Having trouble viewing this email? View it in your browser.

Internal Auditing

Case in Point:
Lessons for the pro-active manager

June 2011
Vol. 3 No. 6
Quotable...
“To know what is right and to not do it is the worst cowardice.”

-- Confucius

If you “Google” the term “culture change,” you will get more than 48 million results dealing with every organization and industry imaginable.   One thing that becomes clear very quickly when scanning a few of these search results is the universal consensus that culture change is hard.  Culture develops over time and is the result of past experiences, history, and even leadership, so changing culture is a tough job.

One thing that can quickly change a culture is a crisis.  All too often in our industry this is the spark that leads to culture change, whether you are talking about student safety, regulatory compliance, or even data security.   Unfortunately, this path toward culture change is typically the most costly, and in an era of tight finances, few of us have the resources to spend this way.     

For example, last month we focused on data security, which is an area of struggle for higher education.  This data security struggle largely comes from our historic culture of openness with information and sharing.  Yet this is one area where new threats and regulations are requiring culture change.  The question before us is whether we will be proactive in changing this culture or whether we will wait for the crisis and then get serious about data protection.   Data security is, again, just one example of the myriad risks we face each day in higher education.     

M. Kevin Robinson, CIA, CFE, CCEP
Executive Director, Internal Auditing


Information Security Related Events

June 27, 2011: The U.S. Department of Homeland Security ran a test this year to see how hard it was for hackers to corrupt workers and gain access to computer systems. Not very, it turned out. (link)

June 23, 2011: A former college student has admitted taking part in a criminal scheme that used malware to steal and sell large databases of faculty and alumni, change grades, and siphon funds from other students' accounts. (link)

June 22, 2011: Ninety percent of businesses have been hit by a cybersecurity breach in the past year. Breaches cost 41 percent of businesses $500,000 or more. And the top two endpoints under attack are laptops and mobile devices. (link)

June 21, 2011: Online storage service Dropbox accidentally turned off password authentication for its 25 million users for four hours on Monday -- although "much less than 1%" of those accounts were accessed during the period, the company said. It is still investigating whether any of those accounts were improperly accessed.(link)

June 13, 2011: Documents with the personal information of dozens of former St. Louis University students were littered near a dumpster in a back alley. How did they get there and why weren't they shredded? The university is searching for answers. (link)

June 8, 2011: A lapse in information security procedures at the University of Mary Washington left personal information of more than 7,500 students exposed on an internal university computer network. (link)

June 3, 2011: The MacDefender developers are continuing to uphold their criminal attempts to steal Mac users' information by changing the name of their scam software yet again. So far they have been using the naming scheme of the word "Mac" followed by a security-related word such as Defender, Security, or Protector. (link)

June 2, 2011: Wake Forest Baptist Medical Center said Wednesday that it has fired an employee who had boxes of medical records and documents in a home she owns. The discovery of the documents is the second incident involving medical records' security at Wake Forest Baptist. (link)

June 2, 2011: Tennessee lawmakers have passed a bill that would make sharing log-in information, including usernames and passwords, illegal within the state's borders, the Associated Press reports. (link)

June 2, 2011: In a May 27 filing, Oracle has denied the charges listed in a Montclair State University complaint that Oracle failed to live up the terms of an enterprise resource planning (ERP) installation at the school. (link)


Misappropriation/Fraud/Ethics Events

June 25, 2011: People involved in college admissions say family connections are often delicate issues, and in this case everyone says the rules were followed. But some wonder whether the university's president would have been wiser to have asked his granddaughter not to apply, to avoid the appearance of impropriety. (link). The president's granddaughter eventually turned down the scholarhsip offer. (link)

June 23, 2011: Manhattan prosecutors have expanded their probe into the alleged theft of nearly $6 million from Columbia University, charging two additional men with participating in the fraud. (link)

June 16, 2011: Several of Ohio State's athletic administrators workers drive courtesy cars that are provided by local car dealers, including the director of NCAA compliance. "In the real world, if you're regulating somebody, you're not cozying up to the people who you are regulating." (link)

June 8, 2011: A former inmate at a South Carolina correctional facility is likely headed to federal prison after admitting to a student financial aid fraud involving Webster University totaling $467,500. (link)


Compliance/Regulatory Events

June 29, 2011: Two blind students filed suit today against Florida State University (FSU) and its board of trustees, alleging that FSU discriminated against them by failing to provide them with proper accommodations. They allege violations including requiring them to use an inaccessible Web-based application to complete homework assignments, tests, and quizzes; requiring the use of clickers that cannot be used by a blind person to respond to in-class questions and obtain bonus credit; failing to provide Braille versions of the required textbooks in violation of agreed-upon accommodation plans; and engaging in retaliatory actions when they complained. (link

