Back to the Basics Part II
Last month we briefly introduced the five basic steps of managing risks. Internal Auditing, with the Office of Risk Management, has worked through this process numerous times serving as facilitators to help departments evaluate their risks in a systematic way using these basic steps. An external facilitator can be helpful; however, you can, and in our view should, evaluate your processes in this way on your own on a regular basis. This month we describe the five steps and suggest how you can use them to proactively manage your risks.
Step 1 – The Mission: Review your unit’s written mission and ensure it accurately reflects what your unit is seeking to do. Generally, most academic departments’ missions pertain to teaching, research and outreach.
Step 2 – The Activities: List the specific activities you do to achieve this mission. You will likely have numerous and wide ranging activities. Classify these activities into the most logical categories for your unit. For example, you might have Human Resources, Information Technology, Student Services, Event Management, Compliance, or others.
Step 3 - The Risks: Now, brainstorm to identify specific risks which may be associated with each category. We have found that facilitated groups work very well with Steps 2 and 3 to obtain a wide range of input and to ensure all major concerns are included.
Step 4 – The Assessment: Using the list of risks developed in Step 3, evaluate each risk to determine its relevance and significance. Evaluating risks on the bases of Impact (the size of the problem if the event occurred) and Probability (the likelihood of the event occurring) generally assists in determining the significance of an event. This step is subjective, but the real value comes from the conversations with your leadership team in identifying risks which need proactive management.
Step 5 – The Plan: The final step in the process is to develop a plan to proactively manage each risk identified as a major concern. The plan should indicate a person to be responsible for leading the management plan and should identify target dates for required actions and periodic reporting update requirements. This step is critical to successful proactive risk management.
These five steps are the basic process for identifying and managing risks. It is imperative to keep the process simple as the issues can be quite complex. Even if you choose not to use a formal systematic process as described, you can review the current events presented below and consider ways you can proactively prevent problems within your sphere of influence here at Auburn University.
M. Kevin Robinson, CIA, CFE, CCEP
Executive Director, Internal Auditing
Information Security Related Events
Jan. 25, 2010: According to a Jan. 13 North Carolina State University Security and Compliance report by the Office of Information Technology, a record number of Digital Millennium Copyright Act notifications have been received by the University due to illegal file-sharing activities using the Nomad Wireless network. (link)
Jan. 4, 2010: Eastern Washington University has notified present and former students of a massive data breach of its systems that could affect up to 130 000 people. The breach occurred after administrators audited the University's network, according to a breach notification sent out to students. The intruder installed file sharing software on network machines that could have enabled the sensitive information to be filched from the network. Data involved in the breach, which dates back to 1987, includes names, social security numbers and dates of birth. (link)
Dec. 30, 2010: Three Penn State University computer breaches described by an official as apparently unrelated have prompted the school to begin notifying nearly 30,000 individuals that their Social Security numbers may have been compromised. (link)
Jan. 23, 2010: A professor at the University of Maryland, College Park is facing conflict-of- interest questions after he used university letterhead to deliver a legal opinion in his role as a consultant to a labor union. (link)
Jan. 12, 2010: The Board of Regents will pay a $500,000 settlement in light of allegations that Fort Valley State University falsely certified compliance with a grant.
