Is POP3 Email Compliant?



  • Our company will begin the process of compliance next year, but we are now weighing the options for our email service. Our choices are to have an Exchange server in-house to handle the mail, or to use an external POP3 provider. I have searched through these forums and other resources, but cannot find whether or not POP3 will be compliant once we begin that process. Can anyone confirm? TIA.



  • Hi and welcome to the forums 🙂
    The SOX 404 standards don’t specify email frameworks or other detailed criteria, as the focus is on management control for IT financial systems. POP3 is an acceptable format, and below are a couple of links:
    Please copy to browser and enter www
    google.com/search?hl=en-and-q=Sarbanes-Oxley POP3
    s-ox.com/News/detail.cfm?ArticleID=1421
    SOX has a 7-year retention on financial records and even email, so you may want to weigh this into the decision-making process (esp. if you use an off-site service).
    Email is one of the important software components, and unfortunately a lot of confidential and highly sensitive information is shared in this environment. For example, folks may not be able to tap into the HR server, but what if they could get to a spreadsheet exhibit of salaries from an executive’s mailbox? So, if you use an outside firm, evaluate security controls and encourage message encryption where possible.