Internal Auditing

Case in Point:
Lessons for the pro-active manager

March 2009
Vol. 1 No. 3
Point to Ponder...


Every manager
a risk manager.


Each month this newsletter brings you various instances across higher education where risks have either gone unmanaged, were poorly managed or for some reason the management efforts simply didn't work effectively. We all face a myriad of risks in carrying out the mission of Auburn University. It is important to proactively consider what specific risks you face in achieving your objectives and think about how to manage them.

We define risk very simply as "anything bad that might happen and prevent us from successfully achieving our objectives." Our philosophy in Internal Auditing is that we are in the success business. This is a somewhat different approach than many internal audit departments, but one we believe is the most effective approach. Our role is to help you succeed in achieving your objectives by having appropriate (and functioning) controls in place and to help you proactively manage the risks particular to your area.

Another philosophy we have is that "every manager is a risk manager." You may not wear the title and probably don't. Yet you make decisions each day that affect the management of risk at our institution. All too often the "risk management expert" within our industry is the institution who went through a major crisis or scandal. This may be a simple philosophy, but we believe it's best to learn from these other incidents and proactively manage our risks rather than become the expert the hard way.

As you scan these cases, keep in mind the philosophy that "every manager is a risk manager" along with the thought of "how can I prevent this from occurring at Auburn University?" As always, we welcome your input, comments or suggestions.


M. Kevin Robinson, CIA, CFE
Executive Director, Internal Auditing

Information Security Related Events

Mar. 12, 2009: Jim Lowe, chief information security officer at University of Wisconsin, said last semester one phishing e-mail scam was sent out to 6,300 students and staff. Ninety five of those students and staff, or just over one percent, gave up their credentials in response to the e-mail, creating a large problem for the UW list server and the DoIT Wiscmail team. (link)

Mar. 5, 2009: John Correlli of Los Angeles-based JMC Privacy Consulting Group has recently published a detailed analysis of the topic, "Breaches in the Academia Sector." Correlli identifies the top three root causes of university breaches: unauthorized access, usually inside jobs; accidental online exposures; and stolen laptops. Correlli also points to unique threats and vulnerabilities in academia: 1) The open nature of the university physical and technical environment. 2) Department fiefdoms inhibiting central policy enforcement. 3) A customer user population that is relatively low paid, lives "on site" and experiences high turnover. (link)

Mar. 3, 2009: About 1,500 users of the Western Oklahoma State College library may have had Social Security numbers and other personal information exposed because of a computer breach. (link)

Feb 24, 2009: A UMass Dartmouth graduate and on-campus computer administrator faces charges that he illegally obtained nude and semi-nude photos of about 16 female students by hacking into their UMass e-mail accounts and Facebook files.(link)

Feb 23, 2009: For the second time in three months, the University of Florida in Gainesville has acknowledged a major data breach -- and a statement posted on the University's Web site indicates that there was a third, less public, breach discovered by the school during the same period. (link)

Feb 20, 2009: While identity theft can be broken down into many sectors--such as business, criminal, financial and medical-- the most common form found on campus deals with the international sector often known as a Nigerian scam. Baker has seen students become victims of this scam while selling their books online. The scam occurs when, as a form of payment, students receive a check that is written out for more than the amount requested. (link)

Feb 19, 2009: Roughly 9,000 memory sticks were accidentally left in clothes taken to the dry cleaners in Great Britain last year, according to a survey by Dallas-based data security consultants Credant Technologies. In an informal survey, a dozen Lexington dry cleaning establishments reported they were finding from "several memory sticks a month," to "maybe a couple a week." Doyle Friskney, chief technology officer at the University of Kentucky, acknowledges the challenges. "Portable memory storage devices are a way of life, especially on a university campus. If you can type a copy command or do 'copy/paste' with your mouse, you can move massive amounts of data today in very short amounts of time. So it's very easy to do this." (link)

Feb 16, 2009: About 37,000 individuals are being contacted by the University of Alabama after computer hackers found their way into computers that contained personal information from the University's Office of Information Technology.(link)

 Misappropriation/Fraud/Ethics Events

Mar. 12, 2009: An employee responsible for collecting and depositing money from machines that take cash, then converting it into credits on University of Wisconsin-Parkside identification cards, will be charged with theft. School officials began to track collections in June 2007, after $10,345 was reported missing for the fiscal year. A report showed that money was collected but not deposited a total of 26 times. (link)

Mar. 11, 2009: Medical journals have been asked to retract 21 studies that touted the benefits of Vioxx, Celebrex and other drugs. According to The Wall Street Journal, Baystate Medical Center, Springfield, Mass. is asking the journals to make the retractions because its former chief of acute pain, Dr. Scott S. Reuben, had faked data used in the studies. Baystate Medical Center has placed Reuben on indefinite leave. He has also vacated an appointment as a professor at Tufts University's medical school, the Journal said. (link)

