How to Conduct an Effective Social Media Audit
Pete Scott, APR @prscott
flickr.com/photos/lendingmemo/
Transcript
Page 1: PRSA presentation auditing social media presented by Pete Scott, APR @prscott

How to Conduct an Effective Social Media Audit

Pete Scott, APR @prscott

flickr.com/photos/lendingmemo/

Page 2:

Overview

• The Disconnect
• How I Got Here
• The Major Risks
• A Governance Structure
• The Social Media Audit
• Three Cases
• Questions

Page 3:

disconnect

flickr.com/photos/nikonvscanon/

Page 4:

Our Influencers

Page 5:

What They Say

• How good the company is in leveraging the various social media tools?
• How good the company is in engaging with the target audience?
• How good the company is in amplifying its messages?
• How good the company is in targeting customers?
• How good the company is in building positive influence among customers?

Page 6:

This is all necessary, but...

Page 7:

C-Suite and Board Influencers

Page 8:

What they say

Social media oversight is lagging in firms

The evaluation and monitoring of risk needs to be a key component of any organization’s social media strategy

Organizations do not have an adequate social media governance program in place

For all its advantages, social media also brings inherent risks, including threats to confidential information, intellectual property, and reputation as well as the potential for regulatory infractions

Governance for social media compliance remains fragmented

Page 9:

They are taking it much further

Page 10:

How I Got Here

Page 11:

Trained over 5,000 internal auditors globally
Most of the Fortune 500
All of the Big Four and major professional services firms

Page 12:

What Went Wrong?

• United Airlines - baggage handling - YouTube
• Nestle - product sourcing - Facebook
• Francesca Holdings - financial communications - Twitter
• Dell - customer service - Blog
• Chrysler - third party agency - Twitter
• Taco Bell and Domino’s Pizza - employee training - Facebook & YouTube

Page 13:

What Went Wrong?

• Kenneth Cole - employee training - Twitter
• Hooters - employee policies
• ADT - disclosure - Twitter and Facebook
• Delta Airlines - Twitter

Proactively Solved Issue:

• Best Buy - employee compensation - Twitter

Page 14:

Major Risk Areas

• Brand & Reputation Risk
• Strategic Risks
• Technology and Data Leakage Risks
• Third Party Risks
• Legal Risks
• Governance Risks

Page 15:

Examples from an Actual Social Media Audit

Page 16:

Brand & Reputation Risk

flickr.com/photos/89275439@N07/

Page 17:

Brand & Reputation Risk

Identifying Risk

• Accelerated Corporate Reputation Loss
  • CASE: TripAdvisor Ratings
• Financial Loss from Inaccurate Social Media Posts
• Ineffective Crisis Management
  • CASE: Discovery Communications
• Accelerated Consumer/Employee Dissatisfaction
  • CASE: Dell Hell

Page 18:

Brand & Reputation Risk

Mitigating Risk

• Social Media Strategy, Plans and Metrics aligned with Business Objectives
• Social Media Policies
• Employee Training
• Social Media Monitoring
• Social Media Triage
• Incident Escalation Policies and Procedures

Page 19:

Brand & Reputation Risk

Mitigating Risk

• Account Inventory
  • Person(s) Accountable
  • Activity Level
  • Content Ownership
  • Account Ownership & Identification
  • CASE: Dell, Delta and TD Bank
• Content Taxonomy
• Oversight
  • On Message?
  • Achieving Objectives?

