ICYMI | Social Media Policies Matter

Today, most people use social media to stay connected to each other, especially since the move to remote work caused by the coronavirus (COVID-19) pandemic. As the use of these technologies grows, the risks associated with using social media continue to increase; as such, it is important for internal auditors to address these risks within their organizations. The following is an overview of the use of social media by business, the serious risks associated with social media use, the extent to which internal audit departments are addressing these types of risks, and the best practices for mitigating the risks associated with social media use.

Use of Social Media

Over the past 10 years, the use of social media applications such as Twitter, Instagram, LinkedIn, and Facebook for business purposes has significantly increased, as more than half of all S&P 1500 companies now use social media to connect with investors and customers. Furthermore, companies are increasingly using social media to distribute financial information, as over 90% of Fortune 500 companies are actively using Twitter, Facebook, and LinkedIn (Barnes, N.G., A. Mazzola, and M. Kileen, “Oversaturation & Disengagement: The 2019 Fortune 500 Social Media Dance,” Center for Marketing Research UMass Dartmouth, 2020. Available at: https://www.umassd.edu/cmr/research/2019-fortune-500.html/). This trend is likely to accelerate, as social media channels provide a fast and economical method of sharing financial information.

Although social media provides advantages to companies, it also presents significant risks, which are compounded when personal posts from company executives and employees are treated as representative of the company itself. Recent examples of companies facing social media blunders include Netflix, when CEO Reed Hastings came under SEC investigation related to a potential violation of fair disclosure laws for making a Facebook post regarding the number of hours streamed in a month; Snapchat, which ran a distasteful social media ad regarding domestic abuse that resulted in an $800 million decrease in market value; and Tesla, whose CEO Elon Musk tweeted that the company’s stock price was too high, resulting in a $14 billion loss in market value. These examples are likely the first of many to come, given the inexpensive and efficient manner of information distribution provided by social media channels.

Research from Symantec Corporation provides a broader picture of consequences associated with corporate social media use. Results from a survey of 1,225 enterprises showed that 94% of companies surveyed experienced negative consequences associated with social media use and reported an average of nine incidents over a one-year period. Those surveyed indicated that social media incidents cost them an average of $4 million per year (“Social Media Protection Flash Poll: Global Key Findings,” 2011, https://bit.ly/3iRkOrP). Another study by Deloitte and Forbes Insights found that nearly all of the 192 executives surveyed considered social media risk on par with financial risk because it has the ability to rapidly accelerate other types of risks (“The digital grapevine: Social media and the role of Internal Audit,” 2013, https://www2.deloitte.com/content/dam/Deloitte/global/Documents/Risk/gx-risk-social-media-internal-audit-digital-grapevine.pdf ). The damages outlined in these surveys are hardly immaterial, and they represent opportunities for corporations to avoid unnecessary expenses and losses by appropriately responding to the risks associated with social media use.

What Are the Risks Associated with Social Media Use?

The authors’ research identified three primary risks (Table 1) that internal auditors should focus on when considering how social media use may impact their organization—regulatory compliance risk, financial risk, and operational risk.

Regulatory compliance risk.

As illustrated in the above examples of Tesla and Netflix, distributing corporate information over social media channels can potentially violate laws and regulations. Historically, the regulatory risks associated with social media use that have created major problems for companies are as follows:

• SEC Fair Disclosure (Regulation FD) prohibits public companies from distributing significant information to certain parties unless disclosed to the public first or concurrently.
• International operations with other countries and jurisdictions must recognize that different cultural and social norms must be followed to avoid breaching local laws or customs.
• Potential copyright infringement can occur through the use of protected content without the owner’s permission.

At a minimum, internal audit departments need to consider how these regulatory risks could negatively impact their companies. This information should be shared with all company executives and employees to encourage compliance and reduce the risk of a violation. Past experience has shown that violations of laws and regulations often occur unintentionally, so education regarding these risks can go a long way in preventing them. Lastly, internal audit departments should consider working closely with the company’s legal counsel to identify other relevant regulatory risks that may negatively impact the company.

Financial risk.

Companies suffer significant monetary losses as a result of social media incidents every year. These losses arrive primarily as a result of the following:

• Social media incidents have a significant impact on a company’s share price, as SnapChat demonstrated in the example cited above.
• Reputational incidents have long-lasting negative impacts on both business performance and the brand; in a well-publicized 2009 incident, United Airlines refused to pay for the damage caused when it broke country singer Dave Carroll’s guitar during flight.
• Regulatory and legal violations often result in legal ramifications including high fines and penalties, including the multi-billion settlement required Volkswagen required to resolve alleged Clean Air Act violations.