Mar. 10, 2009: Springfield police are investigating the alleged embezzlement of more than $500,000 from St. John's College of Nursing and Health Sciences at Southwest Baptist University in Bolivar. (link)

Mar. 10, 2009: About 40 current and former Southeastern Louisiana University staffers wrongly benefited from more than $30,000 in free on-campus meals and other purchases from 2000 to 2008, according to a legislative audit report released Monday.
An accounting coordinator fraudulently manipulated the magnetic strip on her Lagniappe card to absorb the leftover funds from the accounts of former students, according to the report. This activity totaled more than $2,000. She also placed an additional $3,317 in Aramark meal plan dollars on her account without consent, the report states. She put nearly $3,000 on the former office director's account as well and more than $2,000 on the accounts of three other employees in that office, according to the report. (link)

Mar. 9, 2009: A former Georgia Tech employee likely will go to trial after changing her mind about pleading guilty to felony racketeering charges. She is charged with spending nearly $175,000 over four years using her state-issued purchasing card - called a p-card - and altering receipts to cover up her abuse. Prosecutors say Harris used her p-card from June 2003 to May 2007 to pay for diamond earrings, car insurance, groceries and catering for a wedding, among hundreds of other personal expenses.(link)

Mar. 7, 2009: College of William & Mary Police are investigating a college employee suspected of selling college- owned laptops on the website craigslist. (link)

Mar. 2, 2009: Carnegie Mellon lost nearly $50 million to two money managers who spent a chunk of the cash on teddy bears and other luxuries, according to a Securities and Exchange Commission (SEC) lawsuit filed last Thursday. The potentially irretrievable 5 percent loss to the endowment's value hits the university in a year already expected to produce significant financial setbacks due to global recession. (link)

Feb 26, 2009: Federal authorities raided the office of a University of Florida professor on Wednesday who, along with his wife, is suspected of defrauding NASA. (link)

Feb 23, 2009: A former manager of construction services at the University of Maryland, Baltimore County, was sentenced yesterday to three years in prison for masterminding a theft and corruption scheme, the state attorney general's office announced. George Flores Alinsod, 58, was also sentenced in Baltimore County Circuit Court to concurrent three-year terms for soliciting bribes and for procurement fraud. (link) (back story link)

Feb 20, 2009: As if times aren't tough enough for students trying to pay for college, now comes word that they are being scammed. People claiming to represent the U.S. Education Department are calling students to offer scholarships and grants. The callers ask for a bank or credit-card number, saying the information will be used for a $249 processing fee. But it's a fake. (link)

Feb 20, 2009: The Johnson City Police Department is attempting "to make all businesses aware of a scam going on" in that city. "Investigators of the Johnson City Police Department are currently investigating a fraud/scam involving a suspect allegedly soliciting advertisements to go in an upcoming University of Tennessee calendar," police said. "The suspect may have identified himself [as] affiliated with a company known as Dreams Unlimited." (link)

Feb 16, 2009: According to investigators, state officials recently uncovered evidence that some $2.5 million had been transferred from the state's coffers into various holding accounts. According to the Salt Lake Tribune, the chain of events leading to the theft were set in motion when one of the would-be thieves (or an associate) acquired a vendor number for the University of Utah's design and construction department. That information allowed the miscreants to forge documents changing the bank account information for the account in question. Once the account was under new management, the criminals invoiced the state of Utah for various imaginary repairs and/or expenses with instructions to deposit the cash into the hacked account (a Bank of America account in Texas). (link)

Feb 15, 2009: The publisher of the Oxford American magazine (operating out of the University of Mississippi) says the periodical is more than $200,000 in the hole because of an employee charged with embezzlement. (link)

Compliance/Regulatory Failure Events

Mar. 11, 2009: Dr. Deming Pan, a tenured chemistry professor at Mid-Plains Community College , was removed from her classroom Feb. 20 and placed on administrative leave for insubordination. The college accused Pan of violating the Family Educational Rights and Privacy Act (FERPA) for sending three student's records to an accreditation agency as a protest for what she believed was a ''lowering of standards'' for students. The college also accused Pan of denigrating her colleagues with her e-mail complaints. (link)

March 6, 2009: The University of Minnesota (U of M) has agreed to pay $60,000 for two asbestos violations which occurred in 2007, even though university officials deny any responsibility for the occurrences. According to the U of M they are not responsible for the fact that neither the contractor nor the specialist did their jobs correctly. In spite of that, U of M officials agreed to pay the fine "...because they didn't think it was worth arguing about any further". (link)

March 5, 2009: The University of Louisiana at Lafayette has been accused of animal welfare statute violations at a major primate research laboratory. Investigators from US animal welfare group the Humane Society have passed a complaint to the US Department of Agriculture detailing ''a minimum of 338 possible violations'' at the New Iberia Research Center (NIRC) in Lafayette, Louisiana. US Secretary of Agriculture Tom Vilack has pledged a thorough review of the allegations, which the university denies. (link)

