Concerns about data privacy and the handling of sensitive information prompted a 2011 review of Internet publishing and social media initiatives throughout the United Nations (U.N.) Secretariat that discovered weaknesses in risk management, control, and governance processes. The audit findings by the U.N.'s Office of Internal Oversight Services called for developing procedures for Internet and social media service agreements, addressing privacy risks, and developing guidelines for using copyrighted content.
The U.N. and other organizations are fast learning that social media tools can strengthen relationships with customers, enhance brand awareness, and increase revenue — but these benefits come with risks, including brand and reputational damage, regulatory and compliance violations, data leakage, viruses and malware, and loss of employee productivity. Proactively auditing social media can help organizations identify these risks and implement controls to mitigate them. However, the explosive growth of social media can be daunting to internal auditors tasked with such an audit.
The good news is that conducting a social media audit is conceptually the same as any other review. Recognizing the risk social media poses to an organization is the first step.
Internal Audit's Role
Social media has ignited a shift from unidirectional to bidirectional communication in the business world; gone are the days when an organization has absolute control over its reputation and perception among customers. In response to potential risks, many chief audit executives (CAEs) have helped their organizations implement social media policies and guidelines that mirror corporate culture, but others are grappling with what internal audit's role should be. In a February 2012 IIA Audit Executive Center survey of CAEs, only 29 percent said their organization had a formal social media strategy.
While there is no doubt that auditors can assess the comprehensiveness of the organization's social media strategy, it becomes more complicated when such a strategy doesn't exist. Mike Jacka, a senior audit manager with Farmers Insurance Group in Phoenix and co-author of Auditing Social Media: A Governance and Risk Guide (The IIA Research Foundation), says internal auditors can work with management to identify risks and gaps, determine which controls can be implemented to minimize risks, and offer guidance on social media strategies and policies. "As advisers, internal audit can partner with management to develop a strategy in such a way that it does not violate the International Standards for the Professional Practice of Internal Auditing," he says. "You can't even address lower issues until you've really got a strategy and governance process in place."
Another important consideration is the organization's objective for using social media. Although an organization may not have an official, documented goal, there may be an informal reason behind the social media initiative. Organizations may be able to create social media objectives by aligning them with business objectives.
As with any type of audit, conducting a risk assessment will build a strong foundation. Daniel Desko, a senior IT auditor at accounting, tax, and business advisory firm Schneider Downs in Pittsburgh, says the most important component of the audit is conducting a risk assessment with all social media stakeholders, which may include communications, human resources (HR), legal, marketing, sales, and IT. "You have to do a risk assessment first to see where the business areas think the risks are and to assess what can go wrong," he explains.
Before beginning its 2011 audit of Internet publishing and social media, the U.N.'s internal audit division conducted a preliminary risk assessment. "We also engaged a consultant who brought us international standards and practices, and we engaged all key departments and offices within the United Nations to get a good understanding of their use of social media and Internet publishing throughout the organization," says Andrea Charles-Browne, an auditor in the division's New York Information and Communications Technology Audit Section. The assessment uncovered several risk areas, including operational risks concerning the accuracy of content published to the Internet and through social media as well as governance risks pertaining to the need for policies and clear responsibilities to regulate the publishing process.
A risk assessment almost certainly will uncover expected risks, such as neglecting to consider the organization's industry regulatory requirements (e.g., the U.S. Financial Industry Regulatory Authority requires registered representatives to maintain copies of all customer correspondence, including that through social media) and failing to monitor social media conversations, but it may reveal larger ones as well. Jacka says organizations may be unaware of grassroots social media efforts that have arisen internally, and they may not have articulated their social media strategies and evaluated social media from a global perspective. "The strategic risk is huge, because people haven't thought about social media from that perspective," he observes.
There are many types of social media tools and platforms that organizations may be using already or plan to use, including:
- Blogs (e.g., Blogger and WordPress).
- Microblogs (e.g., Twitter and Tumblr).
- Image- and video-sharing sites (e.g., Flickr and YouTube).
- Social networking sites (e.g., Facebook and Google+).
- Location-based sites (e.g., Foursquare and Yelp).
- Professional networking sites (e.g., LinkedIn).
- Social bookmarking sites (e.g., Pinterest and StumbleUpon).
While internal auditors cannot be expert users of every social media channel, it is nonetheless important to be aware of what's out there and be familiar with the most popular sites. "Having a familiarity with each one of these tools is a requirement to be proficient in conducting the audit," says Dino Cataldo dell'Accio, chief of the New York Information and Communications Technology Audit Section of the U.N.'s Office of Internal Oversight Services.
"You have to play around with social media to know what it is and how far it can go," adds Marc Vael, an international vice president at ISACA. He notes that internal auditors working in international organizations may have a bigger challenge keeping up with social media, as there are many local, regional, and national options available.
Auditors also need to stay updated on changes in the social media landscape from a risk perspective. "There's so much out there about what the latest sites are and about what the problems are that half the time, by just listening to the news, you actually learn what's going on with social media and what the risks are," Jacka says.
