by Geoffrey James

Instant Messaging: Auditing the Chat Line

Sep 15, 20032 mins

You’ve got instant messaging, a.k.a. IM. And the accountants and government regulators may want to take a look at it someday. Especially if you are in the financial services industry, those instant chat missives are subject to the same kinds of document retention rules that govern paper documents and e-mail messages.

In July, the National Association of Security Dealers, or NASD, which regulates dealers who trade on the Nasdaq stock market, issued a notice urging member companies to supervise how they use IM technologies and make their use consistent with e-mail policies. The “lack of formality of instant messaging does not exempt it from the general standards applicable to all forms of communication with the public,” the NASD notes.

Unfortunately, most corporate IM activity relies on consumer-grade products from AOL, MSN and Yahoo—70 percent according to Osterman Research. While such products combine the multitasking of e-mail with the immediacy of a phone call, they lack the tracking and data retention features that the government sometimes requires.

However, that’s simply not acceptable, says Charles Landes, director of the audit and attest standards team at the American Institute of Certified Public Accountants. He says that the SEC has determined criteria for records that must be retained, which can include any electronic records that contain conclusions, opinions, analyses or financial data related to an audit. “If an instant message meets the criteria of the SEC rule, it will have

to be retained,” he insists.

Michael Osterman, president of Osterman Research, says CIOs typically replace consumer-style IM with corporate-grade IM products that provide security and management features, including record retention. There’s also a middle ground for companies whose end users have grown accustomed to consumer IM software: installing add-on IM applications from companies such as Communicator, Endeavors Technology or FaceTime Communications.

Either approach allows IT managers to implement security measures, such as detecting IM usage, gathering statistics, documenting network usage and mapping “buddy name” aliases back to the corporate directory, as well as keeping an auditable record of IM transactions. That could be useful information for the auditors.

Regardless, IM is on its way to ubiquity. An estimated 84 percent of corporations had some users with IM in 2002, and Osterman forecasts that IM will penetrate 99 percent of enterprises by 2007.