
This document has not been risk reviewed and may lack the appropriate copyright/disclaimers as
well as compliance with firm branding standards. This document has been provided for reference
purposes only. Every slide in this document must be modified and tailored to your client’s
specific needs and objectives, and reapproved by the Partner and GB&RC as per formal approval
processes. The materials contained within the document may have come from a different
member firm and may not have relevance, or may have a different meaning, in your jurisdiction.
AUDIT REPORT
Date: Mo/Da/Yr
[Name]
EVP Corporate Affair, P&E Policy

Social Media

Executive Summary
Corporate Audit performed an assessment of the key controls surrounding Social Media. The assessment
was conducted as part of Corporate Audit's [Year] risk based audit. Our objective was to assess the
design effectiveness of the key procedures and controls relating to these processes. We did not
specifically test to determine if the controls were working as designed.

Specifically, Corporate Audit performed the following:

• Assessment of the maturity of the social media strategy developed by [Business Unit A],
[Business Unit B] and [Business Unit C], and identification of opportunities for consolidation and
cooperation;
• Review of the policies and guidelines for completeness with regard to corporate and personal use
of social media, and determination of how effectively the policies are communicated to
stakeholders;
• Evaluation of training opportunities considered for deployment with regard to the understanding
of social media policies and guidelines;
• Evaluation of the use of monitoring tools for social media activity; and
• Assessment of the protocols under development for issue and incident management and their
possible integration with policies and training materials, as well as an assessment of the
effectiveness of responses to mitigate risk of reputational damage.

The results of our audit indicated that the design of the general control environment within the [Business
Unit A], [Business Unit B] and [Business Unit C] Social Media processes, which includes those activities
necessary to provide reasonable assurance that risks are being managed and objectives are met, is Not
Fully Effective.

Corporate Audit noted 3 issues as detailed below. Management should make implementation of the
recommended control enhancements a priority in order to mitigate future potential errors.

The aforementioned high-priority risk-rated issues need to be communicated to the Audit Committee. The
next Audit Committee meeting will be held on [Month Day, Year], and at that time the business process
owner needs to be prepared to discuss how the issue will be addressed.

Background
As the use of Social Media has grown, businesses have become increasingly concerned regarding risks
related to the use of these rapidly evolving tools. Accordingly, the Corporate Audit Department
conducted an enterprise-wide risk based audit of [Company]’s Social Media function.

CONFIDENTIAL
The audit team was informed that there are # social media pages for [Business Unit A], [Business Unit B]
and [Business Unit C] related to LinkedIn, Twitter, YouTube, Facebook, Flickr, MySpace and internally
developed blogs. Furthermore, it was reported via the monitoring site www.socialmention.com that
during the 30 days leading to [Month Day, Year], [Company] had been mentioned # times in social media
channels, such as Twitter, Google blogs and Yahoo. In other words, for the last month [Company] has
been mentioned in a social media channel on average once every # hour(s).

Below is a chart that identifies the number of Social Media pages associated with each Business Unit:

Social Media Channels                                   Bus Unit A   Bus Unit B   Bus Unit C
LinkedIn, Twitter, YouTube, Facebook, Blogs & Flickr    # pages      # pages      # pages

Through our review, we completed detailed process documentation of the Social Media process as it
pertains to posting and monitoring posts. This process documentation has been provided to management
to assist audit dialogue with the various stakeholders as they considered draft audit findings on their
social media program.

Scope Limitations / Areas Not Covered


• Actual rate of return of social media activities
• Corporate Marketing use of social media
• Specific promotional activities
• [Company]’s Social Media strategies and policies

Audit Procedures
Our procedures primarily comprised:
• Interviewing key personnel to gain an understanding of the current business processes;
• Reviewing relevant [Business Unit A], [Business Unit B] and [Business Unit C] Social Media
documentation;
• Identifying risks inherent in the Social Media process;
• Identifying corresponding controls to mitigate the risks identified; and
• Developing flowcharts to refine our understanding of the Social Media process of posting and
monitoring posts.

Audit Issues
Issue Number: 1
Issue Name: A comprehensive social media plan including strategy, objectives, organizational
structure, policy and procedures has not been defined.
Priority Risk Rating: High
Impacts SOX Key Control(s)?: No
Key Control #: N/A

Issue Details: Corporate Audit noted that [Bus Unit B and Bus Unit C] can speak to informal
procedures around proactive, responsive and employee posting. However, there is no finalized
social media plan that defines the strategy, objectives, organizational structure and policy and
procedures. Without a finalized plan the social media initiative lacks structure and governance.
The current informal procedures lack credibility and enforcement.

Issue Impact Statement: Without a documented Social Media Plan, [Bus Unit B and Bus Unit C] could
be susceptible to a negative reputation leading to a financial loss or valuation reduction.

