Page 1

W. Noel Haskins-Hafer
CISA, CISM, CGEIT, CRISC, CRMA, CFE, SCPM
Compliance Program Manager
Intuit Consumer Ecosystems Group
IIA Orange County / ISACA Orange County Spring Educational Conference
13 March, 2014

Page 2

Disclaimer

Unless otherwise specified, the views expressed in this presentation are my own, and not those of any other individual or individuals connected with my current or former employers.

All names, logos, and other outside material attributed to other sources remain the property of their respective copyright owners and are used here in accordance with the Fair Use doctrine.

Page 3

Agenda

• Social Media Defined
• Risks and Opportunities in Social Media
• Components of a Social Media Program
• Social Media Audit Best Practices
• The Imperative To Audit Social Media

Page 4

Assumptions

• Basic knowledge of tools and concepts of social media
• Understanding of auditing techniques and practices
• Recognition that no two audit programs are exactly alike

Page 5

Social Media Defined

The use of web-based and mobile technology to enable interactive communication between, across and about people, organizations and communities.

"Social media is about sociology and psychology more than technology."
Brian Solis, Principal of FutureWorks and author of Engage!

Page 6

Social Media Expectations

• Dialog
• Active contribution
• Viral distribution of content
• Customization of technologies and interfaces to suit the users

Social media is social because it works best when you are having a conversation.

Page 7

The Social Shift

Yesterday:
• Institutions, platforms, technology set the rules
• Structured
• Siloed
• One size fits all
• Passive audience
• Unilateral

Today:
• Users, communities and experiences rule
• Constantly changing
• Flexible
• Collaborative
• Engaged users
• Multilateral

Social Media is a fundamental shift in the way we communicate.

Adapted from Managing Social Media Risk (IIA-SF presentation, March 2012)


Page 9

Social Media Uses and Benefits

Brand / Sales / Service / Innovation / Recruit

• Build and maintain reputation
• Find and communicate with customers
• Increase customer loyalty
• Develop, market and promote products and services
• Increase productivity, creativity and innovation
• Recruit new employees and suppliers
• Build the team regardless of location
• Share knowledge
• Find funding

…Essentially, to improve processes and results

Adapted from Peter Scott and J. Mike Jacka, Auditing Social Media: A Governance and Risk Guide (Institute of Internal Auditors Research Foundation, 2011)

Page 10

The Social Media Program Challenge

"How to be sensible and prudent in managing the risks"
Lewis Segall, Sr. Corporate Counsel, Google
Shop Talk: Compliance Risks in New Data Technologies
Compliance Week, July 7, 2010

Page 11

Social Media Program Risks

• Average company polled experienced
  – 9 social media incidents in 12 months prior to the poll
  – 94% suffered negative consequences
  – Per company recovery costs were $4 million annually
• Top Risks
  – Employees sharing too much information in public forums (46%)
  – Loss or exposure of confidential or proprietary information (41%)
  – Embarrassment or damage to brand or reputation (40%)
  – Increased exposure to litigation (37%)
  – Malware (37%)
  – Violation of regulatory rules (36%)

Symantec Social Media Protection 2011 Flash Poll
www.slideshare.net/symantec/symantec-2011-social-media-protection-flash-poll-global-results

Page 12

Cost of SM Incidents

• Reduced stock price - $1,038,401
• Litigation costs - $650,361
• Direct financial cost - $641,993
• Damaged brand / trust - $638,496
• Lost Revenue - $619,360

Symantec Social Media Protection 2011 Flash Poll
www.slideshare.net/symantec/symantec-2011-social-media-protection-flash-poll-global-results

Page 13

You Make The News For…

• Not doing due diligence before launching social media campaigns
• Not creating and communicating social media policies
• Not managing social media as a core program
• Not monitoring the social media space appropriately
• Not building relationships instead of growing sales
• Not training employees on social media awareness
• Not complying with relevant laws and regulations
• And sometimes, for doing something right

Page 14

Audit Objective

To provide management with an independent assessment relating to the effectiveness of controls over the enterprise's social media policies, program and processes.

Adapted from Social Media Audit/Assurance Program (ISACA 2011)

Page 15

Key Areas to Audit

• Strategy
• Governance and compliance
• Processes, including
  – Internal and external policies and program execution
  – Metrics and monitoring
  – Third party relationship management
• People
  – Training and awareness
  – Recruiting and work force management

Page 16

Key Areas to Audit, continued

• Technology
  – Information systems operations
  – Network management
  – Third party management
  – Information security and privacy

Let's Get Started!

