auditing social media: the cae toolkit


THE ESSENTIAL RESOURCE FOR AUDIT EXECUTIVES

AUDITING SOCIAL MEDIA:

THE CAE TOOLKIT

JUNE 28, 2012

Presenter

Dan Desko, Senior

Schneider Downs & Co., Inc.

Technology Advisors/Internal Audit

WWW.THEIIA.ORG/CAE Staying Ahead of Social Media

INTRODUCTIONS

• Schneider Downs & Co., Inc.

– Public Accounting, Tax, Business Advisory, Internal Audit, Technology Advisors, etc.; Since 1956

• Dan Desko, Senior IT Audit Consultant

– 2 years with Schneider Downs, 8 years experience in total; Leads and Manages IT Audit Fieldwork


LEARNING OBJECTIVES


• Understanding the purpose of social media use in organizations

• Impact and risks associated with having a corporate social media presence

• Controls and best practices to mitigate social media risks

• Audit techniques to test the effectiveness of social media controls


AGENDA

• Survey results

• What is social media

• Benefits of social media

• Threats/Risks/Controls

• Audit steps

• Social media disasters


RECENT CAES SOCIAL MEDIA SURVEY RESULTS


ON WHICH SOCIAL NETWORKING WEBSITE(S) DOES YOUR COMPANY MAINTAIN A CORPORATE PRESENCE?

Response options: Facebook, Twitter, LinkedIn, Own Platform, YouTube, None

DOES YOUR ORGANIZATION BLOCK ANY SOCIAL MEDIA WEBSITES FROM EMPLOYEE USAGE WHILE THEY ARE ON COMPANY TIME?

Yes 47%

No 53%


IF YES, WHICH SITES ARE BLOCKED?

• Facebook 84%

• Twitter 71%

• MySpace 63%

• YouTube 63%

• Flickr 34%

• Google+ 21%

• LinkedIn 17%

Multiple responses were accepted.

TOP REASONS FOR BLOCKING

1. Productivity issues, time waster, etc.

– Overwhelmingly the #1 reason for those who block

2. Information security (distant 2nd place)

3. Bandwidth (distant 3rd place)


WHY DON’T YOU BLOCK?


• “We are not dictators.”

• “Social media is representing a critical means to reach-out, interact with our customers and nurture our relationship with them. Which is at the very core of how we have been doing business for more than 100 years.”

• “Lack of management perception of risk.”

• “Because we use it as part of marketing.”

DOES YOUR ORGANIZATION USE SOCIAL NETWORKING AND BLOGS FOR ANY OF THE FOLLOWING PURPOSES?

Response options: Social Networking, Blogs, Both, Neither

DOES YOUR ORGANIZATION ALLOW ITS EMPLOYEES TO IDENTIFY THE ORGANIZATION BY NAME ON THEIR PROFILES ON SOCIAL NETWORK PLATFORMS OR BLOGS?

Response options: No; Yes, must follow policy/guidelines; Yes, no policy/guidelines

DOES YOUR ORGANIZATION ALLOW EMPLOYEES TO OPENLY REPRESENT YOUR ORGANIZATION ON SOCIAL MEDIA SITES (I.E., "BRAND EVANGELISTS")?

Response options: No; Yes, only certain people; Yes, only for discussion boards; Yes, only for blogs; Yes, everyone can blog or post to a board

IF YES, WHICH EMPLOYEES OPENLY REPRESENT YOUR ORGANIZATION ON SOCIAL MEDIA SITES?

• Chief Marketing Officer

• Corporate Communications

• Social Media Coordinators

• Director of Investor Relations

• CFO


REGARDING SOCIAL MEDIA, DOES YOUR ORGANIZATION HAVE:

Response options: Yes, No

PLEASE IDENTIFY THE KEY COMPONENT(S) OF YOUR ORGANIZATION'S POLICY OR GUIDELINES:

• Acceptable contents for posting; sensitivity to “insider” type information

• General do’s and don’ts

• Employees are allowed to note they are employed by the organization in their bio info, but specific statements about the company are prohibited

• Users can only represent themselves, not the company

• Use common sense

DOES YOUR ORGANIZATION CONDUCT FORMAL TRAINING OR PROMOTE AWARENESS OF ITS SOCIAL MEDIA POLICY?

