In-Depth

Missing from SOX Compliance Efforts: IM Audits, Archives

With the November 15 deadline looming for many organizations, many companies still don’t have a plan for auditing and archiving instant messages.

• By Mathew Schwartz
• 11/03/2004

Many security administrators have one date this month circled in bright red on their calendars: November 15. That's because under Section 404 of Sarbanes-Oxley (SOX), public companies with a fiscal year ending on or after that date, and that have a market capitalization of more than $75 million, must attest to the effectiveness of internal controls and audit processes. (Smaller and foreign companies covered by SOX won’t have to do this until July 15, 2005.)

For many organizations, that means it’s Sarbanes-Oxley show time.

Yet with the deadline in sight, and companies readying their annual 10-K reports for the Securities and Exchange Commission (SEC), many companies still don’t have a plan for auditing instant messaging (IM). According to Giga Information Group, less than one in 10 organizations use enterprise-grade IM capable of encrypting and retaining logs of all messages. For many organizations, IM use still occurs outside the aegis of the IT department.

Yet use of IM in the enterprise is now a well-documented fact: Osterman Research says over 90 percent of business users rely upon IM. By 2006, predicts Gartner, more communications will be conducted over IM than over e-mail.

Hence companies might want to rethink their IM stance. “Firms have deferred institutionalizing IM [for] long enough. Widespread rogue IM adoption and regulations like Sarbanes-Oxley make further delay a recipe for disaster,” says Nate Root, an analyst at Forrester Research. Especially where Sarbanes-Oxley is concerned, “Section 404 mandates annual review of firms’ internal systems to ensure that financial data is accurately communicated and reported. To perform a credible audit, firms need to store pertinent communications securely—including IMs.”

Of course, IM auditing is but one item on the long Sarbanes-Oxley “to do” list, and according to Financial Executives International (FEI), a professional organization for senior financial executives, the cost of complying with SOX continues to rise. In a recent survey of 224 public companies with average revenues of $2.5 billion, it found estimates for dealing with Sarbanes-Oxley jumped 62 percent from the beginning of this year—from $1.9 million to $3.1 million—principally because auditing standards hadn’t been finalized, meaning audit firms didn’t have cost estimates for clients. The new cost estimates result from rising internal costs (up 109 percent), external costs (up 42 percent), and external auditors’ fees (up 40 percent).

With rising internal costs, not quite everything will be done by the deadline. In fact, FEI found “companies are documenting internal controls for 92 percent of total revenue,” with the remainder obviously still to come.

Some industries, of course, will largely move into Sarbanes-Oxley compliance with all IM controls well documented. For industries regulated by the National Association of Securities Dealers, the New York Stock Exchange, or the SEC, for example, some IM monitoring is already mandatory.

Others may want to take a page from the financial playbook. According to a report issued by IM vendor Akonix Systems, “under SOX the safest approach is to … ensure that IM comes under the same compliance controls as e-mail.” In short: keep a copy of all IM communications.

Akonix recommends a three-step strategy to IM compliance: assess current IM use in the organization, develop policies for approved IM use, then use technology to enforce those policies, and audit effectiveness.

“There is no reason any company needs to accept the risk of SOX non-compliance due to unknown or uncontrolled IM communications,” notes Peter Shaw, CEO of Akonix. With a Sarbanes-Oxley deadline looming, it would also be one less internal control still to document.

Related Articles:

Best Practices: IM Monitoring
http://www.esj.com/news/article.aspx?EditorialsID=1124

Rethinking Security/Network Boundaries
http://esj.com/news/article.asp?editorialsId=1024