Internal Audit

1. 1

2. SOCIAL MEDIA RISK AND THE AUDIT PROCESS
• Organizational social media use is rising and growing increasingly important from a risk management standpoint,
yet formal processes for it remain a rarity.
• Evaluating and monitoring social media risk is or will soon become a key part of audit plans.
• The precise nature of organizational social media risk is rapidly changing, which generates confusion as well as
obstacles internal audit must recognize and address.
Key Findings
I am not sure everyone is trained to understand the risks of social media.
– Director of Auditing, Midsize Hospitality Company
2

3. RISKS OF A CORPORATE SOCIAL MEDIA PRESENCE
(1/2)
Threats and
Vulnerabilities
Risks Risk Mitigation Techniques
Viruses and malware
are introduced to the
organizational
network.
• Data leakage/theft occurs.
• System downtime occurs.
• Resources to clean systems
are required.
• Ensure that antivirus and antimalware controls are
installed on all systems and updated daily.
• Consider using content filtering technology to restrict
or limit access to social media sites.
• Ensure that the appropriate controls are also installed
on mobile devices, such as smartphones.
• Establish or update policies and standards.
• Develop and conduct awareness training and
campaigns to inform employees of the risks involved
with using social media sites.
Customers and the
enterprise are
exposed through a
fraudulent or hijacked
corporate presence.
• Customer backlash/adverse
legal actions occur.
• Customer information is
exposed.
• Reputational damage can
happen.
• Targeted phishing attacks on
customers or employees
occur.
• Engage a brand protection firm that can scan the
internet and search out misuse of the enterprise’s
brand.
• Provide periodic informational updates to customers
to maintain the awareness of potential fraud and to
establish clear guidelines regarding what information
should be posted as part of the enterprise’s social
media presence.
Source: Social Media: Business Benefits and Security, Governance and Assurance Perspectives, ISACA, 2010
3

4. RISKS OF A CORPORATE SOCIAL MEDIA PRESENCE
(2/2)
Threats and
Vulnerabilities
Risks Risk Mitigation Techniques
Content rights to
information posted to
social media sites are
unclear or undefined.
• The enterprise loses
control/legal rights of
information posted to the
social media sites.
• Ensure that legal and communication teams carefully
review user agreements for social media sites that
are being considered.
• Establish clear policies that dictate to employees and
customers what information should be posted as part
of the enterprise’s social media presence.
• Ensure that there is a capability to capture and log all
communications (if feasible and appropriate).
A move to a digital
business model may
increase customer
service expectations.
• Customers are dissatisfied
with the responsiveness
received in this arena,
leading to potential
reputational damage for the
enterprise and customer
retention issues.
• Ensure that staffing is adequate to handle the amount
of traffic that could be created from social media
presence.
• Create notices that provide clear windows for
customer response.
Electronic
communications that
may be impacted by
retention regulations
or e-discovery are not
effectively managed.
• Regulatory sanctions and
fines are issued.
• Adverse legal actions are
taken.
• Establish appropriate policies, processes and
technologies to ensure that communications via
social media that may be impacted by litigation or
regulations are tracked and archived appropriately.
• Remember that maintaining an archive, depending
on the social media site, may not be a recommended
approach.
4

5. POLICY RISKS
Source: http://www.protiviti.com/en-UK/Pages/UK-Companies-at-Risk-from-Inadequate-Social-Media-Policies.aspx; online.wsj.com
• Companies without adequate social media policies place themselves at risk of security breaches and reputational
damage among other issues.
• There are a growing number of cases where firms have vague or out-of-date social media policies that are
unenforceable if inappropriate activity takes place.
• Companies should provide their employees real guidance regarding the use of social media sites and should
have very clear policies targeted at issues specific to social networking.
• Companies should develop or update not only their social media policies, but they should also review all their
human resources (HR) and IT policies as many have become outdated in the era of social networking.
In May 2012, Houston-based fashion retailer Francesca's Holdings Corp. fired their CFO for improperly
communicating company information through social media. The CFO had mentioned the company’s board
meetings, earnings calls and sale of shares multiple times on various social media platforms.
Social Media Policy Breach Example
5

6. SECURITY RISKS
Five Social
Media
Security
Risks
Malware
Intellectual
Property
Leakage
Phishing
Attacks
Physical or
Connected
Threats
Privacy
Settings Left
Open to All
Source: en.community.dell.com; Global Survey on Social Media Risks,; www.adp.com, http://www.huffingtonpost.com/eliyahu-federman/social-media-addiction_b_2480109.html
• Employees may intentionally or
inadvertently use social media – whether
on-the-job or at home – in a way that
poses risks for their employers.
• Virus and malware attacks against
organizations have increased because
of employees using Facebook, Twitter,
LinkedIn and other social media in the
workplace. In 2012, Americans spent 74
billion minutes on social media sites
(20% of their time).
• Organizations are most concerned with
employees downloading apps or widgets
from social media sites, posting
uncensored content and uncensored
blog entries.
6

7. RISK MANAGEMENT FOR SOCIAL NETWORKING
• Who has access to post authorized information about your company?
− That user/account should be identified as the official representative for your company.
• Define the social networking policy.
− This policy states who can/cannot post information about your company and the objective of using
social networking sites.
− What types of information can be shared publicly?
− Are there any approvals required to post information?
− Should the information be publicly available or only to friends/subscribers?
• Identify what types of content are currently being shared that are not authorized and try to mitigate issues
with it.
− Try to get in front of the postings/issues.
• Determine if social networking is working depending on the number of subscribers/users.
− If a program is not providing value to the organization, discontinue it.
7

8. KEY QUESTIONS TO CONSIDER
• Can mobile commerce solutions be integrated effectively, efficiently and securely with your overall IT
infrastructure and existing management tools?
• Does your IT function maintain and update clear mobile commerce and social media policies that clearly convey
the acceptable use and security requirements of these capabilities to employees who engage in mobile commerce
and/or social media activities? How are these policies monitored and audited?
• How robust are your information security measures? Are these measures applied differently depending on the
sensitivity or importance of the data being processed and stored?
• Is your organization in compliance with all relevant industry standards for security and privacy as well as
applicable laws and regulations?
• Does your organization have efficient systems and processes for monitoring the quality of compliance as well as
processes for monitoring ongoing regulatory issues and anticipating new rules and regulations?
• Is the overall state of your company’s social media security sufficient? How can social media capabilities be
integrated more extensively into appropriate business processes to deliver value?
8