Internal auditors are increasingly taking a closer look at the company's social media strategy
Now internal audit departments are taking a closer look at those risks and the controls companies are instituting to manage them.
That's because social media is quickly becoming integral to how people and organizations communicate. More than one billion people log on to Facebook daily. Twitter has 310 million active users. Coca-Cola has 1.3 million followers on Instagram, and the 235,280 subscribers to the YouTube channel of home improvement retailer Lowe's have logged more than 100 million views.
Most successful businesses today have cultivated a strong social media presence. At the same time, social media carries serious risks. "People can post things on social media that really damage a company's image," says Kevin Jackson, director, internal audit at Vulcan Materials, a Birmingham, Alabama-based producer and distributor of construction materials. "The problem is social media doesn't discern fact from fiction."
In the earlier days of social media, risk management tended to focus on the disclosure of nonpublic information, says Grant Ostler, director of internal audit at Northern Tier Energy in St. Paul Park, Minnesota. Executives worried an employee involved in the financial reporting process might divulge data that hadn't been made public, either inadvertently or intentionally.
While this remains important, reputational risk has become more critical, Ostler says. Executives worry an employee or customer, whether disgruntled, dissatisfied, or simply careless, will post something on social media that reflects negatively on the organization.
The velocity of social media can mean rapid and widespread damage. "You can go from zero to ninety in sixty seconds," says Mike Jacka, a consultant and trainer and co-author of Auditing Social Media: A Governance and Risk Guide.
Misalignment between an organization's social media messages and its business strategy is another risk. At best, the message may become muddled or fail to compel customers to action. At worst, it can distort the company's brand in ways that are negative. "What are the key strategic things to communicate?" asks Tichaona Zororo, a board member of ISACA, and an IT advisory executive with EGIT, a provider of IT advisory and consulting based in South Africa. These should inform the organization's social media strategy.
Truth in Tweeting
Most companies, but especially those that are publicly traded or operate in highly regulated industries, also need to remain vigilant regarding relevant regulations. For instance, the Federal Financial Institutions Examination Council's publication, Social Media: Consumer Compliance Risk Management Guidance, requires financial institutions that use social media to market products and originate new accounts to take steps to ensure their advertising, account origination, and document retention efforts comply with applicable consumer protection and compliance laws and regulations, such as the Truth in Savings Act.
Another critical risk concerns criminals commandeering an organization's social media platforms. They may create posts purportedly in the organization's name, but that actually undermine its goals. They also may use the platform to gain access to the company's other information systems.
Role for Internal Audit
Internal audit can help the organization mitigate these risks. To be sure, internal audit traditionally has focused on financial controls. However, "internal audit is all about following where the risk is," Zororo notes, including the risks inherent in social media.
Some organizations may find that internal audit also can "bring the rigor" that might be lacking in their social media efforts, says Michael Levy, director of internal audit with Student Transportation Inc. (STI), a provider of school transportation based in Wall Township, New Jersey. For instance, organizations may find employees use their personal accounts to access the employer's social media accounts. If an employee leaves, he or she will retain access to the account, Levy points out.
Internal audit also has experience bringing together different areas of the company, Ostler says. That's key to ensuring an organization's social media efforts advance its overall objectives, without exposing it to undue risk.
Who's at the Controls?
One of the controls internal audit will want to check is the organization's ability to monitor its social media presence. While it may be neither practical nor desirable to vet every post before it appears, the organization needs to have a process for watching them. "If you're waiting for audit to come in every six months, that's too late," Ostler says. "You need to systematize it."
Internal audit also can check that the organization has deployed tools to control access, and that employees are using them. For instance, employees should use different passwords for different social media platforms, and change them on a regular basis, Zororo says. Organizations that engage outside service providers to handle their social media activities should monitor how the provider safeguards user names, passwords and other sensitive information.
Vulcan uses several software tools that monitor outgoing posts for key words and phrases, Jackson says. For instance, the software will watch for words that may indicate a financial disclosure that wasn't sanctioned by the company.
Along with tools and policies, employee training is key. "A big part of the battle is education," Jackson says. Vulcan is using e-learning software that shows how quickly social media posts can be shared, and how they live forever, giving employees a solid understanding of the long-term ramifications of social media.
Internal audit also should assess the training available to employees who work with customers. An organization that flawlessly executes its social media plan, yet falls short in delivering its core products or services, can face a social media firestorm. Say a sales associate chats on the phone while customers wait. The episode can quickly be captured and end up on social media, potentially overwhelming the company's efforts to promote its brand. "You can't out-tweet reality," says Peter Scott, a frequent speaker on auditing social media and also co-author of Auditing Social Media: A Governance and Risk Guide.
To be sure, internal audit may need to make the case for its ability to assist an organization with its social media efforts. If the resistance stems from a lack of awareness about the power of social media, "just pull the data," Jacka says. One example: in his study, "Reviews, Reputation, and Revenue: The Case of Yelp.com," issued in 2011 and revised in 2016, Harvard professor Michael Luca found a one-star increase in a Yelp rating led to a five to nine percent increase in revenue.
If the resistance stems from doubt about internal audit's ability to add value, the department needs to emphasize its expertise in assessing the integrity of processes and identifying risk. Just as this expertise adds value to financial processes, it can add value to social media.
Of course, internal audit also needs to understand social media. "You don't need to be an online celebrity, but you should be conversant in the challenges the organization faces," Scott says.
Internal audit also should develop relationships across the organization. Jackson and his colleagues at Vulcan have hosted "lunch and learns" during which they explain the role of internal audit. The company also has a robust guest auditor program. "We've tried to develop relationships outside the internal audit world, so it's not just us coming in and just auditing your group," he says.
Karen Kroll is a business and finance writer, based in Minneapolis.