Internal Auditing

Case in Point:
Lessons for the pro-active manager

October 2013
Vol. 5 No. 10
''Intellectuals solve problems, geniuses prevent them.''

-- Albert Einstein

As we conclude the month of October, this marks the end of another National Cyber Security Awareness Month. For the past two months, Case in Point has focused on information technology (IT) related issues.

Two months ago we talked about phishing attacks which are occurring frequently across institutions of higher education. You will note one story in this month's issue that discusses a recent phishing attack at Michigan State University. As is true every month in this publication, you will also see several stories about private data being disclosed through both outside computer hackers inappropriately accessing computer systems and also by employees accidentally disclosing data through human error. We again remind everyone to practice the safe computing tips we mentioned in last month's issue.

While IT risks are substantial and real, you can read one story this month where the data disclosure involved hard copy records that were found in a ''box of office supplies purchased at a South Side yard sale.'' This is a good reminder that our protected data doesn’t always reside on computer systems but sometimes is still in paper form. This particular story reinforces the idea that as stewards of private information we have a responsibility to our stakeholders to be vigilant in protecting their records.

IT brings with it numerous benefits and risks in our operations; however, there are many other issues we need to evaluate and proactively manage in the educational environment. We again invite you to review the stories across higher education and think about what high risk items you may need to provide some additional management for in your area of influence.

M. Kevin Robinson, CIA, CFE, CCEP
Executive Director, Internal Auditing

Information Security & Technology Events

Oct. 27, 2013: What makes Harvard's technology infrastructure so appealing to hackers is not simply the information that passes through the system. If effectively breached, Harvard's servers are powerful enough to be used as a weapon against other cyber systems, can be repurposed to store outsiders' sometimes illegal data, and can be destabilized to shut down crucial components of the University's operations. (link)

Oct. 25, 2013: Michigan State University (MSU) has announced that its EBS HR/Payroll systems were recently taken offline after two employees reported receiving e-mail confirmation of changes to their direct deposit designations on October 18, 2013. (link)

Oct. 24, 2013: Doodling and passing notes in class have been replaced by texting, sending e-mails and checking Facebook. More than 90 percent of college students admitted they use digital devices for non-class activities during class, according to a recent survey, reported in Inside Higher Ed. (link)

Oct. 23, 2013: Brandon University is dealing with the aftermath of a major security breach. The university sent a letter to students last week, informing them that one of their servers had been hacked and student information had been accessed. University president Deborah Poff said officials learned of the breach when they received an email from the hacker. (link)

Oct. 23, 2013: University of Iowa officials confirmed Wednesday that a teaching assistant emailed ''inappropriate content to her students'' --- nude photographs --- Tuesday night and they are looking into the matter. (link)

Oct. 22, 2013: A total of $380,000 was spent investigating and providing services for those affected by a data security breach at Ferris State University that put at risk personal information of 62,000 people, according to a university report. (link)

Oct. 17, 2013: Student records from Pueblo Community College, including Social Security numbers, were found by a Pueblo woman in a box of office supplies purchased at a South Side yard sale last summer in Pueblo. (link)

Oct. 17, 2013: As professors step out from behind lecterns to stand beside laptops or in front of cameras---or both---the top concern for campus information-technology departments across the country is how they can help faculty members move smoothly into the digital age of learning. (link)

Oct. 17, 2013: A computer security breach involving the University of Arizona law college may have provided a hacker with access to names and Social Security numbers of 9,000 former students and applicants. (link)

Oct. 16, 2013: The personal information of nearly 2,000 Sacramento State employees may have been compromised after a computer system was breached. News of the August breach is just trickling out. It took the university about a month to figure out the scope of the breach, and it is only this week reaching out to affected employees. (link)

Oct. 15, 2013: Courtney Rubin reports in The New York Times that students find e-mail ''a boring thing'' and would prefer, please, that their professors text them or friend them on Facebook. An experiment performed by Reynol Junco at Purdue found that students spent an average of six minutes a day on e-mail, less than a fifth of the time they were spending on social networking. (link) (link)

Oct. 14, 2013: Campus-technology officials say they struggle to maintain and expand wireless-network capacity in heavily taxed locations, such as lecture halls, common areas, and sports venues. They are excited about integrating wireless technology into classroom learning, but worry about safeguarding personal and research data increasingly viewed on mobile devices. Underscoring their concerns are budget realities and an obligation to transparency and collaboration. (link)

Oct. 11, 2013: An email intended for applicants to a new online program at the University of Virginia instead was sent by a third-party vendor to a marketing list of people with no connection to the program, officials said. UVa's McIntire School of Commerce intended for the email to inform about 85 people that their applications to a business certification program had been received. (link)

