Social media has long since made its arrival in companies. But, for quite some time now, the emphasis has no longer been on the networking of users. Many companies have discovered the possibilities of using social media for their own purposes, e.g. for HR recruiting. In the meantime, a huge industry has grown up around social media. Starting with influencers, who receive money for presenting products on social networks, through to companies, such as Cambridge Analytica, which have analyzed huge amounts of data from Facebook user profiles in order to influence public opinion. The opportunities and risks are enormous. But what about your company? Have you ever audited your social media presence, or perhaps it is included in your audit plan? Dr. Urban Becker, Head of Internal Auditing at Melitta, addressed this topic in his master thesis and developed a framework for auditing social media as part of internal auditing. In the first part of this series, he presents the risks and audit approaches to be found in the literature on the subject. So please, take it from here, Dr. Becker:
Use of social media by companies
Digital media are increasingly changing the way people communicate. Social media, as one part of digital media, is increasingly used by private individuals, as well as by organizations and companies. Social media are Internet-based applications based on the ideology and technological platform of Web 2.0, with which users can not only read information, but also set up their own profiles and communicate with other users with whom they share a connection. Social media applications include numerous platforms such as Facebook, Instagram, Google +, Pinterest, LinkedIn, Xing, YouTube, Twitter, Skype, WhatsApp and Wikipedia. The number of users of these applications has been growing steadily for years. According to Kaplan & Haenlein (2010), social media applications can be classified according to the richness of the media and the self-presentation behavior of a user.
Social presence / Media richness | ||||
Low | Medium | High | ||
Self-presentation / Self-disclosure | High | Blogs, Microblogs (e.g. Twitter) | Social networks (e.g. Facebook) | Virtual social worlds (e.g. Second Life) |
Low | Collaborative projects (e.g. Wikipedia) | Content communities (e.g. YouTube) | Virtual game worlds (e.g. World of Warcraft) |
Table 1: Classification of social media by richness and self-disclosure
Source (Kaplan & Haenlein, p. 62)
Thus the richness of text information is less than that of an image or video presentation. A user’s self-presentation depends on how much he reveals about himself in a medium. The motives for using social media therefore differ.
There are two target groups for the use of social media by companies:
- Internal communication with employees and managers in the fields of knowledge, content, document and project management.
- External communication in the fields of public relations, marketing, sales, service and information provision, personnel recruitment and procurement. The goals for the assignment are manifold and include building up a network, increasing the brand and company awareness, positioning as an employer and influencing topics.
Relevance of a review of social media by the audit department
The use of social media is associated with new uncertainties that have not been relevant for companies until now. These uncertainties arise from the internal coordination of activities, the response to information published to and about the company, and bilateral and multilateral communication with the company’s stakeholders. For this reason, there are so far only a few sources that deal intensively with the risks and possible audit approaches to social media.
These uncertainties can be actively dealt with by means of:
- risk management or
- conducting an audit.
In risk management, the activities are carried out by employees responsible for the process, who systematically identify risks and analyze and evaluate them in terms of their probability of occurrence and the extent of possible damage. Based on this, risk management measures are derived according to materiality and targeted monitoring is set up. These measures include approaches to avoid, reduce or share risks with other parties, thereby avoiding the complete assumption of risk.
Audits are assessed by independent persons such as the internal audit department of a company. In addition to internal audits, external social media experts, certification organizations and auditors are also considered. There are important arguments for assigning the task of a social media audit to Internal Audit. In contrast to other departments, internal auditing is characterized by good integration into the company, which enables the knowledge gained to remain within the company. It is the mission of Internal Audit to increase and protect the value of its organization through risk-oriented and objective auditing and consulting. The high quality of the audit results is guaranteed by the principles of integrity, objectivity, confidentiality and professional competence to be observed.
According to the Three-Lines-of-Defense model, Internal Audit complements the control systems of an organization’s operational functions (first line) and monitoring systems (second line).
