May, 2012
© 2014, Jacka & Scott

By the end of this seminar, you will have had an opportunity to:
◦ Develop an understanding of what is meant by social media, the full spectrum of opportunities, and how companies use this new tool
◦ Develop an understanding of what makes up good social media strategies, governance, and policies
◦ Identify the risks in various aspects of social media
◦ Identify the elements of an audit over an organization’s social media activities

If you know nothing about social media, you should leave here knowing:
◦ What’s going on
◦ What your organization is facing
◦ Where the risks are
◦ How the organization and auditing can respond

If you already know something about social media, you should leave here knowing:
◦ More about what’s going on
◦ More about what your organization is facing
◦ More about where the risks are
◦ More about how the organization and auditing can respond

The following topics will be covered during the seminar:
Social Media Defined
Social Media Strategies
Governance and Social Media
Measuring and Monitoring
The Regulators
Social Media Risks
The Social Media Audit

A brief history of social media
Social media – a definition
Social media – the conversation
Lessons for Internal Audit

BBS, Usenet, Listserv
CompuServ, Prodigy, Genie
GeoCities, theGlobe.com
Classmates, SixDegrees, Friendster
MySpace, LinkedIn, Facebook, Twitter
YGIAGAM

Your customers/your potential customers/your advocates/your competitors…getting together to talk about you
Comic-Con (or, what I learned from my kids’ summer vacation)

The #1 Risk: REPUTATION
PROTECTING AND CONTROLLING YOUR BRAND
Controlling (as best as possible) the conversation about your brand

The online forms of communicating to the masses which include blogs, microblogs, social networking sites, and podcasts (Answer.com)
Social media is the new term for socializing online. It allows people to freely interact with each other online whenever and wherever they want. (CubixDev)
An umbrella term that defines the various activities that integrate technology, social interaction, and the construction of words and pictures. (iContact)
Social media is technically a means for social interaction through the web. (Online Schools)
Social media are media for social interaction, using highly accessible and scalable publishing techniques. (Wikipedia)

A set of web-based broadcast technologies that enable the democratization of content, giving people the ability to emerge from consumers of content to publishers.

Survey to find how the organization is using social media
◦ Include in meetings within the organization
◦ Survey
Search to find the conversations
◦ Google search
◦ Top site searches

The social media strategy
Who uses social media
Brand and social media
The social media plan
Lessons for internal audit

◦ Ignoring Social Media
◦ Assuming Non-Participation Needs No Further Strategy
◦ No Overarching Strategy
◦ Converted strategies are sufficient

“What is our business, who is our customer, what is our value to our customer, what will our business be, and what should it be?”
“Analytical thinking & commitment of resources to action and innovation. Making decisions today about an uncertain future. Taking the right risks while exploring opportunities” - Peter Drucker

◦ Focuses on strategy, not tactics
◦ Promotes a unique value proposition
◦ Addresses real customer needs
◦ Has a 3-5 year outlook
◦ Lays the groundwork for implementation
◦ Is appropriately documented

◦ Aligns with business objectives
◦ Is incorporated in other strategies
◦ Identifies the target market and how each segment uses social media

Seven categories of participation in social media; the categories are not exclusive, and people may participate in more than one category at any given time.
Creators - People who publish blogs, develop images, create video content, host podcasts, etc.
Conversationalists - People who provide status updates on sites like Twitter
Critics - People who provide reviews and comments on blogs and forums
Collectors - People who vote on and tag articles and other content
Joiners - People who join larger social networking sites such as Facebook and LinkedIn and create profiles
Spectators - People who are more passive, but enjoy reading, watching, and listening to social media that has been developed by creators, conversationalists, and critics
Inactives - People who do not participate in any form of social media
Li & Bernoff - 2007

“The set of expectations, memories, stories, and relationships that, taken together, account for a consumer’s decision to choose one product or service over another” - Seth Godin

Understanding and trying to influence every possible touch point the business has with stakeholders/customers

Goals and Objectives
Channels
Engagement
Staffing and Funding
Metrics (to be discussed later in detail)

Increasing revenue
Improving customer satisfaction and loyalty
Recruiting and retaining the best talent
Product development and innovation
Enhancing brand awareness and perception

Determine who is driving social media activities
Get the strategies and plans
◦ Include brand strategies
◦ What are they trying to do with social media?
◦ Do they permeate other strategies and plans?
What types of customers have been identified?
Consider doing a strategic level review

Governance and frameworks
Roles of governance providers
Social media policies

The combination of processes and structures implemented by the board to inform, direct, manage, and monitor the activities of the organization toward the achievement of objectives

