Auditing Social Media - for Internal Auditors

Presented at The Institute of Internal Auditors 2013 annual conference - auditing social media beyond the Social Media Policy by reference to Strategy and a strong Governance Framework.

Walter Adamson

March 14, 2013

Transcript

  1. Auditing Social Media: The Practicalities
    SOPAC2013 – Session 1B
    by Walter Adamson, [email protected], m: +61 403 345 632, Twitter: @adamson
    4 March 2013, Brisbane, Australia
  2. Contents
    1. Having a Social Media Strategy is Key
    2. Governance
    3. Auditing Practicalities
    Presentation at: www.slideshare.net/kinshipdigital/
  3. Hypothetical Risk
    • NOT just PR / brand reputation
    • BUT also implications for logistics, retail stores, customer experience, purchasing, supplier relations, government relations and regulators (e.g. ACCC)
    DO YOU have cross-functional social media risk management plans?
  4. Objectives
    1. To convey the importance of an effective social media Strategy
    2. To outline the components of social media Governance
    3. To address some auditing practicalities
  5. Key aspects of social media in business
    • Strategy – formulating policy and strategy through researching your brand, customers, partners and competitors
    • Intelligence – monitoring, collecting and analyzing social data to make informed, agile business and policy decisions
    • Communities – building ‘owned’ social platforms for listening, support, building, collaborating and content
    • Governance – social business metrics, ROI, policy and guidelines, processes, risk management and compliance
  6. Social Media Policy is not Strategy
    χ NOT Strategy
    χ NOT Governance
    But it is important, and specifically it should:
    • Educate employees, then empower them;
    • Help employees understand and own the risks;
    • Hold employees accountable;
    • Address organization social media account “ownership” and hand-offs when spokespeople leave.
  7. Good news! There IS a methodology
    Social Business Framework:
    1. Assess
    2. Strategise
    3. Create
    4. Protect
    5. Participate
    6. Share
    7. Engage
    8. Monitor
  8. Key is to integrate social with business
    1. Social strategy which aligns with business strategy
    2. Social business risk which is part of business risk management and compliance programs
    Regulators? Advertising Standards Bureau, ACCC, Australian Association of National Advertisers (AANA), ASIC, APRA, etc.
  9. Cross-functional
    A social risk management program needs cross-functional input:
    • Compliance
    • Technology
    • Information Security
    • Legal
    • HR
    • PR & Comms
    • Digital Marketing
    • Social Media!
  10. Governance
    • Social Media Strategy
    • Regular Reporting of ROI
    • Mandatory Monitoring of Social Channels
    • Social Media Policy Plans, Action, Compliance
    • Management of 3rd Party Vendors
    • Employee Training
    • Compliance Protocols
  11. Governance – Heads-Up – Be prepared!
    Social Media Strategy Required
    • A strategic plan with actions and operational descriptions.
    • Clear roles and responsibilities whereby the board of directors and/or senior management spell out how use of social media contributes to the strategic goals of the institution, while also spelling out what kind of controls will be put in place.
    • How ongoing social media risks will be monitored and assessed.
    Regular Reporting of ROI
    • Regular reports to the board of directors and/or senior management, which enable a periodic evaluation of the effectiveness of the social media program and whether the program is achieving its stated objectives.
  12. Governance – Heads-Up – Be prepared 2
    Mandatory Monitoring of Social Channels
    • An oversight process for monitoring information posted to social media sites (administered by the institution or a contracted third party).
    Social Media Policies & Procedures & Compliance
    • Policies regarding the use and monitoring of social media, and compliance with all applicable consumer protection laws.
    • Social media policies should incorporate procedures addressing risks from online postings, edits and replies.
  13. Governance – Heads-Up – Be prepared 3
    Manage 3rd-Party Vendors – Ensure Customers Are Protected
    • Customer privacy and security of their personal data are a top concern.
    • Institutions working with third-party social media vendors will be required to manage those relationships within defined parameters to ensure compliance with all regulations.
    You Have to Tell Employees What’s Okay and What’s Not
    • An employee training program that incorporates the organisation’s policies and procedures for official, work-related use of social media, and potentially for other uses of social media, including defining impermissible activities.
    Compliance Protocols
    • Audit and compliance functions to ensure ongoing compliance with internal policies and all applicable laws, regulations and guidance.
