The Technical Resource for the Region’s Largest Organizations
Evaluating the Effectiveness of your Internal Audit Function
by Donald R. Owens, CPA, CIA, CFF, CBA, CFSA, CRMA, Shareholder, Internal Audit and Risk Advisory Services

How do you, your executive management team and the audit committee conclude on the appropriateness of the activities being performed by your internal audit function? Is it done by soliciting the opinions of many to arrive at a consensus? Is it a collaborative process in which all parties meet and compare expectations to outcomes? Are there strictly defined key performance metrics (number of audits completed, recommendations provided, audit hours incurred, etc.) that incorporate a level of measurement?

—Continued on Page 2
Staying Ahead of Social Media Risk
by Daniel J. Desko, CISA, MBA, Senior Associate, Internal Audit and Risk Advisory Services

Social media is proving to be a valuable tool in the business world, and the user base is growing exponentially by the day. The rate at which information can now be shared and disseminated is far greater than just years ago. To that end, sites like Facebook, Twitter, YouTube, Pinterest and LinkedIn have all proven to be valuable tools in the corporate arena. Campaigns on these sites have been known to be very successful in generating sales and increasing brand recognition. Because of this success, investments in online advertising are on pace to surpass traditional print advertising for the first time in history this year.

On the flip side, social media sites have also unfortunately proven to be a breeding ground for disasters that have tarnished the reputation of many well-known organizations and brands. For example, poor access controls allowed a major news outlet’s Twitter page to be hijacked, and it falsely reported assassination attempts on the President of the United States. Also, a large, national humanitarian nonprofit organization employee who had his personal Twitter account linked to the official organization page drunkenly “tweeted” an inappropriate message to all the organization’s followers, thinking it was his personal account. How do you think that affects the credibility of that news outlet, or how likely are you to trust your donations to that particular national nonprofit organization after experiencing something like that first-hand?

The rate at which social media is growing makes it difficult to keep up with the benefits, let alone to consider and control all of the pitfalls. Despite the rate of growth, the threats and risks associated with a corporate social media presence should be assessed on a continual basis; chief among them are:

• Mismanagement of content posted on official corporate social media outlets
• Fraudulent or hijacked corporate social media presence
• Trade secrets being inadvertently shared
• Increase in customer service expectations by adding another channel of customer feedback
• Employees posting information or content that is work-related on personal sites or vice versa
• Mismanagement/poor control of devices (PCs, tablets, phones, etc.) used to manage the corporate social media presence

—Continued on Page 2
1133 Penn Avenue | Pittsburgh, PA 15222 | 412-261-3644 41 South High Street, Suite 2100 | Columbus, OH 43215 | 614-621-4060 www.schneiderdowns.com
Internal Audit Effectiveness continued from Page 1
Considering the broad scope of responsibilities that inherently reside with internal audit, it’s advisable that those charged with evaluating the effectiveness of an internal audit function not simply repeat the performance assessment practice employed in years past. To do so may unintentionally influence your internal audit function to direct its efforts at ensuring achievement of performance measures as opposed to focusing on evolving risks threatening the organization.

To truly evaluate your audit function, ensure that the evaluators are knowledgeable of the organization’s risk management practices, corporate strategy and key risks in order to have a basis from which to evaluate the scope of work performed by internal audit. Critical to the evaluation is understanding your internal audit function’s efforts in areas such as:

• Alignment of the audit plan with the organization’s risk assessment
• Assistance in true integration between governance, risk management and compliance
• Use of tools and techniques to track and monitor risks and adjust the audit plan when needed (staying in front of new and escalating risks)
• Industry and technical training
• Use of specialists in areas requiring unique skills (IT, tax, etc.)
• Ability to capture and interrogate critical data/information through the use of leading technology
• Delivery of other value-added services (fraud investigations, pre- and post-system implementation reviews, process re-engineering, etc.)

With the many roles entrusted to internal audit, it is critical that the key performance measures be assessed and modified continuously by the parties charged with oversight of the function.

Don Owens is a Shareholder with Schneider Downs' Internal Audit and Risk Advisory Services. Don delivers SSAE 16 and SOC examinations, internal audit, Sarbanes-Oxley, forensic and other relevant risk advisory services (enterprise-wide risk and fraud risk assessments, process improvement reviews, etc.) to clients including publicly traded, government, nonprofit and private entities. For more information on this article, or to discuss similar topics, contact Don Owens at email@example.com.

Social Media Risks continued from Page 1

Organizations that have a corporate social media presence are automatically subject to these threats and risks, and there are certain steps they should consider to stay ahead of it all. Developing policies, procedures and user training surrounding corporate social media use is a critical first step. In addition, organizations should consider limiting access to official corporate social media pages and defining “rules of engagement” for broadcast communications to followers. Monitoring the social media pool for fake pages that attempt to speak for the organization is also a crucial exercise that should be occurring on an ongoing basis.

Organizations must be careful to not “over-control” the social media efforts of the company; otherwise, marketing and sales efforts could be stifled. Additionally, there are some legal risks associated with policy and procedures surrounding employees’ use of their own social media sites. Organizations need to be careful not to overstep employees’ rights based on federal laws such as the National Labor Relations Act.

All in all, the maturity of social media and the control environment surrounding it is relatively in its infancy, which means the learning curve can be steep. Don’t fall behind.

Dan Desko is a Senior Associate with Schneider Downs' Internal Audit and Risk Advisory Services. Dan specializes in providing information security consulting, audit and risk management with specific experience testing and developing Information Technology General Controls (ITGC), Sarbanes-Oxley (SOX) controls and Service Organization Control (SOC) reporting procedures. For more information on this article, or to discuss similar topics, contact Dan Desko at ddesko@schneiderdowns.com.
Is there a topic you would like us to cover in the next issue? Contact Charles A. Oshurak, Senior Manager, at 412-697-5396 or firstname.lastname@example.org with your suggestions.