Having trouble viewing this email? View it in your browser.

Internal Auditing

Case in Point:
Lessons for the pro-active manager

January 2011
Vol. 3 No. 1
Quotable...
''Communication is the real work of leadership.''

-- Nitin Nohria*

Policies and procedures, the mere mention of them brings excitement and energy to most people. Well, maybe not, but there are some very good reasons for having policies and procedures which help us manage not only operations but ultimately our risks.

As to definition, a policy usually refers to our intent on a somewhat general level (e.g., ''a money back guarantee if not completely satisfied''). A procedure tells us more specifically how we carry out a policy (e.g., to process a refund to an unsatisfied customer do steps x-y-z). This month we share a few thoughts on the topic of policies and procedures.

Two Reasons for Policies and Procedures

  1. To ensure consistency in operations across our organization. This is important due to our decentralized structure and is also important for each unit as personnel changes over time.
  2. To help ensure compliance with regulatory issues. Compliance can be difficult in higher education due to our structure. Every dollar we lose to compliance failures and their remediation are dollars lost to our primary mission.

Three Ways to Have Poor Policies and Procedures

  1. Don't follow policies and procedures consistently. Enforce them in some areas but not others. By doing this you send a message that they are only sometimes important.
  2. Don't communicate policies and procedures well. Make them hard to find, do not provide training, and write them in a language your personnel cannot easily understand.
  3. Don't keep policies and procedures updated. One good way to ensure this is to only update by memo, but don't send the memo to everyone.

Four Ways You Can Help With Policies and Procedures

  1. Make sure you know policies and procedures. If you don't know or can't find them ask questions.
  2. Set a tone for your area of responsibility by following policies and procedures yourself consistently. What you say does matter, but what you do matters more and your employees are watching you.
  3. If you are aware of an area where an institutional policy or procedure is needed, let someone know. Particularly our policy coordinator who works out of the Office of the General Counsel.
  4. Think about any specific operations you have, where departmental policies may be needed. Some areas have unique operations that need their own specific policies and procedures that are not institution wide.

As you scan the events across our industry this month, we again suggest you think about whether you have some of these same risks and how you are managing them here. As always, we welcome your comments.

M. Kevin Robinson, CIA, CFE, CCEP
Executive Director, Internal Auditing


Information Security Related Events

Jan 24, 2011: Hundreds of participants of University of Missouri’s health insurance program are being told to be on the look-out for insurance fraud after several hundred insurance communications were mailed to the wrong person. (link)

Jan 24, 2011: The personal information of as many as 1,300 current and former students at the Wentworth Institute of Technology was inadvertently put online. (link)

Jan 19, 2011: Warner Pacific College reported a laptop containing the names, addresses, dates of birth, telephone numbers and Social Security Numbers of 1,536 students stolen from an employee's home. (pdf)

Jan 12, 2011: The University of Hawaii says it needs $1.9 million to tighten its Web security and lessen the chance of future data breaches of individual privacy. In addition, the 10-campus system would need about $764,000 a year to maintain and operate the upgraded system, said David Lassner, the university's vice president for information technology. (link)

Jan 11, 2011: The UConn Co-op was informed by its vendor that there has been a data security incident involving the customer database for the UConn Co-op’s website HuskyDirect.com that may have exposed the billing information of HuskyDirect customers. This information includes name, address, e-mail, telephone number, and credit card number, expiration date, and security code. (link)

Jan 10, 2011: A data breach last summer of computers at the University of Maine’s counseling center caused the University of Maine System to take steps quickly to ensure that personal information stored on computers at all seven campuses and the system office is secure, the board of trustees was told Monday. Costs for the increased data security were estimated to be more than $860,000 a year over the next three years, according to a draft of the system’s Strategic Information Security Plan. (link)

Jan 7, 2011: A Tulane University-owned laptop was stolen last year that had a file containing private information of each person employed at the university in the past year, according to school officials. The computer had W-2 information, names, Social Security numbers, address and salary for every employee, including student and part-time employees and anyone who will receive a 2010 W-2. (link) (pdf)

Jan 3, 2011: A U.S. Department of Homeland Security investigation dubbed "Operation eMule" has led federal agents to a pair of 22-year-old foreign-exchange students in Winona who are suspected to be part of a sophisticated cyber crime ring based in Vietnam that has been misusing the identities of countless Americans to bilk online retailers out of millions of dollars. (link)

Dec. 31, 2010: Several hundred Armstrong Atlantic State University alumni's Social Security numbers have been compromised following the theft of a hard drive from the school's campus in early October. (link)

Dec. 24, 2010: Saint Louis University faculty, students and staff have been notified about a computer breach of the university's network. A security team had determined that a database containing some personal information of employees, including Social Security Numbers, was accessed illegally. (link)

Dec. 19, 2010: The students in University of Colorado associate professor Lee Chambers' women's history course will receive final grades in the class, despite having been told they would only get incomplete marks after a teaching assistant's computer -- which contained the students' grades -- crashed last week. (link)

