I'm doing one right now. Well, I'm doing a marketing audit, and a good chunk of it is social media. For that portion, generally...
- Review our social media presence. Both what they identify, and by doing a Google search in an attempt to test for completeness.
- Review a sample of posts to ensure compliance with policies/procedures (and regs if your audit includes that portion)
- Review policies/procedures (including how to respond to customers on social media, i.e. complying with complaint policy and mitigating reputation risk).
- Interview a sample of employees to determine if they understand what's expected of them (i.e. to not respond on behalf of the bank, who to notify, whether they can mention the bank on their personal social media, etc).
- Evaluate logical security controls (Who has access to social media? How frequently is the password changed?)
- Ensure the marketing department is monitoring the bank's name and names of key personnel for reputation risk (or any items which may require complaint response)
- Incident Response (ensure it addresses social media takeover)
I'd be interested in other people's input as well.