On 7 August 2018, Tesla founder Elon Musk issued a brief statement on his personal Twitter page: "Am considering taking Tesla private at $420. Funding secured." Nine words. Two sentences. One of the most controversial and damaging social media communication snafus in business history.
The resulting backlash has been media fodder ever since. Musk was forced to step down as Tesla’s chairman for a minimum of three years by the Securities and Exchange Commission (SEC). The case also demonstrated the power, speed and reach of social media in the 21st century.
The SEC was chiefly concerned that Musk’s tweet suggested that he’d secured the money and confirmed a price, needing only a shareholder vote to privatise Tesla. His message included a share price chosen because of its connection with a common term for marijuana usage, and he later targeted traders, complaining of defamatory attacks by the short-selling community that he believed harmed the brand.
Social media can be one of the most effective communication channels between organisations and the public. More than three billion people – nearly half the world’s population – are actively engaged in social media networks, and when you factor in its relatively low cost and the incredible speed at which social media information travels, it’s no wonder that organisations worldwide have embraced it as a marketing tool.
However, social media can also seriously damage a brand’s reputation. This is where internal audit must come in – to provide assurance that the organisation is governing and overseeing its use of social media effectively, while also providing assurance that it is using social media to greatest effect.
“All internal auditors should be asking themselves how their organisation is managing the social media space – do you have a policy and, if so, how does this link to marketing and sales?” says Liz Sandwith, professional practices adviser at the Chartered IIA. “It’s easy for social media monitoring to be entirely linked to numbers and this is dangerous – it can ramp the risks up to unacceptable levels.”
Social media audits give organisations space to think strategically about all aspects of this communication and to ensure they are monitoring what has been successful and what has not. They enable managers to understand how the company is protected against social media risks, while also revealing ways they can improve their social media presence.
Step-by-step processes and templates to aid social media audits and hold important data can be obtained via third-party tools (often free) from sites including Hootsuite, Tweetdeck, Agorapulse and Buffer.
Key questions for internal auditors include:
• Which staff members have access
to social media?
• How are IDs and passwords being
• How are posts controlled and what
steps are taken during the review process?
• Is any brand infringement occurring?
• What sites provide competitors with the most success?
• How does the company monitor and remove posts that could cause
Internal auditors should play an integral part in recommending appropriate actions when managers are drafting social media policies. The key is to ensure that people at all levels are responsible for what they’re writing, that they respect other people’s copyrights, and that they protect confidential and proprietary data.
“One big issue, as the Tesla example shows, is how you keep big personalities in line,” Sandwith says. “It’s a fine line – you need the personality on social media, but not the risks this can create.”
Musk’s tweet initially increased the company’s stock price by more than six per cent, causing NASDAQ to halt trading in Tesla shares for 90 minutes prior to an official response from the company. By close of trading, the stock price had risen by 11 per cent to finish at $379.57. According to immediate estimates from Ihor Dusaniwsky, S3’s head of predictive analytics, “the cumulative mark-to-market paper loss for Tesla short sellers is about $3bn this year.”
But behind the scenes all was not as it appeared. There had been scant discussion about taking Tesla private among the organisation’s leaders – very few even knew about the prospect. No funding had been secured and no prices had been settled. The SEC stated: “Musk’s statements were premised on a long series of baseless assumptions and were contrary to facts that Musk knew.”
On 16 October 2018, US District Judge Alison Nathan approved a settlement between Musk and the SEC that stipulated, in addition to Musk resigning as chairman for three years, that:
• The company would select a new chairman and two independent directors to the company’s board.
• Musk and Tesla would pay equal $20m fines, which the SEC said would be “distributed to harmed investors under a court-approved process”.
• The company must employ a lawyer to pre-approve any communications, including tweets generated by Musk, which could have a material impact on the company’s stock price.
Yet in February 2019 Musk again gained headlines by tweeting that the company would “make around 500k” automobiles in 2019, before clarifying four hours later, also via Twitter, that “Tesla was merely on pace to make 500,000 cars a year given its current production rate. It would probably only end up delivering 400,000 cars this year”. The SEC argued in court that Musk should be held in contempt for “violating the clear and unambiguous terms of the Court’s Oct. 16 final judgment”.
All this began from a nine-word, two-sentence tweet.
The opportunities associated with social media marketing may be boundless, but the risks pool is extremely deep. Companies without an established social media strategy are swimming without a lifejacket – it may be fun at first, but they could end up in desperate trouble.
For a start, social media has been described as the perfect hunting ground for illegal activity – more than 12 per cent of organisations have been the victim of a security breach via a socia-media-related cyber attack and social media tops the list of channels of perceived compliance risk.
Cyber breaches and other key risks from social media are often caused by human error. Internal audit can help by promoting a “security-aware” culture throughout the organisation, so that all employees are aware of their role in protecting systems against a breach, and of the processes in place to prevent inadvertent reputational damage.
When social media first took off as a business tool, most auditors and risk professionals feared that non-public information would be disclosed – either intentionally or accidentally. Today, however, reputational risk has moved to the fore. Internal audit must therefore look at how the organisation can limit the speed that damage can spread via social media, ensure that it keeps abreast of national regulations and that its social media messages and business strategy are aligned.
A strategic approach to auditing social media will focus on an overarching goal of ensuring that the organisation’s social media usage aligns with its overall strategy. Internal audit training should therefore align with the areas of greatest risk, for example:
• Reputational damage
• Data security
• Regulatory and compliance violations
• Data leaks
Internal audit should ensure that the organisation is adequately training all employees with social media access (including C-level executives) about these risks. It should also check that management has sufficient controls in place to monitor its social media presence continually, and adequate systems to detect events that could cause brand damage on social channels, that it tests these controls and is effective at delivering the level of controls needed.
In addition, internal audit can contribute to discussions about how an organisations can monitor its social media efforts to gain better returns via, for example, brand mentions, relevant hashtags, how often and where its competitors are mentioned and industry trends. Again, there are many downloadable tools designed to gather this information, and most offer tips to maximise results.
Once the initial protections are in place, auditors can suggest that management thinks about progressing its monitoring to focus more on “social media listening” – active and strategic efforts focused on future increased return on investment.
Management should move from establishing effective social media oversight, to ensuring that the company’s policies are followed and maintained. Companies with strong social media policies, continual training and regular monitoring often prosper more than those that concentrate on tightly controlling who has social media access.
No one can eliminate social media risk – Elon Musk used his personal account to post information after he lost a federal ruling. But many risk professionals agree that the greatest threat to organisational reputation is inaction. According to Peter Scott, former director of marketing and web operations at IIA Global: “If you’re a big enough company, people, including your employees, are going to be out there talking about you and your brand. If you’re not out there listening and representing your point of view, you’re basically saying ‘I don’t care’.”
Internal audit can make a significant difference to how effectively this risk is mitigated and managed.
Kevin Alvero is senior VP, internal audit, Chris Errington is senior communications specialist in internal audit and Wade Cassells is auditor at Nielsen. The Chartered IIA is running a course on "Social Media – Risks and Opportunities" on 24 October in York. Visit
iia.org.uk/courses for details.
This article was first published in July 2019.