Response options: Yes, we provide training; Yes, we promote awareness; No

PLEASE IDENTIFY THE FREQUENCY OF TRAINING OR AWARENESS EFFORTS:

Response options: Upon hire, Annually, Twice per year, As changes occur

WHO IS RESPONSIBLE FOR TRAINING OR AWARENESS EFFORTS?

• Communications/PR

• Compliance

• Human Resources

• Information Technology

• Marketing

• Legal


IF APPLICABLE, WHAT ROLE DO THE FOLLOWING AREAS PLAY IN MANAGING YOUR ORGANIZATION'S SOCIAL MEDIA INITIATIVES OR ACTIVITIES?

Areas compared: Managing SM, Monitoring SM, Daily SM activities, Incident handling

IS SOCIAL MEDIA A PART OF YOUR ORGANIZATION’S GOVERNANCE STRUCTURE OR PROCESSES?

Response options: No; No, but we plan to; Yes

IS SOCIAL NETWORKING OR BLOGGING PART OF THE INTERNAL AUDIT FUNCTION'S ANNUAL AUDIT PLAN?

Response options: Yes, social networking only; Yes, blogging only; Yes, both; No, a different department is responsible; Not managed at all

INDUSTRY AND COMPANY SIZE DEMOGRAPHICS

• The majority of responses were from Chief Audit Executives or company equivalents

• The majority of the organizations that the respondents work for are publicly traded organizations, privately held was next on the list, then government

• In addition, the majority of organizations that the respondents work for have upwards of 1,000 employees

SOCIAL MEDIA POLL QUESTION #1

• Which social media sites does your organization or company use?

Twitter.com

LinkedIn.com

ISACA.org

YouTube.com


SOCIAL MEDIA FACTS

• Facebook tops Google for site traffic

• 1 in 5 couples meet online

• If Facebook were a country it would be the world’s 3rd largest

• A new member joins LinkedIn every second

• Social gamers will buy $6 billion in VIRTUAL goods by 2013

• If Wikipedia were a book, it would be 2.25 million pages long

• YouTube is the world’s 2nd largest search engine

WHAT DO THESE FACTS TELL US?

Social media must be embraced by business; however, it should be done so carefully and strategically.

TOP 5 BENEFITS OF SOCIAL MEDIA

Communications platform

Sales growth

Brand recognition

Referral source

Recruiting conduit


COMMUNICATIONS PLATFORM

• Direct customer engagement

– New products and features

– Convey messages instantly and without cost

• Customer surveys

• Learn customer preferences

• Receive feedback in real time

COMMUNICATIONS PLATFORM CONTINUED


SALES GROWTH

• Direct marketing tool

– E-commerce

• Demographic information

• Capture email addresses and other info

• Potentially expansive reach


SALES GROWTH CONTINUED

• Online ad spending will grow to $39.5 billion in 2012, compared to the $32 billion spent in 2011

• According to these estimates, online ad spending will top print spending (newspaper & magazine combined) in 2012


SALES GROWTH CONTINUED


BRAND RECOGNITION

• Generate “buzz” around the office water cooler

• Get people sharing your video, pictures, content on their personal pages

• Using social media as a branding tool successfully takes creativity


BRAND RECOGNITION CONTINUED


REFERRAL SOURCE

• Social media outlets are valuable sources of business referrals

– LinkedIn

– YouTube

– Blogs

– Forums

– Etc.

• All of these outlets point back to your business

REFERRAL SOURCE CONTINUED


RECRUITING CONDUIT

• Social media outlets are great tools for recruitment

– Potential employees learn about your organization

– Sites such as LinkedIn allow you to search for potential employees

– Save on recruiting costs and get to know potential hires better

RISKS OF A CORPORATE SOCIAL MEDIA PRESENCE

There are numerous social media risks… let’s understand them.

RISKS OF A CORPORATE SOCIAL MEDIA PRESENCE

Threat: Exposure to customers and the enterprise through a fraudulent or hijacked corporate presence.

