
Putting the Squeeze on Social Media

Understanding social media regulation, and its associated risks, is key to helping protect the organization from potential harm.

Social networking has gone far beyond the personal domain in which it began. Use of social media technology among businesses has become widely accepted, and it is now a pervasive form of communication employed by both individual personnel and the organization itself. Sites such as Twitter, LinkedIn, and Facebook have become vital tools for managing customer relationships, recruiting talent, and sharing company-related news.

Along with the increased use of social networks, blogs, and image-sharing sites comes a proliferation of risks. Incidents related to reputational risk, such as a tarnished brand image stemming from harmful posts, have been well-documented. But other types of social media risk, such as regulatory risks, are rapidly emerging — so much so that organizations may not be aware of their potential exposure to censure and legal penalties for noncompliance. Knowledge of applicable regulations, and their associated risks, is essential to successfully navigating the complex world of corporate social media use and helping protect the organization from potential harm.

Understanding the Risks

Many regulatory agencies, especially those that oversee the financial sector, have started to issue guidance specifically aimed at social media (see “Key Regulations to Consider” at the end of this article). The requirements typically specify how companies and related persons can collect, share, monitor, and react to information exchanged via social networks.

Noncompliance, of course, constitutes one of the key concerns associated with these pronouncements. Another concern involves social media’s ability to exacerbate other types of compliance risks. For example, an untimely post before the release of financial disclosures could cause a U.S.-listed company to run afoul of Securities and Exchange Commission (SEC) rules.

Regulatory concerns are amplified when an organization’s social media policies and procedures have not kept pace with the evolving regulatory environment. Yet, according to the findings of Deloitte & Touche LLP’s 2014 Social Media Survey of internal audit professionals and other executives involved in managing social media risks, many companies are either struggling to catch up, or even more disconcerting, have yet to begin. While 78 percent of respondents indicated they view social media as a moderate to high risk, 45 percent said they do not have a formally documented social media policy or are unaware of one. Furthermore, 69 percent said they do not have internal audit or risk management reviewing social media activity or are unaware of such activities.

Common Themes in Regulatory Guidance

Because the landscape is rapidly evolving, understanding the scope of social media regulations and their corresponding risks requires agile thinking. Nonetheless, a review of current regulations reveals some common themes. Regulators and governing bodies across most industry segments — and indeed throughout the world — appear to be moving toward regulations that focus on several distinct areas.

Data Protection and Privacy

Customers’ right to privacy must be upheld whenever an organization collects, stores, or uses social media data. This typically includes formulating an appropriate privacy policy and communicating it in accordance with applicable laws.

Employee Rights

Governing bodies often specify the extent to which companies can monitor the activities of employees and prospective hires, which in turn influences what organizations can say in their social media policies. In general, organizations can no longer issue blanket prohibitions against employees engaging in social media activity or ask them for personal social media passwords.

Disclosure and Third-party Endorsement

These requirements generally serve to enforce consumer protection laws. The objective is to help ensure that products and services are described truthfully online, and that consumers understand what they are paying for. Thus, the marketing, promotion, and endorsement of products and services on social media must generally take place in a “clear and conspicuous” manner. Endorsements must be disclosed, and links to external content provided. Organizations must also follow correct protocols for distributing and disclosing financials and other corporate information.

Governance and Oversight

What are employees doing and saying about the company via their personal social media accounts? And what is the company posting on its own corporate sites? Regulatory guidelines often encourage organizations to establish processes and controls for answering those questions, and for responding in the event that inappropriate communications or behaviors are discovered and reputational damage is incurred. Many regulatory bodies are also issuing guidance to help organizations understand what type of records they are required to keep and for how long, with social media typically being treated as another form of electronic communication for legal holds and purposes of e-discovery.

The Role of Internal Audit

Many organizations are in the early stages of understanding social media compliance risk. This lack of maturity is to be expected in an environment where emerging social media tools are being introduced even as regulatory bodies and the companies they govern try to determine how to manage the more well-known social media tools.

To provide oversight and accountability without hindering the organization’s business goals, the organization should consider establishing a social media governance framework. The framework should include defining the team responsible for monitoring regulatory compliance. Moreover, the organization should develop content approval requirements, communication and escalation protocols, and an incident response time frame to comply with established regulations.

Regardless of where an organization falls on the social media maturity curve, internal audit can be at the forefront of moving the organization to the next level by providing assistance in several areas.

