Internal audit survey shows organizations without social media policy face ‘plague’ of unnecessary risks

What may be the most striking result from the survey is that more than half (51 percent) of organizations do not address social media risk as part of their risk assessment process, with 45 percent indicating that they have no plans to do so in the coming year’s audit plan.

Additionally, of those that do address social media risk, 84 percent rated their organizations social media risk-assessment capability as “not effective” or just “moderately effective.”

“The survey findings are surprising in that they show how many businesses are either inadequately prepared or altogether inactive in putting effective processes and policies in place around social media,” said Brian Christensen, executive vice president, global internal audit, at Protiviti.

“From a risk management perspective, this poses significant potential problems for businesses that can range from reputational risk to IT infrastructure risk as a result of unchecked exposures to customer, vendor and company information.”

Evaluating Technical and Audit Process Knowledge

In terms of rating general technical knowledge, internal auditors identified social media applications as the top area for improvement – by a substantial margin – mirroring the 2012 findings.  Issues related to cloud computing and fraud risk management are also among the top priorities on the list of areas that need to improve. Notably, fraud risk management ranked 13 out of 51 evaluated areas, despite respondents giving it one of the highest scores for existing competency.

Respondents also evaluated 42 areas of audit process knowledge in terms of where they need to improve, and ranked data analysis tools and fraud as the predominant issues of concern. Eight of the top 10 priorities in audit process knowledge that most need improvement were related to data analysis tools (data manipulation ranked #1; statistical analysis ranked #5; sampling ranked #9) and fraud (monitoring ranked #1; fraud risk assessment ranked #4; fraud detection/investigation ranked #6; fraud auditing ranked #10).  In contrast, there were no fraud related issues ranked among the top five areas for improvement in 2012 or 2011.

“The internal audit function has a tremendous responsibility for ensuring that rigorous and systematic scrutiny is applied to business processes and emerging risks in real-time,” said Christensen. “Organizations can’t afford to have inefficiencies or undue exposure to risk, and a critical aspect of eliminating these problems is to understand areas that require improvement.”

Other Key Survey Findings

Continuous auditing was the top priority in terms of audit process knowledge in 2011 and 2012, but dropped down to #18 in the 2013 rankings. For audit process knowledge, auditing IT – new technologies was the third highest needs-improvement priority, and scored significantly lower than any other area evaluated with regard to existing competency.

Concerns among chief audit executives were generally aligned with the broader sampling of respondents.  However, they did rank audit process knowledge around Computer-assisted Audit Techniques (CAATs) as a higher priority for improvement, compared to the overall ranking. 

Protiviti’s 2013 Internal Audit Capabilities and Needs Survey Report was fielded between September and October 2012 and respondents answered more than 130 questions in three categories: Technical Knowledge, Audit Process Capabilities, and Personal Skills and Capabilities.  More than one-third of the participants work in publicly traded companies and represent virtually all industry sectors, with others working across a variety of private, government, and not-for-profit organizations. The full report is available at www.protiviti.com/IAsurvey.