Protiviti and Deloitte & Touche Surveys Highlight the Need for Risk Assessment of the use of Social Media in the Workplace
Increasingly, businesses and other organizations are finding the use of social media in the workplace is fraught with danger. The question I address is whether the new challenges in the business environment are being dealt with adequately.
A recent Internal Audit Survey released by Protiviti, a global risk and business consulting firm, finds that a lack of social media policy and process is plaguing organizations with unnecessary risks. While the seventh annual edition of the study surveyed more than 1,000 internal audit professionals about their technical and audit process knowledge, a key focus of this year’s report was on social media usage and related audit processes and policies. Key findings show that 43 percent of respondents have no social media policy within their organizations and that, among companies with a social media policy, many fail to address basic issues. In fact, information security and approved use of social media applications are areas that are not covered in nearly one in three organizations (30 percent).
What may be the most striking result from the survey is that more than half (51 percent) of organizations do not address social media risk as part of their risk assessment process, with 45 percent indicating that they have no plans to do so in the coming year’s audit plan. Additionally, of those that do address social media risk, 84 percent rated their organization’s social media risk-assessment capability as “not effective” or just “moderately effective.”
Respondents also evaluated 42 areas of audit process knowledge in terms of where they need to improve, and ranked data analysis tools and fraud as the predominant issues of concern. Eight of the top 10 priorities in audit process knowledge that most need improvement were related to data analysis tools (data manipulation ranked #1; statistical analysis ranked #5; sampling ranked #9) and fraud (monitoring ranked #1; fraud risk assessment ranked #4; fraud detection/investigation ranked #6; fraud auditing ranked #10). In contrast, there were no fraud-related issues ranked among the top five areas for improvement in 2012 or 2011.
According to a 2012 survey of 192 executives conducted by Deloitte & Touche LLP and Forbes Insights, social media was identified as the fourth-largest risk through 2015, on par with financial risk. This ranking derives from social media’s capacity to accelerate other risks, such as the financial risk associated with disclosures in violation of Securities and Exchange Commission rules. Other risks inherent to social media include information leaks, non-compliance with regulatory requirements, and third-party and governance risks.
Internal audit should be involved in identifying crisis events and provide guidance on the impact that each of these events may have on the organization. The internal audit function can also play a role in identifying the integration points of social media crisis management with other crisis management plans, such as security incident management and business continuity crisis management. To support the crisis management plan, organizations should build capabilities and systems that allow them to detect events on social channels that may damage their brands, and internal audit should have a role in testing these solutions once they have been implemented.
The key to an effective social media policy is to establish procedures through the internal audit function to monitor such activities and set standards for acceptable use of social media in the workplace. Internal audit can help organizations understand potential risks, develop business processes to help mitigate them, monitor compliance with implemented processes and assess implemented controls. Moreover, an effective internal audit policy on social media can protect the brand and reputation of an organization, its most important asset.
Blog posted by Staten Mintz, aka Ethics Sage, on October 22, 2013