Social media platforms are invaluable for connecting companies with their customers, the financial community, and the media. Sharing information on social media can reduce the information asymmetry between companies and their stakeholders in a timely manner.1 However, several factors, including a lack of planning, controls, and training, combined with the unpredictability of online behavior, can expose companies to considerable risk. Our research found that company managers and internal auditors lack sufficient awareness of these risks and should take a more active role in regulating and monitoring social media activity.
Ill-advised social media posts and lax oversight can cause serious damage to a company’s reputation, trigger investigations by regulators, damage long-term relationships, and introduce cybersecurity threats. Of course, companies and individuals can try to be selective about the disclosures they make on social media and avoid tweeting negative information.2 But even positive and well-meaning posts can lead to negative outcomes. In 2012, for example, the U.S. Securities and Exchange Commission (SEC) came down on Netflix CEO Reed Hastings for posting information on his personal Facebook account about the company’s impressive video streaming numbers.3 The day after Hastings’s post, Netflix saw a 700% increase in trading volume and a 20% jump in its share price.4 Although the information Reed posted on Facebook proved accurate, investors who didn’t follow him missed out. In response, the SEC issued new guidelines for social media use: Companies are now required to notify investors in advance about which information channels they plan to use to distribute important information.5
Despite increased scrutiny, risky online behavior continues to be a big issue. In 2018, for example, Tesla CEO Elon Musk tweeted that the electric car company (whose stock had been performing poorly) was in talks to go private. The market response was swift: By the next day, Tesla’s share price had shot up 11%. The SEC proceeded to charge Musk with making false and misleading statements, which resulted in a 14% drop in the share price.6 Several shareholders sued Tesla and Musk for intentional stock price manipulation.7
Given the inherent risks, companies need to become more disciplined about their social media activities and monitor them more closely. In a survey we conducted through regional chapters of a professional organization for internal auditors in the United States,8 we found that many organizations aren’t fully cognizant of the risks or adequately prepared to manage them. In this article, we examine the current practices of internal auditing in assessing and monitoring social media risk, paying particular attention to the challenges auditors face in monitoring social media and how they can adapt and take on more responsibility.
Nearly two-thirds of the 103 respondents to our survey had more than 10 years of experience in internal auditing, and 72% were working at a supervisor level or above. Yet despite calls for companies to be more attentive to how they use social media9 and for internal auditors to become more involved,10 we found that companies and internal auditors have a long way to go toward understanding the various risks.
Rules for Social Media Disclosures
Since 2013, the SEC has required companies to notify investors about which media and information outlets (including social media sites) they will use to post information.11 The SEC does not sanction using personal social media accounts to disseminate company information.
Of the internal auditors we surveyed, only 56% were aware that the SEC now considers corporate social media sites to be a recognized channel of information; 46% knew that personal social media sites are off-limits for distributing investor information. However, only 24% indicated that their company has had internal policy discussions regarding social media and Regulation FD, the SEC rule that mandates fair disclosure by public companies.
Nearly all of the respondents said that their company discloses key financial and nonfinancial information on its website. Less than 10% said that their company uses social media to disclose financial information, while 30% to 40% release nonfinancial information on social media. Twenty-seven percent of respondents indicated that their company has notified investors that company information is disseminated on social media; 47% did not know whether investors are notified.
Protecting Against Reputational Risk
In addition to ensuring the fair disclosure of key information, risk management practices can also protect companies from the reputational risks arising on social media from events such as critical comments by customers and negative publicity.12 Reputational risks can harm a company’s competitiveness, attractiveness to investors, relationships with customers and other stakeholders, and perceived legitimacy.13
Sixty-seven percent of the people we surveyed expressed concern that their company might someday suffer reputational damage due to social media use, but only 42% indicated that their company has plans in place to monitor social media for reputational threats.
Managing Cyber Risks
The factors driving heightened concerns about cybersecurity are well known. The dramatic increase in the volume of data, technology expansion, new business models, and a growing number of motivated attackers have heightened the need for companies to monitor the digital access points of the business more closely. Management needs to clarify the roles and responsibilities of IT, marketing, and internal auditing departments to address these vulnerabilities.14 Limiting the number of corporate and individual social media accounts gives potential criminals fewer access points into company systems. Some 46% of our survey respondents said that their company advises employees to seek clearance from their department before engaging with certain social media sites; 55% said they knew which departments engage in social media on the company’s behalf, but only 37% were able to identify specific employees with access to those accounts. Closing the knowledge gap makes it easier to assess security risks.
Another way to manage cyber risks is to block access to social media sites such as Facebook, Twitter, Instagram, and LinkedIn. A relatively small share of survey respondents (18%) said they work at an organization that limits employee access to social media on their work computers. Internal auditors need to be aware of potential entry points and any block lists used by the company in order to properly assess cybersecurity risks.
