How to get executives smiling about social media

9 November, 2012 - 11:09
Internal audit consultant Andrew Riley presents helpful top tips on how to wow your organisation's regulatory team over social media.

By Andrew Riley

When it comes to swaying the higher-ups to implement social media, it’s critical to make friends with all the right people. These include your company’s Head of Internal Audit, Director of Compliance, Head of Finance, Non-executive directors, Chief Information Officer and the Chief Audit Executive.

To build up a friendship, you need to understand how these people think, what they do during the day to enable them to sleep at night, and what their vision is for the organisation. The concepts of 'risk', 'creating value' and 'protecting value' are very real to them. By applying these concepts to your work in social media you can win them over to new ways of working.

Below is a plan to influence your Head of Internal Audit. It is designed to help you operate like a risk taker while demonstrating your ability to create new value through greater use of social media. From that position, you can work with your new colleague, the Head of Internal Audit, to influence the Board and others in charge of keeping the regulators and law makers happy.

What is the Board's appetite for risk?

All organizations take on risk to do business. They do it to make a profit or to offer a service. Every Board has to set a limit on the amount of risk it will accept in doing something before it takes action to reduce that risk to an acceptable level. There is a balance to strike between innovation (such as introducing social media) and never making a change. The Head of Internal Audit will know what the business appetite for risk is overall.

Read your organization's risk register

Project managers started using risk registers long ago to assess whether a project was likely to fail or succeed. The idea has since caught on with Corporate Governance regulators, who now consider it essential for a Board of Directors to have one and to review it regularly. The register will be a table of strategic objectives, the key risks of what could go wrong and the controls in place either to prevent things going wrong or to put them right when they do. Each risk in the register is usually colored green, amber or red depending on how serious the risk is.

The risk register is usually a classified item so expect a bit of resistance when it comes to reading it in its entirety. However, what you do get to see will be helpful in understanding how risks concerning social media can be assessed, expressed and controlled.

Read your organisation's business strategy

The Board has to allocate resources to areas of the business that achieve its goals. It will have two key objectives:

1. Protect existing value of business

2. Create new value through new business

Linking the use of social media to both value protection and value creation will allow resources to be put in place and the risk levels needed in your updated register to be evaluated.

Be wise about risks

Heads of Internal Audit admire individuals who know the necessary details as well as the big strategic picture. You can become a trusted advisor through researching definitions, law and best practice for social media. For instance, Heads of Internal Audit would appreciate a solid definition of social media such as: "online platforms, tools or technologies for users to connect, interact, network, generate content and share information."

Key risks of social media to highlight are:

• An employee breaking the law by blogging, posting or tweeting and making the employer legally liable by defamation, harassment, discrimination, or breach of copyright

• Data leakage

• Introducing viruses

• Loss of employee productivity

• Employer breaching employee privacy by the way it reviews social media postings

Financial regulatory authorities will usually require copies to be kept of all customer correspondence, and this would include social media.

You could also impress by fitting the risks you find into different categories such as HR, legal, business development, IT, operational and governance.

Suggest answers

Knowing control procedures that can reduce risk will win you admiration. Examples for employers are:

• Have a clear policy on what is acceptable and review regularly

• Communicate this policy to all employees in their contract of employment

• Make clear the employer's rights to follow disciplinary procedures

Keep up-to-date

Read what your Head of Internal Audit reads to keep ahead in this fast-moving area. Various professional bodies are issuing useful guidelines. Each country will have websites for an Information Commission, Regulator, Employment Law, Internal Audit, Society for Computer and Law, Company Secretaries, and Accountants. Examples include Internal Auditor, published by the IIA, which was a useful source of information for the United Nations.

UN Case Study

In 2011 the United Nations (U.N.) reviewed the use of internet publishing and social media. The internal audit objective was “to assess whether the Secretariat effectively implemented adequate risk management of internet publishing and social media.” Areas looked at included the registration of domains, the creation of different channels and pages of social media sites, and the review, approval, and management of posting rights. International standards and practices were also looked at, as was the use of social media throughout the organization. An internal controls questionnaire went out to over 20 offices on usage of social media and internet publishing.

Audit findings highlighted a number of problems. There was governance risk due to a lack of clear policies, and more guidelines were needed for the use of copyrighted content. Operational risks were also high because of the wide-ranging nature of the terms of agreement for use of internet and social media services, which could lead to breaches of data privacy and to inaccurate data being posted online, all of which could damage the UN’s reputation. Control procedures to reduce these risks are currently underway.

Additional top tips:

Tell a good story

A couple of quips for the Head of Internal Audit to quote will go down well. One recent UK court case dealt with a posting on Facebook that started with "I think I work in a nursery and I do not mean working with plants..."

Spit facts

Spitting is allowed in the boardroom – if it’s facts and figures. Here’s one for you – in a February 2012 survey conducted by the IIA (Institute of Internal Auditors in the USA), only 29% said their organization had a formal media strategy.

Get cosy with COSO

…and other related audit words. Internal Auditors use these verbs every day: Identify, Assess, Align, Integrate, Control, Implement, Mitigate, and Review. You should say things such as “I want to help identify social media risks and implement controls to mitigate and align social media objectives with business strategy." Many of these are a result of the COSO Framework that started in 1985 to address fraud in companies.

Help out

You’ve got information others need to know about. Why not put WordPress, Tumblr, Flickr, Foursquare, Yelp, Pinterest - along with Facebook and Twitter - into an easy-to-read glossary for the Head of Internal Audit to show off to his/her team? This will give them an awareness of what’s happening in the social media space and give them some high factor street credibility.

Other food for thought:

An employee internal controls questionnaire is lifeblood for some auditors. Use your skills to help make it clearer and simpler.

Employer social media policies must be clearly communicated. Offer your professional skills to the Head of Internal Audit/Compliance and you will get to understand better how People and Process risks are managed.

Eat beans regularly

Auditors and accountants don’t just count beans – they eat them too. Meet up for lunch to find out how the risk assessment is going, and update the Head of Internal Audit with new trends and facts and figures.

Be strategic

Above all else, think strategically as you would for any other communication initiative in your organization to get the results you need and to put that smile on executives' faces.


About Andrew Riley

Andrew Riley is an independent chartered accountant specializing in assurance reporting and communications.


You can follow his blog on and via Twitter on @assurance2021. Contact him at [email protected].