Page 17

Planning the Audit

• Understand the business and culture
• Determine the objectives, scope, model and placement of the social media program
• Identify key players, roles and responsibilities
• Inventory the social media projects
• Categorize and prioritize social media channels used
• Map out key interactions between departments and third parties
• Understand compliance requirements, including archiving

What should we look for?

Page 18

SM Strategy Best Practices

• Is led by an executive champion
• Provides direction for all stakeholders
• Defines social media program model
• Aligns with business objectives
• Aligns with organization's other strategies
• Identifies metrics to measure effectiveness
• Is pervasive and integrated throughout the business
• Defines target audiences and channels
• Is adequately funded and staffed

Page 19

SM Governance Audit Best Practices

• Defines appropriate policies for social media
• Establishes social media program oversight responsibility
  – Board-level awareness
  – Qualified program champion
  – Effective oversight for all social media use
  – Program monitoring and reporting
• Balances risks and opportunities
• Includes effective oversight for social media use
  – Management awareness and monitoring
  – Responses to social media events

Page 20

SM Compliance Best Practices

• Identifies all relevant laws and regulations
  – Local and global
  – PCI and other relevant standards
• Recognizes how social media increases compliance efforts
• Extends compliance, supervision and surveillance practices to interactive content
• Monitors social media use for violations
• Monitors compliance environment for potential changes related to social media
• Includes guidance for collecting and archiving social media content and activities (e-discovery)

Page 21

SM Policy Best Practices

• Aligns with business objectives, culture and core values
• Defines platforms, formats and tools used to support social media
  – Stakeholders
  – Social media initiatives, including crisis communication
• Outlines monitoring practices for social media conversations
  – Information collected
  – Competition monitoring
  – Reputational risk monitoring
• Defines management reporting
• Covers both internal and external constituencies
• Is vetted by key players throughout the organization

Page 22

Internal Social Media Policy

• Defines what workers and 3rd parties may and may not do, both professionally and personally
• Establishes workers' expectation of privacy
• Discloses what the organization will do
  – Monitor, curate, investigate, discipline, terminate
• Location expectations

Page 23

External Social Media Policy

• Discloses organization's sites and account names used
• Defines acceptable use and content on organization's online sites
• Discloses what the organization will do
  – Monitor, curate, investigate, litigate
  – Account and content banning
• Defines SLAs
  – Hours
  – Response time
  – Error correction

Page 24

Overlapping Policies

• These should incorporate social media
  – IT compliance policies and controls
  – Employee conduct
  – Harassment
  – Ethics
  – Confidentiality and IP
  – Third Party policies and agreements

Page 25

SM Policy Team

• Executive champion
• Marketing
• Public Relations
• Human Resources
• Information Technology and Security
• Product Development
• Customer Service
• Legal
• Risk Management

Page 26

SM Metrics Best Practices

• Provide insights into success and failure of social media activities
• Align with business objectives
• Are consistent across business units
• Are defined for each social media initiative
• Are both qualitative and quantitative measures
• Support regulatory compliance requirements
• Are shared with business units and social media champion

Social is measured in Relationship Building – Not in Units Sold

Page 27

Intuit HR Social Media Metrics

From "Social Media and the Talent Landscape: What HR Needs to Know about Social Media" (Manpower US, March 30, 2012)

Page 28

SM Monitoring Best Practices

• Encompasses active listening, monitoring and responding
• Includes processes and tools for monitoring communications
  – Keywords, topics and issues
  – Trend analysis and comparison
  – Competitive intelligence
• Gives customers an opportunity to provide insight and feedback
  – Uses those comments to improve products, services and processes
• Matches customers' preferred communication methods and styles
• Provides guidance for responding to issues
  – Social Media Triage Chart


Page 30

SM Third Party Management Best Practices

• Recognizes all relevant content may not be in control of the social media program
• Includes cross-functional review of contracts for social media relevance
• Provides guidance on how contracts and agreements affect organization's operations, risk and compliance positions
• Includes risk assessments for third parties
• Addresses organization's requirements for records retention

Page 31

What are SM users doing?

