Internal Auditing

Case in Point:
Lessons for the pro-active manager

July 2010
Vol. 2 No. 7

An ounce of prevention is worth a pound of cure.

- Benjamin Franklin

Last month we discussed some of the significant findings in the Association of Certified Fraud Examiners' (ACFE) 2010 Report to the Nations on Occupational Fraud and Abuse. This month we will review the four most significant weaknesses that contributed to fraud occurring according to the ACFE report. These four items below account for over 80% of the weaknesses noted.

  1. Lack of Internal Controls - This was by far considered the most significant factor that allowed a fraud to be perpetrated. Your role as the leader of a unit involves assuring you have appropriate controls in place. These controls protect you, your employees, and our institution in a variety of ways.
  2. Override of Existing Controls - Controls are important; however, if employees or managers go around the controls at times, you have a situation which can lend itself to fraud occurring. Controls cannot be optional or just when convenient; they must be followed every time without exception.
  3. Lack of Management Review - While management review is essentially an internal control, the report breaks this item out separately with good reason. Perception of detection is the greatest deterrent to occupational fraud, and if no one is paying attention there is little perceived chance of detection. In my review of cases at our institution, the failure of management to review what was occurring was a major contributing factor in every single case we have reviewed over the past twenty years. If you do not pay attention to what is occurring in your unit, you have substantial risk that fraud will occur, typically by someone you trust and who you never imagined could take such actions.
  4. Poor Tone at the Top - This is something that we have discussed routinely in this newsletter due to its importance. Universities are unique in that we have tone set in a number of decentralized places. Certainly, the president and board set a tone, but also each dean, director, and department head have great influence in the tone in their specific unit. Tone is affected not only by what you say, but perhaps more importantly by what your staff sees you do.
The Report also lists a few recommendations for the prevention and detection of fraud. Two of these items we'd like to share with you.
  1. Fraud reporting mechanisms are critical components of effective fraud detection and prevention systems. This is something we have implemented here at Auburn University. We have an outside company, EthicsPoint, which operates our anonymous reporting system. Employees can report via the web or by phone. Having the system is very important, but we need your help to ensure your staff is aware it is available and that we need their help in detecting and deterring fraud. Simply by pointing this out you can impact the tone you set within your unit.
  2. Employee education is the foundation of preventing and detecting occupational fraud. You might recall from last month's newsletter that employee tips are the biggest source for fraud discovery. This makes sense since employees are routinely near the operations and more likely to see a problem or suspect transaction. Part of the goal of this newsletter is education so feel free to share it with those in your unit. If you would like some specific training on these issues for your area just contact us. We will be happy to come to your unit and discuss this important issue. We have presented to a number of different departments across campus and would welcome the opportunity to speak with your staff.

While these last two months have dealt exclusively with the risk of occupational fraud on campus, you will again note that the risks faced by institutions of higher education are much broader than just this one topic. As you review the events happening across our industry, I again request that you consider how you can proactively manage similar risks here at Auburn University.

M. Kevin Robinson, CIA, CFE, CCEP
Executive Director, Internal Auditing

Information Security Related Events

July 23, 2010: Somebody peered electronically into a file server at the University of Texas at Arlington, leaving health data on 27,000 students, faculty and staff potentially exposed to snooping eyes, the school said Friday in a news release.(link)

July 17, 2010: After hiring a computer forensics team to conduct an investigation, Buena Vista University (BVU) said today that a data breach has occurred on its campus, potentially exposing the personal information of 93,000 people. (link)

July 14, 2010: Oregon State University is notifying 34,000 current and former employees that a computer containing some of their personal information was recently infected by a virus, even though the university's computer experts say it is ''highly unlikely'' that the virus put any of that information in the hands of unauthorized users, OSU officials say. (link)

July 8, 2010: A routine audit discovered that unauthorized access to a computer server used by the University of Hawai'i at Mānoa Parking Office. The server that was breached contained personal information, including names, Social Secuirty numbers, addresses, driver's license numbers, vehicle information, and credit card information. (link)

July 6, 2010: University of Florida officials have notified 2,047 people that their Social Security or Medicaid identification numbers were included on address labels affixed to letters inviting them to participate in a research study. (link)

July 1, 2010: A provision of the Higher Education Opportunity Act of 2008 is making schools a reluctant ally in the entertainment industry's campaign to stamp out unauthorized distribution of copyrighted music, movies and TV shows. (link)

June 30, 2010: California State University San Bernardino is investigating possible disclosure of personal student information, including names and social security numbers. The personal information from one computer science and engineering class roster file of 36 students was ''inadvertently made public through a Web server,'' according to a press release. (link)

June 29, 2010: University of Maine police are investigating the breach of two UMaine computer servers holding the names, social security numbers, and clinical information of students who attended the university's Counseling Center from Aug. 8, 2002 to June 21 of this year. (link)