Governance, Compliance, Risk Management
◦ Governance: The systems and processes by which the organization is directed, controlled, and held to account
◦ Risk Management: The culture, processes, and structures that are directed to the effective management of potential opportunities and adverse effects
◦ Compliance: The systems and processes that ensure conformity with business rules, policy and legislation

No Group Responsible
◦ Starts everywhere at once
◦ No single “champion”
Missed Risks and Rewards
◦ Misunderstand underlying risks
◦ Focus on controls and risk versus opportunities
“Wrong” Group in Charge
◦ No wrong group, but…
◦ Examples – Risk, Compliance, Legal, IT

Provides broad oversight on all strategic decisions – including social media
Should understand why decisions were made and the related risks
Properly educated on social media
Updated as appropriate

Properly educated on social media
Projects are advancing as expected
Continued alignment with overall strategies and objectives
Significant issues are brought to executives’ attention
Overall objectives are being met
Periodically updated

Liaison with executive management
Coordinates interdepartmental activities
Regular meetings with updates
Ultimately responsible for success
Properly educated on social media

Keys to Successful Social Media Committees
Committee makeup/department feedback
Knowledge of the unique situation
Roles and responsibilities
Objectives
Requirements of social media
Task definitions
Measures of Success
Prioritization
Issue Elevation
Statement of direction

Clear communications on what employees can and cannot do on social networks
Specific restrictions regarding use of social media for nonwork-related activities
Considerations for all social media communications
◦ Add value
◦ Conversational style
◦ Honesty and respect
◦ Transparency and disclosure
◦ Confidentiality
◦ Ownership and registering properties
◦ Endorsements and recommendations
◦ Degree of personal and professional use

The organization’s monitoring practices
An outline of other policies that may be impacted by social media
Guidance on conflict-of-interest issues
IT requirements related to user IDs and passwords
Guidance on responding to comments
Guidance for crisis communication
Requirements that all applicable laws will be followed
Consequences

External social media policies should include:
Commenting allowed and disallowed
Comment moderation
◦ Offensive language
◦ Attacks and threats
◦ Off topic
◦ Proprietary information
◦ Banning

Proactive and reactive management
Social media account disclosure
Service-level agreements
◦ Hours of operation and response time
◦ Error correction
◦ What the organization will disclose and comment on

Discuss with the board
Discuss with executive management
Coordinate with assurance providers
Review social media policies

Metrics – Considerations
Value Added Metrics
Monitoring – Considerations
Who is Your Spokesperson?
Triage
Crisis Management

No Metrics
◦ With no measures, how do you determine success?
Misaligned with Organizational Goals
◦ Is everyone measuring the same thing?
Poor Metrics
◦ What is a poor metric?

Website hits
◦ “There have been 60,000 page views on our new website!!”
Blog Comments
◦ “My latest post had fifteen comments in the last half hour!”
Facebook Friends
◦ “We have successfully achieved our objective of having one million followers on Facebook!”
Twitter Followers
◦ “Our most recent Tweet on new product development was retweeted by half our followers!!!”

Brand Recognition
◦ Advocate Numbers and Frequency
Customer Service
◦ Issue Resolution Rate
Sales & Marketing
◦ Sales Generated
Human Resources
◦ Potential Candidate Engagement

◦ Conversations Will Occur
◦ Monitoring is Key
◦ Monitor Even Where You Are Not Leading the Conversation
◦ The Risk of Not Paying Attention
◦ Who is watching, how often are they watching, what do they watch, and what do they do with what they find?

Listening
Learning
Responding
Measuring
Sharing

The Intern
The 3rd Party
The Employee
The Executive

Even with the best reputation management, crises will happen
If done correctly, crisis management can actually enhance the brand and reputation
Companies are judged not on the crisis itself, but on the response

Providing no response
Replying “No Comment”
Offering disorganized, conflicting statements
Issuing a verdict before examining the facts

Quick and agile (minutes not days)
Predetermine when to mobilize a response
Keep everyone informed – transparency in communications
Role of the board
◦ They should ask for a crisis management plan; they should know the plan
◦ They are not the spokespeople
◦ Predetermine what events they need to know

Identify media experts ahead of time
Know the local responders
Train, Re-Train, Keep Training
Conduct simulations

Short and practical
Who does what, when and where
List the team
Internal and external contact details
Crafted messages
Proven ability to implement
Develop a process to allow for flexibility

Candor
Explanation
Affirmation
Declaration
Contrition
Certification
Commitment
Restitution