March 1, 2009: UCLA's Molecular Sciences Building was mostly closed for the holidays on Dec. 29 as research assistant Sheri Sangji worked on an organic chemistry experiment. Only three months into her job in the lab, the 23-year-old Pomona College graduate was using a plastic syringe to extract from a sealed container a small quantity of t-butyl lithium -- a chemical compound that ignites instantly when exposed to air. As she withdrew the liquid, the syringe came apart in her hands, spewing flaming chemicals, according to a UCLA accident report. A flash fire set her clothing ablaze and spread second- and third-degree burns over 43% of her body. It was totally preventable," said Neal Langerman, a San Diego consultant and former head of the American Chemical Society's Division of Chemical Health and Safety, whose members were given a detailed account of the incident by a University of California safety official. "Poor training, poor technique, lack of supervision and improper method. This was just not the right way to transfer these things," Langerman said. (link)

Feb 27, 2009: Six current and former ESU students filed a lawsuit Feb. 13 alleging that Isaac Sanders, the former vice president of advancement and executive director of the private ESU Foundation, provided gifts, scholarships and jobs in exchange for unwanted attempts at sexual intimacy. It also names other top campus officials, trustees and the university itself for allegedly covering up the issue. (link)

Feb 16, 2009: Sexual harassment broke into the national consciousness in 1991, when Anita Hill accused Clarence Thomas -- then a nominee to the U.S. Supreme Court -- of having made sexually inappropriate comments to her. The controversy spawned a flood of charges nationwide, including on college campuses. Since then colleges have tried to stem harassment with awareness programs and have created procedures to handle complaints. At the University of Iowa, students have filed 11 sexual-harassment complaints against eight professors over the last five years. (link-Subscription required) (link - alternate)

Other Events

March 6, 2009: An 18-year-old woman faces charges for allegedly setting a series of small fires at the College of Mount Saint Joseph in Delhi Township Thursday. The fires caused the campus to be evacuated. (link)

Feb 26, 2009: Four members of the University of North Alabama cross country team have been arrested and expelled after being accused of discharging a homemade acid bomb outside fraternity row during the weekend, authorities said. (link)

Feb 21, 2009: Four animal activists have been arrested for their alleged roles in attacking and harassing animal researchers at UC Berkeley and UC Santa Cruz over the last 18 months, the FBI announced Friday. Extremists' attacks at the three UC campuses have been intended to halt researchers' use of animals in experiments, according to a website that advocates violent action to protect lab animals. (link)

Feb 19, 2009: From 2007 to 2008, according to data provided by Cal Poly Police Department Records Manager Fred Mills, on-campus theft of office equipment (including computers) tripled (from seven incidents to 21), while thievery of TVs, radios, stereos and other electronics (including iPods and DVD players) increased 56 percent (from nine to 14). The value of the office equipment stolen rose from $5,950 to $21,414 (or 260 percent). (link)

Feb 19, 2009: The Southern University marching band, one of the nation's premier college marching bands, has been temporarily disbanded as the East Baton Rouge district attorney investigates a hazing incident that led to several band members being hospitalized over the Bayou Classic weekend and arrests of seven band members in alleged hazing violations last fall. (link)

Feb 17, 2009: Beginning in 2001, the University of California expanded its consideration of applicants' personal accomplishments, alongside their grades and test scores, and soon stepped further into its truth squad effort. Broadening the area for investigation to students' extracurricular activities, it commissioned the Educational Testing Service to cull a small but statistically significant random sample of applications each January and February, before entrance decisions are made. Those selected are asked for proof of just one verifiable contention, chosen on a rotating basis from among eight categories of information on the application. It could be a claim that the student was a football quarterback, worked 15 hours a week at McDonald's or volunteered often for a food bank. (link)

Feb 16, 2009: A Los Angeles City College student has filed a lawsuit claiming a public speaking professor berated him and refused to let him finish a speech opposing same-sex marriage. In the suit filed last week in a Los Angeles federal court, student Jonathan Lopez said that midway through his speech when he recited a dictionary definition of marriage and recited a pair of bible verses, professor John Matteson cut him off, called him a "fascist bastard" and would not allow him to finish. The suit says Matteson told students they could leave if they were offended, and when no one left he dismissed the class. (link)

Feb 15, 2009: Car break-ins also spiked in January at Oregon State University, where 21 ''car clouts'' were reported. That's up from only one in January of the previous year, and a total of 10 from September through December. (link)

If you have any suggestions, questions or feedback, please e-mail me at We hope you find this information useful and would appreciate hearing your thoughts. Feel free to forward this email to your direct reports, colleagues, employees or others who might find it of value. Back issues of this newsletter are available on our web site at

If you have any suggestions for items to include in future newsletters, please e-mail Robert Gottesman

Department of Internal Auditing
Auburn University
304 Samford Hall
M. Kevin Robinson, Exec. Director
© Redistribution of this newsletter, with or without modification, is permitted provided Auburn University Internal Auditing is listed as the source.