8 risk categories and an audit approach for a social media audit

Theory and practice are often two very different things. This is why Dr. Urban Becker, Head of Auditing at Melitta, has developed a procedure model for the auditing of social media. In collaboration with various experts in auditing and social media, he identified eight risk categories that need to be taken into account in any social media audit. You can find all the details of these categories in this blog article. Now, Dr. Urban Becker, the stage is yours!

Which topics are relevant for social media audits?

In our two previous blog posts, starting points for social media audits were identified both in the broader sense and through the use of frameworks. A holistic approach to the auditing of social media was, however, still lacking. By researching the literature and interviewing audit and social media experts as part of a master’s thesis at the Fernuniversität Hagen, it proved possible to identify the following eight risk categories relevant to social media audits:

Social media risks:

  • Strategic risks
  • Reputational risks
  • Sales and marketing risks
  • Personnel risks
  • Legal & compliance risks
  • Loss of control risks
  • IT-related risks
  • Process risks

Audit of strategic risks

Strategic risks arise from a lack of strategy, or from a strategy for or against the use of social media that is not sufficiently geared to the company or brand and its competitive environment. As a result, social media is not used efficiently.

When examining the strategic risks associated with the use of social media, the social media strategy must be requested and checked for plausibility and feasibility in a first audit step. If social media is used without a strategy or a process model adapted to the corporate strategy, the activities are less targeted and resources may be wasted. From an economic point of view, the risk of low effectiveness and efficiency in the absence of a strategy is therefore high.

If the company or brand in question is not present on social media, it must be assessed within the framework of the audit whether this may be strategically meaningful. In most markets, consumers are expected to use social media, so that negative effects on business development can be expected in the absence of a social media presence.

If a social media strategy is in place but does not cover all potentially relevant social media platforms, topics and technologies, this possible gap must be evaluated in the assessment and a revision of the strategy proposed as a measure. If a comparison between the corporate strategy and the social media strategy reveals recognizable differences in strategic orientation, a stronger alignment of the two is recommended. The dependence on the account provider (e.g. Facebook, Instagram) must also be considered as a strategic risk. If a presence is considered necessary, this risk must be accepted, as there are no alternative courses of action.

Audit of reputational risks

Reputational risks arise from poor communication within the company or from poor performance or products. Communication between users on social media can lead to an escalation in mood and thus to a loss of reputation. The terms “shitstorm” or “bad news” are now commonly used to refer to these forms of reputational risks on a massive scale.

The first step in the auditing of reputational risks is to determine how the reputation of the company or brand under consideration has developed over time. Analyses from social media monitoring tools or cross-platform analysis platforms can serve as indicators for this. Interviews with key persons from communications management, marketing or public relations can also be used as a source of information. Particularly in the case of a negative development of reputation, it is necessary to determine its causes. This can be investigated using various random samples: for example, the quality of communication may be inadequate because

  • the “do’s and don’ts” for comments are ignored,
  • posts do not build clearly on each other, as coordination and approval rules are not observed, or
  • the communications content is not in line with the strategy and is therefore perceived as uncoordinated.

In order to carry out the random samples, the target specifications, for example in the form of “dos and don’ts”, the defined coordination and approval rules and the communications strategy, must be requested and compared with the communicated content. Recognized deviations are to be evaluated with regard to their effects on reputation.

A crisis in the sense of a massive loss of reputation can occur suddenly if, for example, social media users express massive criticism of individual contents or real facts, which can occur in the extreme form of what is now commonly referred to as a “shitstorm”. In order to be able to assess the situation, contact persons should be asked whether a shitstorm has already occurred in the company in question and what experiences have been drawn from it. Irrespective of whether a shitstorm or another massive form of loss of reputation has occurred so far or not, the degree of preparation for a crisis must be taken into account in audit activities. This can be done by conducting the following audit activities:

It must be determined whether a crisis management manual exists within the company and whether it includes a massive negative escalation of communication, as occurs in the case of a shitstorm, as a possible scenario.

The next step is to determine whether rules have been defined in the handbook for such a crisis. If rules have been defined, another interesting question to ask is whether these rules have already been tested and whether personnel have been trained to apply them.

A comparison with the current organizational structure of the company can determine whether the composition of the crisis team has been updated.

If a shitstorm or a crisis caused by the use of social media has already occurred, a comparison between the crisis management manual and the activities actually carried out can be an interesting audit option.

If an audit of these essential prerequisites for effective crisis management can be considered to have already been completed, there is a good chance that your company is in a position to respond appropriately to any potential social media “shitstorm”.

Audit of sales and marketing risks

Sales and marketing risks arise from the low level of attention paid by users to social media offerings. As a result, expected positive effects on market positioning and sales success fail to materialize.

A significant risk for sales and marketing is that the success of sales- and marketing-oriented activities in social media is not measured. One reason for this is that it is not easy to make an objective assessment. One way of assessing success is to use key figures or target values as metrics. Within the framework of an audit, an activity can consist of determining which instruments are used to measure success. The procedure must be evaluated to determine whether it is comprehensible and suitable for an assessment of success.

Not only are the company’s own sales measures relevant, but the behavior of the competition also has to be taken into consideration. In this respect, the audit must determine whether the success of competitors’ social media activities is also being surveyed and evaluated.

Of particular importance is the measurement of the direction of customer reactions. Negative user assessments are especially critical. Negative assessments can trigger a fundamental rejection of the provider and can even lead to reactions on a massive scale. Ultimately, loyal users can be annoyed by negative perceptions and ‘burned’ as a community.

If interested users cannot find the social media offer of a company without prolonged searching, this is another sales-relevant risk. In order to be able to address this risk through auditing activities, it is necessary to determine whether measures have been taken to make it easier for a user to find the provider’s social media sites. One possible way of doing this is search engine optimization. If companies use social media not only to communicate with their customers, but can also accept orders, the audit of the interface from the social media application to order processing and order documentation is another interesting point worth addressing.

Audit of personnel risks

Personnel risks can arise from employees who are not trained to perform their duties or who are not highly motivated, and from comments made by employees about their company on social media. Further risks arise from the requirements for compliance with working hours, which are laid down by law or may have been agreed in company or collective agreements. Another problem area is the targeted acquisition of information by third parties with the aim of causing damage to the company. Such acquisition of information is sometimes made possible by content published carelessly by employees or executives of the company.

The qualification and experience of the employees is of decisive importance for the quality of the presentation and the content of a company’s own social media offer. Also relevant here are the ‘typical’ topics of a personnel audit, such as whether tasks have been defined (for example in job descriptions) and how employees are managed. In the context of an audit, the level of training and experience of employees working with social media within the company could also be examined. This status can then be compared with the reports and analyses on user satisfaction in order to identify any need for action.

A fundamental risk is posed by employees who are themselves active on social media and who may express critical or even insulting views with regard to their employer. How employees deal with their employer on social media should be regulated in a social media guideline in order to create clear legal boundaries. The audit activity should therefore determine whether a social media guideline exists in the company and whether it regulates how employees communicate as private individuals on social media. A social media guideline may consist of direct rules of conduct for employees engaged in social media activities, as well as a differentiation between corporate and private social media content for all employees. A comprehensive social media guideline can, for example, also regulate the style of communication and the processes to be followed.

In order to determine whether employees are expressing critical views with regard to the company, it is necessary that content relating to the company or the brand be evaluated and examined for anomalies on a regular basis. One audit action consists of determining whether such a check has been implemented.

Information published on social media can also include content that is classified as sensitive from the company’s point of view or which is covered by intellectual property rights. Such sensitive information can be particularly at risk when it comes to the acquisition of information by cyberfraud in the context of targeted social engineering. Here, information about the organizational structure and the availability of contact persons can be obtained in order to commit fraud. One of the possible audit actions to be taken here is to conduct an analysis of content communicated with regard to sensitive information on the basis of a keyword search. With regard to social engineering, it is also worth asking whether the company has already been targeted by such attacks and whether employees have been made aware of the risks of contacts made via social media. Another question that should also be asked here is whether possible critical content has been subsequently deleted in order to make it more difficult to extract data on the basis of historical data.
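The keyword-based screening of published content described above, as an added example that is not part of the original article: the pattern categories, the rating rule and the sample posts are constructed for illustration, and a company would extend the patterns with its own sensitive terms.

```python
"""Screen a company's published social media posts for information that
could support targeted social engineering (organizational structure,
availability of contact persons, contact details, content marked sensitive).
Added audit example: the pattern categories, the rating rule and the sample
posts are constructed for illustration and are not from the article."""
import re

# Pattern categories (constructed). Extend the lists with the company's own
# sensitive keywords, e.g. project names, before running the check.
PATTERNS = {
    "org_structure": [
        r"\b(head of|reports to|new (?:cfo|ceo|cio)|org(?:ani[sz]ation)? chart)\b",
    ],
    "availability": [
        r"\b(out of (?:the )?office|on (?:vacation|leave) until|back on \w+)\b",
    ],
    "contact_detail": [
        r"\b[\w.+-]+@[\w-]+\.[\w.]+\b",   # e-mail address
        r"\+?\d[\d ()/-]{7,}\d",          # phone number
    ],
    "sensitive_keyword": [
        r"\b(confidential|internal only|not for publication)\b",
    ],
}
COMPILED = {cat: [re.compile(p, re.IGNORECASE) for p in pats]
            for cat, pats in PATTERNS.items()}

# Constructed sample of published posts: (post_id, text)
SAMPLE_POSTS = [
    ("p1", "Congratulations to Anna Meier, our new CFO! She is out of office "
           "until 12 May, so please contact finance@example.com meanwhile."),
    ("p2", "Our new plant opens tomorrow. Come and visit us!"),
    ("p3", "Internal only: draft pricing for Q3 attached."),
    ("p4", "Call our hotline on +49 30 1234567 for support."),
]


def screen_post(text):
    """Return {category: [matched fragments]} for one post (empty if clean)."""
    hits = {}
    for cat, regs in COMPILED.items():
        matches = [m.group(0) for r in regs for m in r.finditer(text)]
        if matches:
            hits[cat] = matches
    return hits


def rate(hits):
    """Rate a post: role information plus an absence notice together gives a
    ready-made pretext for impersonation, so that combination is rated high."""
    if "org_structure" in hits and "availability" in hits:
        return "high"
    if "sensitive_keyword" in hits or "contact_detail" in hits:
        return "medium"
    return "low" if hits else "none"


def screen_posts(posts):
    """Screen all posts and return (post_id, rating, hits) for those with hits;
    public hotline numbers etc. still need a human decision."""
    results = []
    for post_id, text in posts:
        hits = screen_post(text)
        if hits:
            results.append((post_id, rate(hits), hits))
    return results


if __name__ == "__main__":
    for post_id, rating, hits in screen_posts(SAMPLE_POSTS):
        print(post_id, rating, hits)
```

The output is a working list for the random sample, not a verdict: intentionally public contact details will also be flagged and must be cleared by the auditor.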

A data analysis within the framework of an audit can also provide indications of conspicuous user behavior, such as a high frequency of access to data.

Audit of legal and compliance risks

Legal & compliance risks arise through the publication of content that violates the rights of third parties, or of critical content such as depictions of sex, war and violence, and through the breach of data protection requirements or incorrect information in the legal notice on a company website. There are also competition law risks arising from legal requirements relating to the engagement of influencers and to prize draws or competitions.

Legal regulations and compliance requirements are still liable to undergo numerous changes, as this is a comparatively recent field of law. It must therefore first be established whether these changes are regularly monitored by the company itself so that it can react to them in good time.

Published content also has to have a legal basis to ensure that such a publication is permissible in the first place and that the rights of other parties are not violated. It may be that published content infringes upon the rights of third parties because no rights of use or image rights have been agreed, or because violations of personal rights, trademarks or copyright have occurred. Rights can also be limited in time: when endorsements and testimonials are used, for example, the agreed period of use may have expired. Such circumstances could give rise to liability problems for the company. One possible way of addressing these risks within the scope of an audit is a spot check in which published content is compared with its underlying legal basis.

The identification of influencer advertising is a legal requirement for social media.

In addition, it may also be the case that content on the company’s social media site concerns critical content which, from the company’s point of view, is not to be communicated from an ethical point of view or whose publication is not permitted under criminal law. Here, the necessary audit procedures are divided into two steps: The first step is to determine whether the company has published rules on what content may not be published on the company’s social media platforms and which must therefore be blocked. If corresponding rules do exist, the settings on the social media platforms used can be checked to see whether such content is set to “blocked” or “not to be published” in accordance with the rules.

It is also possible for other social media users to copy content that the company has posted and publish it as their own. Here, the audit can investigate whether this is being regularly observed and whether legal action is taken if necessary.

Social media content also contains personal data. In this respect, data protection regulations must also be observed. Audit procedures in this respect must determine whether rules for data protection in social media applications are defined in the company and whether social media use is included in the company’s lists of procedures.

Furthermore, it must be observed from the point of view of data protection that the reports required by the providers of social media platforms are submitted correctly in order to be able to evaluate existing data on usage behavior in accordance with the law.

The demarcation between private and company-related communication of content published by employees can be regulated in a social media guideline. For this purpose, it must be determined whether a guideline already exists which sets out corresponding rules of delimitation and whether controls have been implemented in order to monitor compliance with these rules.

When registering a social media account, there may be a legal gray area if the registration was made in the name of an employee. This can lead to legal problems if employees assert claims to accounts and contacts. An audit must determine whether there are any cases in which social media accounts have been registered other than on the company’s behalf and, if so, whether there is a contractual arrangement with the employee or third party for the transfer of rights.

Legal and compliance risks are a very complex area and one which it is often difficult for non-lawyers to understand. So here it is helpful to involve lawyers at an early stage.

Audit of risks due to loss of control

Risks due to loss of control arise from a lack of control by the company over published content (time pressure, large number of social media platforms, unclear coordination, lack of coordination) and unclear origin of users (fake accounts).

From the company’s point of view, the use of social media offers fewer possibilities to monitor content and the quality of the content communicated than with more traditional modes of communication. Due to short response times and the potential for user queries to be answered by a range of different people, the usual forms and rules of communication may be observed to varying degrees of intensity. If user queries have to be answered for which the personnel at the communication interface do not have the necessary knowledge and experience, this leads to the personnel involved being put in a situation of uncertainty. An immediate response can lead to errors in content; while escalation of the matter to a specialist leads to a significant increase in response time. This is a potential area of conflict that has an impact on control-related risks.

In this context, however, it is also possible to consider the personnel deployed for communication on the social media channels used. If insufficient resources are deployed, response times will be high; but an overdeployment of personnel will be disadvantageous from the point of view of efficiency.

An audit can verify whether rules exist for the release of planned content such as posts and whether rules have been established for direct communication with users for dos and don’ts and for the escalation of specific requests or comments from users. If rules do exist, a sample of communication elements can be used to check whether the defined rules have been adhered to.

Another consideration that results in a high degree of uncertainty is the fact that false information can only be corrected to a limited extent. Corrections are often subject to particularly intensive scrutiny from users, so that it is recommended to deal with such cases with the necessary sensitivity. Where corrections are communicated through third parties, it is however difficult to avoid users paying particularly close attention.

Nor can it be ruled out that sensitive information that ought to remain protected may mistakenly be communicated via social media, meaning it can then be exploited by competitors, for example. Within the framework of an audit, it should also be determined whether controls have been set up for such cases.

Audit of IT-related risks

IT security risks generally correspond to the conventional security risks of other areas of application (e.g. Internet, email). They cover, for example, access protection (permissions, role concept, password use) as well as general network security, virus protection, firewalls, encryption, etc. of the systems via which social media is used.

The risk of inadequate password protection and inadequate access regulations for social media accounts was highlighted in several interviews. The audit activities for this focus on collecting the rules and evaluating actual use by examining connection logs.
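The comparison of access rules with actual use from connection logs described above, as an added example that is not part of the original article: the log format, the field names and all sample values are constructed for illustration and do not correspond to any real platform’s export.

```python
"""Compare a corporate social media account's login history with the
access rules defined for it (approved persons, MFA, no credential sharing).
Added audit-check example: the log format, field names and all sample
values are constructed for illustration, not a real platform's export."""
from collections import defaultdict
from datetime import datetime, timedelta

# Access rules as collected from the role concept / social media guideline
# (constructed values).
ACCESS_RULES = {
    "approved_users": {"press@example.com", "community@example.com",
                       "marketing@example.com"},
    "mfa_required": True,
    # one account used from two different IPs within this window is treated
    # as an indicator that the credentials are being shared
    "concurrent_window": timedelta(minutes=30),
}

# Constructed login-history export: timestamp;user;source_ip;mfa(yes/no)
SAMPLE_LOG = """\
2023-05-02T09:01:12;press@example.com;203.0.113.10;yes
2023-05-02T09:15:40;community@example.com;203.0.113.11;yes
2023-05-02T11:42:05;press@example.com;198.51.100.7;no
2023-05-02T11:50:19;press@example.com;203.0.113.10;yes
2023-05-03T08:30:00;intern.old@example.com;203.0.113.12;yes
"""


def parse_log(text):
    """Parse the export into session dicts; malformed lines are skipped."""
    sessions = []
    for line in text.splitlines():
        parts = line.strip().split(";")
        if len(parts) != 4:
            continue
        ts, user, ip, mfa = parts
        sessions.append({"time": datetime.fromisoformat(ts),
                         "user": user.lower(), "ip": ip,
                         "mfa": mfa.lower() == "yes"})
    return sessions


def audit_sessions(sessions, rules):
    """Return (finding_type, detail) tuples for the auditor's working papers."""
    findings = []
    by_user = defaultdict(list)
    for s in sessions:
        by_user[s["user"]].append(s)
        when = s["time"].isoformat()
        if s["user"] not in rules["approved_users"]:
            findings.append(("unapproved_user", f"{s['user']} at {when}"))
        if rules["mfa_required"] and not s["mfa"]:
            findings.append(("login_without_mfa",
                             f"{s['user']} from {s['ip']} at {when}"))
    # Credential-sharing indicator: same account, different IPs, close in time.
    for user, items in by_user.items():
        items.sort(key=lambda s: s["time"])
        for a, b in zip(items, items[1:]):
            gap = b["time"] - a["time"]
            if a["ip"] != b["ip"] and gap <= rules["concurrent_window"]:
                findings.append(("possible_shared_credentials",
                                 f"{user}: {a['ip']} then {b['ip']} within {gap}"))
    # Approved persons without any login: candidates for removing access.
    for user in sorted(rules["approved_users"] - set(by_user)):
        findings.append(("approved_but_unused", user))
    return findings


if __name__ == "__main__":
    for kind, detail in audit_sessions(parse_log(SAMPLE_LOG), ACCESS_RULES):
        print(f"{kind:28} {detail}")
```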

“Classic” IT risks such as viruses and malware, availability, data loss or the risks posed by cybercrime were all cited as IT-related risks in the literature and in the interviews. Audit activities that cover these risks in the area of network security must be carried out with reference to social media use. These should examine the configuration of virus scanners, firewalls, and the network and connection infrastructure, as well as the protection of cloud services. Appropriate countermeasures must be taken on the basis of detected weak points.

Audit of process risks

Process risks arise from non-compliance with specifications and targets, for example with regard to defined approval and release regulations for communications content or budget specifications, and from inadequate control over processes due to a lack of contracts, rules and guidelines.

Process risks relate both to work done within the company and to the service providers involved. For example, service providers may not have been properly commissioned to perform tasks on behalf of the company, or cooperation with external agencies may not have been sufficiently regulated. Regulations, guidelines or specifications are necessary both for matters dealt with purely internally and when external partners are involved. For this purpose, the audit must determine which regulations and guidelines exist within the company for the control of social media activities. Documents are to be used to assess whether these regulations are suitable for regulating the cooperation of participants appropriately and whether processes are actually being carried out in accordance with the specifications. This applies, for example, to compliance with release regulations for communications content such as posts, blogs, images or videos, as well as to costs and the use of resources.

The quality of the content can also be analyzed in terms of whether the benefits offered by social media are actually being taken advantage of thanks to greater richness of information and the establishment of dialog with users. If this is not the case, then other media must be used.

Budgets also represent targets that can be taken into consideration in the context of audit assessments. Budgets may concern both one-off costs for the implementation or fundamental redesign of a social media presence and running costs. In addition to checking whether budget targets have been adhered to, audit activities should also take the implemented control mechanisms for budget compliance into consideration.

From the perspective of learning and improvement, it is essential that any error messages reported by users are actually acted upon, after being evaluated and transferred to the responsible department within the company. To ensure this happens, a systematic and effective process for recording, evaluating and monitoring the implementation of activities resulting from such error messages has to be put in place. Within the scope of the audit, error messages reported by users are to be identified, and used as a basis for performing a random check on the handling of error messages.

The social media process also includes content management. To this end, it is necessary to examine to what extent systematic documentation is maintained to ensure that such content can be accessed again at a later point in time.

When performing an audit, it is advisable to select risk-oriented focal points from the proposed subject areas.

For a social media audit, it may be advisable to conduct an analysis of stakeholders in order to determine which functional areas of operations may be influenced or affected by social media content.
