Magazine Article | May 10, 2006

E-Mail Management Keeps You In Compliance

Source: Field Technologies Magazine

E-mail falls under the Sarbanes-Oxley Act’s requirements to save business records associated with financial reporting. You need to implement an e-mail management system to comply.

Integrated Solutions, May 2006

You’ve seen and heard the reports of SEC (Securities and Exchange Commission) investigations into discrepancies in public companies’ accounting and deal-making undertakings. Enron and Tyco are the most high profile examples, and Morgan Stanley recently joined their ranks. For any C-level executive, the fear of an investigation is very real. To protect themselves, companies are working to comply with the Sarbanes-Oxley Act (SOX). And to do this, companies are turning to their IT departments to put systems in place that fulfill the mandates in SOX. As e-mail becomes more and more prevalent as the main method of business communication, an e-mail management solution must be part of any thorough compliance effort.

SOX was created as a guideline to regulate the accounting and corporate governance procedures at public companies. The language of the act is, unfortunately, rather vague when it comes to actionable directives that information technology can help address. The most applicable statement is found in section 103 (a), which discusses auditing and quality control. The act reads that companies should “prepare, and maintain for a period of not less than 7 years, audit work papers, and other information related to any audit report, in sufficient detail to support the conclusions reached in such report.” From this, you can conclude that the “other information related to any audit report” includes documentation of communication — in other words, e-mail. “The issue with e-mail management and SOX that makes the headlines is the fact that e-mail is a source of corporate records,” says David Winkler, VP of product marketing for Mobius Management Systems, Inc.

E-mail is becoming the de facto standard for business communication. According to a recent study by the RadiCati Group, Inc., the average corporate e-mail user sends and receives 84 e-mails each day, equal to 10 MB per day, and the study predicted the latter number to rise to 15.8 MB per day by 2008. Gartner predicts that the volume of business e-mail will grow 25% to 30% per year through 2009. A white paper from Xiotech entitled, “The Dog Ate My E-Mail: SOX For The Midsized Enterprise,” includes a quote from a top IT officer at a public company. “E-mail wasn’t designed to be a document repository,” said the executive. “It was meant to be sent, read, and deleted. But now you can’t delete it.” Saving e-mail is necessary to have an accurate record of communications involving financial and business information. However, you can’t just back up your e-mail servers (which you already do anyway) and call it a day. You need to develop an effective e-mail management implementation strategy that gets you in compliance without overburdening your IT systems. Here’s how you can go about it.

To keep your e-mail management project at a manageable scope, name a single person as compliance officer (or something similar). This person will be responsible for leading the project, establishing retention schedules and rules, and enforcing the rules. Of course, this person will not work independently from the outset. “To guarantee the success of an e-mail initiative, it is critical to forge a strong partnership between business management, IT, and legal to ensure that the right policies and procedures are put in place and that the technology solution supports them,” says Winkler. IT will be able to discuss integrating the e-mail management system with other document and records management systems, which will streamline the records archive.

E-mail management solutions are not implemented and used in the same manner. Some capture, index, and store e-mail as it comes in directly from a central server, before it gets to a user’s inbox. Other solutions operate as a client on users’ computers; users mark e-mail to be retained as they receive it, and the e-mail is indexed and archived on a central server. For the larger companies subject to SOX compliance, the former method is more appropriate, as it enables better control over what e-mail is retained by not relying on users to determine what to save. Also, the method saves e-mail before users have a chance to modify it, a requirement by the SEC (i.e. records should be stored in their unaltered forms).

Whether you capture e-mail automatically or depend on users to do so, your compliance officer should establish specific keywords that indicate which e-mails should be saved. The keywords are usually in the ‘From,’ ‘To,’ and ‘Subject’ lines and can be as simple as specific executives (e.g. CFO, CEO) and specified accounting and legal firms. Other keywords such as ‘figures,’ ‘transaction,’ and ‘profit,’ will indicate a need to save the e-mail. “Companies need to save e-mail that is relevant to the production of financial reporting,” says Stewart Noyce, senior manager, product marketing, messaging for EMC Software Group. “You can determine the people who are involved in the production of financial reports and what information they would share and communicate with executives at companies.”

While e-mail is the predominant method of business communications, many companies still rely on fax to send documents — documents that can be considered records in an SEC investigation. These documents are unsecured and often end up floating around an office, never to be found when needed. “A fax could wind up sitting in a tray for an hour or more waiting to be delivered,” says Steve Adams, VP of marketing for Protus IP Solutions. “During that time, anyone passing by can pick it up and read it. What if it contains financial information or announces an acquisition that is not supposed to be public knowledge? Companies are at risk for SOX/SEC violations if this happens.”

It is important to establish a way to archive and index faxes as well as e-mail. The easiest way to do this is to convert faxes into electronic documents, and you can then incorporate fax retention into your e-mail management policy. Faxes can be converted into electronic documents in a number of ways. First, a document someone wants to fax can be scanned and turned into a PDF, which can then be e-mailed to the appropriate recipient. Many desktop scanners and MFPs (multifunction peripherals — machines that copy, scan, and fax) have preset functions that allow for direct scanning to e-mail. There are also Internet fax solutions, which allow users to send and receive faxes via e-mail. Once the faxes are in e-mails (either as the e-mail or as an attachment), those communications can be incorporated into your e-mail management solution and saved as needed for SOX compliance.

You can’t risk doing nothing about your e-mail — you know the consequences. And, given the availability of solutions that can help you comply with regulations, you now know how to comply with regulations and avoid negative consequences.