“Social media is the biggest risk your organization faces.”
This is how I started a presentation at the Institute of Internal Auditors, Pensacola, Florida chapter meeting. At that moment I felt like I was on the Gong Show, Showtime at the Apollo, American Idol, or any other show where people judge you based on their initial impression.
If looks could kill, I knew exactly what the audience was thinking.
“Get out of here. That’s nonsense.”
Convincing them social media is a risk worth auditing
But after the presentation, numerous people said thanks for a presentation highlighting relevant social media business risk. But I also realize there was a Freudian slip in my introduction. If you’ve ever seen me present, you know that I make bold statements and then back them up with examples. But it was a mistake when I said social media was the biggest risk to your organization. I meant to say your reputation is one of the biggest risks organizations face. Hence the stares at the beginning. What a relief it was to clear that up. It could have ruined my reputation 🙂
But nowadays, your reputation is made or broken on social media in a matter of minutes with the click of a mouse. Social media is a multibillion-dollar industry affecting millions of people. Social media managers make good money curating content and managing messages, while building and maintaining your company’s brand.
As a matter of fact, the first article I wrote about social media risk was in 2012. Check it out later. To summarize, a CFO tweeted that he had a good board meeting. Obviously Wall Street went wild. The stock shot up. He made the market move with the click of a mouse. This kind of thing was fairly new back then, but its impact is long lasting. Many regulators have taken notice. Over the years, they have implemented rules and have fined individuals for similar activities.
Surely most companies have adequate social media controls
And that brings us to today’s example. Let me introduce you to Seth Dunlap. He was a radio host on WWL, a radio station in New Orleans, Louisiana. His nightly sports talk show, The Last Lap with Dunlap, was very popular in the region. That is, until his company allegedly tweeted something derogatory about him.
Now you might be wondering: if his company tweeted something about him, how is he now the former radio host? So here’s the backstory.
It is alleged that the radio station tweeted an offensive slur about Mr Dunlap (see image; I have marked out the word). The radio station’s 30,000 Twitter followers went crazy. Upset at the impact this was having on its reputation, the radio station launched an investigation.
They hired a digital forensics firm, which discovered the tweet originated from a cell phone belonging to Mr Dunlap. Mr Dunlap denies sending the tweet and says that he never had access to the station’s Twitter account.
If this is true, what has happened is an anomalous event that may violate several computer science principles. You see, they traced the tweet back to his IP address.
Let’s assume there was some magical glitch in the system that allowed a tweet to originate from his cell phone. Mr Dunlap threatened to sue for $1.8 million. Frankly, I’ve had my feelings hurt before. But I’ve never expected anyone to pay me a million dollars for my hurt feelings.
They also discovered that Mr Dunlap was allegedly in a lot of debt. Some radio station personnel disclosed that debt collectors were calling him on the job. Now I think that’s illegal too, but that’s a subject for another article.
Now we can assume that either (1) maybe someone spoofed Mr Dunlap’s IP address, or (2) he sent the tweet to extort money from his company, or (3) some magical clown fairy stole his phone and sent the tweet.
Either way, there was a breakdown in some basic business controls.
- To post to a Twitter account, someone needed to create content, enter it into the system and hit the tweet button. Surely auditors can see that this is an inappropriate segregation of duties. One person has the ability to create, review, approve and distribute a transaction.
- Now let’s talk about Twitter account access. It’s fairly obvious that multiple people had access to the account and/or multiple people had the wrong type of access. System access to your organization’s social media accounts is definitely something internal auditors can review.
The cost of weak social media management controls
Now imagine not only the reputation damage, but also the following costs: (1) the forensics firm (they aren’t cheap; if you are one, chime in and let them know how much it will cost), (2) internal personnel time, (3) court costs, and (4) attorney fees. All because of inadequate social media controls.
So the question I ask is, are you auditing your organization’s social media business processes?
I have been auditing social media since 2005. Over the years, we have seen social media faux pas from too many organizations to keep count. If you wanna hear some strange stories, let’s talk.
Let’s audit your social media management processes
I have partnered with John Blackshire over at Corporate Compliance Seminars. We’re having a 2-hour Auditing Social Media Management webinar. It will make you think twice about reputation risks. I also have an online course that will teach you most of the basics. Afterward, you will have enough knowledge to communicate the risks to management.
If you would like to discuss performing a social media management audit in your organization, hit the contact us link below and let’s chat. I love doing these engagements.
While you’re here, read a new chapter from my soon to be released book Creating Wonderful Workpapers – The Auditor’s Essential Guide to Creating Good Documentation.