably prevent the institution from learning last.
Timeliness should be an audited control in its own right
Audit design often measures whether a control exists and whether a selected transaction was handled correctly. A warning system must also measure elapsed time. A correct review performed two years after a privileged change may establish history, but it does little to protect an address block that has acquired customers, routing dependencies and competing claims in the interval. Delay changes both the harm and the available remedy.
AFRINIC should therefore define clocks for every high-risk stage. A privileged change should appear in an independent exception feed within hours. The referenced approval should be matched within a business day. An unexplained mismatch should preserve logs and suspend further non-essential changes immediately. The control owner should answer within a short stated period, and the auditor should either verify the explanation or escalate it. The committee should see high-risk open items at each meeting and receive immediate notice when a deadline is missed.
These clocks should be measured from system events, not from the date management chooses to open a case. Otherwise a long-undetected change can appear newly discovered and still within target. The assurance report needs two ages: time from the original event to detection, and time from detection to verified closure. A falling closure time can coexist with a dangerously long detection time; reporting only one would create false comfort.
Timeliness also disciplines competing narratives. When the record preserves the exact moment of alteration, the first automated alert, the human review, the notice to affected parties and the escalation decision, later entities do not have to reconstruct institutional intent from press statements. They can assess whether the control operated as designed. If it did not, the missed clock identifies where responsibility moved next.
Service targets should reflect severity rather than convenience. A minor contact-format discrepancy can enter an ordinary queue. A change of holder, status or maintainer for a large block deserves immediate attention. An apparent staff-related interest, log deletion or unsupported override should bypass ordinary management. The purpose is not to pronounce guilt quickly. It is to stop evidence and dependencies from moving while legitimacy is tested.
An annual independent test should then select several warnings and replay the clocks end to end. It should verify that alerts could not be suppressed, timestamps were consistent, notifications reached the intended independent recipient, interim safeguards actually applied, and closure evidence answered the original exception. This is the audit of the audit: proof that the institution's promised warning channel works under realistic conditions rather than merely existing in a policy document.
Sources and evidentiary boundaries
The principal evidence is AFRINIC's WHOIS Database Accuracy Report, which provides the institution's account of the 2019 triggers, the later methodology, address counts, statuses and post-discovery controls. Its descriptions of misconduct and custodianship are treated as AFRINIC's documented findings, not as final judicial determinations of every disputed right.
AFRINIC's 2018 Annual Report establishes how the organisation publicly described the audit committee's remit before discovery. The January 2019 Audit Committee Charter supplies the committee's stated access, independence, reporting, investigation and management-response responsibilities. Neither document, by itself, proves which tests were actually performed on individual resource records.
The February 2020 board minutes document the board's treatment of the internal investigation and outside assistance after discovery. AFRINIC's August 2020 statement supplies the organisation's interim account of police referral, address categories, reclamation and control reinforcement. Later institutional statements are used to reconstruct response and claimed findings; they are not allowed to determine the article's governance framing.