Recommended Control Enhancements: If [Bus Unit B and Bus Unit C] intend to continue use of social
media, they should create a comprehensive Social Media plan that includes the following best
practice components:
1) Strategy and Business Objective- [Bus Unit B and Bus Unit C] should identify, finalize and
document their business objectives within the Social Media plan. There can be various objectives
in using social media. The objectives can include increase in revenue, customer satisfaction,
recruiting and retaining best talent, product development and innovation, and enhancing brand
awareness and perception. Once the objective is established, the social media strategy should
give direction in attaining that objective. It is critical that strategy is aligned with the
business objectives.

2) Organizational Structure- It is important that the employees and managers involved in Social
Media are competent and are aware of company policy and procedures. Without a proper
organizational structure the business units are at risk of improper posts.

3) Policies and Procedures- Documented procedures should include the following:
a) Proactive Protocols- Proactive posts provide customers with information that allows them to
prepare for possible changes, inconveniences, etc. Some proactive communication should be
shared as general open posts for all to see. Others should be posted only on pages/venues that
target those most affected by the information.
b) Responsive Activities- Provide facts and data to address rising stakeholder issues or
complaints, misinformation or unfavorable opinions.
c) Engagement Protocols- The primary goal of the social media engagement should be to better
connect with stakeholders by providing information and assistance with issues, improving
response time to customers, and improving and building relationships. To effectively deliver its
messages and counter potential, far-reaching negative attacks, [Bus Unit B and Bus Unit C]
should engage stakeholders in social media communities and networks that are relevant to its
mission and activities, and proactively distribute information that both reinforces core messages
and provides important, up-to-date information to stakeholders.

4) Governance- The interaction of a governing board will be dependent on the extent of social
media engagement. If social media is to be a significant part of the organization's strategy, then
the board should be apprised of the actions and associated risks. Otherwise, reporting to the
board would be more limited. However, at a minimum, the reliance upon corporate communications
across the organization for workforce policy and compliance needs to be better defined to
evaluate and respond to employee adoption of social communication channels.

5) Assessments, Measurement & Analytics- In order to ensure messages that are sent through social
media are effective, it is important that management identify their social media audiences.
Utilizing social media monitoring tools will allow management to gain active insight into what is
being said by those outside the organization about the programs and other initiatives. Armed with
this information, management will be better positioned to address questions and enhance education
based on customer priorities and understanding of the customer voice. Specifically, management
should establish a custom dynamic dashboard that aggregates conversation volume, sentiment, topic
trends and influencers across multiple monitoring tools. The dashboard will include the following
features:
a) Real time conversation reporting.
b) Multiple tabs with customized dashboards for specific
programs or issues.
c) Exportable graphs/portions to share as reports in whole or by
individual program, data type (e.g., sentiment, volume,
influencer engagement), or media type (e.g., traditional +
bloggers, Twitter and Facebook).

Also, there should be a team that manages the metrics associated with social media. Commonly used
metrics include:
a) Stakeholder engagement- Includes the number of comments, bookmarks, images, pictures and
videos that mention the business unit in some fashion.
b) Issue submission percentage- The percentage of issues submitted using social media channels
compared to total number of issues from all channels.
c) External Customer engagement- How much customers are discussing the service level provided
through their social media networks. This should be measured in terms of sentiment, influence,
and reach to gauge the net impact.
d) Issues reported and number of conversations- The number of issues reported, the number that
led to discussions, and the number upon which the organization acted.

Management Response/Remediation Plan:

Remediation Implementation Date: All Remediation Implementation Dates should be set as the last
day in the month management has indicated the remediation will be completed (e.g. Month Day,
Year or Month Day, Year).

Remediation Owners:

Issue Number: 2
Issue Name: Lack of formal corporate governance of Social Media
Priority Risk Rating: Moderate
Impacts SOX Key Control(s)?: No
Key Control #: N/A

Issue Details: Corporate Audit appreciates that should [Acquiror]’s acquisition of [Company] be
completed, the use of Social Media within [Company] will cease. In addition, Corporate Audit
understands that [Company]’s current use of social media is limited. However, since [Company] has
a presence within Social Media, at a minimum, [Company] should have a governance structure over
its use. Corporate Audit also noted that [Company] does not have formal governance over its
business units active in Social Media, outside of setting standard corporate policies.

Issue Impact Statement: Without a governance structure, [Company] is at risk that negative
publicity generated by itself or by its business units could cause a decline in the company’s
valuation.

Recommended Control Enhancements: Corporate Audit recommends that [Company] develop a governance
structure to ensure the current social media activities are managed properly.

