Having trouble viewing this email? View it in your browser.

Internal Auditing

Case in Point:
Lessons for the pro-active manager

December 2010
Vol. 2 No. 12

Quotable...
''Each time history repeats itself, the price goes up. ''

-- Unknown

2010 Year in Review

This month we take a look back at the events of the past twelve months and consider the themes and frequent occurrences of risk management failures across our industry.

Information Security Related Events

A staggering 75% of the stories noted in the information technology area for the past year involved data loss or breach. As an industry we continue to fall short with respect to protecting confidential data. Frequently, the loss of protected data came from the theft of a laptop or jump drive that contained the sensitive data. Be very careful about the type of data you put on these devices to limit your exposure in this area. In most cases, encryption would be a wise way to manage this risk if data must be placed outside the central depository.

Pay special attention to the story at Ohio State University (OSU) in this month's newsletter where a ''hack'' of their system will cost OSU $4 million dollars. In the time of declining resources this is probably not a way any institution would choose to spend their funds.

Misappropriation/Fraud/Ethics Related Events

Fifty-two percent of the events in this category were dealing with fraud or theft. The best protection against problems associated with these risks is strong internal controls. Remember that one person should not have complete control of a process whether its collections, purchasing cards, expense transactions or anything else. Oversight and monitoring are crucial components of a strong control environment.

A full 25% of these events involved questionable spending. While these items may not reach the level of fraud per the legal definition, it is important to remember that public scrutiny is at an all-time high. When deciding whether to enter into some transaction, remember the ''newspaper test'' and how such an item would appear if written about by a reporter.

Compliance and Regulatory Events

Surprisingly, the largest category noted in this area involved admissions and residency related items. Based on the national discussion involving immigration, there have been numerous stories regarding students in the country illegally and what they pay in tuition. Perhaps the best advice is to evaluate in advance how to handle questions should they arise on this topic. Consistency is also a must regarding how we charge our students in like circumstances.

Other Events

We continue to see a large number of stories dealing with safety on campus. Considering where your safety risks are and what actions you are taking to limit these risks is a good idea based on the visibility of this topic.

As you scan the stories below, we again suggest you consider any similar risks you have and think of ways you can proactively manage the risks here at Auburn University.

M. Kevin Robinson, CIA, CFE, CCEP
Executive Director, Internal Auditing


Information Security Related Events

Dec. 16, 2010: After almost months of investigations, Ohio State University revealed that it is notifying about 760,000 students, professors, and other employees that their names and Social Security numbers may have been stolen. The university will spend $4 million to pay for the investigation and credit-protection services for those who have been affected by the attack, which is one of the largest to hit a university. (link)

December 9, 2010: A hacker exposed the Social Security numbers and names of 60,000 University of Wisconsin students earlier this fall, University of Wisconsin officials announced Thursday night. (link)

Dec. 2, 2010: The study painted a grim picture about lost and stolen laptops. It found that laptops have a 5% to 10% chance of being lost or stolen over three years. Only 5% of lost laptops are ever recovered. Results show the rate of laptop loss is related to industry classification. Clearly, educational institutions have the highest loss ratios, while financial service companies have the lowest loss ratios (link) (link)

Dec. 2, 2010: A missing hard drive prompted University of Arizona officials to notify 8,300 former students that their identities could be at risk. (link)


Misappropriation/Fraud/Ethics Events

Dec. 16, 2010: Adam Wheeler, the former Harvard student accused of conning his way into one of the nation’s most prestigious universities by fabricating a stellar academic record, pleaded guilty this afternoon in Middlesex Superior Court to larceny, identity fraud, and other charges. (link)

Dec. 16, 2010: The former coach of North Carolina State University's dance team pleaded guilty Thursday to embezzling from the team. (link)

Dec. 15, 2010: The United States Attorney’s Office announced Wednesday that Michelle Owens allegedly submitted fraudulent Webster University applications and fraudulent Department of Education financial aid applications in the names of twenty-three different Leath Correctional Institution inmates seeking admission and student loans in the approximate amount of $467,500. (link)

Dec. 15, 2010: Forty-three people will travel to the Rose Bowl as part of the UW-Madison official party, including Chancellor Biddy Martin, Gov. Jim Doyle, and members of the UW Board of Regents. It's a smaller group than 11 years ago, the last time the Badgers went to the Rose Bowl. (link)

