
Social Media Governance

Internal audit can make an impact by looking at how the board, executives, and three lines of defense address social initiatives.


Social media’s strategic role within organizations has grown exponentially as it has become a ubiquitous juggernaut of nonstop information of varying degrees of accuracy and relevance. But its risks to the organization have accelerated, as well. To keep up, organizations need a strong governance structure that specifically emphasizes social media.

Similarly, social media’s high impact and high risks mean internal audit should look closely at all related activities. Perhaps the most important of these activities for internal audit is ensuring the organization’s social media governance is effective. 

It Starts at the Top

Any aspect of governance starts with the board. As part of its assurance efforts, internal audit should ensure the board understands the broad scope of risks related to social media, as well as the board’s role in establishing an appropriate governance structure. 

Foundationally, the organization already should have an effective governance structure in place. But the fast pace of change related to social media means the board should take a more active role in ensuring the organization’s governance structure addresses unique social media issues effectively. This not only helps the organization successfully achieve these objectives, but also further ensures the organization will not be broadsided by change, irrelevance, and damaging reputation issues.

The board must understand the changing landscape of social media, as well as the current and evolving risks. Further, directors must understand the organization’s social media strategies — both the strategies specific to social media and those using social media to better achieve objectives. This includes understanding how the strategies were developed and how they support the organization’s overall mission. Finally, the board should understand how the organization will address emerging issues, potential crises, and the overall changes in the social media environment. 

Ultimately, board members must be able to lead conversations that get to the heart of the organization’s approach (see “Questions the Board Should Ask” at the bottom of this page). To ensure the board is prepared to successfully oversee social media activities, internal audit should focus on three areas: knowledge, training, and communication. 

Knowledge The constant press coverage related to social media “fails” has resulted in boards becoming more aware of social media’s risks and pitfalls. But it also has led many boards to focus on the latest YouTube debacle or Twitter mistake, rather than understanding the broader risks. Therefore, internal audit should ensure board members fully understand the risks and opportunities related to social media, as well as the organization’s activities. 

Training Internal audit should ensure the board has been trained appropriately on new and emerging social media technologies, how they are used, the risks to the organization and its industry, and how competitors are using social media. Such training will help the board understand how the organization developed its strategic approach and what it needs to be successful. 

Communication Internal audit should ensure communication channels allow the board unfettered and timely access to the information it needs about social media. In addition to information from executives, this communication should come from committees responsible for social media, departments involved in developing and communicating through social media, and front-line personnel who are dealing with day-to-day issues that can quickly grow into organizational disasters.

Internal audit can provide assurance that board members are prepared by examining activities at the highest levels of the organization. The best way is for auditors to speak directly with board members to gain assurance that directors are providing the best oversight possible. Additionally, auditors should review correspondence and minutes of board meetings, as well as the information received by the board, to ensure that it has been kept in the loop. They also should review training materials to ensure materials cover all appropriate areas and that all board members have participated.

Executive Oversight

At the next layer of governance, the executive level is responsible for developing and implementing the organization’s social media strategies and objectives, as well as ensuring they align with the organization’s other strategies and objectives. Like the board, executives should obtain assurance that social media projects are advancing as expected, the projects are aligned with other strategies, the objectives are being met, significant risks and issues are communicated, and all other necessary information is brought to executives’ attention in a timely manner.

Best practice is to assign a social media champion at the executive level to oversee social media activities organizationwide and be responsible for their success. The executive should fully understand and believe in the value of social media to the organization, while also understanding the associated risks. This individual also should have the status to freely communicate potential issues and concerns to fellow executives. Otherwise, social media activities may fail because of lack of interest.

It also is best practice to establish a social media oversight committee to handle responsibilities at a more granular level. The committee should encompass all departments with a role in social media and include individuals with the authority to initiate changes. The committee will be responsible for ensuring the alignment and success of all social media strategies, objectives, and plans; monitoring project progress; and communicating potential issues. The executive champion should be an active member of this committee, providing guidance and ensuring necessary communication between the committee and executives.

Much of internal audit’s review of executive oversight is similar to that outlined for the board — just more detailed. This includes obtaining assurance that executives receive ongoing training that allows them to understand how social media can best be used, and that executives are adequately updated on social media. In addition, internal audit should determine whether executives are actively ensuring their individual departments are using social media appropriately, and that those activities are aligned with other departments and functions.