Page 20:

Strategic Risk

http://blog.90octane.com/

Page 21:

Strategic Risk

Identifying Risk

• Lack of Enterprise Strategy
• Failure to fully leverage Social Media Opportunities to full potential
• Inability to determine return on investment of social media
  • CASE: NAVC
• Speed of Service Inadequate for consumers and employees
  • CASE: Delta Airlines
• Lack of resource commitment to social media impacting consumers

Page 22:

Strategic Risk

Mitigating Risk

• Social Media Strategy
• Tracking and KPIs
• Professional Development
• Business Case for Social Media

Page 23:

Technology Risks

Page 24:

Technology & Data Leakage

Identifying Risk

• Data Leakage
  • CASE: DM from CEO
  • CASE: TheOldCFO
• Increase in Cyber Threats
• Lack of Auditability

Page 25:

Technology & Data Leakage

Mitigating Risk

• Social Media Policies
• Employee Training
• Social Media Monitoring
• Data Archiving
• IT Security

Page 26:

Third Party Risk

Page 27:

Page 28:

Third Party Risks

Identifying Risk

• Lack of Control over Agency Relationships
• Lack of Functionality Control on Third Party Sites
  • POTENTIAL CASE: Facebook
• Lack of Business Continuity on Third Party Sites
  • POTENTIAL CASE: Twitter
• Lack of Content Control on Third Party Sites
  • CASE: Novartis
• Lack of Control over Hijacked Accounts for Fake Sites
  • CASE: Farmer’s Insurance
• Lack of Control over Departing Employees

Page 29:

Third Party Risks

Mitigating Risk

• Set expectations on employee training and oversight in agency agreements
• Conduct periodic audits of the agency
• Set goals, expectations, metrics, policies and accountabilities
• Establish social media monitoring program, even if using an agency for monitoring
  • CASE: Major Software Company
• Establish escalation and triage policies
• Establish policies and testing plan for removing access to social media accounts

Page 30:

Legal Risk

Page 31:

Legal Risks

Identifying Risk

• Expansive Federal and State Legal and Regulatory Concerns
• Inadequate Contracts
• Online Bullying / Harassment / Personal Reputation
• Negligent Hiring & Retention Liability

Page 32:

Governance Risks

Page 33:

Governance Risks

Page 34:

Doing What You Are Supposed to Do

Page 35:

Governance Risks

Identifying Risk

• Lack of Enterprise Governance
• Lack of Compliance
• Inadequate Policies
• Inadequate Training

Page 36:

U.S. Guidelines

• FTC - Social Media Disclosures
• NLRB - Social Media Policies
• HIPAA - Healthcare Disclosure
• FFIEC - Banks and Financial Institutions
• SEC/FINRA - Financial Advisors
• FDA - Pharmaceutical

Page 37:

U.S. Guidelines

• TTB - Alcohol
• State Guidelines - Insurance Companies
  • CASE: Farmer’s Insurance
• ASRC - (NAD) Self Regulation in Advertising
• Others - Compensation, Harassment, Employment

Page 38:

FTC Guidelines

State of Sponsored Social Report Izea.com (December 2013)

http://www.olshanlaw.com/resources-events-Webinar-Digital-Social-Media-Promotions.html

Page 39:

Establishing a Governance Structure

Page 40:

Relying on one department or person is inadequate, but it does need a leader

Page 41:

Team Effort

• Managing social risk is often found in numerous business units
• Communications
• Marketing
• Customer Service
• Product Development
• IT
• Human Resources
• Legal
• Internal Audit

Page 42:

Governance Architecture

• The governance architecture should detail:
  • Social Media Objectives - strategy, objectives and goals
  • Departmental responsibilities
  • Individual accountabilities
  • Brand guidelines
  • Approval processes and procedures
  • Training

Page 43:

Why You?

Page 44:

Why You?

• Though the risk might not happen in your area, it will probably become your issue
• Why are we doing this?
• How did this happen? What did you do?
• Chances are, you manage or have influence over:
  • The voice, brand, reputation, activities, strategies, plans and monitoring
• An opportunity to demonstrate value at the highest levels

Page 45:

How to Audit Social Media

Page 46:

The Audit Process

Identify Risk
Assess Risk
Identify Controls
Assess Controls
Develop Plan

Page 47:

Objectives of an Audit

Identification of Risks
• Identify all potential risks
• Assess likelihood and significance
• Set priorities

Controls to Mitigate Risks
• Verifying documents, policies, procedures and activities

Testing
• Is the procedure followed?
• Could the procedure be improved?
• Could work practices be improved?
• Is risk mitigated?
• Are opportunities leveraged?