Dec. 14, 2010: A former Mississippi State University employee has pleaded guilty to embezzling nearly $35,000 from the state. Stacie Stroud, a former employee of MSU's research facility at the Stennis Space Center in Hancock County, received four years of supervised probation. Stroud, 33, who was employed with Mississippi State from September 2007 to February 2009, had used her state-issued procurement credit card for personal expenses including her neighborhood homeowner’s dues, a birthday party and a payment on her student account at MSU, as well as purchases through Amazon.com, Office Depot and the campus bookstore. (link)

Dec. 9, 2010: A former employee of the University of California, Davis who was accused of misusing public funds was arrested Thursday after a long investigation. (link)

Dec. 6, 2010: A Brandon woman is accused of stealing from the University of Vermont. UVM Police believe 34-year-old Olivia Chicoine misused her university-issued credit card, racking up between 17 and 22-thousand dollars worth of merchandise over a 10-year period. (link)

Nov. 30, 2010: Two Duke University employees have been arrested and charged with stealing thousands of dollars from the University. John Cotton, 49, allegedly embezzled $267,000 and stole more than $58,000 worth of goods and services for personal use. Cotton has been charged with embezzlement and obtaining property under false pretenses. Dr. Eric DeMaria, 51, was arrested Tuesday morning and charged with embezzlement of more than $100,000. (link)

Nov. 20, 2010: The former office manager of the University of Idaho Extension Office has been charged with grand theft for allegedly embezzling public funds. The felony charge against Kristan Char Peacock was filed in the magistrate division of 1st District Court on Nov. 2, nearly 10 months after the embezzlement allegations surfaced. (link)


Compliance/Regulatory Events

Dec. 13, 2010: A Sacramento federal judge has ruled that a jury must decide whether four top officials at the University of California, Davis - including the former chancellor and current athletic director - were "deliberately indifferent" to women's "constitutional right to equal treatment in athletics." (link)

Dec. 10, 2010: Eastern Michigan University has agreed to work with federal officials to improve responses to sexual assault, four years after campus officials covered up after the rape and killing of a coed in her dorm room. (link)

Dec. 9, 2010: U.S. education officials are standing by their finding that Virginia Tech broke federal law when it waited two hours to notify the campus that a gunman was on the loose at the outset of a 2007 shooting rampage, and then sent out an e-mailed warning that came too late for 30 students and faculty who'd gone to class only to be killed. (link)

Dec. 8, 2010: A mentally ill man's knife attack last year on a fellow UCLA student in a campus chemistry lab is at the center of a legal dispute over a university's responsibility to protect its students from such violence. (link)

Dec. 8, 2010: A teacher at a Georgia university has been arrested after allegedly stripping off all his clothes and standing naked in front of the accounting class he was lecturing. (link)

Dec. 7, 2010: Five Columbia University students — including a member of the student council — were arrested on campus early on Tuesday and charged with running a ring that sold drugs to students at fraternity houses and in residence halls, the police said. (link)

Dec. 1, 2010: A Turkish advocacy group has sued the University of Minnesota, claiming one department "blacklisted" its Internet site because of the group's pro-Turkish viewpoint on the killings of Armenians in the Ottoman Empire 95 years ago. (link)

Nov. 30, 2010: A chemical explosion in a beaker at the University of Colorado's Engineering Center injured the 28-year-old doctoral student who conducted the experiment and led to the evacuation of the south wing of the building Tuesday afternoon. The student was mixing chemicals in a room in the chemical engineering wing. (link)


Other News & Events

Dec. 14, 2010: A Harvard University dean says damage to three dozen books on gay and lesbian issues that appeared to have been doused in urine in a campus library was simply an accident. (link)

Dec. 7, 2010: Under pressure to cut costs, state universities and lawmakers across the nation are going after one of the oldest traditions in the academic world: the professor’s cherished sabbatical. (link)

Dec. 7, 2010: Harvard University, which has come under fire in recent years for the shortcomings of its financial oversight, announced yesterday that it plans to expand the size of its governing board for the first time since 1650.(link)


If you have any suggestions, questions or feedback, please e-mail me at robinmk@auburn.edu. We hope you find this information useful and would appreciate hearing your thoughts. Feel free to forward this email to your direct reports, colleagues, employees or others who might find it of value. Back issues of this newsletter are available on our web site at http://www.auburn.edu/audit.

If you have any suggestions for items to include in future newsletters, please e-mail Robert Gottesman at gotterw@auburn.edu.

Back to top

Department of Internal Auditing
Auburn University
304 Samford Hall
M. Kevin Robinson, Exec. Director
robinmk@auburn.edu
334.844.4389

© Redistribution of this newsletter, with or without modification, is permitted provided Auburn University Internal Auditing is listed as the source.