September 2007

Conducting Effective Audits of Messaging Systems

Proper access controls, system documentation, and disaster recovery plans are some of the items auditors need to examine during reviews of messaging systems.

Ike Ugochuku
TLK Enterprise

In many organizations throughout the world, messaging systems are considered a critical corporate asset. Losing e-mail access for only a few hours can hurt productivity significantly or, worse, cause real financial losses. In addition, electronic evidence now plays a major role in regulatory investigations and court cases. Because of this criticality, messaging systems need to be audited regularly and thoroughly to ensure that proper controls are in place. Besides reviewing the effectiveness of existing access controls, e-mail archiving tools, and antivirus safeguards, auditors need to pay close attention to their organization's control documentation, system monitoring alerts, storage size limits, and disaster recovery controls.


When auditing a messaging system, auditors first need to review the system's documentation. For instance, any software or hardware addition to the messaging system requires its own set of policies that state how the software or hardware is to be implemented, maintained, and updated. IT departments also need to log any changes made to the system, define expected operational standards, and document the messaging system's configurations and operational guidelines. Furthermore, the documentation of the messaging system's architecture needs to show the connections among different internal components, the systems that interface with them, and the message flow. As a result, audits of messaging system documentation should verify the existence and effectiveness of the following items:

  • Standards adopted from different regulatory frameworks or industry best practices as stated in the architecture document.
  • Installation documents that indicate how to set up new system components.
  • Standard operating procedures (SOPs) that specify how to make changes to the messaging system and troubleshoot problems.
  • Any documentation on how tools interface with the messaging system, such as spam filters, antivirus software, and compliance monitoring software.

During the audit, auditors should identify whether the documents mentioned above accurately reflect what is currently installed and configured in the company's IT infrastructure. Auditors also need to review each document section, such as the architecture diagram in the design document, the configuration section in the installation document, or the daily task section in the SOP document. Next, auditors should compare the organization's documents of the messaging system with best practice recommendations and identify whether the mail administrator has a process for maintaining the accuracy of the messaging system's documentation.


Because messaging is a critical component of business communications, organizations need an active monitoring system to alert e-mail administrators of any system failures or changes. Failures are likely because a messaging system often consists of complex connections among separately hosted components. For example, mailboxes may be on one server, the mail transfer components on another server, and the e-mail directory on a third server. Each of these components is a potential bottleneck that can cause an e-mail communication breakdown. Therefore, both the infrastructure hosting the messaging system and the operation of the messaging application itself should be monitored. Auditors should keep in mind that some messaging applications are integrated into the infrastructure system, so the mail administrator has to monitor both.

The message flow and communication between these messaging components should be monitored as well. Thresholds should be defined based on performance benchmark tests and the service-level agreement (SLA) established between the IT department and the business unit it supports. Consequently, auditors need to identify whether the alert monitoring system detects all system failures. If possible, the mail administrator should test the alerting system during non-business hours in the presence of the auditor by manually bringing down a component and observing the reaction of the alert system. During the test, the auditor should check if the alert system monitors the application event log for any errors or notable warnings.

For messaging applications that are integrated into the IT infrastructure, auditors should identify whether the event logs of the infrastructure are also monitored for messaging-related events. The e-mail administrator can tell the auditor which events need to be monitored; usually this is based on vendor documentation and past experience. In addition, the auditor should review how the alert system notifies messaging personnel of exceptions (e.g., is there only one method of notification? Is e-mail used to notify administrators? What happens if the e-mail system itself is down?).

Finally, auditors need to verify that a defined escalation procedure exists and whether severity levels are defined (e.g., at what point is the IT help desk or management alerted to a problem?). Examining incident logs will enable the auditor to determine if the escalation procedure was followed. Auditors also should verify whether the mail administrator produces a periodic metrics report on the effectiveness of the alert system.


Companies that retain only what they back up from the messaging servers at the end of the day are in danger of omitting e-mail that may be required to research business issues or e-mail that can be used in future legal proceedings. Because many users move e-mail from the messaging system into local mail storage files, users need to place these files on the network so that they can be backed up regularly. As a result, auditors need to verify whether mail administrators are communicating this requirement to e-mail users. Files kept on a user's home computer, however, are not the mail administrator's responsibility; the user must copy them to removable media and bring them to the mail administrator for backup. Remote users with corporate laptops should be asked to bring their laptops in regularly for backup.

Messaging systems are not data storage tools; they are a communication medium. Storage limits can be set on the messaging system to control costs, because mailbox size drives maintenance cost (e.g., the larger the mailboxes, the more difficult it is to manage and restore the messaging infrastructure).

As part of their work, auditors should first examine the messaging system's configuration to determine if a mailbox size limit is set and ask network administrators how that limit was determined. Auditors can then review the effectiveness of the company's attempt to enforce the size limit policy, such as preventing users from sending e-mail once they reach their mailbox limit. Because mailbox sizes affect the server's backup and restoration time, storage size limits should depend on the server's backup and restoration SLA. If there is no SLA, size limits should depend on the tested acceptable time for conducting backup and restoration activities. For example, a large server may take 12 hours to back up and 20 hours to restore. Therefore, the company must decide how much system downtime is acceptable without seriously affecting business operations.


Shared messaging components, also known as groupware, may pose a security threat because their infrastructure allows more than one user to read and post data, much like a bulletin board. As a result, it may be difficult to track who has read an e-mail message or if the information shared is restricted. To mitigate groupware risks, auditors need to identify whether the guidelines and procedures for configuring the shared messaging system are the same as those for the mailbox.

In addition, the organization should have an enforced size limit for the shared system, so that it cannot be used as a data store, and a policy that identifies how confidential or restricted data will be mailed, stored, and discarded. A periodic review of the access rights of the shared system can verify that the rights granted are still accurate and that data owners are participating in the review.


Following a disaster, the messaging system is typically the first system an organization needs to have up and running after its critical business applications. To help organizations accomplish this, auditors should examine the company's disaster recovery plan and determine the role messaging systems have in restoring normal business operations. The mail administrator should provide the auditor with a documented and tested disaster recovery plan for the messaging system so that the auditor can determine if it was developed in coordination with the business continuity plan.

Once the auditor obtains the disaster recovery plan, he or she should look for the following issues:

  • Will the company perform a warm recovery (i.e., the use of servers that were configured and running before the disaster) or cold recovery (i.e., the use of servers that are built after the disaster)?
  • If the company will perform a warm recovery, will it be on an infrastructure-warm server (i.e., the servers hosting the operating systems are configured and running prior to the disaster) or will the IT department use an application-warm server (i.e., the application server is configured and running prior to the disaster)?
  • If it is an application-warm server, is there an active replication process between the production servers and the disaster recovery server?
  • If there isn't an active replication process, are the data center location and capacity design of the mail servers appropriate? For example, if a server can normally handle 2,000 mailboxes, it may have a production limit of 1,000 users. There also may be a similar server in another state that has a production limit of 1,000 users, and each is a warm-recovery server for the other. For companies that perform a cold recovery, the auditor should find out if there is a leased location and if data backups are regularly transported to this location.


E-mail encryption is crucial to organizational security, especially for messages sent over the Internet. Some organizations require that sensitive internal communications be encrypted (e.g., legal information falling under attorney-client privilege), while many e-mail best practices dictate that messages containing restricted data should be encrypted. Consequently, data classification policies should determine which e-mails need to be encrypted before they are sent. The encryption level for different data classifications should be stated in the company's information security policy, and auditors should examine the company's documented security standards to make sure that e-mail classification activities follow established guidelines. Finally, auditors should test the encryption software to verify that e-mail messages are being encrypted.
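The last sentence above asks the auditor to verify that classified messages actually leave the system encrypted. One check that does not depend on any particular encryption product is to inspect the MIME structure of sampled messages: an S/MIME enveloped message carries `application/pkcs7-mime; smime-type=enveloped-data`, a PGP/MIME message carries `multipart/encrypted; protocol="application/pgp-encrypted"`, while a `multipart/signed` message is signed but still readable, a distinction auditors often miss. The script below is an added example written for this page, not code from the article or from any vendor; the sample messages are constructed, and the `X-Classification` header and its label values are an assumption standing in for whatever classification marking the organization actually uses.

```python
from email import message_from_string

# Hypothetical classification header and labels; substitute the organization's own scheme.
CLASSIFICATION_HEADER = "X-Classification"
CLASSES_REQUIRING_ENCRYPTION = {"restricted", "privileged"}
ENCRYPTED_STATES = {"smime-enveloped", "pgp-mime"}

# Constructed sample messages (not real traffic); bodies are truncated placeholders.
SMIME_MSG = """\
Message-ID: <1@corp.example>
From: counsel@corp.example
To: cfo@corp.example
Subject: litigation hold
X-Classification: Privileged
MIME-Version: 1.0
Content-Type: application/pkcs7-mime; smime-type=enveloped-data; name="smime.p7m"
Content-Transfer-Encoding: base64

MIAGCSqGSIb3DQEHA6CAMIACAQAxggE=
"""

PGP_MSG = """\
Message-ID: <2@corp.example>
From: alice@corp.example
To: bob@partner.example
Subject: quarterly figures
X-Classification: Restricted
MIME-Version: 1.0
Content-Type: multipart/encrypted; protocol="application/pgp-encrypted"; boundary="b1"

--b1
Content-Type: application/pgp-encrypted

Version: 1

--b1
Content-Type: application/octet-stream

-----BEGIN PGP MESSAGE-----
hQEMA0n0000000000000
-----END PGP MESSAGE-----
--b1--
"""

SIGNED_ONLY_MSG = """\
Message-ID: <3@corp.example>
From: alice@corp.example
To: carol@corp.example
Subject: board minutes
X-Classification: Restricted
MIME-Version: 1.0
Content-Type: multipart/signed; protocol="application/pkcs7-signature"; micalg=sha-256; boundary="s1"

--s1
Content-Type: text/plain

Minutes attached in clear text.
--s1
Content-Type: application/pkcs7-signature; name="smime.p7s"
Content-Transfer-Encoding: base64

MIAGCSqGSIb3DQEHAqCAMIACAQExDzANBglghkgBZQMEAgEFAA==
--s1--
"""

PLAIN_RESTRICTED_MSG = """\
Message-ID: <4@corp.example>
From: dave@corp.example
To: bob@partner.example
Subject: customer list
X-Classification: Restricted
MIME-Version: 1.0
Content-Type: text/plain

Here is the full list.
"""

PLAIN_INTERNAL_MSG = """\
Message-ID: <5@corp.example>
From: dave@corp.example
To: alice@corp.example
Subject: lunch
X-Classification: Internal
MIME-Version: 1.0
Content-Type: text/plain

Noon?
"""

SAMPLES = [SMIME_MSG, PGP_MSG, SIGNED_ONLY_MSG, PLAIN_RESTRICTED_MSG, PLAIN_INTERNAL_MSG]


def encryption_state(raw: str) -> str:
    """Classify a raw RFC 822 message by what its MIME structure proves about encryption."""
    msg = message_from_string(raw)
    ctype = msg.get_content_type()  # normalized to lowercase "type/subtype"
    if ctype in ("application/pkcs7-mime", "application/x-pkcs7-mime"):
        smime_type = (msg.get_param("smime-type") or "").lower()
        if smime_type == "enveloped-data":
            return "smime-enveloped"      # body is ciphertext
        if smime_type == "signed-data":
            return "signed-only"          # opaque signature, content still readable
        return "smime-unknown"
    if ctype == "multipart/encrypted":
        proto = (msg.get_param("protocol") or "").lower()
        return "pgp-mime" if proto == "application/pgp-encrypted" else "encrypted-other"
    if ctype == "multipart/signed":
        return "signed-only"              # integrity only, no confidentiality
    return "none"


def requires_encryption(raw: str) -> bool:
    """Policy hook: does the (assumed) classification label demand encryption?"""
    label = (message_from_string(raw).get(CLASSIFICATION_HEADER) or "").strip().lower()
    return label in CLASSES_REQUIRING_ENCRYPTION


def audit_messages(raw_messages):
    """Return (Message-ID, encryption state, verdict) for each sampled message."""
    results = []
    for raw in raw_messages:
        state = encryption_state(raw)
        violation = requires_encryption(raw) and state not in ENCRYPTED_STATES
        results.append((message_from_string(raw).get("Message-ID"), state, "violation" if violation else "ok"))
    return results


if __name__ == "__main__":
    for mid, state, verdict in audit_messages(SAMPLES):
        print(f"{mid:<20} {state:<16} {verdict}")
```

Run it against a sample pulled from the journal or archive rather than from the sending client: the point of the test is what left the server, not what the client intended to send. The check only covers message-level encryption; transport encryption between servers is a separate control and is invisible in the stored message.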


A distribution list (DL) — an object in the e-mail directory that can be used to send an e-mail to several users — is a way of sharing information with multiple users and, therefore, faces the same security risks as the shared messaging system. One way to secure distribution lists is by creating and establishing guidelines that govern their creation and maintenance. During the review process, mail administrators should provide auditors documented guidelines that describe the DL management process. Issues that should be covered in the document include:

  • How are large DLs managed? Generally, as DLs grow in size, the messaging system has a harder time managing them. This is because each name in the DL has to be matched to an e-mail address, and this may take a considerable amount of time if there are 10,000 names on the list.
  • How are DLs created? DLs should be created after a formal request is made that outlines their business justification, owner, and start and end dates. As a best practice, DLs should have one primary owner, and this person should be the only one allowed to make changes to it.
  • How are requests to change DL memberships handled? All requests to be added to or removed from a DL should be sent to the owner.
  • Is the DL reviewed? Periodic reviews with the DL owner should confirm that the DL is still in use and that its membership is still appropriate.


Messaging applications (i.e., applications that use the messaging system to receive or send data) pose a risk to organizations because a software malfunction can cause a sudden surge in e-mail volume that stops regular mail flow. Access to the messaging system by such applications must therefore be controlled, since it is a path into the messaging system that the network administrator does not directly control. As part of the audit, the network administrator needs to provide auditors with the company's documented procedure for handling messaging applications. When reviewing the document, the auditor should look for the following:

  • How are access requests from applications owners handled? There should be a formal request from the application owner to the network administrator stating the business justification for using the messaging system, the expected traffic volume, the purpose of the application, and the relationship of the messaging system and the application (e.g., is the application used for data input into the messaging system or data output?).
  • Is the traffic of the applications segregated? Where possible, application traffic should be segregated so it doesn't affect the normal traffic flow of the business in the event of an application malfunction.
  • Is there a different SLA for the application's mail traffic? The SLA for applications may be different from the normal SLA. For instance, a fax application that uses the e-mail system to send the fax may require an SLA mail delivery of five minutes on average, while the regular SLA is 15 minutes.
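The monitoring section above says thresholds should come from the SLA, and the last item here says application traffic may carry a tighter SLA than regular mail (five minutes versus 15 in the article's example). An auditor can test both claims against the mail server's own logs: correlate each message's queue entry with its delivery line, compute the latency, and compare it with the SLA for that traffic class. The script below is an added example written for this page, not code from the article or from any mail product. The log lines are constructed and only loosely modelled on Postfix's `qmgr`/`smtp` logging; the year (syslog lines carry none), the `corp.example` addresses and the set of application senders are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed, syslog-style lines loosely modelled on Postfix qmgr/smtp logging.
# Illustrative only; not captured from any real system.
SAMPLE_LOG = """\
Sep 12 09:00:01 mx1 postfix/qmgr[2101]: A1B2C3: from=<fax-gw@corp.example>, size=18320, nrcpt=1 (queue active)
Sep 12 09:02:30 mx1 postfix/smtp[2210]: A1B2C3: to=<fax@corp.example>, relay=mbx1.corp.example[10.0.0.5]:25, status=sent (250 Ok)
Sep 12 09:05:00 mx1 postfix/qmgr[2101]: B2C3D4: from=<fax-gw@corp.example>, size=22100, nrcpt=1 (queue active)
Sep 12 09:13:10 mx1 postfix/smtp[2210]: B2C3D4: to=<fax@corp.example>, relay=mbx1.corp.example[10.0.0.5]:25, status=sent (250 Ok)
Sep 12 09:10:00 mx1 postfix/qmgr[2101]: C3D4E5: from=<alice@corp.example>, size=4100, nrcpt=1 (queue active)
Sep 12 09:12:00 mx1 postfix/smtp[2210]: C3D4E5: to=<bob@corp.example>, relay=mbx1.corp.example[10.0.0.5]:25, status=sent (250 Ok)
Sep 12 09:20:00 mx1 postfix/qmgr[2101]: D4E5F6: from=<bob@corp.example>, size=9800, nrcpt=1 (queue active)
Sep 12 09:41:00 mx1 postfix/smtp[2210]: D4E5F6: to=<carol@corp.example>, relay=mbx2.corp.example[10.0.0.6]:25, status=sent (250 Ok)
Sep 12 09:30:00 mx1 postfix/qmgr[2101]: E5F6A7: from=<alice@corp.example>, size=5100, nrcpt=1 (queue active)
Sep 12 09:47:00 mx1 postfix/smtp[2210]: E5F6A7: to=<dave@corp.example>, relay=none, status=deferred (connect to mbx2.corp.example[10.0.0.6]:25: Connection timed out)
"""

# SLA per traffic class in seconds, following the article's 5-minute / 15-minute example.
SLA_SECONDS = {"application": 300, "regular": 900}

# Assumed: senders that belong to messaging applications (here, a fax gateway).
APPLICATION_SENDERS = {"fax-gw@corp.example"}

LOG_YEAR = 2007  # syslog timestamps carry no year; assumed for the constructed sample

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ postfix/(?P<prog>\w+)\[\d+\]: "
    r"(?P<qid>[0-9A-F]+): (?P<rest>.*)$"
)
FROM_RE = re.compile(r"from=<(?P<addr>[^>]*)>")
STATUS_RE = re.compile(r"status=(?P<status>\w+)")
DELIVERY_AGENTS = {"smtp", "lmtp", "local", "virtual", "pipe"}


def parse_ts(ts: str) -> datetime:
    return datetime.strptime(f"{LOG_YEAR} {ts}", "%Y %b %d %H:%M:%S")


def parse_log(text: str) -> dict:
    """Correlate lines by queue ID into one record per message."""
    msgs = defaultdict(lambda: {"sender": None, "queued": None, "delivered": None,
                                "status": None, "last_seen": None})
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unrelated daemon or malformed line
        ts = parse_ts(m["ts"])
        rec = msgs[m["qid"]]
        rec["last_seen"] = ts
        if m["prog"] == "qmgr" and "queue active" in m["rest"]:
            rec["queued"] = ts
            f = FROM_RE.search(m["rest"])
            rec["sender"] = f["addr"] if f else None
        elif m["prog"] in DELIVERY_AGENTS:
            s = STATUS_RE.search(m["rest"])
            if s:
                rec["status"] = s["status"]
                if s["status"] == "sent":
                    rec["delivered"] = ts
    return dict(msgs)


def traffic_class(sender) -> str:
    return "application" if sender in APPLICATION_SENDERS else "regular"


def check_sla(msgs, sla=SLA_SECONDS, as_of=None):
    """One finding per message: latency against the SLA for its traffic class.
    Undelivered (deferred/bounced) mail is measured from queue time to `as_of`
    (default: the latest timestamp in the log) so stuck mail is not silently ignored."""
    if as_of is None:
        as_of = max(r["last_seen"] for r in msgs.values())
    findings = []
    for qid, rec in sorted(msgs.items()):
        if rec["queued"] is None:
            continue  # delivery seen without its queue line: queued before the log window
        cls = traffic_class(rec["sender"])
        limit = sla[cls]
        end = rec["delivered"] or as_of
        latency = int((end - rec["queued"]).total_seconds())
        if rec["delivered"] is None:
            verdict = "undelivered-breach" if latency > limit else "pending"
        else:
            verdict = "breach" if latency > limit else "ok"
        findings.append({"qid": qid, "class": cls, "latency": latency,
                         "limit": limit, "status": rec["status"], "verdict": verdict})
    return findings


if __name__ == "__main__":
    for f in check_sla(parse_log(SAMPLE_LOG)):
        print(f"{f['qid']} {f['class']:<11} {f['latency']:>5}s / {f['limit']}s  {f['verdict']}")
```

Two design points matter for the audit. First, latency is measured from the queue-active line, not from the delivery line's own `delay` figure, so the same method works for any server that logs a queue ID. Second, a deferred message is still counted against the SLA once its age exceeds the limit; an alerting system that only watches successful deliveries would never see it.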


As a critical corporate asset, messaging systems have become an indispensable tool for business operations. Business users plan their days with calendars, tasks, and addresses stored in the organization's messaging system. When a messaging system fails for even a few hours, operations can grind to a halt. To help organizations recover quickly, or prevent the disaster in the first place, audits of the messaging system must be thorough and comprehensive and on the same level as those of financial applications. When conducting reviews of messaging systems, internal auditors can use the information above as a guideline for the audit, as well as present it to IT and business managers who are trying to build adequate controls into the company's messaging system.

Ike Ugochuku is president of TLK Enterprise, an IT consulting firm. He has over 15 years' experience in the technology industry, working in areas such as IT risk assessment, systems design, integration, and infrastructure management. He has spent a significant part of his career on messaging systems, designing for global corporations, and reviewing and defining process controls to mitigate risks associated with e-mail systems.
