In the past week, I've read 3 distinct stories about SarbOx compliance and the use of instant messaging in the enterprise. From what I can tell, all of the IT hubbub is around section 404. I can't for the life of me imagine a situation where IM would fall under this rule.
In general, issuers are required to publish information in their annual reports concerning the scope and adequacy of the internal control structure and procedures for financial reporting.
The registered accounting firm shall, in the same report, attest to and report on the assessment on the effectiveness of the internal control structure and procedures for financial reporting.
On its face, maybe you could construe the meaning of "system of internal control" to include everything that the company does to conduct business. It is my opinion that this interpretation goes far beyond what the intent of the crafters of this legislation was.
In the late 80s or early 90s, the accounting profession changed its rules regarding the audit engagement. Prior to that point, each audit required an opinion on the adequacy of the company's internal control systems. I feel that the intent of this law was to put that part of the audit back in place.
In that system, the system of internal control was concerned with the nature of recording accounting transactions. It was based on the concept that a strong internal control system required that the custody of assets, the authorization of transactions and the recordation of transactions be vested in separate individuals in the company. This is a strong method for combating internal fraud since it forces 2 or 3 people to collude to defraud either the company or its stockholders. This is obviously a laudable goal of any responsible company.
So, how does instant messaging, or even email, fall under this rule? It seems like it would be crazy to require the use of either of these pieces of technology as part of your system for recording financial transactions. I would certainly be uncomfortable accepting transactional authorization through instant messaging. I would either want a real signature on a source document, or an archived electronic document with an electronic signature.
It seems to me that there is actually a pretty good argument for outsourcing both types of technology as employee empowerment tools. By bringing those systems in house and logging all activity, you're now subjecting those records to being subpoenaed. While that certainly has some legal ramifications, it still appears to be outside the scope of SarbOx. So, in effect, the enterprise has actually increased its liability by bringing these systems in house.
I think that the SarbOx compliance industry is banking on people not actually reading and understanding the context of the law in order to sell more services into the enterprise.
If you look at the technology as just alternate methods of facilitating employee communication and collaboration, it seems like the compliance thoughts are misplaced. How many companies record all phone conversations, or even water cooler conversations? I doubt anybody would claim that your conversations with your coworkers in the restroom are the property of the corporation. It just seems ridiculous that other methods of communication are not treated the same way.
I've also read about the disproportionately high compliance expenses incurred by smaller corporations (although even small corporations covered by SarbOx would be considered large corporations by almost any standard). This is due primarily to the heavy hand of government imposing the internal control standards equally across the board. In the pre-deregulation days of the public accounting method of studying internal control systems, the study was always able to make judicious use of the materiality principle. In essence, if a failure of the specific internal control system would not lead to a material misstatement on the company's financial statements, some allowance could be made for simply not having enough people to separate all three parts of the control structure in certain places. Unfortunately, the law doesn't take company size into account or the materiality principle.
It is my understanding that there is some movement in Congress to address some of the size issues. I don't know the nature of the proposed amendments or the chances of them passing. I hope they offer some clarification on some of these issues.
So, when your company tells you that they need to bring IM in house because of SarbOx, ask them what exactly it is they are complying with. Make sure you tell me, because I'd really like to know.
Personally, I think it's just another questionable sales practice being perpetrated in order to dig into your privacy even more. Unfortunately, there is almost no law in the US regarding workplace privacy. Some states have taken on some of this, but it's a sparse patchwork at best. Maybe it's time the country got serious about protecting our privacy a bit more.