
W. Noel Haskins-Hafer CISA, CISM, CGEIT, CRISC, CRMA, CFE, SCPM
Compliance Program Manager
Intuit Consumer Ecosystems Group
IIA Orange County / ISACA Orange County Spring Educational Conference
13 March, 2014





Disclaimer

Unless otherwise specified, the views expressed in this presentation are my own, and not those of any other individual or individuals connected with my current or former employers.

All names, logos, and other outside material attributed to other sources remain the property of their respective copyright owners and are used here in accordance with the Fair Use doctrine.



• Social Media Defined
• Risks and Opportunities in Social Media
• Components of a Social Media Program
• Social Media Audit Best Practices
• The Imperative To Audit Social Media



• Basic knowledge of tools and concepts of social media
• Understanding of auditing techniques and practices
• Recognition that no two audit programs are exactly alike


Social Media Defined

The use of web-based and mobile technology to enable interactive communication between, across and about people, organizations and

“Social media is about sociology and psychology more than technology”
Brian Solis, Principal of FutureWorks and author of Engage!

Social Media Expectations

• Active contribution
• Viral distribution of content
• Customization of technologies and interfaces to suit the users

Social media is social because it works best when you are having a conversation

The Social Shift

Yesterday
• Institutions, platforms, technology set the rules
• Structured
• Siloed
• One size fits all
• Passive audience
• Unilateral

Today
• Users, communities and experiences rule
• Constantly changing
• Flexible
• Collaborative
• Engaged users
• Multilateral

Social Media is a fundamental shift in the way we

Adapted from Managing Social Media Risk (IIA-SF presentation, March 2012)


Social Media Uses and Benefits

• Build and maintain reputation
• Find and communicate with customers
• Increase customer loyalty
• Develop, market and promote products and
• Increase productivity, creativity and
• Recruit new employees and suppliers
• Build the team regardless of location
• Share knowledge
• Find funding

…Essentially, to improve processes and results

Adapted from Peter Scott and J. Mike Jacka, Auditing Social Media: A Governance and Risk Guide (Institute of Internal Auditors Research Foundation, 2011)

The Social Media Program Challenge

How to be sensible and prudent in managing the risks

Lewis Segall, Sr. Corporate Counsel, Google
Shop Talk: Compliance Risks in New Data Technologies, Compliance Week, July 7, 2010


Social Media Program Risks

• Average company polled experienced
  – 9 social media incidents in 12 months prior to the poll
  – 94% suffered negative consequences
  – Per company recovery costs were $4 million annually
• Top Risks
  – Employees sharing too much information in public forums (46%)
  – Loss or exposure of confidential or proprietary information (41%)
  – Embarrassment or damage to brand or reputation (40%)
  – Increased exposure to litigation (37%)
  – Malware (37%)
  – Violation of regulatory rules (36%)

Symantec Social Media Protection 2011 Flash Poll



Cost of SM Incidents

• Reduced stock price - $1,038,401
• Litigation costs - $650,361
• Direct financial cost - $641,993
• Damaged brand / trust - $638,496
• Lost Revenue - $619,360

Symantec Social Media Protection 2011 Flash Poll, www.slideshare.net/symantec/symantec-2011-social-media-


You Make The News For…

• Not doing due diligence before launching social media
• Not creating and communicating social media policies
• Not managing social media as a core program
• Not monitoring the social media space appropriately
• Not building relationships instead of growing sales
• Not training employees on social media awareness
• Not complying with relevant laws and regulations
• And sometimes, for doing something right


Audit Objective

To provide management with an independent assessment relating to the effectiveness of controls over the enterprise’s social media policies, program and processes

Adapted from Social Media Audit/Assurance Program (ISACA 2011)


Key Areas to Audit

• Strategy
• Governance and compliance
• Processes, including
  – Internal and external policies and program execution
  – Metrics and monitoring
  – Third party relationship management
• People
  – Training and awareness
  – Recruiting and work force management

Key Areas to Audit, continued

• Technology
  – Information systems operations
  – Network management
  – Third party management
  – Information security and privacy


Let’s Get Started!

Planning the Audit

• Understand the business and culture
• Determine the objectives, scope, model and placement of the social media program
• Identify key players, roles and responsibilities
• Inventory the social media projects
• Categorize and prioritize social media channels used
• Map out key interactions between departments and third
• Understand compliance requirements, including archiving


What should we look for?

SM Strategy Best Practices

• Is led by an executive champion
• Provides direction for all stakeholders
• Defines social media program model
• Aligns with business objectives
• Aligns with organization’s other strategies
• Identifies metrics to measure effectiveness
• Is pervasive and integrated throughout the business
• Defines target audiences and channels
• Is adequately funded and staffed


SM Governance Audit Best Practices

• Defines appropriate policies for social media
• Establishes social media program oversight responsibility
  – Board-level awareness
  – Qualified program champion
  – Effective oversight for all social media use
  – Program monitoring and reporting
• Balances risks and opportunities
• Includes effective oversight for social media use
  – Management awareness and monitoring
  – Responses to social media events


SM Compliance Best Practices

• Identifies all relevant laws and regulations
  – Local and global
  – PCI and other relevant standards
• Recognizes how social media increases compliance efforts
• Extends compliance, supervision and surveillance practices to interactive content
• Monitors social media use for violations
• Monitors compliance environment for potential changes related to social media
• Includes guidance for collecting and archiving social media content and activities (e-discovery)


SM Policy Best Practices

• Aligns with business objectives, culture and core values
• Defines platforms, formats and tools used to support social media
  – Stakeholders
  – Social media initiatives, including crisis communication
• Outlines monitoring practices for social media conversations
  – Information collected
  – Competition monitoring
  – Reputational risk monitoring
• Defines management reporting
• Covers both internal and external constituencies
• Is vetted by key players throughout the organization


Internal Social Media Policy

• Defines what workers and 3rd parties may and may not do, both professionally and personally
• Establishes workers’ expectation of privacy
• Discloses what the organization will do
  – Monitor, curate, investigate, discipline, terminate
• Location expectations


External Social Media Policy

• Discloses organization’s sites and account names used
• Defines acceptable use and content on organization’s online
• Discloses what the organization will do
  – Monitor, curate, investigate, litigate
  – Account and content banning
• Defines SLAs
  – Hours
  – Response time
  – Error correction


Overlapping Policies

• These should incorporate social media
  – IT compliance policies and controls
  – Employee conduct
  – Harassment
  – Ethics
  – Confidentiality and IP
  – Third Party policies and agreements


SM Policy Team

• Executive champion
• Marketing
• Public Relations
• Human Resources
• Information Technology and Security
• Product Development
• Customer Service
• Legal
• Risk Management


SM Metrics Best Practices

• Provide insights into success and failure of social media
• Align with business objectives
• Are consistent across business units
• Are defined for each social media initiative
• Are both qualitative and quantitative measures
• Support regulatory compliance requirements
• Are shared with business units and social media

Social is measured in Relationship Building – Not in Units Sold

Intuit HR Social Media Metrics

from “Social Media and the Talent Landscape: What HR Needs to Know about Social Media” (Manpower US, March 30, 2012)

SM Monitoring Best Practices

• Encompasses active listening, monitoring and responding
• Includes processes and tools for monitoring communications
  – Keywords, topics and issues
  – Trend analysis and comparison
  – Competitive intelligence
• Gives customers an opportunity to provide insight and feedback
  – Uses those comments to improve products, services and processes
• Matches customers’ preferred communication methods and styles
• Provides guidance for responding to issues
  – Social Media Triage Chart



SM Third Party Management Best Practices

• Recognizes all relevant content may not be in control of the social media program
• Includes cross-functional review of contracts for social media relevance
• Provides guidance on how contracts and agreements affect organization’s operations, risk and compliance
• Includes risk assessments for third parties
• Addresses organization’s requirements for records


What are SM users doing?

• 64% click on links even if they don’t know where the links will take them
• >50% let friends access social networks on their
• 47% have been infected by malware
• 26% share files within the social network
• 21% accept contact offerings from strangers
• 20% have experienced identity theft


SM Training Best Practices

• Required at least annually
• Offered enterprise-wide
• Incorporates awareness campaigns
• Includes additional training for core social media team
• Covers:
  – Social media roles, responsibilities and expectations
  – Especially for crisis communications
  – Level of representation for the company
  – Relevant policies and best practices
  – Social media rules of the road
  – Social engineering, security, privacy and data protection
  – Guidance for triaging and responding
    – Not every post needs an instantaneous response
    – Make sure legal and compliance processes are streamlined for SM


SM Technical Best Practices

• Monitors for
  – Malware and viruses
  – Data leakage/theft
  – Owned (compromised) systems (zombies)
  – System downtime
  – Recovery resources
  – Brand hijacking
  – Customer backlash/adverse legal reaction
  – Data exposure
  – Reputation
  – Targeted phishing


More SM Technical Best Practices

• Documents how customer interactions are integrated with existing systems and databases
• Clearly defines interfaces with customer and third party
• Includes alerting tools for key topics, comments, commentators and sentiment of activity
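The monitoring targets named under SM Monitoring Best Practices (keywords, topics and issues) and the two SM Technical Best Practices slides (data leakage, brand hijacking, targeted phishing, alerting on key topics) are easier to audit when the controls are concrete. The following is an added example written for this page, not code from the presentation or from Intuit: a small Python pass that applies those detectors to a batch of posts. The brand label `examplebank`, the approved hosts, the alert keywords and the sample posts are all constructed assumptions for the demonstration; the AWS key in the sample is the published documentation example, not a live credential.

```python
"""Social-media monitoring pass covering three detection targets from the
slides: data leakage in public posts, brand hijacking / targeted-phishing
links, and keyword alerting on topics of concern.

Added example written for this page; not Intuit's or any vendor's tooling.
BRAND, APPROVED_HOSTS, ALERT_KEYWORDS and SAMPLE_POSTS are assumptions.
"""
import re
from typing import Dict, List, Optional, Tuple
from urllib.parse import urlparse

BRAND = "examplebank"                                         # assumed brand label
APPROVED_HOSTS = {"examplebank.com", "help.examplebank.com"}   # assumed official hosts
ALERT_KEYWORDS = {"outage", "breach", "lawsuit", "refund"}     # assumed topics to escalate

# Patterns for things that should never appear in a public post.
EMAIL_RE = re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b")
AWS_KEY_RE = re.compile(r"\bAKIA[0-9A-Z]{16}\b")               # AWS access key id format
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,19}\b")                 # candidate card numbers
URL_RE = re.compile(r"https?://[^\s)>\"']+")

Finding = Tuple[str, str]   # (category, detail)


def luhn_ok(digits: str) -> bool:
    """Luhn checksum, so order or ticket numbers are not reported as cards."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                       # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; used to spot typosquats of the brand label."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_link(url: str) -> Optional[str]:
    """Label a link that points off the approved hosts, or None if it is approved."""
    host = (urlparse(url).hostname or "").lower()
    if host in APPROVED_HOSTS:
        return None
    if BRAND in host:                        # e.g. examplebank-login.net: brand used to look official
        return f"brand hijacking: lookalike host {host}"
    parts = host.split(".")
    label = parts[-2] if len(parts) >= 2 else host
    if 0 < edit_distance(label, BRAND) <= 2: # e.g. examp1ebank.com
        return f"targeted phishing: typosquat host {host}"
    return f"unapproved link: {host}"


def scan_post(text: str) -> List[Finding]:
    """Run every detector over one post and return the findings."""
    findings: List[Finding] = []
    for addr in EMAIL_RE.findall(text):
        findings.append(("data leakage", f"email address {addr}"))
    for key in AWS_KEY_RE.findall(text):
        findings.append(("data leakage", f"AWS access key id {key[:8]}..."))
    for cand in CARD_RE.findall(text):
        digits = re.sub(r"\D", "", cand)
        if luhn_ok(digits):
            findings.append(("data leakage", f"card number ending {digits[-4:]}"))
    for url in URL_RE.findall(text):
        label = classify_link(url)
        if label:
            findings.append(("link", label))
    hits = sorted(k for k in ALERT_KEYWORDS if re.search(rf"\b{k}\b", text, re.I))
    if hits:
        findings.append(("keyword alert", ", ".join(hits)))
    return findings


def scan_posts(posts: List[Tuple[str, str]]) -> Dict[str, List[Finding]]:
    """Map each author to the findings for their post (one post per author here)."""
    return {author: scan_post(text) for author, text in posts}


# Constructed sample posts for the demo (not real accounts or data).
SAMPLE_POSTS = [
    ("@support_bot", "Thanks for reaching out! Reset your password at https://help.examplebank.com/reset"),
    ("@angry_customer", "Your app is down AGAIN. Total outage, is this a breach??"),
    ("@new_hire_dev", "Debugging prod, key is AKIAIOSFODNN7EXAMPLE, ping me at dev@examplebank.com"),
    ("@examplebank_help", "Verify your account now at http://examp1ebank.com/verify"),
    ("@customer2", "paid with 4111 1111 1111 1111 and still got charged twice, I want a refund"),
]

if __name__ == "__main__":
    for author, findings in scan_posts(SAMPLE_POSTS).items():
        print(author, findings or "clean")
```

An auditor testing the “monitors for” controls can ask for the equivalent rule set in the organization’s listening tool and push a few seeded posts like these through it. The Luhn check and the edit-distance test exist to keep false positives (order numbers, unrelated domains) from burying the real hits; an alert feed nobody reads is not a control.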


Use the Best Practices to guide audit inquiry and



Overwhelmed?

• You can do this
• Standard audit concepts still rule
• Focus on balancing opportunities and risks
• Remember the social media uses and benefits
• Use Best Practices as template for audit inquiry and testing
• COSO still matters
• The same laws apply
• You will make a difference


Questions & Responses




References and Recommended Readings

• Peter Scott and J. Mike Jacka, Auditing Social Media: A Governance and Risk Guide (Institute of Internal Auditors Research Foundation, 2011)
• Social Media and the Talent Landscape: What HR Needs to Know about Social Media (Manpower US, March 30, 2012)
• Social Media Governance: An Ounce of Prevention (Gartner, December 17, 2010)
• Social Networking And Reputational Risk In The Workplace (Deloitte LLP, July 2009)
• Advocacy Drives Growth (London School of Economics, 2005)
• theultimatequestion.com (Bain & Company, 2006)
• Erik Qualman, Social Media Revolution 4
• Social Media Starter Kit (manpowerblogs.com/toth)
• Compliance in the Age of Social Media (Compliance Week, November 2011)
• Social Media Audit/Assurance Program (ISACA, 2011)
• Social Media: Business Benefits and Security, Governance and Assurance Perspectives (ISACA, 2010)

Resources, continued

• Social Media Triage Chart (http://www.socialfish.org/2010/11/social-media-response-triage.html)
• Managing Risk in a Social Media-Driven Society (Protiviti, 2011)
• Brian Solis & JESS3, The Conversation Prism (www.theconversationprism.com)
• Blog Assessment, Dell
• http://www.slideshare.net/hawk9698/social-media-comment-response-protocol
• http://www.slideshare.net/Dell/dell-outreach-in-the-blogosphere
• Social Media Risks and Mitigations (BITS, The Financial Services Roundtable, June 2011)
• Managing Social Media Risk (IIA-San Francisco presentation, March 2012)
• http://www.mindflash.com/blog/2012/03/infographic-how-to-train-your-employees-to-handle-your-social-media/?view=mindflashgraphic
• http://socialmediavoice.com/2012/01/10-social-media-law-governance.html


Social Media Policy Guidelines

• Tie to vision + code of conduct/ethics + handbook
• Set clear and reasonable expectations
• Define social media broadly
• Protect trade secrets
• Clarify who owns what
• Ban disparagement / harassment
• Respect copyrights
• Include NLRA disclaimer
• Impose duty to report violations
• Include consequences
• Enforce “up to and including discharge”


Social Communications Policy Framework

• Who may participate in organization’s Social Media program
• When and why to participate
• Guiding Principles
  – Disclose affiliations
  – Clearly state when you’re talking for the company or yourself
  – Pay attention to tone of voice
  – Be aware of language usage and interpretation
  – Comply with Code of Conduct
  – Be accurate and honest
    – Awareness of potential to be held responsible for unsubstantiated or misleading claims and endorsements
    – Could include “liking” and “friending”
  – Don’t disclose personal or confidential information
  – Think before posting
• Instructions for dealing with media, bloggers, and other outsiders


Electronic Communications Policy Content

• Population covered by policy
• Equipment covered
  – Devices
  – Networks
• Guardrails for electronic communications
  – Professional, courteous, law-abiding
  – Protect confidential information
  – Expectation of privacy
  – Appropriate use of media and devices
• What organization may do
  – Monitor, block, modify, delete
  – When and under what circumstances
  – Filtering
• Protection of confidential information and trade secrets
  – Define confidential information
  – Check distribution lists for need to know
  – Be aware of international laws
  – Attorney Client Privilege considerations
  – Tie in with Code of Conduct, Non-Disclosure Agreement, Intellectual Property Agreements
• Consequences of non-compliance
• Responsibilities & Points of contact for additional information and guidance


Social Media Content Best Practices

• Add value
• Conversational style
• Honesty and respect
• Transparency and disclosure
• Confidentiality / PII
• Ownership and property registration
• Endorsements and recommendations
• Boundaries of personal and professional use
• What you can and can’t disclose


Organizational Models

• Organic
  – Growth from several sources in the organization
  – Inconsistent user experience (reputational risk)
• Centralized
  – Social media managed from one department
  – Good for highly regulated industries
  – Risk: Social media becomes just another distribution point
• Coordinated
  – Multiple sources coordinated through a committee
  – Risk: information hoarding rather than enabler
• Hub and Spoke
  – Autonomous groups with guidelines for common experience
  – Good for organizations spanning cultures, languages and governments
  – Risk: costly, requires excellent intra-organizational communications
• Honeycomb
  – Requires organization to embrace social media as core to business
  – Everyone actively participates in social media
  – Risk: cultural commitment and extensive training and support

From Auditing Social Media: A Governance and Risk Guide, Peter R. Scott & J. Mike Jacka (Institute of Internal Auditors Research Foundation, 2011)





Brand Awareness & Advocacy - Use

• Stakeholder education
• Community development
• Subject matter expertise
• Product sampling and reviews
• Advocacy development
• Promotions and contests
• Crisis communications
• Reputation management

Adapted from Evaluating Your Organization’s Social Media Efforts (IIA Webinar series, October 2011)

Brand Metrics

• Stakeholder Engagement
• Advocate Engagement
• Share of Voice
• Sentiment
• Fans & Follower Count
  – Common, but does not fully measure engagement

Adapted from Evaluating Your Organization’s Social Media Efforts (IIA Webinar series, October 2011)

Sales - Use

• Channel-only specials
• Lead generation
• E-commerce / F-commerce
• Profile updates
• Mobile promotions

Adapted from Evaluating Your Organization’s Social Media Efforts (IIA Webinar series, October 2011)

Sales - Metrics

• Leads generated
• Revenue from social media activities
• Customer Lifetime Value
• New customer acquisition
• Customer purchase patterns
  – Repeat business
  – Product patterns
  – Average purchase amount

Adapted from Evaluating Your Organization’s Social Media Efforts (IIA Webinar series, October 2011)

Customer Service - Use

• Customer problem resolution
• Chat
• Community or P2P service

Adapted from Evaluating Your Organization’s Social Media Efforts (IIA Webinar series, October 2011)

Customer Service - Metrics

• Issue submission percentage
• Issue resolution rate
• Issue resolution time
• Financial Impact
• Customer satisfaction rate
• Advocate engagement rate and sentiment
• Peer-to-Peer interaction and voice

Evaluating Your Organization’s Social Media Efforts (IIA Webinar series, October 2011)

Innovation - Use

• Idea sourcing
• Competitive Intelligence
• Feedback
• Co-creation

Adapted from Evaluating Your Organization’s Social Media Efforts (IIA Webinar series, October 2011)

Innovation - Metrics

• Issues reported
• Number of conversations
• Ideas submitted
• Idea and Issue Impact
• Financial impact

Evaluating Your Organization’s Social Media Efforts (IIA Webinar series, October 2011)

Recruitment - Use

• Employee empowerment
• Organizational culture
• Organizational insights
• Candidate identification and nurturing
• Employee alumni

Adapted from Evaluating Your Organization’s Social Media Efforts (IIA Webinar series, October 2011)

Recruitment - Metrics

• Potential candidate engagement
• New hire rate
• Social Media-sourced employee retention rate
• Financial impact of recruiting through social media
• Employee sentiment
• Employee reach, influence and impact

Evaluating Your Organization’s Social Media Efforts (IIA Webinar series, October 2011)

Social Media Governance

• Strategy
  – Review the social media strategy, program goals, and organization model.
  – Assess if these have been formalized and communicated to all relevant teams.
  – Evaluate alignment of the strategy with company goals.
• Policy
  – Review the social media policy and confirm that elements related to disclosure, ethics, community and privacy are included.
  – Identify gaps and test awareness of the policy.
• Roadmap
  – Assess the adequacy of the social media roadmap, including if it is global / localized and whether short-term and long-term program milestones have been defined.
• Team Structure
  – Assess if roles of key owners and stakeholders in the social media program are defined and clearly communicated (e.g. executive sponsorship, communications / PR, employees, Legal, IT, Support, R&D, Product, etc).

Managing Social Media Risk (IIA-SF presentation, March 2012)

Preparedness and Response

• Customer Profiles and Market Analyses:
  – Review customer profiles and market analyses
  – Evaluate if all products are covered and the appropriate target customers have been identified, including the desired relationship and engagement model.
• Tools and Analytics:
  – Understand how customer interactions via social media are integrated with internal infrastructure (databases, systems, processes)
  – Assess process and tools for identifying key topics, comments, commentators, and sentiment from website activity.
  – Evaluate KPIs and metrics against best practices and alignment of metrics with the social media strategy.
• Processes:
  – Test the policies and procedures to verify messaging is consistent with the social media strategy / plan.
  – Review and test policies, processes and procedures used for triage, crisis response, intake and response to customer insights.
  – Understand how customer insights are monitored, tracked, and shared with relevant teams (product marketing, R&D, Support, etc) for action.

Managing Social Media Risk (IIA-SF presentation, March 2012)

Training and Education

• Education
  – Evaluate the types of training programs implemented to share best practices and rules of the road within the social media team
  – Understand how social media best practices are shared cross-functionally with other functions in the organization, such as recruiting, sales, product, etc.
• Monitoring and Compliance
  – Understand whether compliance with the social media policy is monitored both internally and externally
  – Perform procedures to test compliance with the social media policy within selected social media tools

Managing Social Media Risk (IIA-SF presentation, March 2012)

Training Best Practice Examples

• Intel’s Digital IQ program
  – Beginning: Raise awareness of social media policy
  – Now: 60 online courses
  – 6,000 employees completed 2,000 courses
  – Rebecca Brown, Director of social media strategy, Intel
• Monthly newsletter
  – Program updates
  – Best practices
  – Updates from Social Media Professionals
• Coca-Cola
  – Employees may participate freely after taking a certification program
• Best Buy
  – Twelpforce volunteers must be trained before becoming an agent


HR Laws in Social Media

• Discrimination
• National Labor Relations Act
• Fair Credit Reporting Act (FCRA)
• Genetic Information Nondiscrimination Act (GINA)
• Negligent hiring
• Off-duty conduct
• Arrest records
• Background check information
• Ultimate test: Is it job related?

Adapted from “Social Media and the Talent Landscape: What HR Needs to Know about Social Media” (Manpower US, March 30, 2012)


HR Stay out of Court Basics

• Know the law
• Adopt and consistently enforce a reasonable policy
• Consider social media and employment agreements
  – Who owns terminated employees’ followers? (PhoneDog.com)
• Limit the number of searchers, managers, and 3rd Parties
• Maintain segregation of duties for search and hiring
• Train searchers and managers
  – Make sure they understand the value of maintaining good documentation

Adapted from “Social Media and the Talent Landscape: What HR Needs to Know about Social Media” (Manpower US, March 30, 2012)


Suggested COBIT v4.1 Processes

PO1 – Define a strategic IT plan
PO2 – Define the information architecture
PO4 – Define the IT processes, organization and relationships
PO6 – Communicate management aims and direction
PO7 – Manage IT human resources
PO9 – Assess and manage IT risks
DS2 – Manage third party services
DS5 – Ensure systems security
DS7 – Educate and train users
DS8 – Manage service desk and incidents
ME3 – Ensure compliance with external requirements
ME4 – Provide IT governance

Derived from Social Media Audit/Assurance Program (ISACA 2011)