Free Excel download β’ Edit online β’ Save & share with Drive β’ Export to PDF
A Social Media Audit is a formal document that records a structured, binding review of a business's social media presence across all active platforms β assessing content performance, audience data, brand consistency, platform policy compliance, and strategic gaps. When conducted as a professional engagement between an auditing party and a client, it functions as a legal agreement that defines the scope of work, governs the handling of confidential analytics data, establishes IP ownership over the findings report, and binds both parties to agreed remediation timelines. Unlike an informal checklist, a signed social media audit creates enforceable obligations and a documented baseline that can be referenced in future disputes, regulatory inquiries, or due diligence processes.
Without a signed audit agreement, both the auditor and the client are exposed on multiple fronts simultaneously. The auditor has no documented cap on liability if a compliance finding is missed and the client's account is subsequently suspended. The client has no enforceable right to a specific deliverable by a specific date, no protection for their confidential audience data, and no clear path to remediation if the findings are disputed. Regulated industries face additional risk: a social media audit that surfaces FTC disclosure violations, GDPR-noncompliant pixels, or unauthorized financial promotions creates potential reporting obligations β and without a signed document, there is no clear record of when findings were communicated and what corrective action was agreed. This template gives agencies, consultants, and in-house teams a ready-to-use framework that protects both sides, creates a defensible audit record, and ensures findings translate into action rather than unresolved liability.
| If your situation is⦠| Use this template |
|---|---|
| Auditing a client's accounts at the start of a paid agency engagement | Social Media Audit (Agency Client) |
| Reviewing brand compliance across accounts before a corporate merger | Social Media Audit (M&A Due Diligence) |
| Checking a single platform such as Instagram or LinkedIn only | Single-Platform Social Media Audit |
| Auditing paid advertising accounts for spend efficiency and policy compliance | Paid Social Media Audit |
| Producing a quarterly performance review for an ongoing retainer client | Social Media Performance Report |
| Establishing baseline metrics as part of a broader digital marketing audit | Digital Marketing Audit |
| Documenting social media policy adherence for HR and employee conduct purposes | Social Media Policy |
Why it matters: Display names can be changed by any account owner at any time. If a handle dispute or impersonation claim arises, an audit referencing display names alone cannot confirm which account was reviewed.
Fix: Record the permanent account URL or unique platform ID for every account in the scope section of the agreement before the audit begins.
Why it matters: Full admin credentials expose the auditor to liability if the account is used improperly during the engagement, and expose the client to risk if the auditor's systems are compromised.
Fix: Specify the minimum permission level required for each platform in the access clause and confirm that level has been granted before beginning data collection.
Why it matters: A findings report without a defined measurement period cannot be used as a baseline for future audits, cannot be fairly compared to competitor benchmarks, and cannot support a regulatory defense if advertising claims are challenged.
Fix: State an explicit start date and end date for data collection in the methodology clause and record the export timestamp for each data set in Schedule A.
Why it matters: When the report identifies a critical compliance violation but neither party has explicit responsibility for fixing it, violations persist β and the client remains exposed to platform suspension or regulatory penalty while both sides wait for the other to act.
Fix: Assign every finding rated Medium or above to a named responsible party β auditor or client β with a specific deadline in the remediation plan before the report is signed off.
Why it matters: A single missed FTC disclosure violation or GDPR-noncompliant pixel can result in enforcement action with fines that far exceed the audit fee. Without a cap, the auditor faces disproportionate financial exposure.
Fix: Include a limitation of liability clause capping total auditor exposure at the fees paid in the preceding three months, with an explicit disclaimer for post-audit platform policy changes.
Why it matters: An unsigned report delivered in good faith can be shared externally, published, or used in ways the auditor did not intend β and the confidentiality, IP, and liability clauses that were meant to protect the auditor never take legal effect.
Fix: Require countersignature on the agreement β and, for higher-stakes engagements, on the report cover page β before releasing any findings, even in draft form.
In plain language: Identifies the auditor (agency or consultant) and the client as legal entities, defines which platforms and accounts are in scope, and records the date the audit engagement begins.
This Social Media Audit Agreement is entered into on [DATE] between [AUDITOR LEGAL NAME], a [STATE/PROVINCE] [ENTITY TYPE] ('Auditor'), and [CLIENT LEGAL NAME], a [STATE/PROVINCE] [ENTITY TYPE] ('Client'). The audit covers the following platforms and accounts: [LIST PLATFORMS AND HANDLES].
