
Image by Bev Sykes from Flickr
It is nearly impossible to think about corporate audits without thinking of email archive solutions. However, there was a time when organizations took these systems rather lightly – simply as a repository of old documents that could be deleted at any given time, instead of thinking of them as a goldmine of information that could be used for audit and legal purposes.
The Sarbanes-Oxley Act, which was signed in 2002, was conceived in the wake of a series of corporate scandals that hit some of the world’s largest companies, including energy giant Enron and telecommunications leader WorldCom. It is known mostly as a set of regulations governing financial reporting and ethical business practices. However, it is also known as the primary driver behind improvements in document storage, archiving, and security.
Section 802 of the Sarbanes-Oxley Act addresses the issue of document tampering, which was a contributing factor to alleged financial misconduct at Enron and other companies. It imposes a set of penalties on individuals and entities that alter, destroy, conceal, or falsify documents with the end goal of hampering or influencing a legal inquest. It also prescribes fines and/or imprisonment on accountants or auditors who violate certain document retention periods.
How do companies use email archive solutions to remain SOX-compliant? The law includes electronic communications in the term “relevant documents”, especially if they were created during an audit or because of one and if they contain financial data related to such an audit or review. These documents include email, email trails, and file attachments, among others. Sarbanes-Oxley prescribes a five-year retention period for such documents, during which they may not be amended, erased, or otherwise hidden in the system.
Other aspects of document storage include the recording of email audit trails and the encryption of records. Encrypted email archive solutions are of interest here because of the protection they provide against unauthorized access to documents and tampering with records. It is important to note that email archiving also encompasses search and retrieval capabilities, such as e-discovery, and that e-discovery should be completed within a certain period after a company going through an audit or investigation receives a request for specific electronic records.
The subject of document authentication also comes up, particularly for memos, email, and other forms of communication. Methods commonly used to authenticate documents include digital signatures and timestamps. The use of such authentication methods should be tamper-proof, restricted to authorized personnel, and usable only in the context of established business processes; otherwise, SOX auditors might flag that usage as fraudulent. Email archive solutions deployed post-SOX should be equipped to recognize these digital signatures and grant document access only to authorized individuals.
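The two mechanisms the last two paragraphs name, a tamper-evident audit trail and digital signatures with timestamps over archived records, can be demonstrated in a few lines. The following Go program is an added example written for this page; it is not code from the post or from any archiving product. It assumes a simplified record layout (a real archive stores full headers and attachments) and a constructed set of three messages. Each record receives an ingest timestamp, is hash-chained to its predecessor, and is signed with an Ed25519 key held by the archive; the verifier then detects an edited body, a recomputed digest without a valid signature, a backdated timestamp, and a deleted record.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"fmt"
	"time"
)

// ArchivedMessage is a constructed, simplified archive record. ArchivedAt and
// PrevDigest are assigned by the archive at ingest, never by the sender.
type ArchivedMessage struct {
	ID         string `json:"id"`
	From       string `json:"from"`
	To         string `json:"to"`
	Subject    string `json:"subject"`
	Body       string `json:"body"`
	ArchivedAt string `json:"archived_at"` // RFC 3339 UTC ingest timestamp
	PrevDigest string `json:"prev_digest"` // digest of the preceding record (chains the trail)
}

// SealedRecord is what the archive stores: the record, its SHA-256 digest,
// and an Ed25519 signature over that digest made with the archive's key.
type SealedRecord struct {
	Message   ArchivedMessage `json:"message"`
	Digest    string          `json:"digest"`
	Signature string          `json:"signature"`
}

// Clock is the ingest clock, kept as a variable so it can be pinned in tests.
var Clock = time.Now

// NewArchiveKey generates the archive's signing key pair. In production the
// private key would live in an HSM or KMS; verification needs only the public key.
func NewArchiveKey() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

// digestOf hashes the canonical JSON form of a record. encoding/json emits
// struct fields in declaration order, so the encoding is deterministic.
func digestOf(m ArchivedMessage) string {
	b, err := json.Marshal(m)
	if err != nil {
		panic(err)
	}
	sum := sha256.Sum256(b)
	return hex.EncodeToString(sum[:])
}

// SealAll timestamps each message, links it to the previous record's digest,
// and signs it, in ingest order. The first record links to an empty digest.
func SealAll(priv ed25519.PrivateKey, msgs []ArchivedMessage) []SealedRecord {
	out := make([]SealedRecord, 0, len(msgs))
	prev := ""
	for _, m := range msgs {
		m.ArchivedAt = Clock().UTC().Format(time.RFC3339)
		m.PrevDigest = prev
		d := digestOf(m)
		sig := ed25519.Sign(priv, []byte(d))
		out = append(out, SealedRecord{Message: m, Digest: d, Signature: hex.EncodeToString(sig)})
		prev = d
	}
	return out
}

// VerifyChain re-derives every digest, checks every signature, and checks that
// each record links to its predecessor. Any edit, backdating, deletion, or
// reordering produces an error naming the first bad record.
func VerifyChain(pub ed25519.PublicKey, recs []SealedRecord) error {
	prev := ""
	for i, r := range recs {
		if r.Message.PrevDigest != prev {
			return fmt.Errorf("record %d: chain break (record removed or reordered)", i)
		}
		if digestOf(r.Message) != r.Digest {
			return fmt.Errorf("record %d: content or timestamp altered", i)
		}
		sig, err := hex.DecodeString(r.Signature)
		if err != nil || !ed25519.Verify(pub, []byte(r.Digest), sig) {
			return fmt.Errorf("record %d: signature invalid", i)
		}
		prev = r.Digest
	}
	return nil
}

// SampleMessages is constructed input for the demonstration.
func SampleMessages() []ArchivedMessage {
	return []ArchivedMessage{
		{ID: "msg-001", From: "cfo@example.com", To: "auditor@example.com", Subject: "Q3 figures", Body: "Attached are the Q3 numbers."},
		{ID: "msg-002", From: "auditor@example.com", To: "cfo@example.com", Subject: "Re: Q3 figures", Body: "Please confirm the revenue line."},
		{ID: "msg-003", From: "cfo@example.com", To: "auditor@example.com", Subject: "Re: Q3 figures", Body: "Confirmed."},
	}
}

func main() {
	pub, priv := NewArchiveKey()
	trail := SealAll(priv, SampleMessages())
	fmt.Println("intact trail:", VerifyChain(pub, trail))

	edited := append([]SealedRecord(nil), trail...)
	edited[1].Message.Body = "Revenue line revised."
	fmt.Println("edited body:", VerifyChain(pub, edited))

	pruned := []SealedRecord{trail[0], trail[2]} // middle record deleted
	fmt.Println("deleted record:", VerifyChain(pub, pruned))
}
```

The digest covers the ingest timestamp and the link to the previous record, so backdating a message or quietly removing one from the middle of the trail is caught by the same check as editing a body; recomputing the digest after an edit does not help without the archive's private key, which is why that key, and not the archive database, is the asset to protect.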
If an organization uses email archive solutions that do not comply with the requirements of the Sarbanes-Oxley Act, it might fail audits or reviews and be suspected of conducting business improperly. Therefore, to ensure compliance with the law, external auditors and compliance leads should be involved in the planning and implementation of email archiving systems.