Due to its rapidly growing use throughout the enterprise, social media has become a key focal point for management and boards of directors seeking to understand, assess, manage and mitigate the risks associated with its usage by employees. Within many firms, these risk management responsibilities are falling to internal auditors. As indicated in the results of Protiviti’s "2013 Internal Audit Capabilities and Needs Survey," an annual study that assesses current skill levels and areas of priority for audit executives and professionals, social media risk management expertise has quickly become a must-have capability within most organizations.

Social media use on the rise; process in infancy
Social media platforms and applications have been implemented rapidly by most organizations over the past two years. However, the precise nature of social media use within companies, along with its new and rapidly evolving nature, remains rife with uncertainty. New ways to utilize social media crop up weekly, and new social media tools seem to hit the market just as frequently.

For executive management and boards of directors, the evolving use of social media within the enterprise presents significant challenges from a risk management standpoint. An initial step in addressing uncertainty surrounding social media risks involves gaining a better and clearer understanding of its use throughout the organization, and the degree to which that use is, or is not, governed by a formal strategy and social media policy.

According to the results from Protiviti’s survey:
  • 64% of companies leverage social media for external communication.
  • 44% leverage social media for internal communication.
  • Social media use may be on the rise, but formalized processes to manage it are in their infancy: three out of four companies consider their social media processes at one of the two lowest stages of a five-stage capability maturity model.

The results from this survey suggest that social media risk will soon be a fundamental component of most audit plans. In fact, a majority of companies are evaluating and auditing social media risk as part of their current audit plan, or plan to include these activities in next year’s audit plan.

There are a number of compelling reasons for integrating social media risk evaluations into the normal flow of risk management and internal auditing activities. From a risk management perspective, social media use poses the highest level of risk for organizations in the form of:
  • Brand and/or reputational damage
  • Data security
  • Regulatory and compliance violations
  • Data leakage
  • Viruses and malware

Of note, those organizations that are currently addressing social media risk indicate that doing so generates value, including being able to: monitor reputation risk; identify issues, risks or control problems early; improve overall business strategy; and achieve stronger regulatory compliance.


Key Findings from Protiviti’s 2013 Internal Audit Capabilities and Needs Survey:
  • Organizational social media use is rising and growing increasingly important from a risk management standpoint; yet, formal processes for it remain a rarity.
  • The evaluation and monitoring of social media risk is or will soon become a key part of audit plans.
  • The precise nature of organizational social media risk is rapidly changing, which generates confusion as well as obstacles internal auditors must recognize and address.


Obstacles to effective social media risk management
The results of the survey suggest that while more organizations are undertaking, or planning to undertake, efforts to address their social media risk, there is a substantial degree of uncertainty around the effectiveness of social media risk management activities to date. Such uncertainty can be mitigated by addressing the obstacles currently inhibiting management’s and internal audit’s involvement in the assessment of these social media risks.

As noted previously, most organizations view their social media processes as relatively immature. Additionally, there are still many organizations that do not address social media risk as part of the audit plan (and have no plans to do so), and many also view their organization’s social media risk-assessment capability as less than effective. Yet, most internal audit functions (according to the survey results) appear to possess sufficient resources and skills to address social media risk.

So, why aren’t more internal audit functions achieving greater levels of success in integrating social media risk management processes and activities into their work? The answer points to several obstacles that require attention. The first, and perhaps overarching, obstacle is clarity: While most internal audit functions possess sufficient resources and skill-sets, they also realize these resources have not been trained extensively in social media-related risks and, thus, lack the skills necessary to have a deeper involvement in this area.

This confusion can be eliminated by developing a more effective understanding of the skills that social media risk identification, assessment and mitigation require—namely, intensive internal collaboration with IT, executive management, business process owners and more, as well as with external experts.

Armed with this understanding, organizations can more effectively address other inhibitors, including, but not limited to, confusing perceptions of social media risk throughout the organization, lack of management support, inadequate technology and lack of IT support.


BRIAN CHRISTENSEN is executive vice president of global internal audit for Protiviti, a global business consulting and internal audit firm. For the full results of Protiviti’s "2013 Internal Audit Capabilities and Needs Survey" report, visit www.protiviti.com/IAsurvey.