Determine how social media success is being measured
Find who is monitoring social media
Determine if there is a triage process
Determine what education occurs regarding social media
Review the disaster recovery plan/crisis management plan

Communication
The Cast of Characters

It is all about communication
An insurance example
Regulators are defining it as broadly as possible

Guidance Concerning the Use of Endorsements and Testimonials in Advertising
• Require disclosure
• The post of a blogger who receives cash or in-kind payment to review a product is considered an endorsement
• Ann Taylor (or can you afford $11,000 per blogger)
• Reverb Communications – 120,000 reasons
• Legacy Learning – 250,000 more

Facebook as a screening tool/Facebook as a background check
Civil rights, protected classes and social media
Currently “theoretical”
Best practices in hiring
◦ Social media checks in conjunction with background checks
◦ Only use public profiles
◦ Establish policies
◦ Document adverse decisions

Has issued guidance on SM Policies
Rulings continue to evolve

Testimonial Rule
◦ Third-party commentary
Fair Disclosure Rule
◦ Social media postings as good as news releases

Solicitation Number 1127679
Use of Social Media to Inform and Evaluate FDA Risk Communications

Federal Financial Institution Examination Council
◦ FRB, FDIC, NCUA, OCC, CFPB
Social media defined
Risk management over social media
◦ Designed with full participation
◦ Contain all components (e.g. governance, policies, training, etc.)
Compliance, reputation, and operational risk

Know your regulators
Know all your regulators
Know what other regulators are doing
Keep up-to-date

What is a Risk?
What We’ve Already Covered
But Wait There’s More

The possibility that an event will occur and adversely affect the achievement of objectives
COSO Internal Control – Integrated Framework 2013

Likelihood
Impact
Velocity
Persistence/Duration

Acceptance
Avoidance
Reduction
Sharing

The #1 risk is to your brand
Strategic
Governance
Planning
Monitoring
Metrics
Regulatory

Viruses and Malware
◦ Data leakage/theft
Brand Hijacking
◦ Customer gets exposed to hijacked and fraudulent presence
Lack of Control Over Corporate Content
◦ Employee posting wrong or improper content
Unrealistic Customer Service Expectations
◦ Service at the speed of the internet
Mismanagement of Communications
◦ Impact of retention regulations or e-discovery
Per ISACA White Paper

Viruses and Malware
◦ Antivirus and anti-malware controls installed
Brand Hijacking
◦ “Find a firm to protect your brand. Update customers”
Lack of Control Over Corporate Content
◦ Establish social media policies. Capture and log
Unrealistic Customer Service Expectations
◦ Ensure staff can handle. Timeline for responses
Mismanagement of Communications
◦ Establish policies and procedures
Per ISACA Workpaper

We have covered some already – HR, regulatory
Document retention/Archiving/E-Discovery
Right of use/copyrights and trademarks (e.g. images, text, music, etc.)
Celebrity Endorsements
Proprietary information
“Fake” Information
Competitors
Contracts (see next section)

Unqualified Vendors
Overdelegation
One-sided Contracts
Ownership of Content
Poor Metrics
Violations

Should contain
◦ Scope of Work
◦ Compensation
◦ SLAs
◦ Agency Expenses
◦ Ownership of Assets
◦ Copyright information
◦ Non-disclosure
◦ Team Members
◦ Conflicts
◦ Right to Audit
◦ Approval Process & Communications

(Yes, this is a catch-all)
Procedures
Organizational Design
Human Resources
Information & Communication
Training – Employees, Executives and the Board
Quality Assurance

Strategy
Governance/Oversight
Planning & Plan Execution
Policies & Procedures
Metrics
Monitoring
Regulatory/Compliance
IT
Legal
Third-Party
Human Resources

Lack of a formal social media strategy, or an inadequate one, could result in poor alignment with organizational strategies, invalid assessments of the strategy’s success, and inappropriate communication related to the organization’s initiatives
To determine whether a social media strategy has been developed that is complete, aligned with other corporate strategies, and appropriately documented and communicated

Expected controls:
Strategy document
Communication process
Meeting documentation
Approvals

Match organizational strategies to social media strategies to verify alignment
Review strategy to verify it includes basic requirements
◦ Strategic, not tactical, level
◦ All stakeholders considered (not just Marketing, etc.)
◦ Identifies target audience, desired relationship, and desired conversational engagement
◦ Identifies social media channels
◦ Properly identifies necessary resources
Review business strategies to ensure social media initiatives are included
Review necessary documentation to ensure appropriate approvals were obtained

Lack of appropriate governance and oversight related to social media initiatives could result in poorly aligned goals, mixed messaging to customers, inadequate interdepartmental communication, and a lack of direction related to social media initiatives.
To determine whether effective oversight has been established for the use of all social media, including social media specifically developed by the organization.