Page 48:

Risk Assessment

Significance

Risk Rating | Description
Manageable | Small impact, able to recover with minor effort
Major | Medium to serious impact, able to recover with serious effort
Critical | Very serious impact, very difficult recovery

Likelihood

Risk Rating | Description
Remote | Small impact, able to recover with minor effort
Possible | Possible and could occur during the period
Likely | Expected to occur

Page 49:

Risk Assessment

Significance \ Likelihood | Remote | Possible | Likely
Critical | Medium | High | Critical
Major | Low | Medium | High
Manageable | Low | Low | Medium

Page 50:

Controls

• Existing Controls
• Plans
• Policies
• Processes
• Activities
• Control Objectives
• Gaps in Controls

Page 51:

Testing

• Identify Gaps and Inadequate Controls
• Develop Work Plan to Close Gaps

Page 52:

Three Cases

• Francesca Holdings - Inappropriate Tweets by CFO
• Hooters - Social Media Policy
• Best Buy

Page 53:

Risks:

• Employee Use of Social Media
• Lack of Identification of Inappropriate Posts

Page 54:

Francesca Holdings

The Issue: Inappropriate Tweets by Gene Morphis, CFO - Francesca Holdings

March 6, 2012 he tweeted:

"Dinner w/Board tonite. Used to be fun. Now one must be on guard every second."

March 7, 2012 he tweeted:

"Board meeting. Good numbers=Happy Board."

Stock increased 15%

Page 55:

Francesca Holdings

The Result - On May 14, 2012

CFO Fired
Stock temporarily dropped by more than 20%

Page 56:

Audit

• Risk was Identified: Employees’ Use of Social Media, especially as a public company
• Risk was Assessed: Likelihood and Severity Assessed
• Controls Established: Employee Policies Were in Place
• Controls Tested: There was inadequate training on use of policy and there was a lack of monitoring of key employees
• Work Plan: Reassess Policy and Training Plan, Update Monitoring Plan

Page 57:

Risk: Out of Date Policies

Page 58:

Alexis Hanson

The Issue: A Tirade Over A Rigged Bikini Contest

Result: A New York National Labor Relations Board judge ruled that a Hooters franchise cannot force its employees to act in a respectful manner toward customers, nor could managers punish employees for insubordination.

Page 59:

Courtesy

Courtesy: Courtesy is the responsibility of every employee. Everyone is expected to be courteous, polite and friendly to our customers, vendors and suppliers, as well as to their fellow employees. No one should be disrespectful or use profanity or any other language which injures the image or reputation of the Dealership.

Page 60:

Audit

• Risk was Identified: Employees Disrespect and Use via Social Media
• Risk was Assessed: Likelihood and Severity Assessed
• Controls Established: Employee Policies Were in Place
• Controls Tested: The Policy Was Not Updated in Light of Updated NLRB Guidelines
• Work Plan: Update the Policy and Communicate and Train All Staff

Page 61:

Risk: Employee Compensation

Page 62:

Best Buy

The Issue: Compensating Employees for Social Media Engagement

Result: Best Buy developed a plan to compensate associates for Twelpforce, so they can answer questions on Twitter from customers

Page 63:

Audit

• Risk was Identified: Employees Needed to be Compensated for Work
• Risk was Assessed: Likelihood and Severity Assessed
• Controls Established: A Compensation Program was Developed
• Controls Tested: Were Employees Compensated? Review of Payroll Records was Conducted
• Work Plan: Periodic Review of Compensation Records as well as Tweets to Mitigate Employee Fraud

Page 64:

It Can Take Time

But the Benefits Can Be Huge

Page 65:

If Internal Audit Comes, It’s Much Better To

Page 66:

Questions?

Page 67:

Thank You.

Peter Scott, APR

[email protected]

@prscott