The document outlines a webinar aimed at helping internal auditors effectively manage social media audits by understanding governance, risk, and the inherent lack of control over information shared online. It emphasizes the importance of aligning social media strategies with business objectives, fostering employee awareness and accountability while implementing monitoring and risk management frameworks. Additionally, the document suggests a structured approach to assessing social media presence, governance, and compliance, ensuring that organizations can navigate the complexities of social media effectively.

1. Social media
Beyond the risks,
how it can work in organisations
For the Institute of Internal Auditors, Australia
Walter Adamson
GM Victoria, iGo2 Group
walter.adamson@igo2group.com
4 December 2012

2. Objectives of this webinar
To allow Internal Auditors to:
 communicate effectively with those managing the use of social
media when they are conducting an audit
 to understand the inherent release of control of information posted
in social media
 to understand the tools and systems which might be in use to
distribute and monitor social media activity
 to understand what governance and control means regarding
social media when its utility is heavily linked to not being ‘in control’

3. Walter Adamson
 Set up BHP IS Audit Group
 Certified IS Auditor
 CIO (Asia Pacific Minerals)
 Certified Social Media Strategist (2009)
 Linkedin.com/in/adamson
 My social web: xeeme.com/walter
@adamson

4. Audience poll #1
Which networks do you
currently use?

5. COMMUNICATE – CORE TERMS

6. Some key social media facets
formulating policy and strategy through researching
Strategy your brand, customers, partners and competitors
monitoring, collecting and analyzing social data to
Intelligence make informed, agile business and policy decisions
building ‘owned’ social platforms for listening, support,
Communities building, collaborating, content
social business metrics, ROI, policy and guidelines,
Governance processes

7. How to think about social
Elevate your view. Take a look
down from on high:
 It’s not about the tools but
about what you want to
achieve

8. Social network fundamentals
Three key issues:
1. N – Network size
2. C – Contribution
3. P – Participation
The behavioural and methodological foundation of success
in social media lays in the NCP Model

9. Social Presence
What is Presence?
 Presence is about your voice
being heard
 Reach is about increasing the
pathways for your voice to
travel
 Influence is about increasing
the impact your voice has on
others.

10. Social Architecture

11. Social Media Policy
Specifically, it should:
 Educate employees, then empower them;
 Help employees understand and own the risks;
 Hold employees accountable;
 Address organization social media account “ownership” and hand-
offs when spokespeople leave.

12. RELEASE OF CONTROL

13. Audience poll #2
Do you find social media to be
challenging to audit because it
is changing so fast?

14. Challenge
Simply put, the risk challenge with social is because of its
potential viral and permanent nature.

15. Loss of control
Hashtags become Bashtags
 “Dude, I used to work at McDonald’s. The #McDStories I could tell
would raise your hair.” (via Twitter)
 “#McDStories I lost 50lbs in 6 months after I quit working and eating
at McDonald’s” (via The Daily Mail)
 “These #McDStories never get old, kinda like a box of McDonald’s
10 piece chicken McNuggets left in the sun for a week” (via The LA
Times)
McDonald’s execs recognized the PR disaster in progress and ended
the campaign after two hours. But it was too late. The trending topic
had already gained a life of its own.

16. Good news! There IS a methodology
1.Assess
8.Monitor 2.Strategise
Social
7.Engage Business 3.Create
Framework
6.Share 4.Protect
5.Participate

17. Examine risks by business use case
 Recruitment & Retention
 Investor relations
 Public relations
 Marketing / branding
 Lead generation
 Customer service & complaints
 Innovation & product development
 Employee relations
 Business partner relations

18. Key is to integrate social with business
1. Social strategy which aligns with
business strategy
2. Social business risk which is part
of business risk management and
compliance programs
Regulators ? Advertising Standards
Bureau, ACCC, Australian
Association of National Advertisers
(AANA), ASIC, APRA, etc.

19. Internal audit as a partner
 “As advisers, internal audit can
partner with management to
develop a strategy in such a
way that it does not violate
the International Standards for
the Professional Practice of
Internal Auditing. You can’t
even address lower issues
until you’ve really got a
strategy and governance
process in place.”
- Mike Jacka, a senior audit manager with
Farmers Insurance Group (Phoenix).

20. TOOLS AND SYSTEMS

21. When Social goes Wrong
 Governance
 Monitoring
 Risk Management
 Crisis Management
Bankrupt!

22. Customer Brand
(You)
Partner Competitor

23. 1. Assess
8.Monitor
2.Strategis
e
6.Share 3.Create
Phase 8 – Monitor
6.Share 4.Protect
5.Participat
 Monitoring tools and services
e
decided
 Keyword and location searches
 Competitor tracking
 Brand tracking
 Key measures agreed
 Integration in place
 Workflow and escalation processes
defined
 Mobile considered

24. Monitoring fundamentals
Be aware that tools have 3 parts:
1. Social data sourcing
2. Data processing and analysis
3. Reporting and insight delivery

25. Does Listening support governance?
 Does the listening platform
support governance rules and
roles and workflow?
 If it can’t exceptions are created.

