CPD article: is social media a big enough risk to warrant inclusion in your audit plan?
Reading this article and answering these related questions can count towards your verifiable CPD if you are following the unit route to CPD and the content is relevant to your learning and development needs. One hour of learning equates to one unit of CPD.
What is social media?
One definition is ‘the use of web-based and mobile technology to enable interactive communication between, across and about people, organisations and communities’. (1)
The explosion of social media
In one year alone, from 2012 to 2013, the number of social network users around the world rose from 1.47bn to 1.73bn (about 25% of the world’s population), an 18% increase. By 2017, the global social network audience is expected to total 2.55bn. (2)
In addition, more than 72% of all internet users regularly access social networking sites; in the UK and US alone, people spend respectively 13 and 16 minutes every hour using social media. (3)
Perhaps more important is take-up of social media by businesses around the world. Among Fortune 500 firms, 77% now have active Twitter accounts, 70% have Facebook pages and 69% have YouTube accounts. (4)
The proliferation of social media is extensive and impacts on both organisations and individuals. The online generation with the constant need to share information through sites such as Facebook and Twitter has led to a situation where users (both corporate and individuals) are not always aware of the risks of posting certain types of data.
What about the risk?
As with all technology there is an amount of inherent risk, and one of the key features that makes social media risk very different from other types is the speed at which information spreads or goes viral. In some cases it can transition to conventional news media within minutes of a controversial statement.
Social media is a completely open world which allows employees to speak to a very broad audience. This ability to hit a mass audience without sufficient controls in place could lead to potential disclosure of sensitive information, such as personal accounts, health information, intellectual property, customer data and personally identifiable information. This type of information leakage may result in loss of competitive advantage, brand damage and may even lead to legal or regulatory consequences.
Risks associated with social media can be broadly split into the following areas:
brand and/or reputational damage (a great example of this was a tweet by Tesco’s customer care team during the horsemeat scandal ‘It’s sleepy time so we’re off to hit the hay’)
regulatory, legal and compliance violations
viruses and malware.
Source: 2013 Internal Audit Capabilities and Needs Survey Report white paper, protiviti.com
Statistics have also shown that where employees are unaware of the risks of using social media at work, there is considerable risk beyond just lost hours of productivity; for example:
64% of people on social media sites click on links even if they do not know where the link will take them
more than 50% of users let a friend or acquaintance use their login credentials to social network sites
47% of social media users have been victims of malware
26% of social media users share files within personal social networks
21% of social media users accept contact offers from people they do not recognise
20% of social media users have experienced identity theft.
Source: Managing Privacy Risks in Social Media-Driven Society white paper, www.protiviti.com
From the above it is clear that employees require awareness and training in basic IT security hygiene, so that users do not inadvertently expose themselves or their companies to vulnerabilities.
Should it be on the audit plan?
In a word, YES – sort of!
Like everything in the world of audit, it all depends on the level of risk and how it is being managed. As the use of social media rapidly grows, it is becoming more pervasive and impacting on many parts of the business where there are dependencies on communication.
It’s not really a case of whether it should be included within the audit plan but how much time and attention (based on the practices and the level of risk) should be dedicated to it. The majority of companies have realised that there is some value to social media. What is probably less clear to those companies is:
how to quantify that value
how to measure it
how it can be effectively controlled and managed.
Although some companies are advancing quickly and have developed processes to understand, monitor and manage social media risks, the majority of businesses are still playing catch up. As such, they have relatively immature processes and it is reasonable to suggest that the risks associated with social media may not be well articulated or captured within risk registers. This lack of understanding is also reflected in internal audit’s (IA) involvement, where the inclusion of social media within the audit plan has been relatively slow.
This is further supported by a survey performed by Protiviti in 2013, which highlighted that social media risks will eventually be part of most audit plans but, at the time of the survey, found the following IA responses:
20% stated that it is included in the current year audit plan
35% stated that it would be included in next year’s audit plan
45% stated that there were no plans to include it in the audit plan.
The survey also found that social media was the highest-ranked area in the ‘need to improve’ category and the lowest-ranked in terms of ‘competency’ within IA departments. This is an interesting finding, as it suggests that IA departments may not have the resources or skills to understand the risks, or to engage with the business in order to effectively identify and test the controls being used to mitigate those risks.
Below are some brief pointers for IA on understanding when it should be involved, the types of questions to ask and what to audit.
Knowing when to act
IA should start looking at social media as soon as it sees signs of significant usage, or of significant social media activity within the business or within the industry.
Some trigger points that could provide assistance on when to initiate a social media review may include:
high profile issue within your sector
high profile internal incidents
new product or service launch
desire to know more about social media
thinking about, or having just introduced, an enterprise social network
benchmarking how well you are leveraging social media.
Within the UK financial services industry, the Financial Conduct Authority (FCA), which regulates the industry, released a consultation paper in August 2014 titled Social media and customer communications. This paper specifically deals with financial promotions through the use of social media, advising on what is acceptable and what is not. The outcome of this consultation will be a definite push for those financial institutions that have yet to challenge social media risks in a structured way.
Key questions to ask
Although by no means a comprehensive list, some basic questions that IA could ask to help understand the current level and required level of involvement may include:
do the business and IA conduct on-going risk assessments related to social media?
is there a social media strategy supported by a policy?
who, if anyone, performs the role in monitoring and ensuring compliance with the policy?
are there controls available or deployed to monitor employees' and the company’s social media activities?
is there a sufficient level of awareness within IT, as well as throughout the business, of the risks relating to social media?
What to audit
Some of the key areas to review as part of a social media audit may include:
governance and compliance
internal and external policies and programme execution
metrics and monitoring
third party relationship management
training and awareness
recruiting and work force management
information systems operations
third party management
information security and privacy.
Social media strategy and supporting governance processes are a key part of managing risks within the business and ensuring alignment with the organisation’s objectives. Equally important is the culture that is adopted on the basis of that governance and the tone from the top. The risk culture will also have an impact, to some extent, on external exposures; for example, employees identifying and reporting negative or inappropriate comments, so that the business can take appropriate steps to respond.
Summary
From experience there is a noticeable increase in the number of social media policies that have been implemented; some could even argue that their development was based on knee-jerk reactions to ‘have something in place just in case’.
However, this reaction of creating a policy and getting it out there generally lacks a strategy and governance to aid and support the social media policy. The risk here is that the policy on its own will not provide sufficient control and will not identify whether employees are complying with the social media policy requirements.
Ideally as businesses look to include social media within their strategy, IA should be consulted by the business to assess the adequacy of the social media policy along with supporting the governance processes and procedures. Like all policies this should include a compliance requirement that IA will be testing from time to time to assess how the business is complying with the policy.
Outside factors will also play a role in the assessment of the risk around social media: as discussed, the type of business and the industry will either increase or decrease that level of risk. The organisation’s culture will also be a difficult beast to grapple with; however, businesses must tackle and improve the mind-set on dealing with social media.
As discussed, the involvement of IA with social media has been previously muted or limited at best. IA departments in some cases feel inadequately trained to deal with the risks of social media; however, we are already starting to see changes as businesses are becoming more strategic with their use of social media.
The result of these business actions will undoubtedly require IA to review the use of social media and for its inclusion within the audit plan. What is less clear is how much time and involvement will be needed.
Bill Nagra - Risk Audit Security Limited
W. Noel Haskins-Hafer - ISACA auditing social media v3.