In December, we brought you 5 Critical Social Media Tips for Auditors in which we outlined how you can use social media to expose security gaps. So let’s take it from a different angle: how about auditing social media itself.

How effective is your social media presence and how do you audit it? This article should get you started on auditing social media within a larger audit (or on its own).

Simply put, a social media audit reviews what’s working, what’s not working, and what can be improved across your social media channels. Auditing social media helps the company capture what consumers say about a brand, what competitors are doing, and how the brand itself is performing.

Within a communications group, chances are that someone is performing a level of auditing of weekly or monthly online analytics already. But it doesn’t hurt to talk to these people and fill in any gaps you discover. Analyze how your social media measures up next to company policy, branding, and the overall risk framework. You might even consider the role social media plays within a larger, more integrated audit.

But auditing social media is going to be, dare I say, a little bit fun. Let’s get started.

Define your objective

For the larger audit, you always define an objective and the scope for the audit. It’s also important to define social media objectives. What does the company hope to achieve by gaining a presence on a specific platform? Does the company hope to expand its demographics? Does the company want to drive more traffic to the website? Does the company want to exchange ideas?

We own a publishing company, JD Publishing, where we publish several magazines, one of which is Tahoe Quarterly. One of our main objectives for Instagram is to attract tourism into Lake Tahoe. We post beautiful pictures relating to the Tahoe lifestyle, from great architecture and design to the best outdoor activities land or lake can offer.

A company needs to have specific and quantifiable goals for specific social media sites. This way, you can benchmark the progress the company makes on each platform and determine if the objectives are being met.

Plan Your Audit

The first time you’re doing a social media audit, do some research. If you’re a member of ISACA, you can download a planning template. There are also several great strategies and templates that you can download for free on the Internet. Just do a search for social media audit template. It’s a candy store out there. We’ve even attached a template here to get you started.

First, figure out where the company is online. Talk to the marketing and social communications departments. Make a list of all the social media platforms the company currently uses and have used in the past. Below are a few examples of lists you can make:

Screen Shot 2018-01-16 at 9.30.54 PM

This table will vary between companies and platforms. Another table you can make is from the perspective of a journalist answering the 5 W’s of each social media platform (who, where, what, when, and why). 

Screen Shot 2018-01-16 at 9.32.52 PM

With these and similar tables, you can analyze whether you have a presence on each site. Including the objective for each site will help you analyze each platform’s performance against the objective and whether the objective needs some updating as the company has changed.

Also look for obscure sites that may have been set up years ago and flopped (MySpace anyone?). Or a YouTube channel set up by a well-meaning project that didn’t fly. Or a rogue site set up by a scammer. You want to see where your brand is everywhere online and then narrow down the social platforms where you want to focus your audit (e.g., if you get the most out of Facebook and Instagram, but little out of Twitter, note the discrepancy and focus on Facebook and Instagram – or focus on why Twitter isn’t performing).

Use Analytics

Analytics help quantify the company’s performance on each site. Such analysis provides a wide variety of information, including browser types, geographic locations, demographics, popular pages or article shares, time on site, and more.

Part of your research is leveraging the tools that already exist to your company’s benefit. Talk to your IT operations department and see what tools they have available. Tools like Visio analytics or Google analytics allow you to do comparisons month-to-month and year-to-year and look at who is actually using the websites and which parts of the website are top-performers.

The other part of the research is applying free tools (although with many of these, you’ll have to upgrade to get the most out of the tool). Once again, a marketing or communications manager might have these tools already on hand. Some popular third-party tools include:

  • Hootsuite
  • Tweetdeck
  • Agorapulse
  • Buffer

As you gather information and do your research, stay focused on some main questions such as,

  • What are the objectives of the media program?
  • What is the marketing communications department trying to achieve?
  • How do they measure whether they are actually achieving these objectives?

{tweetme}The first time you’re doing a social media audit, make sure to do some research. #audit{/tweetme}

Analyze Risk and Branding

Has social media been part of the organization risk assessment? If so, then part of the social media audit should be included in the risk assessment.

Even if you have the memory of an elephant, you’re going to need to put your findings on a spreadsheet. This website has a free spreadsheet you can download to get you started. Companies go across too many platforms to remember who’s on what base and which platforms perform at what rate. When it comes to analyzing risk, you’re looking at what marketing and communications are doing for social media protection.

You’ve already listed which websites are being used, so now dive a little deeper. Ask questions:


  • Who on staff has access to each site?
  • What is the emergency posting process? Who can post something quickly?
  • How does the team manage the user IDs and passwords?
  • How does the team control posts and what is the review process? (i.e., Solely-owned companies can do whatever they want, but if there is a board, then a review process would be more appropriate)
  • Is there a way to quickly remove posts that shouldn’t have gone up?


  • Are you looking for brand infringement? Is someone using your company name on social media?

Customer PR

  • What does the company post? What do others post about the company?
  • When a customer comments, does someone respond promptly and politely?


  • What do your competitors do? Where do they have success (Twitter, Instagram, etc.)?
  • Is the company on the right social media platforms? Is there anything new out there the company isn’t using but is worth establishing a presence on (chances to be early adopters)?

Link and old platform analysis

  • Which sites work and which ones don’t? Should any be shut down?
  • When you post to Instagram, does it also cross-post to Facebook and Twitter? When you tweet, does it also post to Facebook? Is this appropriate?
  • Check the links themselves. Sometimes links from various sites will link up to an old site or an old project. It’s easy to overlook but should be checked.
  • Are old links working to old pages? Are old updates up that should be taken down?

Social media expert Kate Mullin points out that, “One of the things that people forget about all the time is old posts. Are you still making sure that the links are working on these old web pages? Are you making sure that the postings on your websites are following privacy and security statements set forth by the company?”

Remember the Dark Side of Media

There is a dark side to social media. One of the dark sides is that people can post some pretty awful things. What is your policy for removing terrible posts? And what do you do if any of those posts are threatening to your company or employees?

For example, Twitter will block people from making threatening posts. One role of audit might be to consider the rules if interactive posting is allowed. Mullin emphasizes that social media protocol should be written in a company-wide social media policy.

“You should have something in your social media policy that says what posts can be removed. There are cases of people actually getting death threats (such as the Vanderbilt surgeon receiving death threats from his social media post). What happens when you receive those death threats to an employee?”

It’s a two-edged sword. You want press about your company, but you want it to be positive. You need to have someone who monitors major platforms and responds quickly (and respectfully, such as, Sorry this didn’t meet expectations, let’s do this...) to fix problems.

Final notes on social media policies

Although audit isn’t responsible for writing social media policies, it’s helpful to provide your audit client with direction. A simple search for social media policies will provide examples. According to Mullin, just make sure that people are responsible for what they’re writing, respecting copyrights, and protecting confidential and proprietary data.        


For everything you do in life, there are risks. A car is dangerous, so you wear a seatbelt. For a company (and us personally), social media can be dangerous too. So you audit your platforms often and enforce your social media policies. In the end, just like accepting the risk of driving a car, you also accept a certain level of risk for company success on social media.