What Every Company Should Know About Email Management for Sarbanes-Oxley Compliance
In simple terms, the Sarbanes-Oxley Act (SOX) requires public companies to demonstrate effective corporate governance and information management controls. Since the Act passed, however, just about everyone (lawyers, consultants, industry analysts and technology vendors) has jumped on the SOX compliance bandwagon with recommendations to make and products to sell. The noise about SOX has become nearly deafening.
Senior Vice President
Luckily, as we approach the first significant deadlines related to the Act, the legal and technology communities are converging on some key best practices regarding its implications. At a fundamental level, complying with the regulation means establishing a process for managing communications and the lifecycle of the information they carry. Since email has become the de facto method of business communication and the most critical source of information for almost every large business, the management of email is a fundamental element of SOX compliance.
The prospect of storing and retrieving email is daunting, as the sheer volume of email exchanged among enterprises is staggering. Recent research from the Radicati Group, Inc. states that the average corporate email user sends and receives 84 emails a day, equating to 10 MB per day of storage. This number is expected to rise to 15.8 MB per user, per day by 2008. Recent TowerGroup research on email content management states that by 2007 the securities industry alone will handle more than 95.8 million email messages per day.
Given the severe consequences for non-compliance with SOX, companies tend to overcompensate. Managers fear that one email could be the catalyst that pushes the entire company over the dividing line between compliance and non-compliance. The pressure on top executives is redoubled by the requirement that they personally certify, in writing, the accuracy of financial reports and the effectiveness of the internal controls behind them (Sections 302 and 404). It is not surprising that many executives react with a policy ordering IT staff to archive every email. They figure that more is better.
For some firms, saving every email means backing up the entire email system on a daily basis. Many companies already protect themselves from data loss by copying email to a separate storage device, usually a tape library for large systems. In the past, many firms have attempted to extend these backup systems for regulatory compliance purposes.
Tape backup systems are entirely inadequate, though, when you need even simple access to the stored messages, let alone the ability to search or manage these mail stores. Most companies have vastly underestimated the time and expense required to extract specific email from enormous volumes of undifferentiated backup tape at the behest of regulators or in response to litigation. Companies that rely on this method risk falling short of the expectation that requested records be produced in a timely manner. For this reason, the active email archiving concept has emerged: email is stored "actively," so that it is not only readily accessible but is integrated with applications that provide powerful searching and management capabilities.
Simply storing millions of email messages on online storage consumes a lot of expensive capacity without providing a solution. Heaven forbid a regulator should ask for a specific email or email exchange. Finding it among the vast archive is the equivalent of finding a needle in a haystack. Politicians harped on the time it took the White House to retrieve emails during the recent investigation of the media's naming of a CIA agent. The politicians called it a delay tactic, but, in truth, extracting particular email from backup storage at the White House or at any organization is nearly impossible without the right tools.
So, with all of this headache and heartburn (and potential cost or penalties), how is one to deal with Sarbanes-Oxley? Thankfully, active email archiving is not a new concept, and archiving to comply with regulations is not new either. The securities industry has implemented archiving and data retention solutions to comply with regulations for a long time. Investigating best practices in this industry is helpful for those implementing SOX solutions.
For financial institutions, the SEC has long required the retention of email exchanges and, more recently, of instant message (IM) conversations. SEC Rule 17a-4 requires broker-dealers that keep records electronically to preserve them in a non-rewritable, non-erasable format. Additional rules require that the SEC be able to review specific communications upon request. The National Association of Securities Dealers sets other, similar regulations for its members and even requires that email communications be supervised.
To ensure compliance, financial institutions deploy message management solutions that support their compliance policies regarding message archival, retention, supervision, mail storage management, discovery and litigation support.
Without question, these advances in the email management market can be utilized by companies staring at Sarbanes-Oxley deadlines. For SOX compliance, companies can follow the example of the financial institutions, who, facing their own regulations, have established corporate policies for retaining messages and exchanges. Often, these policies involve input from many constituencies within the organization so they can withstand scrutiny from internal and external legal counsel.
As is the case in the financial markets, there is no standard policy for corporations to follow to ensure compliance, mostly because SOX is vague. But best practices are emerging. Numerous sections of Sarbanes-Oxley discuss communications and retention management. For example, Section 103(a) requires registered public accounting firms to maintain audit work papers, and other information supporting the conclusions of an audit or review, for seven years; Section 802(a) makes the destruction or alteration of such records a crime and sets its own retention period (five years in the statute, extended to seven by the SEC's implementing rule). Given that, email communications related to audit work papers and financial controls should clearly be retained for at least seven years.
Other portions of the Act use broader language. Section 104(a) gives the Public Company Accounting Oversight Board (PCAOB) the option to broaden the range of record types that accounting firms must maintain.
Due to the amorphous nature of the Act, it is understandable that many companies would establish policies that simply store each and every email ever sent or received in the enterprise. While this is an understandable reaction, it may not be the correct one. Not only may this be above and beyond what is necessary, it could actually be an obstacle to effective compliance. Many email messages may not be relevant for compliance, including personal email, spam messages and other communications. Within an archive, these messages take up costly storage space and impact the efficiency of the overall email system.
What firms need to do, regardless, is first establish a corporate compliance policy and then implement solutions that support that policy flexibly, since it will certainly need to evolve over time. The policy must take into account the relevant technology and business factors associated with compliance, as well as the particular regulatory frameworks that apply to different lines of business and departments.
Some email archiving solutions can retain messages between specific groups of people, internally or externally, or emails sent to a specific person. A company might establish a firm-wide policy that any messages exchanged between an entity and a third-party (such as a consultant or accounting firm) will be archived all the time, no matter what their content. Since consulting and accounting firms are third parties but still access and influence information germane to SOX, establishing policies for archiving communication with them is prudent.
From an internal perspective, a company might archive any emails sent to C-level executives, or it might choose to save emails sent between executives and the Board of Directors. Meanwhile, all messages exchanged among junior level individuals (except for those in the finance group) might not be archived.
Of course, retaining emails is only useful if you can find the messages when needed. Section 105(b) of SOX states that any client of a public accounting firm may be required to produce documents related to audits or investigations. The entire purpose of an "active" email archive is to find, organize and produce archived messages. Some email management solutions include discovery and litigation tools for quickly and efficiently searching the archive, regardless of volume or size, for pertinent messages. Some solutions also offer the ability to automatically categorize messages according to content or flag messages that contain attorney-client privileged information. These features are valuable for refining what must be turned over and what is not required to be turned over. This can be critical to producing successful litigation and regulatory outcomes.
To reduce the total cost of storing massive quantities of email, companies are looking for hierarchical storage management features. This simply means the firm can use different storage media depending on the age or importance of a message and how quickly it will need to be retrieved. Using email management software with hierarchical storage features, the messages most likely to be requested by a regulator or in litigation are kept on the fastest (and most expensive) media, so they remain easily accessible and "active," while older or less critical mail moves to cheaper tiers.
The financial services industry must also comply with additional elements of the Sarbanes Oxley Act. Section 501(a) requires securities analysts to be separated from broker/dealers by "appropriate informational partitions." It also restricts prepublication approval of research reports by investment banking. Investment banks may face requests to provide evidence of any email interactions between these two groups prior to publication of a report.
Some email management software provides the capability to set and enforce policies for internal communication between individuals, groups and departments. Email can even be blocked pre-delivery between restricted groups on the basis of group membership or based on content scanning. Once sent, mail can be evaluated by the email management software and either approved or rejected according to the established policy. Using this blocking capability, a Financial Services firm can set a policy to block mail addressed to a member of the Investment group from a member of the Research group and vice versa. Or it can block email that references a particular stock or ticker.
In addition, section 301(4) of SOX requires public companies' internal audit committees to establish procedures for the receipt, retention and treatment of complaints related to fraud, accounting, internal accounting controls or auditing matters. There must be a mechanism in place for storing and time-stamping tips or complaints and an audit trail demonstrating a response. Existing software solutions can automatically capture, time-stamp and flag messages containing complaints and provide an audit trail of compliance activity. So not only will the message be captured, it can be categorized and retained for an appropriate time period along with an audit trail to demonstrate compliance.
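The article does not say how a product implements the time-stamped complaint record and audit trail it describes. The following is an added example, not the code of any product the article refers to, of one way a practitioner would build that record so that it cannot be quietly edited after the fact: each entry (a received complaint or a documented response) carries a timestamp and the SHA-256 digest of the entry before it, so a later edit, deletion or reordering breaks verification. The timestamps, addresses and complaint texts are constructed for the example, and the caller supplies timestamps so it runs deterministically; a real deployment would take them from a trusted clock or timestamping service, which is an assumption here.

```python
"""Hash-chained, time-stamped complaint log (added example; not code from any
product the article refers to).

Each entry, whether a received complaint or a documented response, records a
timestamp and the SHA-256 digest of the entry before it, so editing, removing
or reordering an entry later is detectable. Timestamps are passed in by the
caller so the example runs deterministically; a deployment would take them
from a trusted clock or timestamping service (an assumption; the article does
not specify one)."""
import hashlib
import json

GENESIS = "0" * 64  # digest "before" the first entry


def _digest(entry):
    """Canonical JSON (sorted keys, no whitespace) so the hash is stable."""
    canonical = json.dumps(entry, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


class ComplaintLog:
    def __init__(self):
        self.entries = []

    def _append(self, kind, timestamp, **fields):
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        entry = {"seq": len(self.entries), "kind": kind,
                 "timestamp": timestamp, "prev": prev, **fields}
        entry["hash"] = _digest(entry)  # covers every field except itself
        self.entries.append(entry)
        return entry

    def receive(self, timestamp, sender, subject, text):
        """Capture a complaint as received (the 'receipt, retention' part)."""
        return self._append("complaint", timestamp, sender=sender,
                            subject=subject, text=text)

    def respond(self, timestamp, complaint_seq, handler, note):
        """Record the treatment of a complaint, linked to it by sequence number."""
        if not any(e["kind"] == "complaint" and e["seq"] == complaint_seq
                   for e in self.entries):
            raise ValueError(f"no complaint with seq {complaint_seq}")
        return self._append("response", timestamp, ref=complaint_seq,
                            handler=handler, note=note)

    def verify(self):
        """(True, count) if the chain is intact, else (False, index of first bad entry)."""
        prev = GENESIS
        for i, e in enumerate(self.entries):
            body = {k: v for k, v in e.items() if k != "hash"}
            if e["seq"] != i or e["prev"] != prev or _digest(body) != e["hash"]:
                return False, i
            prev = e["hash"]
        return True, len(self.entries)

    def open_complaints(self):
        """Complaints with no recorded response: the audit-trail gap to close."""
        answered = {e["ref"] for e in self.entries if e["kind"] == "response"}
        return [e["seq"] for e in self.entries
                if e["kind"] == "complaint" and e["seq"] not in answered]


def tamper_demo():
    """Show that edits and deletions are caught. Sample entries are constructed."""
    log = ComplaintLog()
    log.receive("2004-11-01T09:00:00Z", "tipster@example.com",
                "Revenue recognition", "Q3 bookings appear to be backdated")
    log.respond("2004-11-02T10:30:00Z", 0, "audit.committee@example.com",
                "Inquiry opened; outside counsel engaged")
    log.receive("2004-11-03T08:15:00Z", "anon@example.com",
                "Expense reports", "Receipts altered in cost centre 41")
    intact = log.verify()
    log.entries[0]["text"] = "no issue"          # silent edit of the first complaint
    edited = log.verify()
    log.entries[0]["text"] = "Q3 bookings appear to be backdated"
    del log.entries[1]                           # deletion of the response
    deleted = log.verify()
    return {"intact": intact, "edited": edited, "deleted": deleted,
            "open_after_deletion": log.open_complaints()}


if __name__ == "__main__":
    print(tamper_demo())
```

The chain only proves that nobody altered the log without breaking it; it does not prevent the alteration. In practice the periodic verify() result, or the latest digest, would itself be written to write-once media or sent to an independent party, so that an insider with write access to the log cannot simply rebuild the whole chain.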
Email management solutions even make it possible to be proactive about compliance. Monitoring functionality allows any message to be flagged for review by company officials, and can even stop delivery of messages based on content: for example, messages containing words or phrases that raise a concern, such as material information about a public company's performance, insider trading or money laundering. Some products offer content analysis based on natural language processing, which is considerably more accurate than keyword or phrase-based alerts. These email management solutions are proven technologies and are widely implemented in the financial services industry.
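The rules sketched above (archive all third-party and executive correspondence, block mail across the research/investment banking partition or mail that references a restricted ticker, and flag messages containing phrases that warrant review) are the kind of policy an email management product enforces at the gateway. The following is an added example, not the code of any product the article refers to, showing how such a rule set evaluates a message; the directory of addresses and groups, the third-party domains, the restricted tickers and the review phrases are all constructed assumptions, and the decision to archive everything that was blocked or flagged is a design choice of the example rather than something the article states.

```python
"""Rule-based email policy evaluator (added example; not the code of any
product the article refers to).

It models the three kinds of rule the article describes: retention (which
messages are archived), an information barrier (which messages are blocked
before delivery) and content monitoring (which messages are flagged for
compliance review). The directory, domains, tickers and phrases below are
constructed assumptions for the example."""
import re
from dataclasses import dataclass, field

# Constructed directory: address -> groups. Assumed for the example.
DIRECTORY = {
    "cfo@example.com": {"executive", "finance"},
    "ceo@example.com": {"executive"},
    "board.chair@example.com": {"board"},
    "analyst@example.com": {"research"},
    "banker@example.com": {"investment"},
    "clerk@example.com": {"finance"},
    "intern@example.com": {"junior"},
    "mailroom@example.com": {"junior"},
}
# Domains of the firm's auditors and consultants: always archived (assumed).
THIRD_PARTY_DOMAINS = {"auditfirm.example", "consultants.example"}
# Groups whose mail is archived regardless of content.
ALWAYS_ARCHIVE_GROUPS = {"executive", "board", "finance"}
# The two sides of the information barrier between research and banking.
BARRIER = ({"research"}, {"investment"})
# Tickers under a restriction; any reference is blocked (assumed list).
RESTRICTED_TICKERS = {"ACME", "XYZ"}
# Phrases that send a message to compliance review (assumed list).
REVIEW_PHRASES = ("material non-public", "insider", "offshore account")


@dataclass
class Message:
    sender: str
    recipients: list
    subject: str
    body: str


@dataclass
class Decision:
    archive: bool = False
    deliver: bool = True
    review: bool = False
    reasons: list = field(default_factory=list)


def groups_of(address):
    return DIRECTORY.get(address.lower(), set())


def domain_of(address):
    return address.rsplit("@", 1)[-1].lower()


def crosses_barrier(sender, recipient):
    """True if the two addresses sit on opposite sides of the barrier."""
    a, b = groups_of(sender), groups_of(recipient)
    left, right = BARRIER
    return bool((a & left and b & right) or (a & right and b & left))


def evaluate(msg):
    """Apply retention, barrier and monitoring rules to one message."""
    d = Decision()
    parties = [msg.sender] + list(msg.recipients)
    text = f"{msg.subject}\n{msg.body}"

    # Retention: third-party correspondence and executive/board/finance mail.
    if any(domain_of(p) in THIRD_PARTY_DOMAINS for p in parties):
        d.archive = True
        d.reasons.append("third-party correspondence")
    if any(groups_of(p) & ALWAYS_ARCHIVE_GROUPS for p in parties):
        d.archive = True
        d.reasons.append("executive, board or finance party")

    # Information barrier: block pre-delivery by group membership...
    for r in msg.recipients:
        if crosses_barrier(msg.sender, r):
            d.deliver = False
            d.reasons.append(f"barrier: {msg.sender} -> {r}")
    # ...or by content, for restricted tickers (whole word, case-sensitive).
    for t in sorted(RESTRICTED_TICKERS):
        if re.search(rf"\b{re.escape(t)}\b", text):
            d.deliver = False
            d.reasons.append(f"restricted ticker {t}")

    # Monitoring: phrases that warrant review; flagged mail is also retained.
    hits = [p for p in REVIEW_PHRASES if p in text.lower()]
    if hits:
        d.review = d.archive = True
        d.reasons.append("review phrases: " + ", ".join(hits))

    # Design choice here: anything blocked is kept as evidence the control fired.
    if not d.deliver:
        d.archive = True
    return d


if __name__ == "__main__":
    # Constructed sample traffic.
    samples = [
        Message("intern@example.com", ["mailroom@example.com"], "lunch", "noon?"),
        Message("clerk@example.com", ["partner@auditfirm.example"], "Q3 workpapers", "attached"),
        Message("analyst@example.com", ["banker@example.com"], "draft", "rating change soon"),
        Message("clerk@example.com", ["intern@example.com"], "fyi", "ACME looks strong"),
    ]
    for m in samples:
        print(m.sender, "->", m.recipients, vars(evaluate(m)))
```

Two things this example makes concrete that the prose does not: the junior-to-junior message is neither archived nor flagged, so the archive stays small as the article recommends, and every decision carries its reasons, which is what an auditor will ask for when a message was withheld or retained.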
Implementing an email management solution is an enterprise-wide IT decision. Email touches each and every department in a company, and it is becoming more and more critical to how business is done. Developing requirements for any email management solution for SOX compliance should involve IT executives, CIOs (or CISOs), lawyers, outside consultants, the CEO, and of course, the Chief Compliance Officer at progressive firms where this executive-level post is becoming more commonplace.
Violations of Sarbanes-Oxley carry draconian consequences for firms and individuals. Everyone in the corporate world knows this. Fortunately, to comply with the regulation's information management standards, corporations can look to best practices and software solutions that have already been proven in the field by many organizations in highly regulated industries, including hundreds of entities in financial services.