well as compliancy with firm branding standards. This document has been provided for reference
purposes only. Every slide in this document must be modified and tailored to your client’s
specific needs and objectives, and reapproved by the Partner and GB&RC as per formal approval
processes. The materials contained within the document may have come from a different
member firm and may not have relevance, or may have a different meaning, in your jurisdiction.
AUDIT REPORT
Date: Mo/Da/Yr
[Name]
EVP Corporate Affair, P&E Policy
Social Media
Executive Summary
Corporate Audit performed an assessment of the key controls surrounding Social Media. The assessment
was conducted as part of Corporate Audit's [Year] risk based audit. Our objective was to assess the
design effectiveness of the key procedures and controls relating to these processes. We did not
specifically test to determine if the controls were working as designed.
- Assessment of the maturity of the social media strategy developed by [Business Unit A],
  [Business Unit B] and [Business Unit C] and identification of opportunities for consolidation
  and cooperation;
- Review of the policies and guidelines for completeness with regard to corporate and personal
  use of social media, and determination of how effectively the policies are communicated to
  stakeholders;
- Evaluation of training opportunities considered for deployment with regard to the understanding
  of social media policies and guidelines;
- Evaluation of the use of monitoring tools for social media activity; and
- Assessment of the protocols under development for issue and incident management, possible
  integration with policies and training materials, as well as an assessment of the effectiveness
  of responses to mitigate risk of reputational damage.
The results of our audit indicated that the design of the general control environment within the [Business
Unit A], [Business Unit B] and [Business Unit C] Social Media processes, which includes those activities
necessary to provide reasonable assurance that risks are being managed and objectives are met, is Not
Fully Effective.
Corporate Audit noted 3 issues as detailed below. Management should make implementation of the
recommended control enhancements a priority in order to mitigate future potential errors.
The aforementioned high priority risk rated issues need to be communicated to the Audit Committee. The
next Audit Committee meeting will be held on [Month Day, Year], and at that time the business process
owner needs to be prepared to discuss how the issue will be addressed.
Background
As the use of Social Media has grown, businesses have become increasingly concerned regarding risks
related to the use of these rapidly evolving tools. Accordingly, the Corporate Audit Department
conducted an enterprise-wide risk based audit of [Company]’s Social Media function.
CONFIDENTIAL
The audit team was informed that there are # social media pages for [Business Unit A], [Business Unit B]
and [Business Unit C] related to LinkedIn, Twitter, YouTube, Facebook, Flickr, MySpace and internally
developed blogs. Furthermore, it was reported via the monitoring site www.socialmention.com that
during the 30 days leading to [Month Day, Year], [Company] had been mentioned # times in social media
channels, such as Twitter, Google blogs and Yahoo. In other words, for the last month [Company] has
been mentioned in a social media channel an average of once every # hour(s).
Below is a chart that identifies the number of Social Media pages associated with each Business Unit
Through our review, we completed detailed process documentation of the Social Media process as it
pertains to posting and monitoring posts. This process documentation has been provided to management
to assist audit dialogue with the various stakeholders as they considered draft audit findings on their
social media program.
Audit Procedures
Our procedures were primarily comprised of:
- Interviewing key personnel to gain an understanding of the current business processes;
- Reviewing relevant [Business Unit A], [Business Unit B] and [Business Unit C] Social Media
  documentation;
- Identifying risks inherent in the Social Media process;
- Identifying corresponding controls to mitigate the risks identified; and
- Developing flowcharts to refine our understanding of the Social Media process of posting and
  monitoring posts.
Audit Issues
Issue Number: 1
Issue Name: A comprehensive social media plan including strategy, objectives, organizational
structure, policy and procedures has not been defined.
Priority Risk Rating: High
Impacts SOX Key Control(s)?: No
Key Control #: N/A
Issue Details: Corporate Audit noted that [Bus Unit B and Bus Unit C] can speak to informal
procedures around proactive, responsive and employee posting. However, there
is no finalized social media plan that defines the strategy, objectives,
organizational structure and policy and procedures. Without a finalized plan the
social media initiative lacks structure and governance. The current informal
procedures lack credibility and enforcement.
