In our last blog article, Dr. Urban Becker already presented the various risks and audit approaches for the auditing of social media. However, the question of whether and to what extent existing frameworks such as COSO, COBIT, ITIL or various ISO standards can be applied to an audit remains unanswered. COBIT 5 in particular seems to be well suited for an audit of social media. Dr. Urban Becker from Melitta explains the reasons why.
Which frameworks can be used for social media audits at all?
Frameworks provide auditors with guidelines for planning, preparing and conducting audits. Thus the frameworks can be used effectively as a structuring basis. The COSO Framework for Internal Control (IC) published by the COSO organization in 2013 and the COSO Enterprise Risk Management (ERM), which in the 2004 version was based on a three-dimensional structure similar to that of the COSO IC and in the 2017 version however underwent a fundamental conceptual review, play a predominant role due to their general applicability. For the Internal Control Framework, the generally applicable principles of control environment, risk assessment, control activities, information and communication and monitoring activities play a central role. Eight components form the focus of the 2004 ERM model: internal environment, target setting, event identification, risk assessment, risk management, control activities, information and communication, and monitoring. In the 2017 model, a distinction was made between 20 components and principles. The strength of the COSO model lies in its general classification. There is no technical reference to the audit fields of social media. For example, the COSO ERM framework can be used as the basis for a formalized process for identifying and assessing risks. Alternatively, the ISO 31000 family of standards can be used.
Like in other audit fields, instruments such as checklists, workshops, surveys, brainstorming and error analysis tools are used for the actual identification of risks.
Specific standards such as COBIT or ITIL can also be used for revision audits where IT applications are included in the analysis.
Compared to earlier versions, the current COBIT version 5 also contains more management aspects. ITIL is a framework for the control, coordination and management of IT service processes that was originally developed for the authorities in Great Britain. COBIT and ITIL can also be adapted for use with social media issues.
The ISO 27000 series of standards for the testing of IT systems and ISO 20000 for IT service processes, as well as the BSI’s IT baseline protection catalogues are only suitable for the audit of social media issues subject to certain conditions due to their stronger IT orientation.
Which approaches can actually be used for social media audits?
COBIT is mentioned by several sources in relation to social media audits:
- In ISACA's social media audit approach (2011, p. 10), nine essential COBIT 4.1 processes and their relevant activities are listed. The activities of the COBIT 4.1 model are referenced in a quite comprehensive checklist of audit steps according to the risk areas of strategy, employees, processes and technology, insofar as these are applicable. In individual cases, other COBIT processes or their activities are also referenced that were not included in the list of key processes. On the basis of the COBIT 4.1 processes characterized as essential, a maturity level assessment is additionally proposed.
- The approach of Lehr & Robrecht (2012) is defined according to whether the processes contained in COBIT 4.1 are directly applicable to social media activities, whether these can be derived or whether they are not covered by COBIT. The assignment of the seven directly applicable COBIT processes only corresponded in four cases to the classification of the essential COBIT processes according to the ISACA approach (2011). Eight processes could be derived from the social media questions, which also included the five other key processes of the ISACA approach. The authors assign the other activities of communication campaign management and community management relevant for a social media audit to the DS group (Deliver, Support) and the web monitoring is assigned to the ME group (Monitor, Evaluate), although these cannot be derived from the COBIT processes according to the authors’ assessment. However, Lehr & Robrecht's approach is suitable for the use of a framework that is not directly tailored to a specific topic. For the presentation and documentation of the audit procedure, the demarcation between questions of a framework which are applicable, derivable and not contained in the framework is exemplary.
- In the Gerber approach (2015 and 2016), the COBIT 5 processes are evaluated for their applicability of four derived risks through social media use. A total of 17 COBIT processes from the areas EDM (Evaluate, Direct and Monitor), APO (Align, Plan and Organize) and DSS (Deliver, Service and Support) are considered relevant. In contrast to the approaches of ISACA and Lehr & Robrecht, no reference is made to the MEA (Monitor, Evaluate, Access) and BAI (Build, Acquire, Implement) processes. Gerber develops concretizations from the descriptions of the COBIT processes for use in the field of social media.
- These three approaches analyzed differ widely in the procedure they adopt. This is due to the fact that COBIT has a rather general structure and therefore requires adaptation to a given question.
How could ITIL be used for social media audits?
According to ITIL’s understanding of IT, IT is organizationally divided into the areas of IT applications and IT infrastructure, as well as IT service and is oriented towards business goals. ITIL is often used in conjunction with other frameworks such as COBIT. According to the ITIL approach, a study by Aliman is based on five phases (Aliman, 2017): Strategy, Design, Service Transition, Service Operation and Continuous Improvement. The first part of the study included a literature review. Based on this, improvements for social media management are derived. In contrast to the approaches with the COBIT framework shown above, a focus on a view of auditing as a time-related auditing activity is not to be found. The phase-oriented view would be a possible option for carrying out project-accompanying revisions for the implementation of social media use in the company.
What conclusions can we draw from this?
- COBIT and ITIL are possible approaches.
- COBIT offers broad starting points that can be adapted to the social media audit issues.
- ITL can best be used for project-accompanying audits.
- With both approaches, however, a transfer to adapt the frameworks to the specific issues of social media audits is always necessary.
Aliman, M., Bertin, E. & Crespi, N. (2017). ITIL perspective on enterprise social media. International Journal of Information Management, 37(4), 317-326
Gerber, P. (2015). Addressing the incremental risks associated with social media by using the COBIT 5 Control Framework. Master Thesis, Stellenbosch University-ZA
Gerber, P. (2016). Achieving IT Governance of social media at strategic and operational levels. International Business & Economics Research Journal, 15(4), 147-162
ISACA (2011). Social Media - Audit/Assurance Program. Information Systems Audit and Control Association (ISACA) (Eds.), Rolling Meadows, IL (USA). www.isaca.org<http://www.isaca.org/>. Last accessed 28.12.2017
Lehr, C. & Robrecht, A. (2012). Derivation of a Social Media Governance from COBIT, in: IT-Governance, 2012(11), 2-7