Employees using client's email system



  • We have employees whose work has them full-time at the client’s location. In the past, our employees would log in to our client’s network and be given an email account with the client. They had no access to our email system.
    We are now changing our IT model and they will have access to our email system over the web.
    My question: are we open for a SOX violation if our employees continue using our client’s email system? (thinking about data retention, monitoring information dissemination, etc.)
    Should we force our employees to use our email system only?



  • Hi and welcome to the forums 🙂
    I’m thinking that your recent changes might work for you. Below are some ideas for maybe the best of both worlds:

    1. Maybe as a standard these specialists use your company’s email system for standard company communications and their client’s email system for work-related support. It would be more efficient, timely, and secure than messages traveling to/from companies across the Internet. Instead of messages arriving instantly, it might take several minutes to travel across the Internet, replicate in the email topology, be scanned for malware, etc. In fact, as an IT security professional, I would not want business-related email going outside my company’s network (e.g., taking the customer’s point of view).
    2. Equipping these specialists with a 2nd email system for company-specific discussions keeps YOUR sensitive messages from ending up on the customer’s servers (e.g., company announcements, HR policies, sensitive employee communications, etc.).
    3. This may take some getting used to by the specialists, as they now have 2 places to check for email (one for customer work and one for company communications). Still, this process seems like it might meet your needs.
    4. It’s always good to walk these types of changes through with audit to get their blessing.
      I’m not sure of the specifics, and hope some of these ideas may help. EMAIL issues are indeed an interesting challenge from a SOX perspective as they will result in tremendous volume. I’ll try to find one recent post with a lot of links from our recent discussions.
      Good luck and maybe some of our other members have ideas as well.


  • Here’s a copy of a post recently on some of the issues related to email … For the links below, please add www and paste into browser
    General Google Search - note some links promote products but there are also good articles as well
    google.com/search?hl=en-and-lr=-and-q=sox email requirements
    google.com/search?hl=en-and-q=sox email retention
    Great article on SOX email requirements
    s-ox.com/Feature/detail.cfm?articleID=1259
    What every company should know about EMAIL
    s-ox.com/feature/detail.cfm?articleID=580
    SOX ‘socks it’ to EMAIL
    informit.com/articles/article.asp?p=431108-and-seqNum=4-and-rl=1
    SOX email retention is legal Cherynobl
    silicon.com/research/specialreports/compliance/0,3800003180,39130615,00.htm
    SOX email requirements more than meets the eye
    itbusinessedge.com/item/?ci=11827
    A few quotes related to the technological challenge of email retention, which most likely needs more attention than it’s getting in many organizations:
    Enterprises have to comply with multiple laws and regulations: Sarbanes-Oxley for public companies, HIPAA for organizations handling healthcare information, SEC and NASD regulations for securities dealers, and many others. All of them have different requirements, and in some cases those requirements clearly weren’t written with the realities of computer systems administration in mind.
    Today, the vast majority of organizations use email to communicate internally and as a vehicle for the exchange of documents and correspondence between businesses and their outside consultants, accounting firms and audit firms. Since these communications often contain information about business transactions and business decisions, these email communications must be retained in order for an organization to comply with the provisions of Sarbanes-Oxley. Basically, any publicly traded company must follow Sarbanes-Oxley regulations. In addition, private firms that may one day be merged with or acquired by a public company will fall under these regulations as well. It is recommended that all such entities implement a data retention strategy.



  • You need to ask yourself how this could impact internal controls over financial reporting. Email is going to rank very low, if at all, on the list of key controls over financial reporting. If the employer has any obligation to retain email information, it would only be for email passing through its own system. Use of any other email system by employees should not impact a company’s need to retain the messages.



  • Folks,
    I have recreated the most important excerpt from Harry:
    ‘Equipping these specialists with a 2nd email system for company-specific discussions keeps YOUR sensitive messages from ending up on the customer’s servers (e.g., company announcements, HR policies, sensitive employee communications, etc.).’
    This is very important because one of the Big ‘Five’ accounting firms (before the day when accounting firms’ consulting divisions were spun off) was taken to court by its client, where an incompetent and naive consultant (presented to the client as a subject matter expert) was sent to the client and was getting all instructions through the client’s network, which let the client retain this privileged information to win the case against this Big ‘Five’ accounting firm.



  • I agree that this is a good example as to why not to use a client’s email system. However, unless it can have an impact on your financial reporting, it is not a SOX concern.