Dec. 18, 2010: A file containing 61,001 names and IDs of Stony Brook University students and faculty, was leaked on the Internet on Dec. 14. A 21-year-old Information Systems Engineer undergraduate student, created the file last May. He found an exploit within a system, which allowed him to change students' passwords without knowledge of the original passwords. (link)


Misappropriation/Fraud/Ethics Events

Jan 27, 2011: Federal prosecutors portrayed an elaborate scheme to steal more than $2 million in athletics tickets at the University of Kansas as more former employees (including the Director of Ticket Operations) plead guilty to conspiracy for their role in a scandal that has embarrassed the school. (link)

Jan 12, 2011: A Southern California college program director has been charged with using a bogus bank account to steal $500,000 from students. (link)

Jan 4, 2011: Ethics charges have been dismissed against a former Bishop State Community College women’s basketball coach who was one of 28 people arrested in 2007 in a financial aid scam at the school. Turner and his wife, Yolanda Denise Smoots Johnson Turner, both still face two counts of first-degree theft of property by deception. (link)

Dec. 28, 2010: It turns out that fooling the gatekeepers of the nation's most selective university wasn’t as hard as it looks. A close examination of Wheeler’s application materials, obtained by the Globe, reveals neither a meticulous feat of deceit nor a particularly elaborate charade. At times, he was just plain careless. (link)

Dec. 22, 2010: The former dean of the University of Maryland School of Law has agreed to return more than $300,000 of a $350,000 bonus questioned in a state legislative audit earlier this year, the attorney general's office announced Wednesday. (link)

Dec. 22, 2010: A former UMBC employee pleaded guilty to stealing $9,800 from the university so he could decorate his Catonsville home with oriental rugs, the attorney general's office announced Tuesday. (link)


Compliance/Regulatory Events

Jan 27, 2011: The family of a Utah State University freshman who died of alcohol poisoning in a 2008 hazing incident has agreed to dismiss their lawsuit against the Logan school after USU officials signaled they will “fine-tune” measures related to alcohol awareness and hazing. (link)

Jan. 24, 2011: A University of Missouri student came up with an idea in class one day that spawned an iPhone application that has had more than 250,000 downloads since its release in March 2009. The invention also raised a perplexing question when university lawyers abruptly demanded a 25 percent ownership stake and two-thirds of any profits. Who owns the patents and copyrights when a student creates something of value on campus, without a professor's help? (link)

Jan 22, 2011: Alabama A&M University has about three weeks to respond to a wide-ranging inquiry, as its regional accrediting organization probes matters regarding the A&M Research Institute and university finances. (link)

Jan 20, 2011: A judge decided Thursday that a lawsuit filed against Texas Christian University by a woman who says she was gang-raped on campus can go to trial. (link)

Jan. 20, 2011: The University of Iowa has revamped its policies for handling sexual misconduct cases involving students and sexual harassment complaints by staff after two investigations of the U of I's handling of allegations from a Oct. 14, 2007 incident identified policies as confusing and inadequate. (link)

Jan 18, 2011: The University of Texas’ consideration of race and ethnicity in undergraduate admissions passes legal muster, a federal appeals court ruled today. (link)

Jan 18, 2011: An astronomy professor who sued the University of Kentucky after claiming he lost out on a top job because of his Christian beliefs reached a settlement Tuesday with the school. (link)

Jan 14, 2011: Relatives of two teachers shot and killed during a faculty meeting last year at the University of Alabama in Huntsville filed lawsuits Friday claiming school administrators' failure to follow safety rules contributed to the mass slaying. (link)

Jan 13, 2011: In 2008, Sophia Chinemerem Eze went to the security staff at Brooklyn College, saying she had experienced problems with her off-campus roommates and suspected that her landlord had planted a video camera in her bedroom. She wound up on a psychiatric ward at Kings County Hospital Center, and in a lawsuit filed last week, Ms. Eze says the college played a role in hospitalizing her without cause. (link)

Jan 13, 2011: Oklahoma's chancellor of higher education vows to continue opposing any proposal to allow students to carry concealed weapons on campus. (link)

Jan 13, 2011: The University of Utah’s president asked school trustees Tuesday to help thwart possible legislation allowing the open display of firearms on campus, a move that could reopen a contentious debate between educators and lawmakers over gun policies. (link)

Jan 12, 2011: Virginia legislators once again will consider whether to bar illegal immigrants from enrolling in the state's public colleges and universities. (link)

Jan 12, 2011: A former assistant professor at the University of South Alabama is suing the school, claiming he was denied tenure and terminated based on his race. (link)

Jan 7, 2011: New Jersey Institute of Technology suspended a former top dean without pay last semester after a campus investigation concluded he changed a student’s grade, got a friend a job as a professor and misused campus funds. Now, former School of Management Dean David Hawk is taking the public university to court, alleging NJIT officials damaged his "reputation, good name and honor" with a secretive investigation that never gave the veteran professor a chance to defend himself. (link)