  14. Relevant laws (US) – Financial Institutions
    • Truth in Savings Act / Regulation DD and Part 707
    • Fair Lending Laws: Equal Credit Opportunity Act / Regulation B and Fair Housing Act
    • Truth in Lending Act / Regulation Z
    • Real Estate Settlement Procedures Act
    • Fair Debt Collection Practices Act
    • Unfair, Deceptive, or Abusive Acts or Practices
    • Deposit Insurance or Share Insurance
    • Electronic Fund Transfer Act / Regulation E
    • Rules Applicable to Check Transactions
    • Bank Secrecy Act / Anti-Money Laundering Programs (BSA/AML)
    • Community Reinvestment Act
    • Privacy: Gramm-Leach-Bliley Act Privacy Rules and Data Security Guidelines
    • CAN-SPAM Act and Telephone Consumer Protection Act
    • Children’s Online Privacy Protection Act
    • Fair Credit Reporting Act
  15. Audit questions
    Are there methodologies, techniques and tools in place covering:
    • Social Media Strategy
    • Regular Reporting of ROI
    • Mandatory Monitoring of Social Channels
    • Social Media Policy Plans, Action, Compliance
    • Management of 3rd Party Vendors
    • Employee Training
    • Compliance Protocols
  16. 6 Step Audit Approach
    1. Strategy Assessment – overall goals, plans, actions, reporting?
    2. Presence Assessment – where are you on the social web?
    3. Listening Assessment – what data, and how is it managed?
    4. Organisation & Internal Culture Assessment
    5. Process Assessment – workflow, timeliness, escalation?
    6. Governance Assessment
       • Policy
       • Roles
       • Risk Assessment
       • Compliance
  17. Practicalities
    Examine risks by business use case:
    • Recruitment & Retention
    • Investor relations
    • Public relations
    • Marketing / branding
    • Lead generation
    • Customer service & complaints
    • Innovation & product development
    • Employee relations
    • Business partner relations
  18. Operational Risk
    1. Social media is one of several platforms vulnerable to account takeover and the distribution of malware.
    2. Organisations must ensure that the controls they implement to protect their systems and safeguard customer information from malicious software adequately address social media usage.
    3. Financial institutions’ incident response protocol regarding a security event, such as a data breach or account takeover, should include social media.
  19. Hijacked
    Burger King’s official Twitter handle suffered a cyber attack on Monday [Feb 18, 2013]. Hackers switched the branding to that of rival McDonald's and claimed the restaurant chain “just got sold ... because the whopper flopped.” The hackers sent more than 25 tweets and re-tweets on the handle, several poking fun at Burger King, insinuating unethical behaviour about its employees and using intentionally offensive language and racial slurs.
    http://www.foxbusiness.com/technology/2013/02/18/burger-king-twitter-account-hacked-rebranded-to-mcdonald/
  20. No opt-out!
    An institution that has chosen not to use social media must still be prepared to address the potential for negative comments or complaints that may arise within social media platforms, and provide guidance for employee use of social media.
  21. Awareness
    • Mark Pearson @journlaw
    • Social media best practice: New guidelines released, Australian Association of National Advertisers (AANA) – see http://www.leadingcompany.com.au/technology/social-media-best-practice-new-guidelines-released/201211283150
    • New US Financial Institution Regulation: http://www.ffiec.gov/press/pr012213.htm
  22. About KINSHIP Digital
    KINSHIP Digital is a social consultancy that specialises in understanding, developing and protecting its clients’ reputation, brands, businesses and people in Social Media.
    Follow us @KinshipD
    www.kinshipdigital.com
  23. Walter Adamson – Speaker Notes
    Walter Adamson is a social media business specialist. He is General Manager Victoria of Kinship Digital, which helps clients attract and retain employees and customers by leveraging social media tools. This includes reputation monitoring, governance and risk management.
    Walter has an extensive background in enterprise and as an independent consultant focused on IT strategy and advising owners and managers of IT businesses. He was also the Independent Advisor to the ICT Strategy Board of the Government of Victoria for 4 years. He has held executive roles as CIO, VP International Business Development and Corporate VP IT Strategy, and also worked in Corporate Planning at BHP. Walter established the Internal IT Audit function at BHP and led it for 3 years, and was one of the first Certified Information Systems Auditors in Australia. He is also a Certified Social Media Strategist and holds a M.Sc. in Computing Science.
    [email protected]
    Connect on LinkedIn: http://linkedin.com/in/adamson
    Follow me on Twitter: @adamson
    m: +61 403 345 632