Are social media risks in your audit plans?
10/6/2014
Using social media is a growing challenge to organizations from a risk management perspective, according to Protiviti’s 2014 Internal Audit Capabilities and Needs Survey.
In both its 2013 and 2014 surveys, Protiviti studied this emerging issue of interest to internal auditors, analyzing how social media risk has become an important area for audit consideration among organizations.
The surveyed organizations recognize that they are only moderately effective in identifying (60 percent), assessing (61 percent) and mitigating (62 percent) social media risk to an acceptable level. Although only moderately effective, these percentages are rather high considering that 44 percent of organizations still do not intend to address social media risks in their audit plans or risk assessment processes.
One-fourth of the 600 participants in the 2014 survey feel the greatest obstacle to including social media risk in their audit plans is a lack of skills and resources among their staff. This is up from 19 percent in the 2013 survey.
However, when addressing cybersecurity risks, an encouraging 53 percent of companies said they either are including social media cybersecurity in their audit plans this year or intend to include these risks next year. Reports in the national news of recent cybercrime may be a motivating factor.
Companies are “just getting started in establishing their social media risk management capabilities,” according to survey participants asked to rate their organizations’ social media use on a maturity scale adapted by Protiviti from the Carnegie Mellon Institute.
Although organizations showed little change since the 2013 survey when it comes to having a social media strategy (55 percent in 2014 as opposed to 53 percent in 2013), the number of organizations that have developed a social media policy has risen significantly. Today, 63 percent have a policy as opposed to 57 percent in 2013.
The table below provides the five most common areas covered by the organizations’ policies in both 2013 and 2014:
| Issue | ||
|---|---|---|
| Disclosure of company information | ||
| Ethical use of social media | ||
| Disclosure of employee information | ||
| Approved use of social media applications | ||
| Information security |
Other areas covered by company policies include the purpose of social media use, approved use of community forums, and employee training. Only 3 percent of organizations in the survey make use of social media for employee training.
Use of social media for external communication is much more popular (74 percent) than for internal communication (39 percent), according to the 2014 survey. This makes sense because most organizations have implemented social media use to increase their revenue by attracting new customers, trying to excite the public about products and services, and relying on customers to spread the word about products or services.
For this reason, it’s easy to understand why the marketing or PR/communication department is currently most involved in evaluating a company’s risk exposure from social media. The marketing department is followed by the information technology, internal audit/IT audit, and legal departments and by executive management.
Organizations rated on a 1-to-10 scale, with 10 being the highest, the areas related to social media posing the highest risk in 2014:
- Financial loss – 7.3
- Interrupted business continuity – 6.9
- Loss of intellectual property – 6.6
- Loss of employee productivity – 6.1
- Viruses and malware – 5.6
By far, monitoring reputation risk is considered to provide the greatest value from addressing social media risk, with 50 percent of organizations agreeing. Other categories of perceived value are earlier identification of risks or control problems (17 percent), overall business strategy (13 percent) and regulatory compliance (8 percent).