Expected controls:
Communication process
Board of Directors Meeting Documentation
Social Media Committee Documentation
Charter, Purpose, Objectives
Assurance Partners’ Reviews

Review meeting minutes to verify appropriate involvement at board level
Review documented discussions to verify appropriate involvement of executive management
Analyze training completed at the board and executive management level to ensure all necessary parties understand the full impact of social media
Review Social Media Committee documentation to ensure it is providing direction to the appropriate committees
Ensure the charter, purpose, and objectives for the Social Media Committee have been appropriately reviewed and approved
Review documentation on standing committee members to verify the makeup of the committee is appropriate
Conduct a survey for all social media activities and verify this matches similar surveys conducted by the committee
Determine if appropriate reviews have been conducted by assurance providers
Identify other related committees and initiatives and verify coordination with the social media committee
Conduct a survey of employees to determine their involvement in social media

Inadequate planning for social media initiatives may result in delayed implementation, inadequate measures of success, and wasted resources.
To determine whether the organization’s planning related to social media is complete, in alignment with the related strategies, and appropriately communicated

Expected controls:
Articulated Strategy and Plan - Organization
Articulated Strategy and Plan - Department
Social Media Committee Documentation
Charter, Purpose, Objectives
Approval of Goals
Approval of Vendor Contracts

Review social media plans for completeness, including:
◦ Specific, measurable, achievable, relevant, and time bound
◦ Social media channels
◦ Stakeholder engagement – style, frequency, consistency
◦ Departments responsible
◦ Limitations (e.g. restricted channels, resource constraints)
◦ Resource allotments
Compare social media plans to organizational plans to ensure alignment
Identify all vendors used in social media initiatives and ensure:
◦ Contracts match organizational guidelines
◦ Appropriate SLAs have been established
◦ Clear measures of success and deliverables are defined
Review QA work done related to outside vendors. Re-perform this work to ensure the accuracy of the process
Compare goals with the current state of the project to ensure timely completion. If delays have been identified, review the actions taken to verify appropriate elevation of these issues
Analyze expenses to identify vendors who may be working on social media.

Inadequate or improper metrics related to social media operations can result in a focus on the wrong activities, an inability to determine success, and improper reporting of overall results.
To determine whether metrics have been established to ensure successful implementation and use of social media.

Expected controls:
Approval of Metrics
Policies and Procedures
Periodic status reports
Defined actions from results

Verify that metrics have been established
Review metrics to ensure the following:
◦ Measurable
◦ Align with Strategies/Goals/Objectives (both for the organization and social media)
◦ Are “value-add” measures
◦ Acceptable ranges defined
Verify that responsibility for gathering metrics has been established, including appropriate reporting of results
Review metric reports to verify the accuracy of reporting
If metrics are falling outside the acceptable ranges, verify appropriate actions have been taken
Review oversight committee documentation to ensure that reporting to these groups matches the actual results of reviews

Poor monitoring can result in missed issues and opportunities, poor customer service, and a negative impact on the brand.
To determine whether appropriate monitoring systems have been established over communications related to social media.

Expected controls:
Policies and Procedures
Periodic Reporting
Issue Escalation Process (Triage)

Review policies and procedures to ensure appropriate monitoring and reporting have been established
Verify keywords, hot topics, and restricted issues have been identified for monitoring
Discuss triage procedures with employees to ensure an understanding of how they are used
Review previous reports and actions taken to ensure compliance with triage procedures
Monitor current and past activities on social media to identify potential issues and verify appropriate actions were taken

Poor evaluation of regulatory and compliance issues related to social media can result in fines and penalties, as well as damage to the organization’s reputation.
To determine whether the organization’s actions related to social media comply with all applicable federal and local regulatory issues.

Expected controls:
Review of Laws and Regulations
Communication of Review Results
Tests of Compliance

Review pertinent regulations to determine if they were identified by the organization
If regulations have been identified, verify that these were appropriately communicated and necessary actions taken
Review risk assessments to ensure social media has been included
Verify that, if social media issues are identified during risk assessment, the results have been appropriately elevated

Is this an audit, or an advisory engagement?

Groundswell – Charlene Li & Josh Bernoff
Sociallyawareblog.com
◦ Socially Aware Newsletter
Daliah Saper – saperlaw.com
Glassdoor.com
Jobitorial.com
FFIEC Guidance https://www.ffiec.gov/press/pr121113.htm
Google alert “social media risk”