EuroCACS 2016: Audit social media like other core IT functions

News by Tom Reeve

Social media is no different that other IT functions when it comes to the need to ask questions and test internal controls, it was argued at EuroCACS 2016.

Companies should commission information security auditors to test social media policies, processes and procedures as they do for other IT functions, it was argued at EuroCACS 2016 in Dublin.

Speaking on Tuesday afternoon at ISACA's flagship European event, Tiochaona Zororo from Enterprise Governance of IT (EGIT), based in South Africa, explained the business case for auditing social media. “From my point of view, social media is no different than other auditing. In terms of the core objective, it's about adding value and improving the operations and organisation,” he said. 

As anyone who has followed the fortunes of organisations and individuals who have fallen foul of social media knows, there are risks associated with carrying around what amounts to a megaphone in your pocket.

A careful analysis of social media disasters led Zororo to develop his top tip: Don't tweet (or use any other social media for that matter) when drunk or under the influence of other drugs. What seems like a funny or pithy statement at 1am in a bar probably isn't.

However, even on a deeper strategic basis, there is a huge gulf between the companies that are doing social media well and those who aren't, and for those who don't do social media well, it can have severe implications on the brand, the value of the company and the career prospects of senior management.

An example of good practice was Tony Fernandes, CEO of AirAsia,who used social media to communicate his compassion for the victims and his commitment to uncover the cause of the crash of flight 8501 on 28 December 2014.

Along with regular communications, the company also took the brilliant but simple step of modifying its logo on its social media pages, turning it from red and white to shades of grey.

A company that fared badly from social media was BP following the Deepwater Horizon oil spill in the Gulf of Mexico in April 2010. To this day, the Boycott BP page on Facebook has well over 600,000 followers while BP's official page has around 220,000.

“If you try to bend the truth or hide the truth, it will get you,” Zororo told

To audit social media, the auditor needs to ask many of the same questions as they would for any audit, he said. “What is their core objectives, what is their five-step strategic plan? How does social media fit into the performance objectives? Is our social media strategy aligned to our overall strategy?”

This is followed by looking at processes, policies and procedures. “What are the procedures? What should you do to comply with your company's social media procedures and policies? Are they even there in the first place?” he said.

Is social media an agenda item on board of directors' meetings?

Following this high level view, it's time to examine the nitty-gritty, starting by asking, how many social media pages does the company have? “If I go on Facebook, can I find 20 social media pages for your company?”

Who has access to those pages? Who approves the content before it goes live? Do you have a stylesheet and are you consistent with spellings and presentations – eg, do you spell your company name the same way every time?

It's vital that all staff understand who is authorised to speak on behalf of the company and that these people are properly trained. “What if someone started to go on social media and complain about your company or decide that he is the official spokesman for your company? What impact would that have?” he asked.

Questions also need to be asked about password sharing and credential controls within the company. And if you have outsourced the social media work – as many companies do – do you have service level agreements in place and appropriate credential controls?

Does your company have social media monitoring tools? If someone starts complaining about your company on social media, how quickly will you pick that up and what procedures do you have in place to address that?

And it's not like organisations can afford not to have social media.

Zororo pointed to the example of a South African construction company, Roberts and Murray. A temporary bridge they were building collapsed in 2015 resulting in the deaths of three people and injury of 22. Zororo said the company did everything it should have including having the CEO onsite within 30 minutes of the disaster.

However, the company didn't have any social media, and as a result, said Zororo, there were 23,000 tweets an hour going out at one stage spreading mostly negative news about the company. The traditional corporate responses of doing TV interviews and producing a press release weren't quick enough, resulting in a significant fall in the company's share price.

Find this article useful?

Get more great articles like this in your inbox every lunchtime

Video and interviews