Common mistake: Listing platform handles by display name rather than unique account URL or ID. Display names can be changed; account URLs provide a permanent audit trail.
In plain language: Specifies how the auditor will receive and handle login credentials, admin permissions, and read-only access tokens β and what happens to those credentials when the audit concludes.
Client shall provide Auditor with [read-only access / admin access] to each platform listed in Schedule A no later than [DATE]. Auditor shall not post, modify, or delete any content without prior written approval. All credentials shall be revoked or transferred within [5] business days of audit completion.
Common mistake: Granting full admin access when read-only or analyst-level access is sufficient. Excess permissions create liability if the auditor account is compromised during the engagement.
In plain language: Prevents the auditor from disclosing the client's audience data, performance metrics, or strategic findings to third parties β and prevents the client from misrepresenting the audit conclusions externally.
Auditor agrees to hold all Confidential Information β including analytics data, audience demographics, and audit findings β in strict confidence and shall not disclose such information to any third party without Client's prior written consent. 'Confidential Information' excludes information already in the public domain.
Common mistake: Using only a mutual NDA and not including audit-specific confidentiality language in the audit document itself. The NDA may not cover forward-looking strategic recommendations produced during the engagement.
In plain language: Documents the tools, date ranges, and metrics used to collect data β so findings can be reproduced, disputed, or updated with comparable parameters in a future audit.
Auditor shall collect platform data using [TOOLS β e.g., Sprout Social, native analytics, SEMrush] covering the period from [START DATE] to [END DATE]. Metrics analyzed shall include, at minimum: follower count, engagement rate, reach, impressions, posting frequency, and audience demographics for each platform.
Common mistake: Omitting the measurement period from the methodology. A follower count or engagement rate without a defined date range is meaningless for benchmarking or year-over-year comparison.
In plain language: Requires the auditor to flag any content, advertising claims, or account practices that violate platform terms of service, applicable advertising standards, or data privacy regulations.
Auditor shall review all content published during the audit period against each platform's current terms of service and community guidelines, applicable advertising standards (including [FTC/ASA/CAD] requirements), and relevant data privacy laws. Violations shall be documented in Schedule B with a severity rating of [Low / Medium / High / Critical].
Common mistake: Limiting the compliance review to content only and ignoring advertising account settings, pixel configurations, and data collection practices β all of which are subject to platform policy and privacy law enforcement.
In plain language: Defines the format, content, and delivery date of the written audit report β including the specific sections, charts, and benchmarks the client is entitled to receive.
Auditor shall deliver a written Findings Report to Client no later than [DATE], in [PDF / Word / presentation] format. The report shall include: platform inventory, performance benchmarks, content gap analysis, compliance flags, competitive landscape summary, and strategic recommendations as set out in Schedule C.
Common mistake: Not specifying the deliverable format or deadline in the engagement clause. Disputes over what was promised are the most common reason audit engagements end in client dissatisfaction.
In plain language: Allocates responsibility for fixing identified issues β distinguishing what the auditor will fix, what the client must fix, and the timeline for completing remediation before follow-up review.
Auditor shall provide written remediation recommendations for all issues rated Medium or above. Client is responsible for implementing all recommended changes unless Auditor is separately engaged to do so. Client shall complete remediation of Critical findings within [10] business days of report delivery.
Common mistake: Leaving remediation responsibility ambiguous. When neither party has explicit ownership, critical compliance violations can remain unaddressed β creating regulatory or reputational exposure for the client.
In plain language: Clarifies who owns the audit report, the methodology, the underlying data, and any strategic frameworks or templates used β and what rights the client has to reuse or share the deliverable.
Auditor retains ownership of all proprietary methodologies, frameworks, and tools used to conduct the audit. Client is granted a non-exclusive, non-transferable license to use the Findings Report for internal business purposes only. Client shall not resell, sublicense, or publicly publish the Findings Report without Auditor's prior written consent.
Common mistake: Assuming the client automatically owns the full report because they paid for it. Without an IP clause, the default in many jurisdictions is that the creator (auditor) retains copyright in the deliverable.