With so many messages swirling around the social media channels and organizations buzzing in response, determining where and how to start an audit may be overwhelming. "A big challenge is trying to figure out everything that's going on, because you will be shocked by the different people doing social media that you don't even know about," Jacka says. He suggests conducting Internet searches first to identify social media sites on which the organization is represented and then talking to employees to find out who is engaged in social media on the organization's behalf.
Vael, who is also CAE at IT firm Smals in Brussels, agrees that having informal discussions is a good way to gather information. "The fun part about social media audits is that you can approach anybody and ask what social media means," he says. Vael suggests auditors work with the IT department to determine which social media sites are being used but stresses that employee privacy must be safeguarded. Auditors also may find it helpful to discuss the organization's use of social media with HR, which may be responsible for social media policies and know which employees are engaging in social media in an official capacity.
Distributing surveys to all employees and allowing them to reply anonymously is another way to find out how people in the organization are using social media. The U.N.'s auditors used this approach during their audit. "We distributed an internal control questionnaire to over 20 offices and departments with the intent of getting their responses as to how they use it, what they use, and what they see as their exposure as part of our planning exercise," Charles-Browne says. The questionnaire revealed that various departments had begun using social media to engage with the public, while others were considering using social media from a business perspective.
Framework and Objective
Equipped with knowledge about how the organization is using social media, auditors can begin planning the audit. Greg Hedges, managing director of social business at global consulting firm Protiviti Inc. in Chicago, notes the first step should be selecting an audit framework. "A framework will help organize the audit, put a box around what you mean by 'social media,' and allow you to compare and identify gaps as to processes that may be missing," he says.
In its 2010 white paper, Social Media: Business Benefits and Security, Governance, and Assurance Perspectives, ISACA suggests auditors refer to established frameworks, such as its Risk IT and COBIT and The Committee of Sponsoring Organizations of the Treadway Commission's Internal Control–Integrated Framework. Once auditors have identified a framework, they can examine the information they collected about how social media is being used in the organization and state the audit's objective. For example, based on responses from their internal control questionnaire, the U.N. audit team developed the audit plan and clearly stated their objective, which was "to assess whether the Secretariat effectively implemented adequate risk management of Internet publishing and social media." Charles-Browne notes that there were several related secondary objectives. "We looked at registration of domains and creation of different channels and pages on social media sites, and we evaluated the review, approval, and management for posting rights, because data privacy is critical to the use of social media and Internet publishing," she says.
Because organizations use social media differently, there is no universal approach to determining an audit's scope. Some auditors may choose to audit the entire social media function across the organization, while others may decide to add a social media component to audits of departments that are active on social media, such as marketing. At the U.N., the auditors' initial focus was on Internet publishing, but rather than conducting a separate audit, they decided to capture the social media risks and address them in the same audit.
A well-defined audit objective will help auditors focus on the right aspects of social media. James Fargason, a business law professor at Louisiana State University in Baton Rouge, sees many organizational risks related to social media. "One of the most prevalent is reputational risk, which is more decentralized in the social media environment," he says.
From an IT perspective, Desko notes it is important to consider user access to social media sites through personal devices and the organization's ability to wipe devices remotely. The U.N.'s audit focused on broader areas — risk management and strategic planning, oversight mechanisms, mandates and delegation of authority, and the regulatory framework.
Scott Springman, director of internal audit at Protiviti in St. Louis, has an even broader view of audit considerations for social media. "I suggest considering four key areas: strategy and governance, people, processes, and technology," he says. These categories align with the scope presented in ISACA's Social Media Audit/Assurance Program, which can be customized to the environment under review. Examples include:
- Strategy and governance: risk management and policies.
- People: training and awareness.
- Processes: social media site user agreement management and branding enforcement.
- Technology: access management to social media sites and monitoring software.
The ISACA program suggests controls to address social media risks, including ensuring that legal and communications teams review user agreements for social media sites.
Another audit consideration involves an organization's social media policy. Does the organization have a policy for employees? Is a policy in place for the overall social media program? From an employee perspective, best practices suggest that a social media policy should include the same guidelines used throughout the business — the values and confidentiality policies employees are expected to abide by every day whether tweeting, posting to Facebook, or talking with customers. At a minimum, the policy should address:
- Social media channels where the organization participates.
- Active social media accounts and who maintains them.
- Employees authorized to communicate on the organization's behalf.
- Processes for monitoring communication by employees and from customers or the public.
- Training on social media and the organization's policy.
- Consequences for failing to comply with the policy.
Moreover, internal audit can provide assurance that the policy is relevant to the risks posed by current and future use of social media and advise management on strengthening the policy and implementing controls.
Keys to Success
Although it may seem challenging, internal auditors already have the expertise needed to conduct a successful social media audit. The only other requirement is learning about social media and how the organization is using it. "We understand how processes work, we understand what controls are in a process, and we understand the effectiveness and efficiencies of processes," Jacka says. "If you think of it in those terms, it makes social media a little easier to grasp."
The U.N. auditors agree that their audit helped them look at the big picture of social media — governance, policies and procedures, and risks — rather than only focusing on technical issues. The organization now has a policy in place that is being followed closely up to the highest levels.