Risks:

• Customer backlash/adverse legal actions

• Exposure of customer information

• Reputational damage

• Targeted phishing attacks on customers or employees

Risk Mitigation / Control Strategy:

• Develop brand protection guidelines and assign staff or hire a firm that can scan the Internet and search out misuse of the enterprise brand

• Give periodic informational updates to customers to maintain awareness of potential fraud

RISKS OF A CORPORATE SOCIAL MEDIA PRESENCE

Threat: Mismanagement of electronic communications and/or inappropriate content posted on official corporate social media outlets.

Risks:

• Reputational risk (self-inflicted)

• Customer backlash

• Brand tarnishing

Risk Mitigation / Control Strategy:

• Strictly control who can post content

• Strictly control how users access corporate social media outlets

• Policy for approval of any content posts

• Social media crisis response plan

• Consider what can go wrong before posting

• Do not link corporate pages to personal accounts

RISKS OF A CORPORATE SOCIAL MEDIA PRESENCE

Threat: Unclear or undefined content rights to information posted to social media sites.

Risks:

• Enterprise’s loss of control/legal rights over information posted to the social media sites

• Media (images, videos, content, etc.) that are a product of the organization can be easily copied and re-used without consent

Risk Mitigation / Control Strategy:

• Ensure that legal and communications teams carefully review user agreements for social media sites that are being considered

• Policies that dictate to employees what information should be posted as part of the enterprise social media presence

• Log all communications requests and validate approval

RISKS OF A CORPORATE SOCIAL MEDIA PRESENCE

Threat: The move to a digital business model may increase customer service expectations.

Risks:

• Customer dissatisfaction with the responsiveness received on social media sites, leading to potential reputational damage for the enterprise

• Customer retention issues

Risk Mitigation / Control Strategy:

• Ensure that staffing is adequate to handle the amount of traffic that could be created from a social media presence

• Create notices that provide clear windows for customer response

• Content to establish expectations

RISKS OF A CORPORATE SOCIAL MEDIA PRESENCE

Threat: Introduction of viruses and malware to the organizational network through the allowed use of social media sites.

Risks:

• Data leakage/theft

• “Owned” systems (zombies)

• System downtime

• Additional unplanned resources required to clean systems

Risk Mitigation / Control Strategy:

• Anti-virus/malware installed on systems and updated daily

• Content filtering technology to restrict or limit access to social media sites to appropriate users only

• Establish or update policies and standards

• Inform employees of the risks involved with using social media sites

RISKS OF A CORPORATE SOCIAL MEDIA PRESENCE

Threat: Excessive employee use of social media in the workplace.

Risks:

• Network utilization issues

• Productivity loss

• Increased risk of exposure to viruses and malware due to longer duration of sessions

Risk Mitigation / Control Strategy:

• Manage accessibility to social media sites through content filtering or by limiting network throughput to social media sites

RISKS OF A CORPORATE SOCIAL MEDIA PRESENCE

Threat: Use of personal accounts to communicate work-related information.

Risks:

• Privacy violations

• Reputational damage

• Loss of competitive advantage

• Trade secret exposure

• Transmission of sensitive data

Risk Mitigation / Control Strategy:

• Work with the HR department to establish new policies or ensure that existing policies address employee posting of work-related information

• Work with the HR department to develop awareness training and campaigns that reinforce these policies

RISKS OF A CORPORATE SOCIAL MEDIA PRESENCE

Threat: Employee posting of pictures or information that link them to the enterprise.

Risks:

• Brand damage

• Reputational damage

• Trade secret exposure

• Customer loss

Risk Mitigation / Control Strategy:

• Work with the HR department to develop a policy that specifies how employees may use enterprise-related images, assets, and intellectual property (IP) in their personal online presence

• Self-police or monitor each other as best you can

SOCIAL MEDIA POLL QUESTION #2

• What is the most pervasive Social Media risk?

Financial risk

Reputational risk

Environmental risk

Physical risk


COMMON THEMES AMONG MITIGATION STRATEGY

• Policies and procedures

– Making sure employees read and understand them

– Training on the policies and procedures

• Assess risk on a continual basis

• Limit, control and monitor access to the corporate social media presence

• Monitor the corporate page and watch for fake pages

CONTROL IMPLEMENTATION STRATEGY: ASSESS RISK

• Determine which risks are most applicable to your organization

– Determine impact of the risks

– Determine likelihood of occurrence

– Even attempt to assign a rough estimated dollar value to the potential loss associated with each risk

• Revisit the assessment at least on an annual basis

CONTROL IMPLEMENTATION STRATEGY: POLICIES, PROCEDURES & TRAINING

• Involve the key stakeholders

– Communications

– Sales & Marketing

– Technology

• Define what social media will be officially used for and in what capacity

• Develop a right-sized training approach based on risk

– Face to face, webinar, online document, etc.