Interviews with executives are the best way for auditors to obtain this information. And, while social media-focused interviews can be an important part of the review, an effective alternative is to discuss the topic in meetings about departmental risks, concerns, and upcoming initiatives. Special attention should be paid to the executive champion, who can be a significant source of information about the status and growth of social media. If the relationship is cultivated appropriately, the champion can be a source for potential areas of review.

The First Line of Defense

A challenge in any governance structure is ensuring coordination among the teams that manage the various aspects of risk. Effective social media governance requires each of the three lines of defense — operational management, risk management and compliance functions, and internal audit — to understand the specific risks and responses that apply to their functions. 

The first of these lines, operational management, owns and manages the risk. These are the operational managers responsible for maintaining effective internal controls and executing ongoing risk and control procedures. Each operational function must understand the impact of social media on its responsibilities, as well as the function’s role in the organization’s social media presence. Although their roles and responsibilities can vary from one organization to the next, the following are functions that could be involved with social media. 

Marketing This function is responsible for marketing through social media channels, including brand management. Responsibilities include ensuring social media delivers a consistent message to the right customers, brand integrity and standards are maintained in all social media channels — including the activities of agencies and third-party vendors — and the message being delivered matches organizational objectives. 

Sales The sales function’s responsibilities include ensuring sales efforts on social media match marketing’s message, delivery of products and services sold through social media is accurate and timely, and follow-up is taken on leads generated through social media. The department also must keep online sales information updated and accurate, and use social media data to analyze trends related to leads, sales, and returns. Ultimately, the function should ensure social media improves sales efficiencies and costs.

Customer Service This function ensures complaints received through social media are handled efficiently, customer satisfaction in the online sales process is maintained at the desired levels, and customers are referred to the appropriate goods and services. Customer service also makes sure all online communications maintain the appropriate tone and social media is used to accurately measure customer satisfaction.

Public Relations Also known as corporate communications or community relations, public relations manages how the public perceives the organization. Its responsibilities include ensuring social media messages related to public relations match the overall messaging strategy and monitoring exists to identify, avert, and mitigate crisis situations. Public relations also should have an effective crisis management plan that includes responding to social media issues and using social media as part of the crisis management process.

IT This function develops and maintains hardware and software used for social media. IT’s responsibilities include ensuring customers have a seamless experience while using social media and maintaining sufficient backups to reduce or eliminate downtimes. This function implements technology to achieve the organization’s social media objectives and ensures access to the organization’s social media sites is controlled.

Human Resources This function uses social media to recruit new employees and potentially uses social media to deliver training. Human resources should ensure that training on the use of social media includes all employees and all facets of social media use. It should ensure a social media policy is developed that complies with existing regulations and the organization’s other policies, and monitor employee satisfaction through external comment boards and websites.

The Second Line

The second line of defense comprises those functions that ensure first line of defense controls are designed appropriately, in place, and operating as intended. Spanning the organization, these functions provide assurance related to their field of expertise. Second line functions need to keep abreast of changes in social media with a particular emphasis on issues impacting the areas they oversee. As with the first line of defense, the specific structure and responsibilities of second-line functions differ among organizations. In reviewing governance, internal audit should ensure that the organization is addressing all of the potential social media oversight roles these functions perform.

Risk Management This function ensures social media risks are understood throughout the organization and included in risk assessment processes. Responsibilities include ensuring all risk assessments consider social media, departments keep abreast of emerging issues and risks related to social media, and those issues and risks are communicated in a timely manner. The risk function also must ensure all departments’ risk assessment and management procedures address social media risks appropriately.

Compliance The compliance function is responsible for ensuring existing regulations are reviewed for reinterpretations that may impact social media and that new and changing regulations are monitored. It must advise all departments of regulations that will impact their use of social media and ensure that potential noncompliance issues are reported and acted upon.

Security The security function must ensure appropriate access to and control over social media activities. It ensures general IT security controls such as password, antivirus, anti-malware, and firewalls have been established and are being used effectively. It also makes sure that access to the organization’s social media accounts is restricted appropriately, all accounts are monitored for suspicious activity, and accounts that are no longer in use have been decommissioned. Additionally, the security function should ensure all employees understand the risks related to inappropriate use of social media.