In order to focus on the important areas of auditing, a risk assessment is also necessary for internal auditing. There are various approaches to identifying risks:
- Understand the use of the social media application under consideration and assess its potential risks
- Literature and online research to identify social media risks
- Adaptation of frameworks such as COSO or COBIT to address the issues raised by social media use
- Consult other audit or social media specialists
Typical risk areas cited in the literature include social media strategy, organizational and procedural issues, the existence and content of rules and regulations, legal risks, risk management for social media, personnel risks and protection against IT risks.
Based on the risk assessment, social media management must be included in the risk-oriented audit plan. On the basis of the resulting evaluation, social media must be included as an audit topic in the time-related audit plan.
The second part of this blog looks at approaches based on frameworks. In the third part, a continuous audit approach is presented, which was developed from interviews and questionnaire evaluations of audit and social media experts in the context of a master thesis. Among the different types of audits carried out by the audit department, social media audits can be assigned to the category of operational audits.
Steps in the process of a social media audit
Internal Audit works in a process-oriented way in a cycle consisting of audit preparation, audit execution, result reconciliation, reporting and follow-up. The preparation of an audit comprises planning tasks and preliminary investigations, which include, for example, the risk analysis of a field of audit, conceptual activities and the acquisition of information. The actual performance of the audit is based on interviews, data evaluation and the analysis of documents, for example in the form of random samples. It concludes with the coordination of the results and agreement on the measures to be taken. On the basis of the coordinated audit results and agreed measures, a report is prepared and the audit documents are compiled. Once the audit has been completed, the implementation of the agreed measures is monitored as part of a follow-up. Reporting and follow-up are to be processed in a structured manner for all audits, irrespective of the audit topic. It is undisputed in the literature that the “classic” audit process should also be used for social media audits.
The audit process can also be used for projects. A project-accompanying audit could be useful for the implementation of a social media presence of a company or organization. Alternatively, a review can be carried out after the implementation has been completed in order to identify possible improvements to the state of the project.
What can the preparation of an social media audit look like?
The “classic” audit process proceeding from risk assessment with subsequent selection and implementation of the audit activities on the basis of the assessed risks can also be used for social media as an audit topic.
What preparatory steps are necessary to be able to carry out a social media audit?
In order to conduct a social media audit, the topic of social media must be included in the Audit Universe, a social media audit must be included in the actual planning of the audit and the audit must be prepared:
- In order for social media to be included as a relevant field on the basis of an assessment of the audit map (Audit Universe), social media must be included as an audit field in the audit map and evaluated using the system contained therein.
- In the annual or multi-year planning, the fields in which audit activities are carried out by Internal Audit are determined for the planning period in a risk-oriented manner on the basis of the Audit Universe. The result of this planning step is, for example, the decision to carry out an audit in the field of social media by the internal audit department. Alternatively, a special audit of social media topics can also be requested by company management.
Which aspects have to be taken into consideration during the actual audit?
- When a single audit is considered, the actions to be performed are specifically planned on the basis of an approved audit plan. The result of this step is the definition of activities within the audit under consideration. Depending on the objectives of the audit, appropriate focal points can be defined, e.g. social media strategy, legal issues, social media controls or a process-oriented analysis.
- If necessary, it may be necessary to obtain and process further information in order to prepare for a social media audit, in order to determine starting points for later consolidation within the framework of the audit.
- For social media questions, the particular challenge for many auditors is that they first have to familiarize themselves with this topic area.
- Typical preparatory activities are the requirement of documents and access rights for relevant systems (e.g. a monitoring system for social media), as well as data evaluations.
- For the acquisition and processing of information within the framework of a social media audit, the methods of conducting interviews, data analysis and sampling are suitable for planning the work program.
As with other audit topics, the on-site audit begins with an introductory meeting with regard to time planning. After the audit is completed, the audit result is agreed at the final meeting as the basis for the report and subsequent follow-up. The execution of the order is to be supervised and controlled by the audit management.
Have you ever carried out a social media audit? If so, how did you proceed?
Sources:
Kaplan, A. M., & Haenlein, M. (2010). Users of the world, unite! The challenges and opportunities of Social Media. Business Horizons, 53(1), 59-68