In plain language: Caps the auditor's financial exposure for errors, omissions, or missed compliance issues β and disclaims liability for platform algorithm changes or policy updates that occur after the audit date.
Auditor's total liability under this Agreement shall not exceed the fees paid by Client in the [3] months preceding the claim. Auditor makes no warranty that the Findings Report is exhaustive of all compliance issues. Platform policies and algorithms change frequently; Auditor is not responsible for changes that occur after the audit date stated in the report.
Common mistake: Omitting a liability cap entirely. Without one, an auditor who misses a critical ad policy violation can face claims disproportionate to the audit fee β especially if the client's account is subsequently suspended.
In plain language: Specifies which jurisdiction's laws govern the agreement and how disagreements over findings, deliverables, or fees are resolved.
This Agreement is governed by the laws of [STATE / PROVINCE / COUNTRY]. Any dispute arising under or relating to this Agreement shall first be submitted to good-faith mediation. If mediation fails within [30] days, disputes shall be resolved by binding arbitration in [CITY] under the rules of [AAA / JAMS / applicable body].
Common mistake: Selecting a governing law that has no connection to where either party operates. Courts in several jurisdictions apply local consumer or service-provider protection laws regardless of the contractual choice.
Enter the full legal names of the auditing party and the client. List every platform and account handle β including inactive accounts β that falls within the audit scope. Use account URLs, not just display names.
π‘ Ask the client to run a search of their business name across all major platforms before the first meeting β dormant accounts are frequently discovered at this stage.
Record the access level granted for each platform, the date access was provided, and the name of the team member who authorized it. Confirm whether admin, analyst, or read-only access was granted.
π‘ Request the minimum access level needed to pull analytics data. Read-only or analyst roles are sufficient for most platforms and reduce your liability exposure significantly.
Set the start and end date for the data collection period. List every third-party tool used alongside native platform analytics. Record the export date for each data set to establish a clear measurement baseline.
π‘ Use a rolling 90-day window as your default period β it captures seasonal variation without being so long that algorithm changes distort comparisons.
Work through the platform terms of service, advertising policies, and applicable regulatory requirements for each account. Rate each identified violation Low, Medium, High, or Critical and attach screenshots as evidence in Schedule B.
π‘ Check for FTC disclosure compliance on sponsored posts and influencer partnerships specifically β this is the most frequently cited violation category in advertising regulator enforcement actions.
Record the key metrics for each platform β follower count, engagement rate, reach, posting frequency, and audience demographics β against any available benchmarks for the client's industry and account size.
π‘ Include a simple comparison to two or three direct competitors' public-facing metrics to give the client context for their relative performance.
For every finding rated Medium or above, assign a responsible party (auditor or client), a corrective action, and a completion deadline. Use Schedule C to tabulate these systematically.
π‘ Separate 'quick wins' (fixable in under one business day) from structural recommendations that require resourcing decisions β clients act faster when the path forward is tiered.
Confirm the IP ownership clause reflects the agreed arrangement β especially if the client expects to publish findings externally or share the report with investors. Set the liability cap at a multiple of the audit fee that reflects the engagement's risk profile.
π‘ If the client is in a regulated industry such as financial services or healthcare, have a lawyer review the compliance section before the report is delivered β findings that surface regulatory violations may trigger disclosure obligations.
Both parties should sign the agreement β and ideally the findings report cover page β before the full report is released. This confirms the client has received, reviewed, and agreed to the terms governing the use of findings.
π‘ Use a timestamped eSign solution so the execution date is unambiguous if findings are later disputed or referenced in a regulatory inquiry.
A social media policy sets the internal rules governing how employees and representatives use social media on behalf of the business β it is a standing governance document, not a time-bound assessment. A social media audit reviews actual platform performance and compliance against those rules at a specific point in time. Most organizations need both: the policy defines the standard; the audit verifies adherence to it.
An analytics report is a recurring performance document that tracks agreed KPIs β follower growth, engagement rate, reach β for accounts already under active management. A social media audit is a comprehensive diagnostic covering all platforms, compliance status, and strategic positioning, typically conducted once or twice per year or at the start of an engagement. The audit produces the baseline that analytics reports are subsequently measured against.
A digital marketing audit covers the full breadth of a business's online presence β website SEO, paid search, email, and social channels together. A social media audit focuses exclusively on social platforms in greater depth: platform-by-platform compliance, account access security, content quality, and audience data. When both are needed, the digital marketing audit is the broader strategic layer; the social media audit provides deeper platform-specific findings.