Oct. 8, 2013: Saint Louis University (SLU) is in the process of reporting a health data breach that affected 3,000 patients and occurred in early August. According to KSDK.com, a few SLU employees gave out their account information by mistake as part of a phishing scam email they received. (link)

Fraud & Ethics Related Events

Oct. 29, 2013: A former student trustee at the University of Connecticut faces attempted larceny charges after allegedly transferring $73,000 in financial aid to students before they were authorized to receive the money. (link)

Oct. 15-30, 2013: Gov. Robert Bentley's office released a forensic audit report Monday outlining possible fraud, waste and abuse at Alabama State University, which the governor said raises serious questions about the university's governance. The audit, which Bentley said he plans to turn over to state and federal authorities for possible criminal prosecution, and other documents point to concerns about family and friends of board members Elton Dean and Marvin Wiggins, and former board member Dr. Lawrence Lemak, receiving work or money through contracts with the school. Alabama State University filed a lawsuit against the auditing firm Forensic Strategic Solutions, accusing FSS of interfering with the university's economic interests by preparing a false and misleading audit report. (link) (link) (link) (link) (link) (link)

Oct. 9, 2013: Two Bethany College employees have been fired after an investigation revealed more than $500,000 was embezzled from the school. One employee who managed the cashier's office was fired after allegedly admitting to the crime. The director of finance for the college – who was responsible for reconciling the account in question – has also been terminated. (link)

Oct. 7, 2013: A University of Washington audit has uncovered at least $74,000 in falsified expenses, fake receipts and fake expense reports in a UW program on global health that operates in Africa, the state auditor reported Monday. (link)

Compliance/Regulatory & Legal Events

Oct. 31, 2013: A Tuscaloosa judge is considering whether Greek-letter groups at the University of Alabama can get involved in an election challenge involving a city school board race. (link)

Oct. 31, 2013: Buried in an NCAA news release on Wednesday about football rules changes was word that the association's Division I Board of Directors had asked for an examination of online courses and how much athletes should rely on them. (link)

Oct. 31, 2013: Penn State officials announced Monday (Oct. 28) that over the past few months the University has reached agreement with 26 of the victims of former assistant football coach Gerald Sandusky. The terms of the settlements, which include a release of all claims against Penn State and other parties, are subject to confidentiality agreements. Of the 26 settlements, 23 are fully signed and three are agreed in principle, with final documentation expected within the next few weeks. (link)

Oct. 29, 2013: Sodexo's plan to change benefits eligibility for many of its hourly employees has run into a roadblock at another institution where it has a food-service contract: Vermont State Colleges. (link)

Oct. 29, 2013: A union representing faculty members at Cleveland State University's Cleveland-Marshall College of Law has filed an unfair-labor-practice charge with Ohio's labor-relations board, claiming that the law school's dean retaliated against union organizers by giving them $666 raises, ''in effect'' calling them Satan. (link)

Oct. 24, 2013: One of three former Florida A&M University students involved in a 2010 scheme to steal financial aid money from other students was sentenced to two years in federal prison Thursday. Christopher J. Wright, 23, of Fort Lauderdale was sentenced on charges of aggravated identity theft and access device fraud after he and two co-defendants accessed the university's internal computer system and other students' financial aid accounts while they were also students at FAMU. (link)

Oct. 23, 2013: Case Western Reserve Law Professor Raymond Ku filed a lawsuit today against Law School Dean Lawrence Mitchell and the university alleging that he reported that Mitchell had potentially sexually harassed a woman and suffered retaliation. (link)

Oct. 21, 2013: Seven students and former students filed a federal discrimination complaint against the University of Connecticut Monday, alleging the university failed to protect them from sexual assault on campus and to respond adequately after they reported the assaults. (link)

Oct. 18, 2013: While chairman of the board at Ivy Tech Community College, V. Bruce Walkup bombarded college officials and powerful friends with emails filled with political diatribes and sexist jokes, some that included nude pictures of women. (link)

Oct. 18, 2013: A jury dealt a swift blow to Brian Calhoun's justification for fighting with a female student in March, taking only one hour to find the former Fresno City College instructor guilty of misdemeanor battery. (link)

Oct. 18, 2013: Ernesto Perez is the politically influential CEO of Dade Medical College --- but also, he is a man with a criminal past. Perez's apparent failure to acknowledge his old brushes with the law, even in sworn statements to the government, has now led to a new batch of criminal charges. (link)

Oct. 18, 2013: UCLA's policies and procedures are inadequate to deal with increasing complaints of racial bias among faculty --- nearly all of whom surveyed said they had experienced some level of discrimination, according to an internal report obtained by The Los Angeles Times. (link)

