Adding Social Media to the Audit Plan
Whether incorporated as part of a larger audit or conducted independently, social media should be on an auditor’s radar. After all, a company without a social media presence is essentially unheard of in today’s digitally driven era.
The need for social media audits centres around risk and governance. Whilst auditors do not write social media policies, an audit of these policies and practices ensures that what is being shared aligns with company branding, complies with copyright laws, falls within the business’s risk scope, and more.
The first step in examining social media is outlining which platforms a company is active on and the company’s objective on each of these platforms. LinkedIn, Instagram, Facebook and Twitter are among the most popular social platforms and are a good starting point. Unauthorised and inauthentic accounts should be included in the social media scan. The aim is to know exactly where the company is online and to understand the objective of using each specific social platform. LinkedIn, for example, has a completely different purpose when compared to Twitter, and a company does not need to be across all social platforms if some are not suitable for the business’s aims.
Following from this, the audit should establish who has logins to each platform and how these logins are managed. This should include how often these logins are changed, the process of storing these logins and any social media scheduling tools used.
Beyond what the company shares, what external parties are sharing about the company is within this social media scope. Whether a disgruntled former employee airing frustration on Facebook or a confused customer seeking assistance on Twitter, this external content is arguably more important than what the company shares.
An action plan that outlines how any negative content is responded to should be clear and understood by all relevant parties. For example, if there are inappropriate comments on an Instagram post, should they be instantly removed, reported to Instagram, ignored completely or responded to? What does the company define as inappropriate on social media? Does this definition align with the wider organisation’s definition? These questions, and others like them, must be answered as part of the organisation’s social media risk guidelines.
Finally, the social media pages of employees have also made headlines before, with inappropriate content impacting their employer’s reputation. Whether it is employees talking negatively about the company or an employee sharing racist or sexist opinions, such information can have detrimental impacts on an organisation’s reputation, even though it is not directly posted by the company.
With these potential impacts in mind, clearly informing employees what constitutes inappropriate and appropriate social media behaviour should be part of the onboarding process. This should include the potential consequences of operating beyond this appropriate behaviour, and the information should be accessible to all employees.
Given the instant and accessible nature of social media, this monitoring and measuring of social platforms is one of the latest jobs of both internal and external auditors. By adding social media to an auditor’s docket, companies are prepared to address any reputational situations and align practices with risk and compliance requirements.