Social Media Risk Is a Concern for Internal Auditors

A top priority for chief audit executives (CAEs) and internal auditors this year is preventing risks – such as hits to the bottom line and a loss of productivity – that could result from social media use within their organizations, according to a survey released last week by global consulting firm Protiviti.

Of the more than 600 internal audit professionals polled for Protiviti’s 2014 Internal Audit Capabilities and Needs Survey Report, respondents believe the top five social media risks that pose the biggest threat to their businesses are:

  1. Financial loss (7.3 on a 10-point scale, with 10 representing the highest risk level and 1 indicating the lowest)
  2. Interrupted business continuity (6.9)
  3. Loss of intellectual property (6.6)
  4. Loss of employee productivity (6.1)
  5. Viruses and malware (5.6)

But even though CAEs have minimizing these risks on their radar screens this year, not even half of those surveyed (47 percent) are including social media risk in their current year audit plans. According to the report, only 25 percent have social media risk included in their plans this year, up from 20 percent last year, while 31 percent noted they will include social media risk in next year’s audit plan, down from 35 percent in 2013.

What factors inhibit internal audit’s involvement in assessing social media risk? According to the survey, the top five factors include:

  1. Perceived risk (29 percent)
  2. Inadequately trained staff (27 percent)
  3. Lack of management support (23 percent)
  4. Data availability (16 percent)
  5. Lack of IT support (15 percent)

For organizations that do have social media policies, significant concerns remain as many still fail to address critical issues. For example, in cases where respondents said a social media policy is in place, nearly 30 percent fail to address disclosure of employee information, and only 66 percent address information security, according to the survey.

“It’s clear based on the survey results that companies are not doing enough to address social media risks and safeguards and, in turn, are facing undue exposure to significant risks to their business,” Brian Christensen, executive vice president of global internal audit for Protiviti, said in a written statement. “These results should persuade the board, executive management, and CAEs to take a more active and vigilant approach to managing social media risks.”

For the survey, internal audit professionals were also asked to assess their competency in 49 areas of technical knowledge and then indicate whether they believe their knowledge is adequate or needs improvement. Based on the findings, the top five areas for technical knowledge improvement are:

  1. Mobile applications
  2. NIST (National Institute of Standards and Technology) Cybersecurity Framework
  3. Social media applications
  4. Cloud computing
  5. Data analysis technologies

Respondents also evaluated 35 areas of audit process knowledge in terms of where they need to improve. According to the survey, the top five improvement priorities are:

  1. Computer-assisted audit tools
  2. Data analysis tools for data manipulation
  3. Data analysis tools for statistical analysis
  4. Auditing IT using new technologies
  5. Data analysis tools for sampling

About the survey:
Protiviti’s 2014 Internal Audit Capabilities and Needs Survey Report was fielded between September and October 2013. A majority of the survey participants work in publicly traded and privately held companies and represent virtually all industry sectors. A small percentage of respondents work for government and not-for-profit organizations.


Already a member? log in here.

Editor's Choice