Management Response/Remediation Plan:

Remediation Implementation Date: All Remediation Implementation Dates should be set as the last
day in the month management has indicated the remediation will be completed (e.g. Month Day,
Year or Month Day, Year).

Remediation Owners:


Issue Number: 3
Issue Name: Training programs have not been developed for all employees and authorized responders
Priority Risk Rating: High
Impacts SOX Key Control(s)?: No
Key Control #: N/A

Issue Details: A formal training program has not been developed for all [Bus Unit A, Bus Unit B,
and Bus Unit C] employees responsible for posting as either authors of the company voice in social
media or as authorized responders to public social media postings. In addition, [Bus Unit A, Bus
Unit B, and Bus Unit C] are relying upon the corporate-wide employee social media usage guidelines
and are not actively managing this governance area at the business level. At this time, no
training program beyond distribution of written policy has been planned. The lack of impactful
training procedures for the entire workforce could lead to ignorance of expectations of proper
company representation and information protection by workforce members, with resulting breaches
of confidentiality in terms of company data and workplace issues.

Issue Impact Statement: Without training for all employees, [Bus Unit A, Bus Unit B, and Bus
Unit C] are at risk that negative publicity regarding business practices, whether true or not,
could cause a decline in the customer base, costly litigation, or revenue reductions.

Recommended Control Enhancements: Corporate Audit recommends that [Bus Unit A, Bus Unit B, and Bus
Unit C] implement a training program as soon as practical to ensure authorized employee awareness
of company social media policy, as well as general workforce training to more effectively
communicate enterprise-wide expectations with regard to employee personal use. Training should
also be established to ensure all employees understand what the organization is doing with social
media networking and the role each of them plays. Company position on monitoring of employee
postings should also be covered, if only to demonstrate that monitoring “can” occur as a right of
the company to review public postings that mention company matters. This should include how each
employee's personal interactions impact the company.

Management Response/Remediation Plan:

Remediation Implementation Date: All Remediation Implementation Dates should be set as the last
day in the month management has indicated the remediation will be completed (e.g. Month Day,
Year or Month Day, Year).

Remediation Owners:

Issue Number: 4
Issue Name: Crisis Management Communications
Priority Risk Rating: High
Impacts SOX Key Control(s)?: No
Key Control #: N/A

Issue Details: Corporate Audit noted that [Company] and its business units involved in social
media at the moment do not have a comprehensive crisis management communication plan that takes
advantage of social media channels through mechanisms such as preapproved posts to address crisis
situations.

Issue Impact Statement: Without a predefined crisis management communication plan, [Company] is at
risk that negative publicity regarding business practices, whether true or not, will be widely
communicated at viral speeds through social media channels. This negative publicity could cause a
decline in the customer base, costly litigation, revenue reductions, or a reduction in company
valuation.

Recommended Control Enhancements: Corporate Audit recommends that [Company] and its business units
implement a crisis management program as soon as practical to ensure that the business is prepared
to deal with any potential crisis management issues. The plan should include prewritten crisis
communication statements and authorized personnel to produce and post responses. Also, it is
important to include language within the plan that clearly states that employees cannot represent
the company as a spokesperson for the company without express permission.

Management Response/Remediation Plan:

Remediation Implementation Date: All Remediation Implementation Dates should be set as the last
day in the month management has indicated the remediation will be completed (e.g. Month Day,
Year or Month Day, Year).

Remediation Owners:

……………………………………………………………………………………….

If you should have any questions or comments regarding this report, please contact [Name, Phone or
Name, Phone].

CC:

Names, etc.

Note: The reference to appendices below should be deleted for general (e.g. [Company] Senior
Management) distributions.
Appendix A: AUDIT ISSUE MATRIX – Low Priority Issues
Appendix B: AUDIT CONCLUSION RATINGS


APPENDIX B
_____________________________________________________________________________________

AUDIT CONCLUSION RATINGS

Rating:                Rating Description:

Effective              No critical or high priority findings (Minor operational or financial
                       effects from moderate/low findings)

Generally Effective    No critical or high priority findings (Moderate operational and
                       financial effects from moderate/low findings)

Not Fully Effective    No critical priority findings (Moderate to high operational and
                       financial effects from high or moderate priority findings)

Not Effective          High financial and operational effects that require immediate
                       Management attention from critical or high priority findings

AUDIT FINDING GUIDANCE

Remediation Timeline:

Rating Priority*:   Attention Required By:             Develop Plan Within   Remediate Within

Critical            CEO/Management Committee Member    # Days                # Months
High                Senior Business Management         # Days                # Months
Moderate            Senior Business Management         # Days                # Months**

*Low priority issues are communicated to the appropriate business leader and the remediation
timeline is determined by that leader.
**Actual remediation timelines are developed based on the facts and circumstances of the
moderate issue(s).
