Social media is a vital and necessary business tool that needs to be on the radar of all internal auditors. When it comes to social media risks, companies need to know what they’re exposing themselves to. It’s essential that companies and employees contend with three reality checks:

  1. Once your company has signed up with a social media site (a cloud-based service), you have no control over the platform itself and very little over how it uses your data, beyond the terms of service and the account settings it chooses to expose.
  2. Your social media managers often don't know who is posting to your company's account, and "getting to know your customer" is rarely part of their remit.
  3. Constant monitoring is needed to mitigate potential social media risks.

In this article, I share five key areas of concern with social media, and the things auditors can do to help companies safeguard their data and their reputation.

Who is responsible for social media governance?

It’s critical that your company explains the potential risks to everyone. All employees should be educated about social media interaction and monitoring, while IT auditors and audit committees should be involved in social media governance. 

How can internal auditors help companies effectively identify and address social media weaknesses before they become headlines? I suggest that companies think about three questions:

  1. What are the underlying problems?
  2. Where are the threats coming from?
  3. How can we deal with them now?

I also think it's important to highlight five potential risk points that companies need to look at from a control-weakness perspective.

Auditing Social Media: 5 Areas of Concern

1. Social media site security vulnerabilities

Are social media sites secure? Some 22% of social media users have fallen victim to a security-related incident, and most platforms' security is not inherently strong. Your company has little control over it: you can't impose your organization's policies on a social media site, and your data is often accessible to the site's employees or sold to third parties.

Steps to address security vulnerabilities:
  • Review social media providers as you would any other cloud provider.
  • Check contracts and ensure you have a cloud audit program that covers them.
  • Review the security of your own side of the relationship: account settings, patching, browser and operating system updates, business continuity, and incident response plans.
  • Regularly monitor account activity, enforce password policies (and multi-factor authentication where the platform offers it), and use social media management tools.
  • Don't be too trusting: use each platform only where there is a genuine business need.

2. Site impersonation

Perpetrators create fake profiles that impersonate your brand or your staff and use them for phishing and other attacks, which can be devastating. Businesses and individuals should know basic information about whom they are dealing with, but social media leaves little room for this: virtually anyone can set up an account without proof of identity and circulate or launder false information that nobody fact-checks.

Steps to address impersonation risks:
  • Train employees to recognize malicious links and phishing scams.
  • Obtain each platform's "verified" label for your official accounts so the public can tell them apart from impersonators (verification does not stop fake accounts being created, but it helps people spot them).
  • Link to your official social media channels from your website, so there is an authoritative list of which accounts are really yours.
  • Monitor for brand misuse, report impersonating accounts to the platform and take other appropriate enforcement action, and use monitoring tools to check compliance.

3. Public posting on your organization’s sites

Social media is just that: social. Your customers, and anyone else, can post to your social media channels at any time, and this is a risk point.

Steps to address public posting concerns:
  • Give your employees and auditors tools that provide insight into who is posting on your channels, i.e., the public at large, not only your customers.
  • Regularly monitor posts for damaging content and remove it promptly, but be aware of the impact of removal: keep a record of what was deleted and why, since deletion can itself draw attention.

4. Employees posting on your organization’s sites

Employee access and security, posting policies, and third-party outsourcing all need careful handling. Poor credential management (for example, one account password shared among a team) can lead to account compromise. Unhappy employees may post negative or controversial opinions from the company account. Some companies outsource posting to a third party, which requires additional care.

Steps to address employee access and posting:
  • Limit who can access and post on each of your company's social media channels, assign a named administrator for each, and revoke access promptly when people change roles or leave.
  • Establish clear social media controls, posting policies, and a signed statement of compliance, including disciplinary action if the protocols are broken.
  • Ensure posts are reviewed and approved before they go live, and monitor and moderate posts afterwards.
  • If outsourcing to a third party, ensure your contract outlines performance, quality, value, and remedies, and states who holds the account credentials.

5. Employees posting on other company sites

Employees also post outside your own channels, on other companies' sites and on their personal accounts. The trouble arises when they do so without thinking about the consequences.

Steps to address employees' external postings:
  • Develop a policy requiring employees to get approval before reposting company information anywhere.
  • Identify content sources, so you can tell when reposted material originated inside the company.
  • Make clear that employees' personal posts do not represent your company.

To close, there are three key things all companies should do to reduce social media risks:

  1. Remain vigilant and develop controls.
  2. Educate everyone in the company.
  3. Monitor your accounts.

Remember, your company doesn't control social media systems, how they work, or what they do with your data. Social media platforms sit outside your control and your security perimeter. It's your company's responsibility, along with its employees and internal auditors, to develop and follow policies and practices that limit the risks.


Robert Findlay
About the author: Robert Findlay is Global Head of IT Audit at Glanbia. Before Glanbia, he worked in almost every IT role, including information security, project management, programming, computer operations, and IT consulting, for companies such as British Airways, Credit Lyonnais, British Gas, Aryzta, Paddy Power, and Ernst & Young.