"The corporate culture is the most powerful control in any organization."
-- James (Jim) Roth, PhD, author of Best Practices: Evaluating the Corporate Culture*
Last month, I discussed how frequently the simple things are the best controls. Things like paying attention and asking questions when something seems unusual. This month I will continue that theme by discussing what auditors frequently call "soft controls."
Soft controls are subjective and intangible and refer to the culture of an organization and the prevailing attitude toward things like compliance and ethics. I would suggest the term could also encompass an organization's attitude about managing risks and whether that is done in a proactive manner. Terms associated with soft controls include morale, ethics, philosophy, values, integrity, and the like.
In all organizations, a tone is set by the board and executive leadership that forms the basis for the organization's soft controls. However, subunits develop their own soft controls based on their local leadership. In universities, this is set by deans, directors and department heads. A weak subculture can develop in any subunit separately from and independently of what is being said or done at the top. This allows a compliance or risk failure to occur more easily than if the subunit has a strong emphasis on the soft controls.
Author Jim Roth recently stated, "The root cause of every major control breakdown -- Enron, WorldCom, Tyco, etc. is a weakness in culture." Enron is a classic case where the organization's documented policies and ethics statements said all the right things and were even held up as a model for other organizations; yet, underneath the written documents was the absence of strong soft controls and the organization was set on a path of self-destruction.
So this month, ask yourself how strong you believe the soft controls are within your sphere of influence. Does your unit value compliance and doing the right thing? If your employees were asked by someone from outside your area how important those things were, what would they say? These are important questions to think about as we seek to proactively manage risk at our institution.
M. Kevin Robinson, CIA, CFE, CCEP
Executive Director, Internal Auditing
Information Security Related Events
Mar. 31, 2011: The continuing failure by most enterprises to encrypt sensitive data stored on laptops and other mobile devices is inexcusable, analysts said following BP's disclosure this week of a data compromise involving a lost laptop. (link)
Mar. 28, 2011: Facebook users obviously don't care that their privacy has been compromised. They clearly don't appreciate or understand the risk, in large part because Facebook still appears to be magical to them. (Arthur C. Clarke's famous line that "any sufficiently advanced technology is indistinguishable from magic" applies not just to Facebook but to Google's search algorithms and other successful Web services as well.) (link)
Mar. 11, 2011: A sophisticated data mining virus that has emptied bank accounts in the United Kingdom was found last month to have infected a computer in the Virginia Tech controller's office, the university confirmed Thursday. The Zeus virus was found during a security audit on computers that store Social Security numbers and other sensitive data on current and former Tech employees, university spokesman Mark Owczarski said. (link)
Mar. 9, 2011: The University of Massachusetts Amherst on March 7 started notifying 942 patients of University Health Services of a breach of protected health information that occurred on June 30, 2010. (link)
Mar. 9, 2011: Midlands Technical College warned employees last month that a flash drive containing some of their personal information was taken from a human resources office at the college.
The flash drive, since returned — without the personal data it previously held — could compromise the personal information of some of the college's 500 employees. (link)
Mar. 8, 2011: Negligence is the biggest cause of data breaches at corporations, but criminal attacks are growing fastest, a study released today concludes. (link)
Mar. 8, 2011: A backup hard drive containing names and social security numbers of several hundred current and former students and faculty members is missing, Western Michigan University spokeswoman Cheryl Roland said. (link)
Mar. 4, 2011: The University of South Carolina has experienced a computer security breach that has exposed 31,000 people's private information, including social security numbers, on the internet. (link)
Mar. 3, 2011: A Missouri State University employee posted lists of student names with their Social Security numbers on an unsecured server late last year, which made the information available on the Internet, resulting in an internal security breach, a university news release said. (link)
Mar. 30, 2011: A former systems analyst at the University of Kansas ticket office has been sentenced to 37 months in prison for her part in a $2 million ticket scalping conspiracy. (link)
Mar. 26, 2011: An assistant Colorado State University football coach arrested earlier this year on suspicion of check fraud avoided possible jail time Friday when he pleaded guilty to a misdemeanor theft charge. (link)
Mar. 25, 2011: A political science professor at Vermont's Middlebury College is facing charges she embezzled $4,800 from the Salisbury Historical Society to help pay for a series of class trips with college students. (link)
Mar. 24, 2011: A St. Louis man, Allen Dean Ritchie, 42, pleaded guilty Thursday to a federal identity theft charge and admitted using money from a law firm's client trust accounts and Washington University for his personal use. Ritchie also admitted "accessing and using the credit and financial accounts" of Washington University and alumni between 2007 and 2008, his plea agreement says. (link)
Mar. 22, 2011: A former financial-aid officer at El Camino College Compton Center has been indicted in an alleged con that embezzled more than $56,000 in federal financial aid. (link)
Mar. 10, 2011: The former cheerleading club coach for San Francisco State University has pleaded guilty to embezzling cash from the squad to go on a personal spending spree that included a trip to Las Vegas. (link)
Mar. 9, 2011: A Catholic nun who ran a suburban New York City college's finances has admitted to stealing more than $850,000 from the school. (link)
Mar. 3, 2011: A former University of Central Arkansas president pleaded guilty Monday to two felony charges in connection with $200,000 in illegal bonuses he received while leader of the Conway campus. (link)
Mar. 29, 2011: The Department of Education fined Virginia Tech $55,000 on Tuesday for waiting too long to notify students after the 2007 campus shooting that left 33 people dead. (link)
Mar. 23, 2011: The Air Force faulted a pilot Wednesday for flying too low and too fast during a spectacular military flyover before an Iowa football game last fall, saying he had been punished for violating rules and was leaving the service. (link)
Mar. 14, 2011: A former assistant professor of psychology at John F. Kennedy University in Pleasant Hill, Calif., has sued the institution for sex discrimination, alleging that she was fired for performing in an off-campus burlesque act. (link)
Mar. 9, 2011: Eastern Michigan University is investigating two former student employees who are believed to have taken personally identifiable information of approximately 45 students and improperly provided it to a third party. (link)
Mar. 8, 2011: The U.S. Supreme Court decided it will not hear the University of Wisconsin-Madison's appeal of a lower court decision that found denying funding to the Catholic student group Badger Catholic violates the First Amendment. (link)
Mar. 1, 2011: The Iowa House Education Committee approved the bill 23-0 Monday. It requires public university and community college faculty on a paid leave of absence after being charged with a felony or serious or aggravated misdemeanor to repay all salary during the absence if convicted. (link)
Other News & Events
Mar. 27, 2011: On a recent Friday night, a UCLA student posted a video on YouTube. The young woman made the video, in which she complained about and mocked Asian students at UCLA, the day after the Japan earthquake. She took down the clip within hours of posting it. She was too late. By then it was being reposted and remixed, taking on a life of its own. (link)
Mar. 25, 2011: A Connecticut man has been charged with threatening to blow up a Massachusetts college and kill two staff members. (link)
Mar. 16, 2011: A disagreement between two students about who had dibs on a study room in a George Mason University library led to a felony abduction charge against a senior and a vigorous Internet campaign to clear his name. (link)
If you have any suggestions, questions or feedback, please e-mail me at email@example.com. We hope you find this information useful and would appreciate hearing your thoughts. Feel free to forward this email to your direct reports, colleagues, employees or others who might find it of value. Back issues of this newsletter are available on our web site at http://www.auburn.edu/audit.
If you have any suggestions for items to include in future newsletters, please e-mail Robert Gottesman at firstname.lastname@example.org.