Jan 6, 2011: A former Drew University college freshman has pleaded guilty to taking valuable historic documents from the United Methodist Archives Center at the university. (link)

Jan 5, 2011: More than 40 other universities and the American Council on Education have submitted an amicus brief to the U.S. Supreme Court in support of Stanford in the case, which could have ramifications for universities that own patents resulting from federally funded research. (link)

Jan 5, 2011: A federal appeals court has upheld the conviction of a retired University of Tennessee professor for passing military secrets. (link)

Jan 4, 2011: An Iraq war veteran who was barred from the Community College of Baltimore County after publishing a provocative essay on killing says he no longer wants to return to the Catonsville campus and is contemplating legal action. (link)

Jan 3, 2011: A lawyer for the family of Jafar Karzoun, the University of Connecticut student who was assaulted during Spring Weekend last year and died days later of his injuries, has notified the university of the family's intent to sue for failure to protect him. (link)

Dec. 23, 2010: The parents of the Rutgers University student who killed himself after two fellow students allegedly used a Web cam to spy on him during a tryst with another man intend to sue the school. (link)

Dec. 22, 2010: A man charged in one incident in a rash of anti-Semitic vandalism on and around the Indiana University campus was fired from his job at the university on Tuesday. (link)

Dec. 21, 2010: An astronomer alleges he was denied a job at the University of Kentucky because of his evangelical Christian faith. (link)

Dec. 20, 2010: ProPublica, a nonprofit investigative group, is reporting that more than dozen University of Miami doctors did not properly report their earnings from drug companies as required by a medical school policy. (link)

Dec. 18, 2010: A former affirmative action officer at Rowan University is suing the college, claiming he was the victim of racial discrimination. (link)

Dec. 17, 2010: A Jefferson County judge dismissed a lawsuit Friday that sought to stop Nebraska colleges and the University of Nebraska from giving in-state tuition to children of illegal immigrants. (link)


Other News & Events

Jan 28, 2011: Thirteen University of Iowa football players remain hospitalized after becoming ill with what the university says is a little-known muscle syndrome called rhabdomyolysis. At a press conference on Wednesday, a spokesman said it's unclear how the students developed the condition. (link)

Jan 27, 2011: The president of USC is warning students not to attend raves, saying use of the illegal drug Ecstasy at the massive dance parties "can create a ripple effect of dangers that lead to catastrophic consequences." (link)

Jan 27, 2011: A last-minute decision to serve fried chicken and waffles at a campus dining hall in honor of Martin Luther King Jr. was a regrettable choice and lacked sensitivity, UC Irvine officials acknowledged Wednesday. (link)

Jan. 26, 2011: A major benefactor to the University of Connecticut wants the school to return $3 million in donations and remove his family name from its football complex because he says he was shut out of discussions about the selection of a new football coach. (link)

Jan 26, 2011: The emotional health of college freshmen — who feel buffeted by the recession and stressed by the pressures of high school — has declined to the lowest level since an annual survey of incoming students started collecting data 25 years ago. (link)

Jan 15, 2011: UC Davis officials are investigating allegations that a veterinary school professor polled students on what grade he should give one of their fellow students who had missed class after giving birth to a baby. (link)

Jan 15, 2011: A sophomore at the University of Colorado, Boulder, found a symbolic way to strike back.The student, Nic Ramos, paid his entire spring semester tuition — all $14,309.51 of it — using dollar bills, a 50-cent piece and a penny. (link)

Jan 3, 2011: A new study -- the first of its kind -- finds that college students lie on anonymous teacher evaluations, which are partly used to determine whether instructors should be re-hired and professors should earn tenure. (link)

Dec. 22, 2010: Devastated by the Senate's failure last week to grant them a path to citizenship, undocumented young people throughout California are vowing renewed activism to win legal immigration status if they attend college or serve in the military. (link)

Dec. 20, 2010: An investigation by UW-Madison journalism students, in collaboration with the Wisconsin Center for Investigative Journalism, found university officials and local law enforcement across the state have not made it a priority to track or crack down on the apparent growing abuse of Adderall, despite health and addiction risks. (link)

Dec. 17, 2010: The day before Thanksgiving break, the members of the Belmont University women’s soccer team gathered in the locker room after a strength training session. Their coach, Lisa Howe, had something to say. (link)


If you have any suggestions, questions or feedback, please e-mail me at robinmk@auburn.edu. We hope you find this information useful and would appreciate hearing your thoughts. Feel free to forward this email to your direct reports, colleagues, employees or others who might find it of value. Back issues of this newsletter are available on our web site at http://www.auburn.edu/audit.

If you have any suggestions for items to include in future newsletters, please e-mail Robert Gottesman at gotterw@auburn.edu.

Back to top

Department of Internal Auditing
Auburn University
304 Samford Hall
M. Kevin Robinson, Exec. Director
robinmk@auburn.edu
334.844.4389

© Redistribution of this newsletter, with or without modification, is permitted provided Auburn University Internal Auditing is listed as the source.