Evaluating Governance and Strategy

As a starting point, internal audit should determine whether the organization has a governance structure in place for social media, and whether protocols have been developed and roles and responsibilities assigned. If a governance structure exists, internal audit should review its components; if the organization lacks such a framework, internal audit can assist in developing one. The auditors can also help formulate an overall vision for what the organization wants to accomplish with social media and advise on corresponding metrics and criteria for measuring progress. Without such a vision, it can be difficult for organizations to respond appropriately if negative content goes viral because of limited accountability, siloed behavior, and inconsistency across accounts.

Educating the Organization

Compliance violations often occur simply because employees and executives do not know what they can and can’t do with regard to social media. Internal audit can play a part in remedying this situation first by helping the organization home in on who needs to be trained and in what areas they need training. The auditors can then advise management on the development of training programs and policies. Topics often include what employees should and should not be posting, how to separate business and personal use, and what executives can and can’t do in response. Different stakeholders — executives, authorized users of corporate social media accounts, general employees, and third parties — will require different types of training. Moreover, social media education shouldn’t be viewed as a one-time occurrence. It must be performed periodically because the regulatory environment is continually shifting and new social media channels appear every year.

Assessing Risks, Including Monitoring

What types of threats and opportunities are arising in the course of the organization’s day-to-day social media activities? Answering this question goes beyond identifying a shortlist of risks. It also involves monitoring or “listening” to what employees and customers are actually saying about the organization by sampling social media posts across popular channels. On the one hand, internal audit should look for content that could damage the organization in terms of reputation or brand. On the other, it should look for favorable posts that could reveal product and market opportunities. In either case, social media allows internal audit to expand its approach — in addition to examining the workings of an organization from the inside out, it can also examine them from the outside in to add further value.

Auditing Social Media Compliance

A compliance audit is similar to a risk assessment, but it takes a deeper dive into the organization’s practices. The objective is to identify relevant regulations and the key points that need to be considered, and then to audit the organization’s social media activities for compliance. For instance, a compliance audit that examines U.S. Financial Industry Regulatory Authority regulation would consider whether the organization has adequate policies and processes in place for crisis management and response. It might also consider how the organization has managed crises in the past, and whether these responses deviated from the stated plan.

The Rest Is Still Unwritten

From finding new customers to recruiting the next generation of tech-savvy employees, the benefits of social media are too numerous for businesses to ignore. Although regulatory agencies are responding by issuing guidance, regulations, and in some cases new laws, the rest of the story has yet to be written. As both social media channels and corporate usage proliferate, the number of relevant regulations is expected to rise, along with the degree of enforcement. Internal audit can help the organization manage these risks by leveraging its capacity to break down functional silos, such as those between IT and marketing. By working across the enterprise, internal audit can play an indispensable role in connecting the dots between proposed and current digital strategies, the fundamental themes of regulation, and what each function must do to comply.

Key Regulations to Consider

A cursory examination of key regulations and guidelines that govern an organization’s use of social media illustrates the complexity of the compliance landscape. Although the items listed comprise only a subset of existing regulations, they establish a baseline awareness from which social media policies and risk-mitigation strategies can be discussed and developed.

Securities and Exchange Commission

The U.S. Securities and Exchange Commission (SEC) allows issuers to use social networking sites to disclose material information; however, these disclosures must be distributed to the general public in a way that is “broad and nonexclusive.” The SEC’s language implies that companies must be concerned with what their employees communicate via both their own personal social media accounts and those belonging to the organization. Of utmost importance is making sure that communications are approved and widely disseminated to all investors.

Federal Trade Commission

The U.S. Federal Trade Commission’s (FTC’s) Dot Com Disclosures guidance, which was updated in 2013 for online and mobile advertisers, explains how to make disclosures clear and conspicuous to avoid deception. The updated guidance emphasizes that advertisers using space-constrained ads, such as on some social media platforms, must still provide disclosures necessary to prevent an ad from being deceptive; it also advises marketers to avoid conveying such disclosures through pop-up dialog boxes, because they are often blocked. In addition, via its Guides Concerning the Use of Endorsements and Testimonials in Advertising, the FTC requires the connection between an advertiser and an endorser to be disclosed when the relationship is not apparent within the communication containing the endorsement. For example, if an advertiser gives a gift to a blogger for posting content, it could constitute a material connection that is not reasonably evident to readers and should be disclosed.