Issue Impact Statement: Without a documented Social Media Plan, [Bus Unit B and Bus Unit C] could be
susceptible to a negative reputation leading to a financial loss or valuation reduction.
Recommended Control Enhancements: If [Bus Unit B and Bus Unit C] intend to continue use of social
media, they should then create a comprehensive Social Media plan that includes the following
best practice components:
1) Strategy and Business Objective - [Bus Unit B and Bus Unit C] should
identify, finalize and document its business objectives within the Social
Media plan. There can be various objectives in using social media. The
objectives can include increase in revenue, customer satisfaction,
recruiting and retaining best talent, product development and innovation,
enhancing brand awareness and perception. Once the objective is
established, the social media strategy should give direction in attaining
that objective. It is critical that the strategy is aligned with the business
objectives.
opinions.
c) Engagement Protocols- The primary goal of the social media
engagement should be to better connect with stakeholders by
providing information and assistance with issues, increasing
response time to customers, and improving and building
relationships. To effectively deliver its messages and counter
potential, far-reaching negative attacks, [Bus Unit B and Bus Unit
C] should engage stakeholders in social media communities and
networks that are relevant to its mission and activities, and
proactively distribute information that both reinforces core messages
and provides important, up-to-date information to stakeholders.
Also, there should be a team that manages the metrics associated with
social media. Commonly used metrics include:
a) Stakeholder engagement- Include a number of comments,
bookmarks, images, pictures and videos that mention the business
unit in some fashion.
b) Issue submission percentage- The percentage of issues submitted
using social media channels compared to total number of issues
from all channels.
c) External Customer engagement- How much customers are
discussing the service level provided through their social media
networks. This should be measured in relation to sentiment, influence,
and reach to gauge the net impact.
d) Issues reported and number of conversations- The number of issues
reported, the number that led to discussions, and the number upon
which the organization acted.
Management Response/Remediation Plan:
Remediation Implementation Date: All Remediation Implementation Dates should be set as the last day
in the month management has indicated the remediation will be completed (e.g. Month Day,
Year or Month Day, Year)
Remediation Owners:
Issue Number: 4
Issue Name: Crisis Management Communications
Priority Risk Rating: High
Impacts SOX Key Control(s)?: No
Key Control #: N/A
Issue Details: Corporate Audit noted that [Company] and its business units involved in social
media at the moment do not have a comprehensive crisis management
communication plan that takes advantage of social media channels through
mechanisms such as preapproved posts to address crisis situations.
Issue Impact Statement: Without a predefined crisis management communication plan, [Company] is at
risk that negative publicity regarding business practices, whether true or not, will
be widely communicated at viral speeds through social media channels. This
negative publicity could cause a decline in the customer base, costly litigation,
revenue reductions, or a reduced company valuation.
Recommended Control Enhancements: Corporate Audit recommends that [Company] and its business units
implement a crisis management program as soon as practical to ensure that the business is
prepared to deal with any potential crisis management issues. The plan should
include prewritten crisis communication statements and authorized personnel to
produce and post responses. Also, it is important to include language within the
plan that clearly states that employees cannot represent the company as a
spokesperson for the company without express permission.
Management Response/Remediation Plan:
Remediation Implementation Date: All Remediation Implementation Dates should be set as the last day
in the month management has indicated the remediation will be completed (e.g. Month Day,
Year or Month Day, Year).
Remediation Owners:
……………………………………………………………………………………….
If you should have any questions or comments regarding this report, please contact [Name, Phone or
Name, Phone].
CC: Names, etc.
Note: The reference to appendices below should be deleted for general (e.g. [Company] Senior
Management) distributions.
Appendix A: AUDIT ISSUE MATRIX – Low Priority Issues
Appendix B: AUDIT CONCLUSION RATINGS
APPENDIX B
_____________________________________________________________________________________
Remediation Timeline:
*Low priority issues are communicated to the appropriate business leader and the remediation
timeline is determined by that leader.
**Actual remediation timelines are developed based on the facts and circumstances of the
moderate issue(s).