Although many of the risks noted relate to internal business risk, monetary loss has a direct effect on external shareholders, making this risk of particular concern to internal auditors. They should be aware of the potential for financial loss and include financial risks associated with social media use in their risk assessment process.

Operational risks.

Risks that relate to the impact social media use has on the day-to-day operations of the company include the following:

• Decreased productivity of employees using social media for personal use rather than company use.
• Cyber-security threats, including malware, phishing, and other more sophisticated methods are increasingly being distributed via social media channels.
• Confidential information about products, services, employees, or customers may be leaked through social media to a public audience.

Operational risks are difficult to quantify, but one study estimated that these types of risks cost the U.S. economy billions per year (Robert S. Dunnett, Cindy B. Levy, and Antonio P. Simoes, “The Hidden Costs of Operational Risk,” McKinsey & Company, 2005). Management should work closely with the internal audit department to assess which of these operational risks could negatively affect the company. Fortunately, unlike regulatory and financial risks, operational risks are predictable, giving management and internal auditors the opportunity to develop policies to mitigate these risks.

Internal auditors should bear responsibility for assisting in the creation, implementation, monitoring, and enforcement of company social media policies, especially in areas where these policies address financial and operational risks. In addition, internal audit has a broad perspective of the organization, which gives them the unique ability to assist the organization in managing social media risks. Given the increased importance of these risks to the internal audit function, the authors conducted a more in-depth survey and obtained 78 responses from internal auditors. (See the participant demographics in Table 2.)

The results are concerning, as only 52% of those surveyed indicated that the internal audit function at their company includes a formal risk assessment of social media use. Even more troubling was that only 35% of those surveyed indicated that their company has any mandates in place for monitoring content on social media.

Survey respondents were also asked about the existence of social media policies at their respective companies. Although 70% reported that their company had a formal set of policies and procedures in place, internal auditors were mostly absent from the policy creation process, with only 17% of the respondents indicating that the internal audit function had a voice in crafting their companies’ social media policies.

These results indicate that the internal audit profession is in its early stages of understanding and mitigating risks associated with social media use. The authors acknowledge that some aspects of social media risk do fall outside the scope of the audit profession; however, the overall trend in these results indicates a need for the profession to become more engaged in evaluating and addressing the risks posed by social media use. Internal audit professionals need to educate themselves on the risks associated with social media use and ensure that they are actively assisting in communicating these risks to company leadership. Furthermore, internal audit departments should be consulted when crafting a sound set of social media policies. To assist in this process, it is necessary to take a deeper look into the important aspects of these policies as they relate to auditors.

Social Media Policies and Auditors

Professionals agree that the best line of defense in mitigating social media risk is a sound set of social media policies (Sidebar). These govern instances of employees engaging on social media regarding company matters using either their personal or company-related social media account. These policies vary in their complexity. Responsibility for the creation and oversight of these policies includes several areas and requires expertise from a wide range of disciplines. The following discussion will focus on the aspects of these policies that pertain to the auditing profession.

Auditors should ensure that their company’s social media policies include key elements that relate to their roles and responsibilities. To safeguard against regulatory compliance risk, they should guarantee that policies include the following:

• Complete documentation of applicable legal and regulatory policies
• Education and training materials for employees on Regulation FD, because the SEC actively monitors social media for compliance violations
• Implementation of continuous monitoring to ensure compliance with regulations; for example, auditors may suggest that the company use data analytics to supplement human monitoring.

To safeguard against financial risk, auditors should ensure that policies include the following:

• A system to identify violations before they become a problem; if a problem does occur, the company should have a crisis management plan in place to reduce the potential effects to profitability, reputation, and operations
• A determination of which type of information the company will and will not share over social media to avoid the risk of increased transparency to competitors
• A process of approval for public messages
• Implementation of continuous monitoring to safeguard against reputational risk. Areas to monitor should include customer feedback, customer demands, and customer demographics. Data analytics can be used to supplement human monitoring as well to address issues in a timelier manner.

To safeguard against operational risk, auditors should ensure policies include the following:

• Effective use of technologies for proper data security and storage to improve data management
• A list of social media platforms and channels that are acceptable for employee use
• Guidance to prevent unintentional dissemination of sensitive information
• Educational and training materials for employees on the CAN-SPAM (Controlling the Assault of Non-Solicited Pornography and Marketing) Act of 2003 and rules for e-mail communications if being used for marketing or advertising.

Overall, internal auditors want to ensure that all areas of the company work together to define the roles and responsibilities of the employees and identify clear reporting lines to management. Management must maintain a strong presence at the top so that employees adhere to the policies and remain accountable. Addressing social media risks to increase company compliance and boost the company’s public relations image should be a top priority for management.