26. Social listening post - tools

27. Workflow and decision tree

28. GOVERNANCE AND CONTROL
What would it mean to you if you could assure your
organisation that social media was well controlled?

29. Social Media “Marketing” Has Caused
Internal Business Challenges
EMPLOYEES EXPANDING
Inappropriate use of social media Social media footprint
INTERNAL NON-EXISTENT
Confusion of roles & responsibilities Governance models & policies
INCONSISTENT DISJOINTED
Social media measurement practices Content & Community Practices
OUTDATED TECHNOLOGY
Crisis communications models Disjointed and uncoordinated

30. Confusion of Roles and Responsibilities
This is one of the most
common problems we see

31. Confusion of Roles and Responsibilities
It’s not just the Team
It’s about cross-organisational roles and coordination.

32. 6 Step Audit Approach
1. Strategy Assessment – overall goals
2. Presence Assessment – where are you the social web
3. Listening Assessment – what data and how managed
4. Organisation & Internal Culture Assessment
5. Process Assessment – workflow, timeliness, escalation
6. Governance Assessment
• Policy
• Roles
• Risk Assessment
• Compliance

33. Consider starting with an Assessment
 “A big challenge is trying to
figure out everything that’s going
on, because you will be shocked
by the different people doing
social media that you don’t even
know about,” says Mike Jacka.

34. Organisational Model for Social Media
Then, get a grip on the model
OR

35. Check Approval Workflows
e.g. For New Presence Creation
Be sure to
Yes connect with
them.
Reach out to the
Do you know the Social Business
No
internal contact? Center of
Yes Excellence
Yes See #2.
1. Have you
notified your
manager about
this? No
Be sure to discuss
Is there a pre- with your manager
existing presence Looks like you
Yes
you can partner may need to
Is there a true with? No create a presence
need to create but two Create a presence
Yes a new social considerations. and not social
Yes
media media team.. Share
2. Do you have PW with manager
Have you channel? Hold off until resources to
reviewed the there is sustain the
Social Media No presence long
community Click here to
Guidelines? demand I’m term?
connect with the Discuss needs with
Review Social Not No
Sure
Social Business manager
No Media COE to discuss.
Guidelines

36. Finish
To allow Internal Auditors to:
 communicate effectively with those managing the use of social
media when they are conducting an audit
 to understand the inherent release of control of information posted
in social media
 to understand the tools and systems which might be in use to
distribute and monitor social media activity
 to understand what governance and control means regarding
social media when its utility is heavily linked to not being ‘in control’

37. CONCLUSION
You can successfully apply internal audit frameworks
to social media.

38. APPENDICES
FOR REFERENCE

39. 1. Assess
2.Strategis
8.Monitor e
7.Engage 3.Create
4. Protect Phase of iGo2 Strategy Methodology
6.Share
Overview
4.Protect
5.Participat
e
 Regulatory compliance considered
 Data collection, retention and archiving determined
 Employee protections in place, including the social media policy and training
 Company protections in place, including legal
 Social architecture assessed in context of risk and monitoring
 Crisis management plan developed and integrated
 Risk assessment and risk management in place – and practice is conducted
 Executive and Board reporting in place – critical items in relation to
business strategy and risk

40. 1. Assess
2.Strategis
8.Monitor e
7.Engage 3.Create
4. Protect Phase
6.Share
4.Protect
Risk Management - 1
5.Participat
e
 Identify – listening, brainstorming, reviewing
 Assign an owner
 Qualitative or quantitative evaluation
 Mitigation – accept, reduce, reject, transfer
 Categorising social media risk:
 Reputation
 Compliance and regulatory
 Legal, IP, Privacy
 Operational – reducing employee productivity

41. 1. Assess
2.Strategis
8.Monitor e
7.Engage 3.Create
4. Protect Phase
6.Share
4.Protect
Risk Management - 2
5.Participat
e
 Identify and review risks
 Review historical activities
 Workflow triage from listening
 Review 3rd party case studies and reports
 Create and review threat lists
 Incorporate risk management into social initiatives
 Keep up with platform developments and associated legal terms

42. A Multi-level Governance Model
 0th level: Terms of Usage posted with some very simple
"guidelines" (not policy, not rules, etc.)
 1st level: community managers and/or helpful individuals
 2nd level: corporate platform managers
 3rd level: exec sponsors
 4th level: ad-hoc committee of exec VPs (IT, HR, etc.) for issues that
requires serious discussion
 Levels 0 through 2 open and transparent, e.g. anyone can comment
and/or contribute.

43. Awareness
 Mark Pearson @journlaw
 Social media best practice: New
guidelines released Australian
Association of National Advertisers
(AANA) see
http://www.leadingcompany.com.au/technolog
y/social-media-best-practice-new-guidelines-
released/201211283150