June 29, 2011: A labor arbitrator has ruled that a University of New Hampshire professor convicted of indecent exposure should keep his job. (link)

June 28, 2011: Michael D. Pottenger of Santa Monica, Calif., has pleaded not guilty to five counts of wire fraud in a federal case alleging he accepted a grant of nearly $100,000 that he wasn't eligible to receive. (link)

June 27, 2011: The mother of a 19-year-old Cornell University student who died during an alcohol-related fraternity hazing ritual filed a multimillion-dollar wrongful-death lawsuit against the national fraternity on Monday. (link)

June 25, 2011: An East Tennessee State University College of Medicine faculty member and director of the school’s internal medicine residency program has been suspended from administrative duties pending an investigation into allegations of a hostile work environment existing in the program for some residents and the revealing of confidential information about some residents to others. (link)

June 23, 2011: California State University’s Accessible Technology Initiative suggests in a report released this week that universities limit their campuswide use of Google’s free Web services based on what it calls a variety of inaccessibility issues for the blind and those with other disabilities. (link)

June 22, 2011: Marquette University officials acknowledged Wednesday that the university made mistakes in how it handled student reports of sexual assaults and said they've worked out a way to improve how they report sexual assaults to city police. (link)

June 22, 2011: Veterinarians who recently launched a clinic in Des Moines will pay $100,000, give up some of their revenue and lose one of their colleagues for two years to settle a messy legal dispute with a competing animal hospital run by Iowa State University, according to settlement documents released Wednesday. (link)

June 18, 2011: Slippery Rock University's longtime women's volleyball coach and an assistant to the athletic director filed a lawsuit Friday claiming they were victims of retaliation after they spoke against athletic director Paul Lueken. (link)

June 17, 2011: When a researcher at the University of Rochester School of Medicine and Dentistry could not coax a monkey that he was working with out of its cage last August, he decided not to feed it — in effect, to starve the monkey out. (link)

June 14, 2011: Four former Bethune-Cookman University professors have sued the university, saying they were fired in retaliation for making complaints about campus conditions. (link)

June 9, 2011: Alabama’s bill goes beyond Arizona’s. It bars illegal immigrants from enrolling in any public college after high school. It obliges public schools to determine the immigration status of all students, requiring parents of foreign-born students to report the immigration status of their children. (link)

June 7, 2011: Students in China, are in love with Open Yale Courses, the free online videos of popular Yale classes. But it seems that one Chinese university is looking for love in the wrong place — and thereby earning the attention of Yale’s lawyers. (link) (June 16, 2011) Yale has received a formal apology from a Chinese book distributor that was responsible for a book illegally containing the content of five Open Yale Courses.(link)

June 6, 2011: The Supreme Court ruled on Monday against Stanford University in a case that is viewed as a victory for faculty members and private companies involved in technology transfer and research partnerships. The ruling was also a warning to universities to carefully check the language and grammar of the contracts they sign with researchers.(link)

June 5, 2011: American courts take exacting precautions to avoid convicting an innocent person of a crime. It was therefore startling to read the April 4, 2011, directive on sexual violence sent by the U.S. Department of Education's assistant secretary for civil rights, Russlynn H. Ali, to college officials across the country. In an effort to make campuses safe and equitable for women, Ali, with the full support of her department, advocates procedures that are unjust to men. (link)


Other News & Events

June 21, 2011: A new study has found that two of the four main parts of the ACT -- science and reading -- have "little or no" ability to help colleges predict whether applicants will succeed. The analysis also found that the other two parts -- English and mathematics -- are "highly predictive" of college success. But because most colleges rely on the composite ACT score, rather than individual subject scores, the value of the entire exam is questioned by the study. (link)

June 21, 2011: A New Jersey physics professor faces charges for running a massive online prostitution ring from his second home in New Mexico, an activity he said was a hobby, an Albuquerque police detective told Reuters on Tuesday. (link)


If you have any suggestions, questions or feedback, please e-mail me at robinmk@auburn.edu. We hope you find this information useful and would appreciate hearing your thoughts. Feel free to forward this email to your direct reports, colleagues, employees or others who might find it of value. Back issues of this newsletter are available on our web site at http://www.auburn.edu/audit.

If you have any suggestions for items to include in future newsletters, please e-mail Robert Gottesman at gotterw@auburn.edu.

Back to top

Department of Internal Auditing
Auburn University
304 Samford Hall
M. Kevin Robinson, Exec. Director
robinmk@auburn.edu
334.844.4389

© Redistribution of this newsletter, with or without modification, is permitted provided Auburn University Internal Auditing is listed as the source.