A marketing plan is a forward-looking strategic document that sets channel priorities, campaign budgets, and audience targets for the period ahead. A social media audit is a backward-looking and present-state diagnostic that identifies gaps, violations, and underperforming assets. The audit findings typically inform and justify the strategic choices made in the subsequent marketing plan.
Agencies use signed audit agreements to formalize scope, protect proprietary methodology, and establish a documented baseline before taking over account management for new clients.
Retailers audit platforms to identify product claim compliance issues, review customer service response practices, and assess whether influencer partnerships carry required FTC disclosures.
FINRA, FCA, and equivalent regulators require financial firms to supervise and archive social media communications β audits document that oversight obligations are being met and flag unregistered investment claims.
FDA and equivalent agency rules restrict off-label product promotion and require fair balance disclosures β social media audits identify non-compliant posts before they attract enforcement attention.
Tech companies audit social channels to confirm GDPR-compliant pixel and tracking tag configurations, review data collection disclosures, and assess organic versus paid reach efficiency.
Law firms, accountancies, and consultancies use audits to verify that published content complies with professional body advertising rules and that no unauthorized testimonials or performance guarantees appear.
FTC Endorsement Guidelines require clear disclosure of material connections on sponsored social content β audit compliance sections should reference 16 CFR Part 255 and check all influencer and paid partnership posts. CCPA applies to California-resident audience data collected through platform pixels, requiring appropriate disclosures. State-level data broker laws in Virginia, Colorado, and Connecticut also affect how audience data gathered during an audit may be retained or processed.
CASL (Canada's Anti-Spam Legislation) governs commercial electronic messages including social media direct messages used for promotional purposes β audit compliance checks should flag DM-based marketing campaigns that lack proper consent records. PIPEDA and provincial privacy laws in Quebec (Law 25) impose obligations on the collection and processing of audience demographic data. Quebec's Law 25 requires explicit consent for cross-border data transfers, which affects third-party audit tool usage.
The ASA (Advertising Standards Authority) and CAP Code require clear labeling of paid partnerships and influencer content β a common finding category in UK social media audits. UK GDPR and the Data Protection Act 2018 govern any audience data processed during the audit, including analytics exports. Post-Brexit, data transfers from the UK to non-adequate third countries require appropriate safeguards, which should be addressed in the audit agreement's data handling clause.
GDPR Articles 13 and 14 require transparency about data collected through social media tracking pixels β audits should assess whether cookie consent mechanisms are correctly configured and whether privacy notices accurately describe social platform data flows. The EU Digital Services Act (DSA) imposes additional obligations on platforms and advertisers regarding targeted advertising transparency; audit findings should flag non-compliant ad targeting practices. Member states vary in enforcement priority, but France (CNIL) and Germany (BfDI) are among the most active regulators of social media data practices.
| Path | Best for | Cost | Time |
|---|---|---|---|
| Use the template | Freelance consultants and small agencies conducting standard domestic social media audits for SMB clients | Free | 30 minutes to complete the agreement; 1β5 days for the full audit |
| Template + legal review | Agency engagements involving regulated industries, cross-border data, or audit fees above $5,000 | $200β$500 for a one-hour legal review | 2β3 days including review turnaround |
| Custom drafted | Enterprise-scale audits, multi-jurisdiction GDPR data handling, or engagements where findings will be used in regulatory filings or M&A due diligence | $1,000β$3,500+ | 1β2 weeks |
This document is one of 3,000+ business & legal templates included in Business in a Box.
Access over 3,000+ business and legal templates for any business task, project or initiative.
Customize your ready-made business document template and save it in the cloud.
Share your files and folders with your team. Create a space of seamless collaboration.
"Fantastic value! I'm not sure how I'd do without it. It's worth its weight in gold and paid back for itself many times."
"I have been using Business in a Box for years. It has been the most useful source of templates I have encountered. I recommend it to anyone."
"It has been a life saver so many times I have lost count. Business in a Box has saved me so much time and as you know, time is money."
Stop downloading documents. Start operating with clarity. Business in a Box gives you the Business Operating System used by over 250,000 companies worldwide to structure, run, and grow their business.
Start freeΒ Β·Β No credit card required