• Ensure your organization possesses the right capabilities and fill in the missing links

CONTROL IMPLEMENTATION STRATEGY: CONTROL & MONITOR

• Restrict user access to official pages

• Determine chain of approval for various levels of content (text, media, sales messages, etc.)

• Set frequency of monitoring activities

• Determine which tools to use:

– Google Alerts (free tool)

– Google Trends (free tool)

– Socialmention.com (free tool)

– Tweetscan.com (free tool)

– Lithium (paid service)

– Radian6 (paid service)

– Market Sentinel (paid service)

CONTROL IMPLEMENTATION STRATEGY: CONTROL & MONITOR CONT’D


RISKS OF TOO MANY CONTROLS

• Stifle business/marketing efforts

• Legal risks

– If policies are too stringent they may be unlawful under the National Labor Relations Act

• Disenchanted employees if the company blocks social media sites

– In reference to the Millennial generation, a recent Cisco report noted, “The ability to use social media, mobile devices, and the Internet more freely in the workplace is strong enough to influence job choice, sometimes more than salary.”

• While many social media sites are free, the cost of FTEs to monitor and control the corporate social media presence can be staggering

TESTING APPROACH

• Review formal policies related to Social Media

– If formal policies are in place, this provides Internal Audit with actual metrics and standards to audit against

– Review policy for key elements:

Protocols for communication

Standard phrases and tone that convey the corporate voice

Use of company logos/brand marks

Employee use of social media using personal devices

Use of mobile devices to access social media

Response protocols on social media sites

Review and monitoring protocols

TESTING APPROACH

• Policy Review for Key Elements Cont’d:

– Personal Use in the Workplace

Is it allowed

Posting of business-related content

Prohibited disclosure of certain work-related topics

– Personal Use Outside the Workplace

Prohibited disclosure of certain work-related topics

Dangers of posting too much personal information

– Business Use

Is it allowed and for whom

Process for gaining access

Appropriate usage guidelines for the organization

TESTING APPROACH

• Interview personnel that use Social Media from every angle (Communications, Marketing, Sales, HR, etc.) and understand how they use it

• Review the Risk Assessment to ascertain if Social Media has been a part of the risk process and if management understands the risks involved


TESTING APPROACH

• Determine if there is Social Media awareness training by HR for the appropriate employees

• Determine if there are appropriate personnel in charge of the Social Media function and that staffing is adequate to monitor

• Determine if access to corporate Social Media outlets follows the access management policy

No shared IDs

Routine password changes, 8 characters in length, etc.

Pages not linked to personal accounts

TESTING APPROACH

• Determine if appropriate safeguards are in place over computer assets used for official Social Media purposes

Antivirus/Antimalware

Lockout, passwords on smartphones/iPads/tablets

Remote wipe capabilities

• Determine if there is an incident response plan for Social Media in the event something goes wrong (see Social Media disasters)

SOCIAL MEDIA POLL QUESTION #3

• What is the cornerstone control of Social Media risk management?

Monitoring employee Facebook pages

Social Media policy acknowledgement with regular training

Strong passwords

Don’t use it


SOCIAL MEDIA DISASTERS

• McDonald’s tried to promote the quality of their ingredients and have fans share positive experiences via a Twitter campaign

• Instead, the tag became a way for animal activists and less-than-satisfied diners to air their grievances

• The #McFail hash tag was born

• A very big lesson learned for all parties involved


SOCIAL MEDIA DISASTERS

• A drunk Red Cross employee accidentally tweeted from the official account on his phone

• He thought it was his personal account

SOCIAL MEDIA DISASTERS

• A hacking group gained access to Fox’s Twitter accounts and started tweeting that President Obama had been assassinated and that ground zero had been attacked

• They promptly removed the false reports and worked with Twitter to prevent future compromise


QUESTIONS
