Michigan Association of CPAs - Business Edge - Inside Technology
June 22, 2005
Volume 2, No. 13
What Every Company Should Know About E-Mail

By Mike Gundling

{Editor’s note: This article was adapted from the February 18, 2005 issue of Compliance Journal.}

Just when you thought you couldn’t possibly fit anything else on your compliance plate, e-mail management has emerged as a critical regulatory issue.

One of the fundamental regulations laid out by the Sarbanes-Oxley Act (SOX) requires businesses to demonstrate effective corporate governance and information management controls. E-mail has undoubtedly become the de facto method of business communication, as well as the most critical source of information for almost every large business; this makes e-mail management a crucial element of SOX compliance.

Yes, e-mail management seems like a daunting task, especially when considering the sheer volume of e-mails exchanged among enterprises. Research from the Radicati Group, Inc. shows that the average corporate e-mail user sends or receives 84 e-mails daily. This is the equivalent of 10 MB of storage per day. This number is expected to rise to 15.8 MB per user, per day by 2008. Although these figures may be overwhelming, e-mail archiving and management are necessary, unavoidable components of complying with SOX regulations.

Impact of Sarbanes-Oxley
Numerous sections of the SOX discuss communications and retention management. For example, Sections 103(a) and 801(a) require public companies and registered public accounting firms to maintain audit work papers; documents that form the basis of an audit or review; and all information supporting conclusions for seven years. Clearly, e-mail communications related to audit work papers and financial controls fall into this category. Other sections of SOX use broader language. Section 104(a) states that the Public Company Accounting Board has the option to broaden the range of types of records that accounting firms must maintain.

For some firms, saving every e-mail means backing up an entire e-mail system on a daily basis. Many companies already protect themselves from data loss by storing e-mail on a separate storage device, usually a tape library for large systems; and some attempt to extend these systems for compliance purposes. Tape backup systems are entirely inadequate, however, because of the time and expense required to extract e-mail from enormous volumes of undifferentiated backup tape. In most instances, companies that rely on this method are unknowingly violating sections of SOX that require them to establish a “timely” method for retrieving and producing this information. As a result, the concept of active e-mail archiving has emerged.

Simply storing millions of e-mail messages on an interactive storage media consumes expensive storage space without providing a solution. Active e-mail archiving involves storing e-mail in an “active” manner so that it is not only readily accessible, but also easily integrated with applications that provide powerful searching and management capabilities. Without active e-mail archiving, trying to find e-mails among a vast archive is the equivalent of trying to find a needle in a haystack. Remember when politicians criticized the amount of time it took the White House to retrieve e-mails during the investigation of the media’s naming of a CIA agent? These politicians called it a “delay tactic,” but in truth, extracting e-mail from backup storage at the White House—or at any organization—is nearly impossible without the right tools.

So how does a company integrate an effective solution to deal with the e-mail management regulations set forth by SOX? Actively archiving e-mails to comply with regulations is not a new concept. The SEC, for example, has long required that financial institutions retain e-mail exchanges. SEC Rule 17a-4 states that financial institutions must preserve all electronic records exclusively in a non-rewritable and non-erasable format. Additional rules require that the SEC be able to review specific communications upon request.

To ensure SEC compliance, financial institutions deploy message management solutions that support their compliance policies regarding message archival, retention, supervision, mail storage management, discovery and litigation support. Similarly, these types of solutions can be implemented by companies in other industries that are facing SOX deadlines. Before a solution can be put in place, however, corporate compliance policies must be established.

Establishing Policies for Compliance
An effective policy must take into account the relevant technology and business factors associated with compliance. For example, simply setting a policy under which every e-mail ever sent or received in the enterprise is stored may not be efficient. Many e-mail messages may not be relevant for compliance, including personal e-mail and spam messages. Within an archive, these messages take up costly storage space and impact the efficiency of the overall e-mail system.

Policies must also take into account the unique factors and regulatory frameworks associated with different lines of business and departments. For example, a company might establish an enterprise-wide policy that any messages exchanged between an entity and a third party will be archived, regardless of content. It is prudent to establish such policies for third parties, such as consulting and accounting firms, because they still have access to and influence over information germane to SOX.

Only after a comprehensive compliance policy is put in place does it make sense to implement a solution that flexibly supports this policy. This flexibility could include the ability to retain e-mails between specific groups of people—internally or externally—or messages sent to a specific person. For example, a company can customize the solution to archive any e-mails sent to C-level executives. The company may also choose to save e-mails sent between executives and the Board of Directors, while choosing not to archive messages exchanged among junior level individuals (excluding, perhaps, the employees in the finance department).

Of course, retaining e-mails is only useful if you can find the archived messages when needed. Section 105(b) of SOX (Investigations and Disciplinary Proceedings; Investigations; Use of Documents) states that any client of a public accounting firm may be required to produce documents related to audits or investigations. The core concept of an active e-mail archive is to find, organize and produce archived messages. Effective e-mail management solutions also need discovery and litigation tools for quickly and efficiently searching the archive—regardless of volume or size—for pertinent messages. They should also offer the ability to automatically categorize messages according to content or flag messages that contain information under the attorney-client privilege. These features are valuable for refining what does and does not have to be turned over, which can prove critical to successful litigation and regulatory outcomes.

Effective e-mail management solutions enable companies to take a proactive approach to compliance. Monitoring capabilities allow any message to be flagged for review by company officials, and can even stop delivery of messages based on content. Messages containing certain “danger” words or phrases—such as those related to a public company’s performance—will not be delivered until they are properly reviewed and authorized.
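The two mechanisms described above (group- and recipient-based archiving rules, and holding messages that contain flagged phrases about company performance) can be expressed as a small, ordered policy. The following Python is an added example for this article, not code from iLumin or any product; the domain, mailboxes, department lists and "danger" phrases are all constructed here for illustration.

```python
import re
from dataclasses import dataclass

# All names, addresses and phrases below are constructed for this example.
INTERNAL_DOMAIN = "example.com"
EXECUTIVES = {"ceo@example.com", "cfo@example.com"}
BOARD = {"chair@example.com", "director1@example.com"}
FINANCE = {"controller@example.com", "ap-clerk@example.com"}
# Phrases about a public company's performance; a match holds delivery for review.
HOLD_PATTERNS = [r"\bearnings (guidance|forecast)\b",
                 r"\bquarterly revenue\b",
                 r"\bmaterial weakness\b"]


@dataclass
class Message:
    sender: str
    recipients: list
    subject: str
    body: str

    def parties(self):
        return {self.sender.lower()} | {r.lower() for r in self.recipients}


def is_external(addr):
    return not addr.lower().endswith("@" + INTERNAL_DOMAIN)


def classify(msg):
    """Return (disposition, reason). 'hold' stops delivery pending review,
    'archive' retains the message, 'skip' delivers it without archiving.
    Rules are evaluated in order; the first match wins."""
    text = msg.subject + "\n" + msg.body
    for pat in HOLD_PATTERNS:
        hit = re.search(pat, text, re.IGNORECASE)
        if hit:
            return "hold", "flagged phrase: " + hit.group(0)
    parties = msg.parties()
    if any(is_external(p) for p in parties):
        return "archive", "exchange with a third party"
    if {r.lower() for r in msg.recipients} & EXECUTIVES:
        return "archive", "sent to a C-level executive"
    if (parties & EXECUTIVES) and (parties & BOARD):
        return "archive", "between an executive and the Board"
    if parties & FINANCE:
        return "archive", "involves the finance department"
    return "skip", "internal message among non-covered staff"


if __name__ == "__main__":
    sample = Message("analyst@example.com", ["cfo@example.com"],
                     "Q2 numbers", "Attached are the quarterly revenue figures.")
    print(classify(sample))
```

Because the hold check runs before the archiving rules, a message that is later released by a reviewer should be passed through `classify` again so the retention decision is still recorded.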

Implementing an e-mail management solution is an enterprise-wide IT decision. E-mail touches every person and department within an organization, and it is becoming more critical to business processes. Developing requirements for any e-mail management solution for SOX compliance should involve IT executives, Chief Information Officers, lawyers, outside consultants, the CEO, and, of course, the Chief Compliance Officer.

Everyone in the corporate world knows that SOX violations will have drastic consequences for firms and individuals. Fortunately, to comply with the regulation’s information management standards, corporations can look to best practices and software solutions that have already been proven in the field by many organizations in highly regulated vertical industries.

About the Author
Mike Gundling is the vice president of product management at iLumin Software Services, a leading email management solutions provider located in Reston, VA. Mike can be reached at mgundling@ilumin.com.

5480 Corporate Drive, Suite 200, Troy, MI 48098 Phone: 248.267.3700 Fax: 248.267.3737 E-mail: businessedge@michcpa.org