Establishing Policies and Procedures
In 2010, ISACA (formerly known as the Information Systems Audit and Control Association), an international professional association focused on IT governance, urged members to develop policies for how organizations and employees should conduct themselves online.15 ISACA, the SEC, and industry regulators such as the Financial Industry Regulatory Authority (FINRA) all say that companies should develop social media strategies with input from relevant stakeholders, including leadership, marketing, human resources, information technology, and legal.16 This strategy should inform policies and procedures designed to regulate and monitor employees’ social media use, especially when they speak for the company.
Among those surveyed, 70% reported that their company has a formal set of policies and procedures in place for how to use social media. However, less than one quarter of the organizations included internal auditors in the policy creation process. And at the companies where a policy is in place, only 75% of respondents said that management enforces the stated policy.
Auditing Social Media
ISACA, the SEC, and industry regulators indicate that it is critical for an organization’s social media policy to include guidelines on proactively auditing social media use to identify the risks and develop controls to mitigate them. In order to do this, auditors must be aware of the active social media accounts, who maintains the accounts, and which employees have clearance to make financial or nonfinancial disclosures on the company’s behalf.17 Auditors need training on how to monitor social media activity and assess the risks in both a broad sense (identifying macro-level threats to the business or brand) and more narrowly (identifying micro-level threats related to employee posting behavior). Public social media chatter on company channels and trending topics tied to the brand can harm the company in a broad sense. However, the posting behavior of employees or even the CEO can introduce more specific problems that can be avoided with proper training. Although half of the respondents indicated that they and their department colleagues are able to assess the general risks of social media, few do it frequently. Most companies do it on a quarterly or semiannual basis and lump it into their overall marketing audits.
Assessing the risks related to employee social media behavior requires monitoring multiple corporate and individual accounts and/or making use of advanced social media analytics. Most auditors said they think it is important to monitor social media but don’t believe others in the company consider it as important as they do. In fact, 65% of the respondents reported that their company is not currently auditing social media posts; 27% indicated that their company is not yet conducting audits but have discussed it in meetings; and 34% reported that their company has neither conducted social media audits nor discussed it in meetings. Of the companies that do audit social media, only 4% do it as part of their internal auditing.
Most of the internal auditors we surveyed reported that they are confident in their own and their colleagues’ ability to audit social media activity. They agreed that auditing social media requires considerable training. However, they questioned whether companies would be willing to pay for additional training or hire a third party to monitor social media.
Given these concerns, internal auditors may need to communicate the risks associated with social media to the audit committee and upper management. Twenty-three percent of the survey respondents indicated that they have made changes to their audit plans over concerns about social media, but 67% have not yet done so. Sixty-five percent indicated that they have informed the audit committee about the risks; 19% have discussed the issue with the company’s board of directors; and 60% have passed the report on to some other level of management.
Steps Managers Can Take
In light of the risks that social media presents, companies can’t afford to sit back and hope for the best. Responsible managers and auditors need to make sure they understand the dangers and how to protect themselves. Here are five ways to prepare:
- Pay attention to the evolving regulatory landscape. Social media is new ground for government regulators. Management must be aware of the impact of past incidents on corporate social media policy. Internal auditors need to anticipate potential regulatory changes related to disclosing financial and nonfinancial information on social media, notifying investors of official disclosure channels, and not using social media channels to intentionally mislead the market.
- Monitor the company’s reputation on social media. Most of the internal auditors we surveyed were worried about reputational damage to their organizations, but few thought companies were taking sufficient precautions. A company’s reputation is everything, and nothing threatens to disrupt a well-crafted image more than unpredictable events and trends on social media. Companies need to actively monitor social media for reputational threats, assess the potential risks, and have an established process for responding.
- Tighten access to social media. Unrestricted access to social media sites can create numerous entry points for cybercriminals to access a company’s systems. Knowing which departments and individuals can access the company’s social media platforms will help mitigate many of the risks we have identified. In addition, organizations should train employees to understand how sharing information can make it easier for bad actors to launch phishing attacks.
- Give internal auditors a voice in social media policy. In most companies, social media has largely been the purview of the marketing and corporate communications departments. But the focus of these departments has been expanding the audience and converting visitors into customers, not regulating or managing risk. Internal auditors need to play a more influential role in developing social media policy.
- Support auditors with training and resources. Top management needs to recognize the critical role internal auditors play and provide the necessary resources. This includes training to assess and monitor social media risk, software to analyze social media activity, and support for using outside resources or consultants to monitor social media use.
Are You Managing Your Risks From Social Media?
No comments:
Post a Comment