Social Media Policy is Missing in Over 50% of all Organizations
Internal audit has never been easy, and a recent survey shows that 43% of companies have no social media policy within their organization. Among those with a policy, many fail to address even the most basic issues, such as information security and approved use of social media applications.
More than half (51%) of organizations do not address social media risk as a part of their risk assessment process – 45% have no plans to do so in the coming year. Of those that do address social media, 84% rated their organization’s social media risk-assessment capability as not effective or moderately effective.
The survey findings are surprising in that they show how many businesses are either inadequately prepared or altogether inactive in putting effective processes and policies in place around social media. From a risk management perspective, this poses significant potential problems for businesses that can range from reputation risk to IT infrastructure risk as a result of unchecked exposures to customer, vendor and company information.
Other findings related to internal audit include:
- Continuous auditing was the top priority in terms of audit process knowledge in 2011 and 2012, but dropped down to #18 in the 2013 rankings.
- For audit process knowledge, auditing IT – new technologies was the third-highest needs-improvement priority, and scored significantly lower than any other area evaluated with regard to existing competency.
- Concerns among chief audit executives were generally aligned with the broader sampling of respondents. However, they did rank audit process knowledge around Computer-assisted Audit Techniques (CAATs) as a higher priority for improvement, compared to the overall ranking.
We can no longer view social media as a new risk. Businesses must prepare for the worst. Whether it's an attack on a company's reputation via Facebook or a rogue employee stealing an organization's Twitter account password, social media risk can manifest itself in many ways. There is only one way for companies to deal with it, however.
Implement a policy and be prepared.