Skip to main navigation

BoardMatters Quarterly, April 2011 - Audit committees are waking up to the risks of social networking - EY - United States

BoardMatters Quarterly, April 2011Audit committees are waking up to the risks of social networking

“One of the key [growth] opportunities in both my companies is in response to social media, [but it is also] our biggest risk.”Audit committee chair

Forward View by Tapestry Networks

With the use of social networking sites such as Facebook, Twitter and LinkedIn on the rise, every employee can become an unsupervised spokesperson for the company. Unmonitored activity in this area could cause significant reputational harm to the company, and may also invoke penalties from regulators and become cause for litigation.

For example, in 2008, the U.S. Securities and Exchange Commission (SEC) issued interpretive guidance that all communications made by or on behalf of a company, including those made by employees on social media and other online forums, are subject to relevant provisions of federal securities laws. Think of the danger of an employee posting inside information about a promising new product hours before the company’s earnings release.

The catch-22 many companies are facing today is:

  • Allow employees to access social networking sites while at work, despite the risks?

    An IT expert recently told a gathering of audit committee chairs, “When employees are looking at joining a company, they expect they can work in an environment where they have access to the same tools that they have access to in their private lives.”

    Access to social media may also have strategic rationale — many companies use social media in their investor relations and marketing programs, so employees may need access to these sites while at work.

    An audit committee chair recently said, “One of the key [growth] opportunities in both my companies is in response to social media, [but it is also] our biggest risk.”

  • Or ban access to these sites to minimize risks, and face consequences?

    A study by Robert Half Technology found that 54% of 1,400 CIOs from across the US say their firms completely ban the use of social media while in the office.1 Critics of this approach say companies risk losing talent, or encourage employees to pursue workarounds, that can be as dangerous as the risks the companies are trying to avoid in the first place.

The issue has hit audit committee agendas

Many board members readily admit a lack of direct experience with social media, its use, misuse and the potential legal and regulatory consequences. However, given the dramatic rise in risks, more audit committee chairs are requesting that their CIOs and external IT advisors attend audit committee meetings in order to explain and substantiate the risks their companies face with social media.

Leading audit committees are seeking to:

  • Make certain the company has clear policies in place for use of social media.

    An IT expert speaking to a gathering of audit committee chairs said, “Ask management, 'What are our [social media] policies? How are the policies rationalized?’ Be clear, because ambiguity is a policy all to itself … good policies are short and clear.”

    A global survey sponsored by Cisco found that only 20% of respondents said his or her company had any policies in place concerning the use of consumer-based social networking technologies.2

    Experts also say policies should be regularly updated and communicated given the rapidly changing environment.

  • Invest in training and education for employees on the usage of social media.

    Issuing a social media policy is not enough. Like board directors, many employees are unaware of the risks and will benefit from training and clear guidance on the ethical considerations involved when using social media.

  • Have internal audit teams comb social media sites, looking for examples of leakage and misuse.

    Insight gained from examples of misuse can guide policy formation and training programs as well as inform public relations responses to external criticism. Increasingly, PR experts are advising companies to address online criticism. Employee blogs and tweets can be a powerful voice to combat its effects.

  • Have top executives (and possibly their family members) receive briefings about their online presence.

    Those looking for insider information might track the online posts of the children of executives, who could unknowingly post information about a parent’s travel or personal views. These individuals should be educated about both the personal and professional risks of such online postings.

  • Understand investment in information security relative to spending on IT platforms and databases.

    Is it sufficient? How much is allowing employees’ access to social media costing the company? For example, an audit committee chair for a large company recently noted that the costs associated with employee use of You Tube and social media sites took up 30% of the company’s total computing cost.

Looking ahead

Social media makes it possible for employees to be more innovative and productive by sharing information and ideas. For many companies social media is a critical marketing tool. However, unrestricted access to social media also presents major risks.

Boards and audit committees are increasingly seeking the advice of technology experts to help quantify these risks and determine that the company has taken steps to mitigate them properly.

Still, as boards recruit new members, they may want to consider bringing in those with greater depth of understanding of technology and its implications for the business.

1 Robert Half Technology, “Whistle but don’t tweet while you work,” Press Release, 6 October 2009.
2 Cisco, "Global Study Reveals Proliferation of Consumer-based Social Networking Throughout the Enterprise and a Growing Need for Governance and IT Involvement," Press Release, 13 January 2010.

Forward View is prepared by Tapestry Networks. Views expressed by Tapestry Networks are those of Tapestry Networks and not necessarily of any EY member firm. Tapestry Networks convenes seven audit committee networks sponsored by EY that collectively consist of nearly 150 individuals, who chair more than 200 audit committees and sit on over 300 boards at some of the world’s most admired companies. EY refers to the global organization of member firms of EY Global Ltd., each of which is a separate legal entity. Ernst & Young LLP is a client-serving member firm in the US.

Used by permission of Tapestry Networks. This article may not be reproduced, distributed, displayed or published without the express written consent of Ernst & Young LLP and Tapestry Networks.

« Previous


Related content


Back to top