• 64% click on links even if they don't know where the links will take them
• >50% let friends access social networks on their computers
• 47% have been infected by malware
• 26% share files within the social network
• 21% accept contact offerings from strangers
• 20% have experienced identity theft

Page 32

SM Training Best Practices

• Required at least annually
• Offered enterprise-wide
• Incorporates awareness campaigns
• Includes additional training for core social media team
• Covers:
  – Social media roles, responsibilities and expectations
    – Especially for crisis communications
    – Level of representation for the company
  – Relevant policies and best practices
  – Social media rules of the road
  – Social engineering, security, privacy and data protection
  – Guidance for triaging and responding
    – Not every post needs an instantaneous response
    – Make sure legal and compliance processes are streamlined for SM

Page 33

SM Technical Best Practices

• Monitors for
  – Malware and viruses
  – Data leakage/theft
  – Owned systems (zombies)
  – System downtime
  – Recovery resources
  – Brand hijacking
  – Customer backlash/adverse legal reaction
  – Data exposure
  – Reputation
  – Targeted phishing

Page 34

More SM Technical Best Practices

• Documents how customer interactions are integrated with existing systems and databases
• Clearly defines interfaces with customer and third party systems
• Includes alerting tools for key topics, comments, commentators and sentiment of activity

Use the Best Practices to guide audit inquiry and testing.


Page 36

Overwhelmed?

• You can do this
• Standard audit concepts still rule
• Focus on balancing opportunities and risks
• Remember the social media uses and benefits
• Use Best Practices as template for audit inquiry and testing
• COSO still matters
• The same laws apply
• You will make a difference

Page 37

Questions & Responses

Page 38

Appendix

Page 39

References and Recommended Readings

• Peter Scott and J. Mike Jacka, Auditing Social Media: A Governance and Risk Guide (Institute of Internal Auditors Research Foundation, 2011)
• Social Media and the Talent Landscape: What HR Needs to Know about Social Media (Manpower US, March 30, 2012)
• Social Media Governance: An Ounce of Prevention (Gartner, December 17, 2010)
• Social Networking And Reputational Risk In The Workplace (Deloitte LLP, July 2009)
• Advocacy Drives Growth (London School of Economics, 2005)
• theultimatequestion.com (Bain & Company, 2006)
• Eric Qualman, Social Media Revolution 4 (http://www.youtube.com/watch?v=0eUeL3n7fDs)
• Social Media Starter Kit (manpowerblogs.com/toth)
• Compliance in the Age of Social Media (Compliance Week, November 2011)
• Social Media Audit/Assurance Program (ISACA, 2011)
• Social Media: Business Benefits and Security, Governance and Assurance Perspectives (ISACA, 2010)

Page 40

Resources, continued

• Social Media Triage Chart (http://www.socialfish.org/2010/11/social-media-response-triage.html)
• Managing Risk in a Social Media-Driven Society (Protiviti, 2011)
• Brian Solis & JESS3, The Conversation Prism (www.theconversationprism.com)
• Blog Assessment, Dell
• http://www.slideshare.net/hawk9698/social-media-comment-response-protocol
• http://www.slideshare.net/Dell/dell-outreach-in-the-blogosphere
• Social Media Risks and Mitigations (BITS The Financial Services Roundtable, June 2011)
• Managing Social Media Risk (IIA-San Francisco presentation, March 2012)
• http://www.mindflash.com/blog/2012/03/infographic-how-to-train-your-employees-to-handle-your-social-media/?view=mindflashgraphic
• http://socialmediavoice.com/2012/01/10-social-media-law-governance.html

Page 41

Social Media Policy Guidelines

• Tie to vision + code of conduct/ethics + handbook
• Set clear and reasonable expectations
• Define social media broadly
• Protect trade secrets
• Clarify who owns what
• Ban disparagement / harassment
• Respect copyrights
• Include NLRA disclaimer
• Impose duty to report violations
• Include consequences
• Enforce "up to and including discharge"

Page 42

Social Communications Policy Framework

• Who may participate in organization's Social Media program
• When and why to participate
• Guiding Principles
  – Disclose affiliations
  – Clearly state when you're talking for the company or yourself
  – Pay attention to tone of voice
  – Be aware of language usage and interpretation
  – Comply with Code of Conduct
  – Be accurate and honest
    – Awareness of potential to be held responsible for unsubstantiated or misleading claims and endorsements
    – Could include "liking" and "friending"
  – Don't disclose personal or confidential information
  – Think before posting
• Instructions for dealing with media, bloggers, and other outsiders