June 29, 2010: Federal officials are requiring colleges that use Kindles and other electronic book readers in the classroom to make sure the gadgets have accommodations for blind and vision-impaired students. (link)

Misappropriation/Fraud/Ethics Events

July 21, 2010: Food services giant Sodexo Inc. has agreed to pay $20 million to settle claims that it overcharged 21 New York school districts and the State University of New York over a five-year span. (link)

July 15, 2010: A former assistant athletics director became the second Kansas Athletics Inc. employee to plead guilty in connection with a scandal involving more than $1 million worth of tickets the university says were stolen by insiders. (link)

July 9, 2010: A former employee of the University of Maryland School of Social Work committed fraud in misusing thousands of dollars worth of gift cards intended for needy families, according to an internal review forwarded to two state legislative committees. (link)

July 7, 2010: A top executive at the financially troubled San Jose/Evergreen Community College District earned a full salary while on sick leave this spring - yet, during that same period, she earned a separate salary teaching at another nearby district. (link)

July 2, 2010: South Carolina legislators want their own investigators to find out what happened to millions of state and federal dollars used for South Carolina State University's James E. Clyburn University Transportation Center. (link)

June 29, 2010: A longtime La Salle University employee was fired this month after officials said they discovered several million dollars missing in an alleged fraud scheme dating back at least 20 years. (link)

Compliance/Regulatory Events

July 28, 2010: A group of primates participating in animal research at Princeton University may have been receiving water at levels below the minimum amount allowed by federal guidelines and also may not have been properly administered painkillers following surgeries, according to a U.S. Department of Agriculture (USDA) inspection report. (link)

July 26, 2010: During the 2010 legislative session, 16 states dealt with 39 pieces of legislation related to undocumented students, according to the National Conference of State Legislatures. (link)

July 23, 2010: A graduate student has filed a lawsuit accusing Augusta State University officials of violating her constitutional rights by ordering her to change her views opposing homosexuality. (link)

July 16, 2010: The U.S. Department of Agriculture found six repeat violations of animal welfare rules on a follow-up visit to UW-Madison this week, including expired medications and cockroaches infesting walls in two rooms that house primates. (link)

July 16, 2010: Columbia University has quietly suspended research at a nationally prominent brain-imaging center and reassigned its top managers after federal investigators found that it had routinely injected mental patients with drugs that contained potentially dangerous impurities. (link)

July 16, 2010: In an apparent violation of the state's open meeting law, the University of California regents prevented a filmmaker from entering a public meeting with a video camera Thursday on grounds that he lacked a press credential. (link)

July 8, 2010: Coppin State University failed to follow proper procedure in pursuing overdue tuition payments and allowed students who hadn't paid their bills to continue registering for courses, according to a state audit released Tuesday. (link)

Other News & Events

July 25, 2010: Thousands of freshmen and new students flocking to Texas colleges for the start of classes next month must first get the vaccine against often fatal bacterial meningitis before they'll be allowed to move into campus dorms. (link)

July 20, 2010: Students hoping to earn a little extra cash on campus this fall will have a tougher time as the number of federally funded work-study college jobs nationwide will drop by 162,000 to 768,000 for the 2010-2011 academic year. (link)

July 16, 2010: BP PLC attempted to hire the entire marine sciences department at one Alabama university, according to scientists involved in discussions with the company's lawyers. The university declined because of confidentiality restrictions that the company sought on any research. (link)

July 12, 2010: The fields and long red barns at the University of Vermont will soon house fewer cows as low milk prices, high costs and budget cuts have forced the university to sell its herd. (link)

July 10, 2010: A law requiring Texas' public colleges and universities to post detailed course information online will take effect this fall, stirring a debate between advocates of transparency and academic freedom. (link)

July 9, 2010: An adjunct professor who taught courses on Catholicism at the University of Illinois has lost his teaching job there, and he claims it is a violation of his academic freedom. (link)

July 7, 2010: Under a proposed Pennsylvania bill, publishers have to provide the cost of the textbook to a teacher who may be choosing that book for a course. Also, publishers must provide the copyright dates for three previous editions and the revisions made from the last edition to the current edition. (link)

If you have any suggestions, questions or feedback, please e-mail me at We hope you find this information useful and would appreciate hearing your thoughts. Feel free to forward this email to your direct reports, colleagues, employees or others who might find it of value. Back issues of this newsletter are available on our web site at

If you have any suggestions for items to include in future newsletters, please e-mail Robert Gottesman at

Department of Internal Auditing
Auburn University
304 Samford Hall
M. Kevin Robinson, Exec. Director
© Redistribution of this newsletter, with or without modification, is permitted provided Auburn University Internal Auditing is listed as the source.