The risk of social media to an organization has become one of the biggest challenges facing internal auditors as use of social media increases, but formalized processes to manage it are in their infancy.
And because social media continue to grow and change, there are always new obstacles that internal auditors must recognize and address, according to the 2013 Protiviti Internal Audit Capabilities and Needs Survey of more than 1,000 executives worldwide.
Of organizations that use social media, only slightly more than half have a social media strategy or policy.
Those that do have a policy address:
- Disclosure of company information, 90 percent
- Ethical use of social media, 76 percent
- Disclosure of employee information, 73 percent
- Approved use of social media applications, 70 percent
- Information security, 70 percent
- Organization’s purpose in using social media, 56 percent
- Approved use of community forums, 47 percent
- Employee training, 38 percent
While the monitoring of social media risk is currently part of only 20 percent of audit plans, another 35 percent of companies plan to include social media risk in next year’s plan. More than 45 percent said their organizations had no plans to include it in their future audits.
The biggest inhibitor to internal audit’s involvement in assessing social media risk, respondents said, was inadequately trained staff. Also cited was a lack of management support and, to a lesser degree, IT support.
From a risk management perspective, internal auditors see the highest risks associated with social media coming from (in order):
- Brand and reputational damage
- Data security
- Regulatory and compliance violations
- Data leakage
- Viruses and malware
- Employee defamation
- Loss of employee productivity
- Loss of intellectual property
- Financial loss
- Interrupted business continuity
Asked how effective their organizations were in identifying social media risk to an acceptable level, only 16 percent overall said “very effective.” Another 61 percent responded “moderately effective” and 23 percent said “not effective at all.”