Quality This function is responsible for ensuring the organization’s use of social media complies with standards related to brand and image. Its responsibilities include ensuring branding and imaging within social media accounts match established standards, and making sure overall quality and professionalism of social media interactions match the desired level. The quality function also should ensure information reported through social media channels is accurate, and the organization takes effective corrective action on identified issues.

The Third Line

Internal audit provides the board and senior management with independent and objective assurance of the other two lines’ efficiency and effectiveness. To that end, auditors should ensure that all entities in the three lines understand social media risks as well as their responsibilities for those risks. Internal audit can use two approaches to provide this assurance.

The first is to conduct an overall review of social media, focusing on the functions where the greatest risk may reside. This review may entail separate audits of social media for each function — which will provide detail on how the function is performing — or a review of social media risks, adding focus on potential gaps among departments. 

The second approach is to include social media as a risk area in all audits planned for the year. The results should be included in the individual reports, but auditors also should consider providing an overview of organizationwide responses to social media risks.

Audit’s Social Impact

Social media has become an integral part of any organization’s success and an area that internal audit functions ignore at their own peril. In providing assurance regarding social media, governance can be one of the most impactful areas in which internal audit can provide value. Moreover, reviewing governance establishes a foundation upon which internal audit can begin to build its understanding of, and assurance work related to, social media. 

Questions the Board Should Ask

A well-informed board is equipped to ask the important questions about the organization’s use of social media. To ensure the organization understands its social media strategies and direction, here are some questions board members should be prepared to ask and the organization should be able to answer.

How are we using social media to engage with our customers, open new markets, and recruit top talent? 

These three areas are only a small part of how the organization is using social media. But they provide a good foundation to ensure the organization understands the impact of social media, and they may help the organization explore how best to use it.

How are our competitors using social media?

Social media is a competitive advantage. Without understanding how the competition is involved, the organization cannot know if it is ahead of or behind the curve. Understanding the competition’s use of social media also provides lessons learned without actually taking the risks. In addition, following competitors on social media provides insights into their strategies and plans beyond social media.

How are our employees and other stakeholders using social media? What do we allow?

This question generally will lead to a discussion about existing social media policies. But the primary purpose is to provide assurance that the organization is aware of the risks related to employee and stakeholder use of social media, is monitoring those activities, and is prepared to respond quickly to potential issues.

What regulations regarding social media does our organization need to be aware of?

Board members need assurance that the organization understands the impact of regulators on the organization’s use of social media, monitors compliance with those regulations and regulatory changes, and takes appropriate actions.

How are we monitoring social media activity for potential negative issues? Does this include plaintiff, activist, regulator, and vendor social media activity?

Monitoring is an important part of the organization’s social media risk management process. Almost every social media fail could have been better controlled had the organization monitored and responded to social media conversations appropriately. Monitoring can provide early warning about public relations, brand, regulatory, or legal issues before they get out of hand. 

How are we interacting with the organization’s followers, friends, etc.?

The board needs to understand how success is measured related to the investment in social media. The important aspect of this question relates to how any measures of success will be used to positively impact organizational objectives. Board members should be asking for a direct link between social media metrics and broader organizational success.

What do board members need to do to ensure they keep out of trouble?

First, the board must be assured that it has the information necessary to understand and respond to relevant social media risks. Second, board members must understand how their use of social media — whether as a representative of the organization or as a private citizen — can impact the organization. While these are questions that should be asked by board members, they also are excellent questions for internal audit to use during its reviews, particularly at a governance level. The questions dig deeply into the knowledge and awareness of all social media participants.

Adapted from “Critical Social Media Questions for the Board Room” by Richard S. Levick, Fast Company, 11/27/12.

Jacka and Scott are the authors of Auditing Social Media, Second Edition, published in August by The IIA’s Internal Audit Foundation.

Mike Jacka
Peter R. Scott

About the Authors

Mike Jacka, CIA, CPA, CPCU, CLU, worked in internal audit for nearly 30 years at Farmers Insurance Group. He is currently co-founder and chief creative pilot for Flying Pig Audit, Consulting, and Training Services (FPACTS). In From the Mind of Jacka, Mike offers his wit and wisdom on the internal audit profession.

Peter R. Scott, CAE, APR, is CEO at the American Academy of Optometry in Orlando, Fla.