Internal Auditing

Case in Point:
Lessons for the pro-active manager

August 2009
Vol. 1 No. 8

"Wisdom consists in being able to distinguish among dangers and make a choice of the least harmful."

- Niccolo Machiavelli, The Prince

One of the most difficult jobs in a university environment is protecting confidential data. Almost daily we read of an institution where someone gained inappropriate access to a server, and confidential data was lost. As an industry, we may well be the worst of all at securing confidential data. However, that does not mean that Auburn University has to follow the trend.

On a university campus there will always remain a certain tension between the open sharing of information verses the protection of some data. Do you know who can access confidential information in your area? Can you identify and locate all of your unit's confidential information? Who has access to what and why? The answers are not always easy, but they certainly are worthy of discussion and thoughtful consideration.

One interesting story this month comes to us from the State of Texas where a lack of controls resulted in an embarrassing situation for UT-Brownsville. The distance education department failed to maintain adequate controls within a critical system and paid a steep public price for their failure. Within this system the standard recommendation was for only two people to have access at the highest level. Yet somewhere along the line fifteen people were granted access including some student employees who even shared access. My guess is that granting this additional access seemed like a good idea at the time. Someone just "had to have it to do their job." Now this institution finds itself in the midst of an investigation regarding academic fraud as this access was apparently used to cheat on exams by some employees and students. Not only does this institution bear significant investigative and remediation costs from this incident, perhaps more importantly they have damaged their reputation in a way that can take years to overcome.

Sometimes maintaining appropriate controls may not seem to be the most convenient way to do things, but frequently this "inconvenience" can serve a valuable purpose. It can even keep you out of the newspapers and help you avoid an embarrassing investigation. Just something to think about as you help lead and manage our institution. Once again we ask you to consider these items in conjunction with your role here at Auburn University and how you can pro-actively prevent similar incidents and scandals here.

M. Kevin Robinson, CIA, CFE, CCEP
Executive Director, Internal Auditing

Information Security Related Events

Aug. 13, 2009: The University of California-Berkeley is notifying 493 applicants to the Graduate School of Journalism that their Social Security numbers and other personal information may have been stolen in a server data breach. (link)

Aug. 13, 2009: Florida Keys Community College officials have hired an outside investigator to scrutinize the school's e-mail system in light of an alleged breach of security that allowed someone to gain access to the college president's e-mail account and forward three of her messages to various people. (link)

Aug. 4, 2009: The University of Oregon has fixed a security breach in its DuckWeb system after a student used it to look at three other students’ degree audits.
The hole in DuckWeb’s security allowed Web users to view certain other students' degree audits by changing digits in the URL for a printer-friendly version of their own audits, which contain information about a student’s grades and his or her progress toward a degree. (link)

Aug. 2, 2009: A two-month investigation by University of Texas-Brownsville/Texas Southmost College police found school employees in 2008 had committed ''gross academic fraud'' after student employees and regular staff used their positions to steal test answers, according to a UTB police report obtained by The Brownsville Herald. (link)

July 17, 2009: The hotline established by UCSD's Moores Cancer Center after a hacker breached the center's computers and gained access to patients' personal information has been swamped with hundreds of calls from worried patients. Their primary concern has been whether their Social Security numbers were among the information stolen by whomever obtained the electronic files of 30,000 patients, according to DeAnn Marshall, UCSD Health Sciences chief of marketing and communications officer. (link)

Misappropriation/Fraud/Ethics Events

Aug. 16, 2009: The standoff between University of Illinois trustees and Gov. Pat Quinn could move into uncharted territory if neither side backs down soon. Not a single trustee has stepped down since the governor called for letters of resignation from the entire board on Aug. 7. Three board members, including Chairman Niranjan Shah, had previously volunteered to leave. (link)

July 16, 2009: A University of Central Missouri police sergeant and his wife have been arrested in an identity theft involving the stolen Social Security numbers for 7,000 students and alumni. James and Amanda Drake have been charged with fraud, forgery, illegal credit card use and filing a false police report. (link)

Compliance/Regulatory Failure Events

Aug. 10, 2009: The University of Utah has settled a lawsuit brought by the families of seven Chinese scholars killed in a 2003 van rollover, cutting short a two-week trial in a Salt Lake City courtroom. State officials agreed to pay the plaintiffs, who include three men injured in the crash, nearly $500,000, just under a ceiling above which any settlement would require legislative approval. When the University of Utah agreed to host the Chinese delegation in 2002, the school assumed responsibility for arranging the scholars' travel within the U.S., court records indicate. Attorneys for the families alleged the university acted negligently by contracting with an unlicensed travel business in New York, which in turn hired a driver unqualified to pilot the oversized van that plunged off a snow-covered Pennsylvania highway and folded against a tree. (link)

July 23, 2009: On Jan. 1, 2008, the University of Georgia implemented a new employee arrest policy, requiring all faculty and staff to self-report any arrests within 72 hours and convictions within 24 hours to the Office of Legal Affairs. But an investigation by The Red & Black revealed employees arrested in Athens-Clarke County report their arrests to the University only 50 percent of the time, even though arrest logs of these employees reside a simple Web site visit away.(link)

July 21, 2009: The University of Georgia was cited earlier this month by the Georgia Environmental Protection Division for operating three incinerators out of compliance with its air quality permit under the Georgia Air Quality Act, University officials said Tuesday. The incinerators in question - located at the Veterinary Diagnostic Laboratory, the Poultry Diagnostic Research Center and the Animal Health Research Center - were burning waste defined as "medical/infectious," but were only permitted to burn "pathological waste." (link)

Other Events

Aug. 17, 2009: California State University students have sued the CSU Board of Trustees, claiming the university illegally billed them twice for tuition - accepting one payment in June for the fall semester and then demanding more money this month for the same semester. (link)

Aug. 4, 2009: A recent college graduate is suing her alma mater for $72,000 -- the full cost of her tuition and then some -- because she cannot find a job. (link)

July 15, 2009: The University of Kansas may soon allow student housing supervisors to enter dorm rooms without the occupants' permission to stop suspected alcohol or drug use. (link)

If you have any suggestions, questions or feedback, please e-mail me at We hope you find this information useful and would appreciate hearing your thoughts. Feel free to forward this email to your direct reports, colleagues, employees or others who might find it of value. Back issues of this newsletter are available on our web site at

If you have any suggestions for items to include in future newsletters, please e-mail Robert Gottesman

Department of Internal Auditing
Auburn University
304 Samford Hall
M. Kevin Robinson, Exec. Director
© Redistribution of this newsletter, with or without modification, is permitted provided Auburn University Internal Auditing is listed as the source.