What Every IT Auditor Should Know About Auditing Social Media 


Social media has taken the planet by storm over the last few years. Much has been said and written about the potential advantages of using social media for business or organizational purposes. Those advantages include, among others, enabling 24/7 communications with customers and prospects; finding, attracting or reaching new customers; building new business opportunities; increasing customer loyalty; diversifying marketing channels; recruiting IT-savvy employees; increasing collaboration among employees; and building personal, professional and organizational networks. One survey found that 40 percent of executives, not the typical users of social media, use social media multiple times a day.1

For example, Ford Fiesta used social network systems (SNS) in the US to generate a mass reach of its target market and to build relationships with customers and potential buyers. With SNS, Ford achieved reservation-to-conversion sales rates 10 times higher than expected. Over 40 million impressions occurred on Twitter, and 30 percent of those were people under 25 (i.e., repeat buyers).2

Facebook has been growing by an additional 100 million users every three months since it reached its first 100 million, and is approaching 1 billion users today.3 Twitter has about 140 million members, and 340 million tweets are sent per day.4 Businesses use YouTube as both a social media and a training facility. For example, Red Robin Restaurants offers its training regarding the proper temperature for food as a video online on YouTube, alongside the more conventional comedic videos found on YouTube that go viral. There are more than 150 million blogs in existence, and they have millions of followers and readers.5 LinkedIn has 135 million members worldwide and is commonly used by professionals to build networks.6 Other SNS include Xing and Plaxo (similar to LinkedIn), Ning (allows individuals to build a custom SNS), Rediff (India portal), Pinterest (pinning things of interest) and a host of others.

As is true with all IT, social media also brings inherent risk. These risk areas are similar to those brought about by other IT, such as inefficiency, wasted investment, insufficient effectiveness and lost opportunity. But it also has some unique risk areas, including public image damage created by negative comments and postings in social media venues.

For the purposes of this article, the definition of social media will be “using Internet-based applications or broadcast capabilities to disseminate and/or collaborate on information.”7

A Framework for Auditing Social Media

There are really two different spheres of risk and concern regarding social media: public image and operational effectiveness.

Public image is related to an entity trying to manage and protect its public image. It is quite easy for almost anyone to post something negative and false about an entity. It is vital that entities with social media risk are proactive in their searches for and management of false statements and negative postings on the web.

Like any other IT, the entity’s management should be concerned with the operational effectiveness of using social media tools and, thus, needs to include social media audits in its internal audit function. This audit is not unlike all other audits—beginning with a risk assessment, determining management’s goals (which should be tied back to the business model, goals and objectives of the entity), and auditing for effectiveness and efficiency in using the particular IT.

The Risk

Figure 1 presents some of the main risk areas when using the framework discussed previously. As can be seen, many of the effectiveness/operational risk areas, if they occur, are also likely to result in damage to reputation/public image. Those risk areas probably rank higher than ones with a single-sided impact.

Figure 1

Statistics show that, with regard to employees using social media at work, there is considerable risk beyond the risk of lost productivity (see figure 2).

Figure 2

One of the things that makes social media risk different from other IT risk is risk velocity. That is, information spreads extremely quickly across SNS and, in some cases, transitions to conventional news media within a few minutes of a controversial statement or inappropriate remark. Thus, risk velocity is very high in SNS, while in other IT arenas the pace is not quite as fast or as broad. Some videos, e.g., Susan Boyle singing on a British TV program, get millions of hits in a very short time; this is described as “going viral”—a now common term in SNS and in general. Going viral illustrates the extremely high risk velocity that SNS objects can attain. This is of particular importance in building controls and countermeasures for social media risk and should be factored into the risk assessment of an entity’s social media.

Auditing Proactively for Image and Public Relations

The control for reputation and public image risk is to proactively search SNS regularly (risk might require it to be daily) for negative comments and postings, and to have a plan on how to respond to both true negative comments as well as false postings. The main thing is for someone familiar with social media to spend time daily searching the Internet/SNS for damaging posts. To be actively engaged in responding to comments and statements that could adversely affect the organization, this person should be active in all major SNS. While this process/control is not complicated, it is not without substantial costs, as specialists may need to spend all of their work hours on monitoring social media and an enterprise may even require more than one expert. The greater the reputation risk, naturally, the more necessary this kind of audit is.
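The monitoring control described above is a manual, daily search by a person who knows the SNS. The following Python script, added here as an illustration and not taken from the article, shows how the first pass of that search can be partly automated: it scans a constructed set of sample posts for mentions of an organization, flags those containing negative terms, and orders them by a rough velocity band derived from share counts so the person responding looks at the fastest-spreading negative posts first. The organization name (“Acme”), the negative-term list, the share thresholds and the sample posts are all assumptions; a real deployment would tune the term list and feed in posts from the SNS APIs.

```python
"""Triage sample SNS posts that mention an organization (added example).

Everything here is constructed for illustration: the organization name,
the negative-term list, the velocity thresholds and the sample posts.
The scoring is a deliberately simple keyword heuristic meant to order
a human reviewer's work, not to decide truth or tone on its own.
"""
import re

# Assumed list of terms that suggest a negative or damaging post.
NEGATIVE_TERMS = {"scam", "fraud", "terrible", "unsafe", "lawsuit"}

# Constructed sample posts; "shares" stands in for how far a post has spread.
SAMPLE_POSTS = [
    {"id": 1, "text": "Loved the new Acme store opening!", "shares": 12},
    {"id": 2, "text": "ACME is a total scam, they stole my deposit", "shares": 950},
    {"id": 3, "text": "Anyone tried acme's support? Terrible wait times", "shares": 40},
    {"id": 4, "text": "Great weather today", "shares": 3},
]


def mentions(post_text, org_name):
    """True if the post names the organization as a whole word (case-insensitive)."""
    pattern = r"\b" + re.escape(org_name) + r"\b"
    return re.search(pattern, post_text, re.IGNORECASE) is not None


def negative_terms_in(post_text):
    """Return the negative terms found in the post, in sorted order."""
    words = set(re.findall(r"[a-z']+", post_text.lower()))
    return sorted(words & NEGATIVE_TERMS)


def velocity_band(shares):
    """Map spread to a 1..3 band; assumed thresholds, tune per platform."""
    if shares >= 500:
        return 3  # already spreading widely: respond first
    if shares >= 25:
        return 2
    return 1


def triage(posts, org_name):
    """Return negative mentions of org_name, highest priority first.

    Priority = number of negative terms * velocity band. Each flagged
    post carries a 'verify' marker because the responder still has to
    decide whether the claim is true (respond/fix) or false (correct).
    """
    flagged = []
    for post in posts:
        if not mentions(post["text"], org_name):
            continue
        terms = negative_terms_in(post["text"])
        if not terms:
            continue
        flagged.append({
            "id": post["id"],
            "priority": len(terms) * velocity_band(post["shares"]),
            "terms": terms,
            "verify": "true-or-false claim must be checked before responding",
        })
    flagged.sort(key=lambda f: f["priority"], reverse=True)
    return flagged


if __name__ == "__main__":
    for item in triage(SAMPLE_POSTS, "Acme"):
        print(item)
```

Run as a script, it lists post 2 (one negative term, high spread) ahead of post 3 (one negative term, moderate spread) and ignores posts 1 and 4. The output is a work queue for the person the article describes, not a verdict; a false accusation and a genuine complaint both surface here and need different responses.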

Auditing Traditionally for Operational Effectiveness

Auditing social media for operational effectiveness is not much different from other IT audits of systems and technologies. What is the risk assessment, in particular the inherent risk? What controls are in place to mitigate the risk, and to what degree do they reduce the inherent risk? The risk areas can be ranked using a combination of impact and probability. In this case, the IT auditor should include the aspect of risk velocity as well. Then, starting with the highest risk, the IT auditor should begin to audit and evaluate the controls.
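The ranking described above (impact combined with probability, extended by risk velocity, then audited highest first) can be kept as a small risk register. The Python below is an added example, not from the article; the three risk areas, their 1-to-5 impact and probability scores, the 1-to-3 velocity scale and the control-effectiveness fractions are constructed values standing in for what an actual risk assessment would produce. It computes an inherent score per risk area, orders the audit by that score, and shows the residual score after existing controls, which is the "to what degree do they reduce the inherent risk" question in the text.

```python
"""Rank social media risk areas by impact, probability and velocity (added example).

Scores and risk names are constructed for illustration. Impact and
probability use 1 (low) to 5 (high); velocity uses 1 (slow) to 3
(can go viral within minutes), following the article's point that
velocity is the extra dimension for social media risk.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class RiskArea:
    name: str
    impact: int       # 1..5
    probability: int  # 1..5
    velocity: int     # 1..3


def inherent_score(risk):
    """Inherent risk before considering controls."""
    for value, high in ((risk.impact, 5), (risk.probability, 5), (risk.velocity, 3)):
        if not 1 <= value <= high:
            raise ValueError(f"score out of range for {risk.name}")
    return risk.impact * risk.probability * risk.velocity


def residual_score(risk, control_effectiveness):
    """Residual risk; control_effectiveness is the fraction (0..1) of inherent risk removed."""
    if not 0.0 <= control_effectiveness <= 1.0:
        raise ValueError("control_effectiveness must be between 0 and 1")
    return inherent_score(risk) * (1.0 - control_effectiveness)


def audit_order(risks, controls):
    """Return (name, inherent, residual) rows, highest inherent risk first."""
    rows = []
    for risk in risks:
        effectiveness = controls.get(risk.name, 0.0)  # no control recorded: nothing removed
        rows.append((risk.name, inherent_score(risk), round(residual_score(risk, effectiveness), 1)))
    rows.sort(key=lambda row: row[1], reverse=True)
    return rows


# Constructed sample register.
SAMPLE_RISKS = [
    RiskArea("Negative or false postings", impact=5, probability=4, velocity=3),
    RiskArea("Employee misuse at work", impact=3, probability=4, velocity=2),
    RiskArea("Wasted investment in SNS", impact=3, probability=3, velocity=1),
]

# Constructed control-effectiveness estimates, keyed by risk name.
SAMPLE_CONTROLS = {
    "Negative or false postings": 0.5,   # daily monitoring and response plan
    "Employee misuse at work": 0.25,     # acceptable-use policy only
}


if __name__ == "__main__":
    for name, inherent, residual in audit_order(SAMPLE_RISKS, SAMPLE_CONTROLS):
        print(f"{name:32} inherent={inherent:3} residual={residual}")
```

The order of the rows is the order in which the auditor starts evaluating controls; the gap between the inherent and residual columns is the evidence that a control is, or is not, doing its job.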

In addition, the IT auditor should consider what organizational goals and objectives are tied to the use of SNS. Then, the IT auditor should audit the effectiveness of social media compared to a metric or benchmark of the goal, objective or business model. This audit would benefit from the use of the COBIT 4.1 Plan and Organize domain (e.g., PO1 Define a strategic plan, PO3 Determine the technological direction and PO5 Manage the IT investment).


The proliferation of social media and the fact that major risk areas are associated with it (whether an organization uses it or not) create a need for IT auditors to assist management in managing the associated risk and making sure that social media is an effective tool. The effectiveness is tied to organizational goals, objectives or strategies (if the entity is actively involved with SNS). A framework for social media is presented in this article, which suggests that the audit of the social media IT (being used by the organization) be separate from the auditing/monitoring of the social media being used (SNS in general).

The audit of the IT (social media) itself is not much different from the approach used in other IT audits, but the risk assessment component has some special considerations (e.g., risk velocity, employee abuse). As usual, COBIT provides an effective tool for doing the audit. Such an audit, as with most IT audits, would involve auditing the controls’ operational effectiveness and the organizational (managerial) strategic effectiveness.

Social media should be proactively monitored to minimize adverse effects of SNS on the organization, especially from false or negative postings. This audit/monitoring increases in importance based on how much the organization is being discussed on SNS, and could require one or more full-time employees spending all of their work hours monitoring the various SNS.


The author would like to thank Allen Johnston, Ph.D., and Jamey Worrell, Ph.D., of the University of Alabama at Birmingham for their insights and assistance with this content.


1 Horton, Mark; “How Executives Are Using Social Media,” Socialcast Inc., 6 October 2010, http://blog.socialcast.com/how-executives.are-using-social-media/
2 Protiviti, “Managing Privacy Risks in Social Media-driven Society,” www.protiviti.com
3 Hachman, Mark; “Facebook Now Totals 901 Million Users, Profits Slip,” PCMag.com, 23 April 2012, www.pcmag.com/article2/0,2817,2403410,00.asp
4 Twitter Blog, “Twitter Turns Six,” 21 March 2012, http://blog.twitter.com/2012/03/twitter-turns-six.html
5 QSpike, What Is Social Media?, http://qspike.com/what-is-social-media/
6 LinkedIn, Press Center, http://press.linkedin.com/about
7 Hanson, Ron; “The Art of Dis-Connecting: Social Networking Risk Management,” presentation, ISACA Perth Chapter, www.isaca.org/chapters2/Perth/Documents/Social%20Networking%20Session%20-%20Rob%20Hanson.pdf

Tommie W. Singleton, Ph.D., CISA, CGEIT, CITP, CPA, is an associate professor of information systems (IS) at Columbus State University (Columbus, Georgia, USA). Prior to obtaining his doctorate in accountancy from the University of Mississippi (USA) in 1995, Singleton was president of a small, value-added dealer of accounting using microcomputers. Singleton is also a scholar-in-residence for IT audit and forensic accounting at Carr, Riggs & Ingram, a large regional public accounting firm in the southeastern US. In 1999, the Alabama Society of CPAs awarded Singleton the 1998–1999 Innovative User of Technology Award. His articles on fraud, IT/IS, IT auditing and IT governance have appeared in numerous publications.


© 2012 ISACA. All rights reserved.