Page 43

Electronic Communications Policy Content

• Population covered by policy
• Equipment covered
  – Devices
  – Networks
• Guardrails for electronic communications
  – Professional, courteous, law-abiding
  – Protect confidential information
  – Expectation of privacy
  – Appropriate use of media and devices
• What organization may do
  – Monitor, block, modify, delete
  – When and under what circumstances
  – Filtering
• Protection of confidential information and trade secrets
  – Define confidential information
  – Check distribution lists for need to know
  – Be aware of international laws
  – Attorney Client Privilege considerations
  – Tie in with Code of Conduct, Non-Disclosure Agreement, Intellectual Property Agreements
• Consequences of non-compliance
• Responsibilities & Points of contact for additional information and guidance

Page 44

Social Media Content Best Practices

• Add value
• Conversational style
• Honesty and respect
• Transparency and disclosure
• Confidentiality / PII
• Ownership and property registration
• Endorsements and recommendations
• Boundaries of personal and professional use
• What you can and can't disclose

Page 45

Organizational Models

• Organic
  – Growth from several sources in the organization
  – Inconsistent user experience (reputational risk)
• Centralized
  – Social media managed from one department
  – Good for highly regulated industries
  – Risk: Social media becomes just another distribution point
• Coordinated
  – Multiple sources coordinated through a committee
  – Risk: information hoarding rather than enabler
• Hub and Spoke
  – Autonomous groups with guidelines for common experience
  – Good for organizations spanning cultures, languages and governments
  – Risk: costly, requires excellent intra-organizational communications
• Honeycomb
  – Requires organization to embrace social media as core to business
  – Everyone actively participates in social media
  – Risk: cultural commitment and extensive training and support

From Auditing Social Media: A Governance and Risk Guide, Peter R. Scott & J. Mike Jacka (Institute of Internal Auditors Research Foundation, 2011)


Page 47

http://www.slideshare.net/Dell/dell-outreach-in-the-blogosphere

Page 48

http://www.slideshare.net/hawk9698/social-media-comment-response-protocol

Page 49

Brand Awareness & Advocacy - Use

• Stakeholder education
• Community development
• Subject matter expertise
• Product sampling and reviews
• Advocacy development
• Promotions and contests
• Crisis communications
• Reputation management

Adapted from Evaluating Your Organization's Social Media Efforts (IIA Webinar series, October 2011)

Page 50

Brand Metrics

• Stakeholder Engagement
• Advocate Engagement
• Share of Voice
• Sentiment
• Fans & Follower Count
  – Common, but does not fully measure engagement

Adapted from Evaluating Your Organization's Social Media Efforts (IIA Webinar series, October 2011)

Page 51

Sales - Use

• Channel-only specials
• Lead generation
• E-commerce / F-commerce
• Profile updates
• Mobile promotions

Adapted from Evaluating Your Organization's Social Media Efforts (IIA Webinar series, October 2011)

Page 52

Sales - Metrics

• Leads generated
• Revenue from social media activities
• Customer Lifetime Value
• New customer acquisition
• Customer purchase patterns
  – Repeat business
  – Product patterns
  – Average purchase amount

Adapted from Evaluating Your Organization's Social Media Efforts (IIA Webinar series, October 2011)

Page 53

Customer Service - Use

• Customer problem resolution
• Chat
• Community or P2P service

Adapted from Evaluating Your Organization's Social Media Efforts (IIA Webinar series, October 2011)

Page 54

Customer Service - Metrics

• Issue submission percentage
• Issue resolution rate
• Issue resolution time
• Financial Impact
• Customer satisfaction rate
• Advocate engagement rate and sentiment
• Peer-to-Peer interaction and voice

Evaluating Your Organization's Social Media Efforts (IIA Webinar series, October 2011)

Page 55

Innovation - Use

• Idea sourcing
• Competitive Intelligence
• Feedback
• Co-creation

Adapted from Evaluating Your Organization's Social Media Efforts (IIA Webinar series, October 2011)

Page 56

Innovation - Metrics

• Issues reported
• Number of conversations
• Ideas submitted
• Idea and Issue Impact
• Financial impact

Evaluating Your Organization's Social Media Efforts (IIA Webinar series, October 2011)

Page 57

Recruitment - Use

• Employee empowerment
• Organizational culture
• Organizational insights
• Candidate identification and nurturing
• Employee alumni

Adapted from Evaluating Your Organization's Social Media Efforts (IIA Webinar series, October 2011)

Page 58

Recruitment - Metrics

• Potential candidate engagement
• New hire rate
• Social Media-sourced employee retention rate
• Financial impact of recruiting through social media
• Employee sentiment
• Employee reach, influence and impact

Evaluating Your Organization's Social Media Efforts (IIA Webinar series, October 2011)

