Organizational Internal Controls for Social Media

By Jim Kaplan, AuditNet.org

As online social media gain mainstream acceptance, traditional face-to-face contact is taking a back seat as the networking method of choice. Facebook, Twitter and LinkedIn are gradually changing how businesses and professionals operate.

In the past, doing the bulk of one's communication online would have been unusual; now it is the norm. Everyone is e-mailing, blogging, using wikis, or all of the above, to give their business a boost. It is a paradigm shift that brings new demands on the internal control environment, which must now specifically address the social media process.

The lines are not clearly drawn. While some individuals insist that they use social media only for non-business purposes, it is making inroads in the business community. (A generational gap is creating the perfect storm, with technology clashing head-on with a cultural phenomenon.) The reality is that business and non-business communications sometimes mingle.

Because social media is still evolving, many organizations have yet to provide direction or develop policies on its use. Employees themselves are often unsure, from a business perspective, what the generally accepted rules of online behavior are.

Some forward-thinking organizations are building social communications into their policies and procedures, but many are still navigating uncharted waters, trying to reconcile the new avenues with existing organizational policies. Those policies relate to the ethical and behavioral aspects of communicating, not only within the organization among employees and supervisors, but also externally with vendors and customers.

Social media controls are becoming more important for audit organizations to address. They cut across different lines, involving IT systems and tools: the Internet, blogging platforms and the various software applications individuals use to access social media.

What Policies Should Govern These Tools?
Some companies, IBM among them, have developed social computing and computer-use policies. Many other high-tech firms, Microsoft and other software and Internet-based businesses among them, are at the forefront in recognizing social media as a phenomenon that is here to stay. Organizations will have to change the way they try to control this new mode of communication.

In this context, a risk assessment might be the first order of the day. What strategy does the organization have for social networking? Will it continue to allow employees to access social networks from the office, or block them? Will it adopt policies that restrict corporate resources from being used for social networking?

There is real push and shove between departments within an organization: marketing relishes signing on to Facebook, Twitter and their kin to disseminate information and reach customers, while auditors look at the same tools and ask what kind of risk they expose the organization to. It is not just IT risk, but the risk of plagiarism, inadvertent sharing of information, legal liability and loss of intellectual property (employees giving away corporate secrets). Reputation risk, too, is a big concern.

Monitoring What Goes On
Most organizations have some type of network oversight capability that lets them monitor activity. But monitoring raises a privacy issue; if an organization is going to do it, it needs to be consistent and have a specific policy defining what is acceptable behavior on the part of an employee. It must also inform employees that their online activities will be subject to scrutiny.

Another issue many communicators today disregard is the permanence of the Internet. Pictures posted during college years depicting offensive behavior, whether drinking or sexual activity, have a way of coming back to haunt their subjects. One thing I recommend is keeping business contacts separate from social contacts; never mix the two. Do not post anything on the Internet that you would not want your parents (or a future employer) to see.

It behooves an organization to have a policy in place under which it monitors network activity and checks whether employees are violating the organization's own rules regarding communication. Furthermore, to avoid legal liability, companies should apply that policy to all employees equally. The tone at the top must send a clear message about proper social networking behavior, just as it does on fraud and ethics.

When it comes to social media, a number of IT controls need to be in place (for example, protection against viruses reaching the organization's network through these channels). Employee productivity is another social networking issue, although I do not view it differently from an employee's personal use of the telephone or surfing the Internet: you cannot enforce a policy prohibiting employees from using the phone. Keep in mind, too, that once employees leave the office they are on their own, and the potential risk is magnified, especially if they refer to their employer in their personal communications.

Once individuals start using Twitter and similar applications, they tend to view them as channels for outbound communication. The reality is that opening such a channel also opens a gateway in, through which content from outside reaches the organization's network and its people. That is why many organizations, concerned about this vulnerability, are blocking social media traffic and social media sites.

I have yet to encounter an organization that is auditing internal controls on social media. Typically, auditors first need to understand the technology. That is what they are doing now as they look at threat potential: whether the risks are high, medium or low, and what associated risks might be lurking on the sidelines. Then they can move to the next step and perform a risk assessment of the social media issue as a whole.

Accordingly, I think auditors will start developing ways to audit social networks based on:
  • Level of risk assessment
  • The organization’s compliance and non-compliance with policies and procedures
  • Soft controls in place from an ethical standpoint
  • The top-down organizational tone

If an organization does nothing about the use of social media, it may well find itself open to legal action by employees, for example if someone is fired for using social media when no policy is in place. Similarly, as public relations becomes a social media process between an organization and its vendors, competitors may be watching how people communicate via social networking; if employees slander another organization, the push-back will be a PR nightmare that puts organizational reputation at risk.

Looking ahead, over the next two or three years this is an area in which audit departments will develop programs to audit social networking and the inherent risk it exposes an organization to. The Social Media Governance site provides guidance and examples from many well-known organizations on establishing social media principles and policies; for further details visit www.socialmediagovernance.com.

About the Author
Jim Kaplan, Founder and CEO of AuditNet®, the global resource for auditors, is a pioneer in bringing the Internet to auditors. As founder and principal of AuditNet®, he developed a website that links auditors around the world with over 1,300 audit-related resources and over 2,000 audit work programs. The AuditNet® website, www.auditnet.org, is used by auditors at Fortune 500 companies, public and private companies, government agencies and other organizations around the world searching for audit-related information. This article is a natural outgrowth of his original idea of developing an online information network for auditors. Jim can be reached at info@auditnet.org.

According to a recent poll conducted by Protiviti KnowledgeLeader, which asked "Does your organization have a formal policy in place focused on the use of social media in the workplace?", the final results were:

  • Yes: 33.3%
  • No: 61.5%
  • Not applicable: 5.1%


The opinions, beliefs and viewpoints expressed by the various authors and forum participants on this web site do not necessarily reflect the opinions, beliefs and viewpoints of AuditNet®