National Labor Relations Act

The U.S. National Labor Relations Act (NLRA) protects the rights of employees to act together to address conditions at work, with or without a union, and these rights extend to conversations conducted via social media. Under the NLRA, companies cannot expressly prohibit employees from using social media in their personal lives, nor can they limit their ability to discuss wages, benefits, safety conditions, or other aspects of the work environment. Accordingly, companies should consider the NLRA when formulating their social media policies and in disciplining employees for social networking activity. Indeed, the National Labor Relations Board, the NLRA’s implementing agency, recently forced several U.S. companies to rewrite their social media policies to avoid violating certain provisions of the act. Several more have been found guilty of unlawfully discharging employees in response to work-related posts on social sites.

Federal Financial Institutions Examination Council

In late 2013, the U.S. Federal Financial Institutions Examination Council released final guidance on the applicability of consumer protection and compliance laws, regulations, and policies to activities conducted via social media. The guidance states that a financial institution should have a risk management program that allows it to identify, measure, monitor, and control the risks related to this medium. Furthermore, the program should be commensurate with the breadth of the organization’s involvement in social media, and it should include incident response protocols in the event of a security incident, such as a data breach or account takeover. Processes must also be in place for monitoring information posted to proprietary social media sites administered by the financial institution or a contracted third party.

Financial Industry Regulatory Authority

Via Regulatory Notices 10-6 and 11-39, the U.S. Financial Industry Regulatory Authority (FINRA) has provided guidance to financial institutions and brokers/dealers regarding blogs, social networking websites, and business communications. The goal of these notices is to help ensure investors are protected from false or misleading claims and representations, and that companies are able to effectively and appropriately supervise their associated persons’ participation in social sites. An important aspect of the guidance requires companies to establish social media policies, procedures, and training programs and to maintain and establish mechanisms to supervise the activities of associated persons. Another aspect involves record-keeping, where companies are required to retain records of social media communications related to the broker-dealer’s business for three years. Additional specifications address “suitability,” where any recommendations made via social media must be broad and apply to every investor. Moreover, customer and third-party posts on social sites established by the organization (e.g., a company social media page, profile, etc.) are generally considered to be the company’s communication.

Investment Industry Regulatory Organization of Canada

Similar to FINRA guidance in the United States, the Investment Industry Regulatory Organization of Canada’s Notice 11-0349, Guidelines for the Review, Supervision, and Retention of Advertisements, Sales Literature, and Correspondence establishes social media guidelines related to endorsements, recommendations, and record-keeping. For example, it states that organizations should develop third-party guidelines that establish acceptable practices relating to social media communications. Additionally, the guidance indicates that organizations should disclaim third-party endorsements.

Food and Drug Administration

Life sciences companies already must follow strict U.S. Food and Drug Administration rules for how they can mention, promote, and endorse drugs and medical devices. These rules emphasize the need to disclose risks and side effects alongside the benefits, but the limited character counts in social media often impede compliance because they are insufficient to describe both.

European Union Labor and Privacy Regulations

While they vary widely in scope, European Union labor and privacy rules basically focus on an organization’s ability to monitor individuals’ social media accounts and protect their “right to be forgotten” — that is, to request that search engines remove links associated with their names to pages deemed irrelevant, outdated, or otherwise inappropriate. Organizations must ensure that data retention policies are in place so that an individual’s information is not stored in the event that a social media account is removed.

Australian Competition & Consumer Commission

The Australian Competition & Consumer Commission has issued guidance on the use of social media, which needs to be considered when communicating with existing and potential customers, and when promoting products and services. The guidance specifies that organizations should not make any misleading claims on social media or allow others to make misleading claims or comments. Procedures should be implemented to respond to false, misleading, or deceptive comments in a timely manner instead of removing them. Moreover, the guidance notes that the time organizations should spend monitoring social media pages depends on two key factors: the size of the organization and the number of fans or followers, while also considering that social media operates in a continuous, around-the-clock cycle.

Michael Levy, CRMA, CISA, CISSP, is a manager within Deloitte & Touche LLP’s Advisory Practice in Philadelphia.
Anthony Leusner, CIA, CRMA, CISA, is a senior manager within Deloitte & Touche LLP’s Advisory Practice in Philadelphia.
Khalid Wasti, CIA, CPA, CISA, is a director within Deloitte & Touche LLP’s Advisory Practice in New York.