Page 59: W. Noel Haskins-Hafer CISA, CISM, CGEIT, CRISC, … County/IIA OC...W. Noel Haskins-Hafer CISA, CISM, CGEIT, CRISC, CRMA, CFE, SCPM Compliance Program Manager Intuit Consumer Ecosystems

Social Media Governance

• Strategy
  – Review the social media strategy, program goals, and organization model.
  – Assess if these have been formalized and communicated to all relevant teams.
  – Evaluate alignment of the strategy with company goals.
• Policy
  – Review the social media policy and confirm that elements related to disclosure, ethics, community and privacy are included.
  – Identify gaps and test awareness of the policy.
• Roadmap
  – Assess the adequacy of the social media roadmap, including if it is global / localized and whether short-term and long-term program milestones have been defined.
• Team Structure
  – Assess if roles of key owners and stakeholders in the social media program are defined and clearly communicated (e.g. executive sponsorship, communications / PR, employees, Legal, IT, Support, R&D, Product, etc).

59

Managing Social Media Risk (IIA-SF presentation, March 2012)


Preparedness and Response

• Customer Profiles and Market Analyses:
  – Review customer profiles and market analyses.
  – Evaluate whether all products are covered and the appropriate target customers have been identified, including the desired relationship and engagement model.
• Tools and Analytics:
  – Understand how customer interactions via social media are integrated with internal infrastructure (databases, systems, processes).
  – Assess the process and tools for identifying key topics, comments, commentators, and sentiment from website activity.
  – Evaluate KPIs and metrics against best practices, and the alignment of metrics with the social media strategy.
• Processes:
  – Test the policies and procedures to verify messaging is consistent with the social media strategy / plan.
  – Review and test policies, processes and procedures used for triage, crisis response, intake and response to customer insights.
  – Understand how customer insights are monitored, tracked, and shared with relevant teams (product marketing, R&D, Support, etc) for action.

60

Managing Social Media Risk (IIA-SF presentation, March 2012)


Training and Education

• Education
  – Evaluate the types of training programs implemented to share best practices and rules of the road within the social media team.
  – Understand how social media best practices are shared cross-functionally with other functions in the organization, such as recruiting, sales, product, etc.

Compliance

• Monitoring and Compliance
  – Understand whether compliance with the social media policy is monitored both internally and externally.
  – Perform procedures to test compliance with the social media policy within selected social media tools.

61

Managing Social Media Risk (IIA-SF presentation, March 2012)


Training Best Practice Examples

• Intel’s Digital IQ program
  – Beginning: Raise awareness of social media policy
  – Now: 60 online courses
  – 6,000 employees completed 2,000 courses
  – Rebecca Brown, Director of social media strategy, Intel
  – Monthly newsletter
    – Program updates
    – Best practices
    – Updates from Social Media Professionals
• Coca Cola
  – Employees may participate freely after taking a certification program
• Best Buy
  – Twelpforce volunteers must be trained before becoming an agent

62


HR Laws in Social Media

• Discrimination
• National Labor Relations Act
• Fair Credit Reporting Act (FCRA)
• Genetic Information Nondiscrimination Act (GINA)
• Negligent hiring
• Off-duty conduct
• Arrest records
• Background check information
• Ultimate test: Is it job related?

Adapted from “Social Media and the Talent Landscape: What HR Needs to Know about Social Media” (Manpower US March 30, 2012)

63


HR Stay out of Court Basics

• Know the law
• Adopt and consistently enforce a reasonable policy
• Consider social media and employment agreements
  – Who owns terminated employees’ followers? (PhoneDog.com)
• Limit the number of searchers, managers, and 3rd Parties
• Maintain segregation of duties for search and hiring
• Train searchers and managers
• Make sure they understand the value of maintaining good documentation

Adapted from “Social Media and the Talent Landscape: What HR Needs to Know about Social Media” (Manpower US March 30, 2012)

64


Suggested COBIT v4.1 Processes

PO1 – Define a strategic IT plan
PO2 – Define the information architecture
PO4 – Define the IT processes, organization and relationships
PO6 – Communicate management aims and directions
PO7 – Manage IT human resources
PO9 – Assess and manage IT risks
DS2 – Manage third party services
DS5 – Ensure systems security
DS8 – Manage service desk and incidents
DS7 – Educate and train users
ME3 – Ensure compliance with external requirements
ME4 – Provide IT governance

65

Derived from Social Media Audit/Assurance Program (ISACA 2011)