Issue

Social media is not only becoming a part of everyday busi-

ness operations, but also a competitive necessity. Yet in
many organizations, the potential risks related to employ-
ees use of social networking sites, as well as tools and
technologies for communication and collaboration, are not
closely monitored or fully assessed by internal auditing
teams. In fact, a recent KnowledgeLeader
SM
survey revealed
that 55 percent of organizations did not even include the
evaluation of social media risks in their 2011 audit plans.
1

One reason many rms have not made assessing social
media-related risks a priority is the perception that social
media itself falls outside the boundaries of company policies
and enforceable actions. As a result, even IT auditors those
responsible for reviewing risks related to IT systems and
processes and assessing the effectiveness of information
security and other IT strategies, policies and practices
typically do not view social media as an area that should be
risk-assessed annually and audited as necessary. However,
given the risks involved, this attitude must change.
Challenges and Opportunities
Social media presents an array of signicant risks to the
enterprise. In addition to the potential loss of intellectual
property, which could undermine an organizations com-
petitive edge, and the communication of sensitive data to
unauthorized parties, which could result in costly compli-
ance violations, improper use of social media could lead to:
Reputation risk Slanderous remarks and comments
posted on social networking sites by disgruntled workers,
clients or customers who have malicious intent can
damage the rms image signicantly and even irrepa-
rably. There also is the risk of inadvertent or accidental
reputation damage that can occur when, for example,
a company employee posts a personal and perhaps
inappropriate message on Twitter while signed on to
the companys account instead of his personal one.


Financial risk Remarks made in the social sphere
about the company and its performance could affect
stock price and performance.
Safety risk Release of information through social media
channels about what executives or other employees are
doing or where they are traveling could put them at risk.
Lack of strategy Strategies for using social media
and ensuring they are well-thought-out and monitored
so that organizations benet from them need to be
coordinated. Otherwise, they waste time and money on
something that fails to increase customer loyalty and
satisfaction or attract new customers.
Many of the potential risks to the enterprise that social
media presents, whether related to IT security or market-
ing-related activities, are not new. But because of the rapid
exchange of information occurring through social media
channels and the vastly wider audience that may witness
or feel the impact of a negative event, these risks must be
taken seriously, and closely monitored, by businesses.
For many organizations, IT auditors will be at the forefront
of efforts to monitor and manage these risks.
Our Point of View
Social media risk, like any risk, should be monitored and
managed through training, awareness, policies and proce-
dures, and with appropriate controls to test the effective-
ness of those measures. Many enterprises likely are already
monitoring a wide range of IT risks. They just need to expand
their scope to include social media.
Also, access to social media not only is virtually instant,
but available to a broad audience that includes clients,
customers, shareholders and the public, as well as company
personnel. These employees, in particular, may create addi-
tional risks by accessing social media platforms on mobile
devices that do not comply with the companys security
policies. These and other risks must be assessed, managed
and monitored carefully.
IT audit planning and execution involves examining the
companys risk prole and determining the right things to
IT Auditing Expanding Scope
to Encompass Social Media
POWERF UL I NSI GHT S
1
Social Media Risk Poll, KnowledgeLeader.com, June 27, 2011.
About Protiviti
Protiviti (www.protiviti.com) is a global consulting rm that helps companies solve problems in nance, technology, operations,
governance, risk and internal audit. Through our network of more than 70 ofces in over 20 countries, we have served more than 35
percent of FORTUNE

1000 and Global 500 companies. We also work with smaller, growing companies, including those looking to go
public, as well as with government agencies.
Protiviti is a wholly owned subsidiary of Robert Half International Inc. (NYSE: RHI). Founded in 1948, Robert Half International is a
member of the S&P 500 index.
PROVEN DEL I VERY
How We Help Companies Succeed
Protiviti IT Audit professionals assist companies world-
wide in assessing compliance with internal IT policies and
procedures as well as legal and regulatory requirements
related to social media. We work with our clients to perform
a broad scope of social media-related internal audits, includ-
ing controls and supporting processes in the following areas:
Policies
Management
Data privacy and security
Regulatory tracking
Monitoring and alerts
Training and awareness
Vendor management
Example
A nancial services provider selected Protiviti to evaluate
its social media policy and presence. We worked with our
client to:
Compare its policy to best practices and recommend
enhancements.
Search for sensitive information that may harm the
clients reputation or disclose details about its IT
infrastructure.
Search public databases, forums and discussion boards
to identify client employees who may have posted
inappropriate information about the company.
Through the review, our client was able to update its social
media policy to comply with new regulatory requirements
and gain comfort that inappropriate content had not been
posted by employees.
Contacts
David Brand
+1.312.476.6401
david.brand@protiviti.com
2011 Protiviti Inc. An Equal Opportunity Employer. PRO-1111-107118
Protiviti is not licensed or registered as a public accounting rm and does
not issue opinions on nancial statements or offer attestation services.
audit, including IT infrastructure components such as data-
bases, operating systems, networks and data centers. To
determine what aspects of social media should be assessed
and monitored and to identify potential risk areas, IT audi-
tors should ask the following questions about the organi-
zations current approach to social media:
How is social media being used by the business, and by
which employees?
Does our organization have a formal social media strategy?
Do our current policies support our approach to social
media and help to protect the enterprise?
How are we educating our employees about social media-
related risks?
What measures are in place to protect our data?
What data might be leaving our organization via social
media channels?
Is our organization in compliance with applicable privacy
laws and regulations?
By working with management and other key stakeholders
in the organization to answer these types of questions, IT
auditors can verify that appropriate policies and controls
are in place around the use of social media by the business
and its employees. They also can more condently focus
resources toward monitoring social media-related risks that
the enterprise should be most concerned about based on
its compliance requirements and business objectives.
James Armetta
+1.212.399.8606
james.armetta@protiviti.com
Anthony Samer
+1.415.402.3627
anthony.samer@protiviti.com