Email Compliance for Sarbanes-Oxley
by Thomas Bookwalter, CEO FMDC
The Sarbanes-Oxley Act of 2002 (SOX) and other federal regulations are changing the way businesses think and act with regard to their records. For years, IT records management has focused on Disaster Recovery (DR): records were retained in a form designed to reconstruct entire systems after a failure, and retrieving a few individual records or emails was a secondary concern. When an individual record was needed, the system was reconstructed as of a particular point in time and the record was extracted from it.
As a result of increased regulatory scrutiny and aggressive enforcement, the need to cost-effectively access individual records (particularly email) is changing the way businesses manage records storage and archiving. Recent reports of large corporate fines and executive imprisonment have heightened executive awareness of the need to adequately protect enterprise records and emails, to mitigate risk both to the executives themselves and to the companies they lead.
SOX imposes four fundamental requirements on businesses:
- Implement proper internal controls over financial records and reports
- Proactively search for any incidents of fraud or misconduct (whether or not the acts directly affect the financials)
- Develop written policies and procedures with regard to internal controls
- Inform auditors of the effectiveness of the internal controls and other required processes
Additionally, Section 802 makes tampering with records that relate to the activities of any US government agency a felony punishable by up to 20 years in prison.
Section 802, while not requiring companies to archive and secure their email and other records, creates a potential threat to enterprise value. As a best practice, companies are wise to keep their email and business records in a tamper-proof archive. This prevents individuals from putting the company at risk in a moment of personal desperation. In a recent case, such tampering by just a few employees cost their company over $29 million.
Sadly, no amount of training prevents people from cutting corners, attempting schemes to increase sales, or creating the illusion of success. SOX has made it the responsibility of executive management to track down and eliminate such activity. The primary place that regulators look for evidence is a company's email. As a result, individuals targeted in an investigation often attempt to remove any evidence of their involvement, and email is the first place they delete records. Companies that do not protect their email archives are at risk of being damaged by the selfish acts of desperate people, and their executives are at risk of being seen as co-conspirators.
Protect your company and its executives. Make your email tamper-proof.
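What "tamper-proof" has to mean in practice is tamper-evident: an archive cannot stop an administrator from deleting or editing a message, but it can make any deletion or edit detectable by an auditor. One standard way to do that is to keep a keyed hash chain over the archive index and to hand the current chain head to someone outside the mail-admin role (an auditor, a printed log, a write-once volume). The Python below is an added example written for this page, not code from the author or from FMDC; the archive key, the Message-IDs and the message bodies are constructed for illustration only.

```python
"""Hash-chained, keyed email archive index: deletions and edits become detectable."""
import hashlib
import hmac
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Assumption: this key is held by a custodian (or HSM) outside the mail-admin role.
# Anyone holding it can rebuild a consistent chain, so it must not live on the mail server.
ARCHIVE_KEY = b"example-archive-key-held-by-separate-custodian"
GENESIS = "0" * 64


@dataclass(frozen=True)
class Entry:
    seq: int          # position in the archive; must be contiguous
    message_id: str   # RFC 5322 Message-ID or any stable identifier
    msg_digest: str   # SHA-256 of the raw message bytes
    chain_mac: str    # HMAC over (seq, message_id, msg_digest, previous chain_mac)


def _chain_mac(seq: int, message_id: str, msg_digest: str, prev: str) -> str:
    data = f"{seq}|{message_id}|{msg_digest}|{prev}".encode()
    return hmac.new(ARCHIVE_KEY, data, hashlib.sha256).hexdigest()


def append(index: List[Entry], message_id: str, raw: bytes) -> Entry:
    """Append one message to the index, linking it to the current chain head."""
    prev = index[-1].chain_mac if index else GENESIS
    seq = len(index)
    digest = hashlib.sha256(raw).hexdigest()
    entry = Entry(seq, message_id, digest, _chain_mac(seq, message_id, digest, prev))
    index.append(entry)
    return entry


def verify(index: List[Entry], store: Dict[str, bytes],
           expected_head: Optional[str] = None) -> Tuple[bool, Optional[int], str]:
    """Walk the chain from genesis; return (ok, first_bad_seq, reason)."""
    prev = GENESIS
    for i, e in enumerate(index):
        if e.seq != i:
            return False, i, "sequence gap: an entry was removed"
        raw = store.get(e.message_id)
        if raw is None:
            return False, i, "message body missing from store"
        if hashlib.sha256(raw).hexdigest() != e.msg_digest:
            return False, i, "message body altered"
        if not hmac.compare_digest(_chain_mac(i, e.message_id, e.msg_digest, prev), e.chain_mac):
            return False, i, "chain MAC mismatch: index entry rewritten"
        prev = e.chain_mac
    if expected_head is not None and not hmac.compare_digest(prev, expected_head):
        return False, len(index), "head mismatch: trailing entries removed"
    return True, None, "ok"


# Constructed sample messages, not real mail.
SAMPLE = {
    "<1@corp.example>": b"From: cfo@corp.example\r\nSubject: Q3 numbers\r\n\r\nBook the deal now.\r\n",
    "<2@corp.example>": b"From: sales@corp.example\r\nSubject: Re: Q3 numbers\r\n\r\nContract not signed yet.\r\n",
    "<3@corp.example>": b"From: cfo@corp.example\r\nSubject: Re: Q3 numbers\r\n\r\nBook it anyway.\r\n",
}


def build_archive() -> Tuple[List[Entry], Dict[str, bytes], str]:
    """Ingest the samples; the returned head MAC is what gets anchored outside the archive."""
    index: List[Entry] = []
    store: Dict[str, bytes] = {}
    for mid, raw in SAMPLE.items():
        store[mid] = raw
        append(index, mid, raw)
    return index, store, index[-1].chain_mac


def scenarios() -> Dict[str, str]:
    """Verify the intact archive and three insider tampering attempts; return the verdicts."""
    out: Dict[str, str] = {}
    index, store, head = build_archive()
    out["intact"] = verify(index, store, head)[2]

    # 1. Edit a message body in place, leaving the index alone.
    s = dict(store)
    s["<3@corp.example>"] = s["<3@corp.example>"].replace(b"Book it anyway.", b"Wait for signature.")
    out["edited_body"] = verify(index, s, head)[2]

    # 2. Delete a middle message together with its index entry.
    idx = [e for e in index if e.seq != 1]
    s = {k: v for k, v in store.items() if k != "<2@corp.example>"}
    out["deleted_middle"] = verify(idx, s, head)[2]

    # 3. Delete the most recent message: the chain stays self-consistent,
    #    and only the externally held head exposes the deletion.
    idx = index[:-1]
    s = {k: v for k, v in store.items() if k != "<3@corp.example>"}
    out["deleted_last_no_anchor"] = verify(idx, s)[2]
    out["deleted_last_with_anchor"] = verify(idx, s, head)[2]
    return out


if __name__ == "__main__":
    for name, verdict in scenarios().items():
        print(f"{name:26s} {verdict}")
```

The third scenario is the caveat a practitioner should take from this: truncating the tail of a chain is invisible to the chain itself, so the head must be recorded somewhere the archive administrator cannot reach, and refreshed on a schedule (daily export to the auditor, or a write-once volume). The key has the same property: whoever holds it can rewrite the index consistently, which is why the chain is a complement to write-once storage and separation of duties, not a substitute for them.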