According to a news release from G.F. “Pete” Peterman III, acting United States Attorney for the Middle District of Georgia, university administrators signed a certificate of compliance with the terms of a $2.5 million cooperative agreement while not fully adhering to its terms, a violation of the False Claims Act. (link)
Jan. 11, 2010: With competition still fierce in the jobs market, some people might be tempted to beef up their resume by buying a fake degree. The problem of fake degrees is nothing new, but the Internet has made it easier than ever to obtain a bogus qualification. (link)
Jan. 7, 2010: Wesleyan University, has sued its former chief investment officer Thomas Kannam for fraud and breach of contract, charging he was working for outside companies while on the job. (link)
Jan. 5, 2010: The University of Colorado has hired an outside company to audit the benefits plans of its employees, and look for dependents who aren't actually eligible for perks like health and dental insurance. The benefits census will take about five months, and the university expects it to result in $2 million to $4 million in savings for the school every year, said Jill Pollock, chief human resources officer for the CU system. (link)
Jan. 5, 2010: A judge has sentenced a former Iowa State University official to two years probation for stealing more than $10,000 from the school. (link)
Jan. 4, 2010: Former University of Louisville education dean Robert Felner will plead guilty Friday in a case in which he and a colleague are accused of defrauding U of L and another university out of $2.3 million, his attorney said. (link)
Dec. 21, 2009: Charges are swirling over Stevens Institute of Technology in Hoboken, N.J. The state attorney general has sued the institute and its president, Harold J. Raveché, accusing him of plundering the endowment and receiving $1.8 million in illegal low-interest loans for vacation homes, with half of them later forgiven. (link)
Compliance/Regulatory Failure Events
Jan. 12, 2010: Key parts of a $10 million lawsuit filed by the families of two students slain in the mass shootings at Virginia Tech can go forward, a judge in Virginia ruled Tuesday. (link)
Jan. 11, 2010: In October 2008, the IRS sent questionnaires to 400 colleges and universities asking how they manage taxable operations as well as how they ''invest and use endowment funds,'' according to a description of the so-called compliance project on the federal agency’s Web site. The IRS is probing whether the institutions' tax-exempt status should apply to income from activities not related to their educational mission. (link)
Jan. 11, 2010: A former Cornell University employee threatened to reveal unfair admissions practices in an attempt to settle a personal lawsuit regarding overtime, Cornell officials allege. (link)
Jan. 9, 2010: Towson University has cost itself tuition money by not taking adequate steps to verify the residency of in-state students, according to a recently released state audit. (link)
Jan 6, 2010: A University of Georgia fraternity chapter won't be pledging any new members, at least for the present. According to a letter e-mailed to members of Alpha Phi Alpha on the heels of an alleged hazing incident at Fort Valley State University, the century-old fraternity won't be taking in any new members anywhere in the country for the time being. (link)
Dec. 30, 2009: Oakland University will appeal a judge's ruling that said the university violated a federal law by refusing to allow a non-degree seeking disabled student to live in a campus dorm and now must make a room available for him. (link)
Other News & Events
Jan. 26, 2010: A University of Minnesota freshman was shot for no apparent reason in what police describe as a crime spree that targeted students Monday night. (link)
Jan. 25, 2010: Freshman Alex Bullington has gotten into the swing of college life.
Studying. Eating fast food. Hanging out at the student union. Never having enough money. But it's the cost of textbooks that throws the 19-year-old biology major from Grand Island, Neb., for a loop. (link)
Jan. 20, 2010: Veterans Affairs Department officials appear to have a good jump on processing spring semester claims for Post-9/11 GI Bill benefits, and they hope that hiring more people, getting help from an outside contractor and convincing schools to submit enrollment information faster will avoid delays that plagued the program in the fall.(link)
Jan. 19, 2010: A Houston County grand jury recently returned an indictment against a Troy University criminal justice professor, charging him with sex abuse of a 21-year-old female student. (link)
Jan. 15, 2010: A University of South Florida freshman awoke Wednesday as a man raped her in her dorm room. The crime shocked other students. It also spurred the university to talk to students in every dorm Thursday about acquaintance rape and date rape. (link)
Jan. 6, 2010: Another suspicious envelope, the fifth in three days, has been found on the University of California, Irvine campus today, according to KCAL-TV. Four envelopes, all postmarked from Idaho, carrying a white powder and with the message "black death" written on it, were found on Monday and Tuesday and were all addressed to women. (link)
Jan. 5, 2010: The Massachusetts College of Pharmacy and Health Services has issued a ban on clothing that covers the faces of students. The college said all students should be identifiable for safety reasons, and the policy is not aimed at any group or individual. The ban, which includes veils and burqas, comes just a few months after the arrest of Tarek Mehanna, a Muslim student who graduated from the college in 2008. (link)
Dec. 30, 2009: North Dakota State University’s interim president pledged Monday to find out what caused a partial collapse of Minard Hall, as the university filed a $500,000 notice with the state insurance fund. Dick Hanson, who convened an emergency response team, said the safety of faculty, staff and students is paramount, and no one will be allowed into Minard Hall until structural engineers and other professionals deem it safe. (link)
If you have any suggestions, questions or feedback, please e-mail me at email@example.com. We hope you find this information useful and would appreciate hearing your thoughts. Feel free to foward this email to your direct reports, colleagues, employees or others who might find it of value. Back issues of this newsletter are available on our web site at http://www.auburn.edu/audit.
If you have any suggestions for items to include in future newsletters, please e-mail Robert Gottesman at firstname.lastname@example.org.