Reporting/logging on Email System User Access 1086



  • I wanted to know if logging and reporting on user access to an email system is required by sox?
    If so, do vendors supply tools to do so, since most companies have email systems? We already log/report on network access and the ERP system. I dont see where email access is a material weakness.
    I know email retention is another story.
    Thanks,



  • it depends whether you consider your email system in scope for SOX (IT general computing controls). If it is in scope, then are these controls (logging and reporting on user access for the email system) KEY?
    For example, at my current client we have scoped out the email system because it does not have an impact on financial reporting and it is not considered to be a critical system. That doesn’t mean that if email system had an outage it wouldn’t stop productivity or be painful because it would. We are just saying that outage would not impact our ability to produce accurate and complete financial statements.



  • The short answer is no. The longer answer is it depends, but probably not.
    Generally email systems are not used to process financial transaction - although they may form part of the evidenciary environment. IT applications only come into scope for SOX when you are relying on automated controls within that application - and this would be very rare for email.



  • There are also different laws about reading employees mail, I.e. in Norway you need special permission from one of the government ‘agencyes’



  • Thanks for all the feedback, its good see other views on this topic…


Log in to reply