Oct. 16, 2013: Holy Cross women's basketball coach Bill Gibbons voluntarily stepped aside from his coaching duties, one day after he was accused in a lawsuit of verbally and physically abusing his players at games and practices. (link)

Oct. 15, 2013: It's a case of either colossal inefficiency or supreme accountability. Earlier this year, the Education Department suddenly told officials at two universities they needed to pay up for minor infractions of federal student aid rules alleged to have occurred from 1994 to 1996. (link)

Oct. 7, 2013: Amid federal investigations of their handling of campus sexual assaults, USC and Occidental College have disclosed that they underreported the number of cases in recent years, a potential violation of federal law. (link)

Oct. 3, 2013: The former UNC-Chapel Hill tutor who figured prominently in the NCAA infractions found within the Tar Heel football program has taken on a new role as the 2010 scandal moves from the sports arena to the field of law. Jennifer Wiley Thompson, whom NCAA investigators accused of improperly helping football players with papers and writing assignments, now is accused criminally of working to encourage a student athlete to sign with a professional sports agent. (link)

Oct. 1, 2013: A federal court has ruled that Boston University can proceed with its decade-long push to study some of the world's deadliest infectious diseases in a South End laboratory, a decision that leaves the university needing only permission from local health officials before the controversial research can begin. (link)

Sept. 30, 2013: Gallaudet University's chief diversity officer has accused her employer of violating a D.C. anti-discrimination law after a controversy last year that stemmed from her signing a petition that forced a public referendum on Maryland's gay-marriage law. (link)

Sept. 30, 2013: A federal judge has dismissed the University of Alabama's trademark lawsuit against artist Daniel A. Moore and his company New Life Art. U.S. District Court Judge Abdul Kallon on Friday ruled in favor of Moore and against the University in the eight-year legal fight. (link)

Campus Life & Safety Events

Oct. 30, 2013: College coaches and administrators concerned about their tweeting athletes also should be wary of their tweeting fans. Social media experts pointed to vitriolic messages directed at football players from Missouri and Nebraska last weekend as examples of why schools should counsel athletes on how to cope with criticism that crosses the line from heckling to hate. (link)

Oct. 29, 2013: The administration at Amherst College is apologizing over a memo that a residential area coordinator sent out ahead of homecoming weekend that reportedly suggested that students should watch out for ''unwanted sexual advances'' by drunken alumni. (link)

Oct. 29, 2013: A new report has found that about 19 percent of underage and 22 percent of college students ages 21 to 24 in Maryland show signs of alcohol abuse or dependency. (link)

Oct. 28, 2013: University of Florida President Bernie Machen sent a letter Monday to the members of Alpha Tau Omega, reprimanding them for what he called a ''hateful incident'' involving a fraternity member yelling racial slurs and sexual comments at a black female student. (link)

Oct. 25, 2013: A University of Wisconsin-Superior professor who was placed on leave while the university investigated details of a decades-old conviction in Utah of attempted child sexual abuse has resigned, the school announced today. (link)

Oct. 23, 2013: A University of Rochester student says college officials violated his right to free expression by forcing him to take down a Confederate flag he had put in the window of his room on campus. (link)

Oct. 22, 2013: The University of Louisiana system and Grambling State University will work together on an internal review of the university, after Grambling football players this week ended a boycott protesting concerns they had raised about substandard athletics facilities, unhealthy conditions, and other issues. (link)

Oct. 12, 2013: The sculpture was meant to anchor Three Rivers Community College's campus: A combination of public art and functional space that officials said was the perfect symbol of a higher learning institution. Instead, the gradual dismantling of The Nautilus --- a $510,000 project envisioned as an outdoor amphitheater --- has created ill will toward the school from a world-renowned New York-based artist commissioned to carry out the project. Yet interim college President Grace Jones and state officials stand by the move, saying it was necessary to protect the safety of students. (link)

Oct. 10, 2013: Vanderbilt University has suspended the Alpha Tau Omega fraternity for a rush-related email making light of an ongoing rape case. The profanity-laced and sexually charged email was sent out Sept. 22 to prospective members of the fraternity and was eventually brought to the university's attention. The university --- and Alpha Tau Omega's national office --- suspended the Vanderbilt chapter on Oct. 3. (link)

Oct. 9, 2013: Parent awareness of their college-student children's drinking patterns and problems can help reduce the scourge of binge drinking on campuses across the state, officials said Wednesday. (link)

Oct. 8, 2013: Yeshiva University, still reeling from allegations that for decades its leaders dealt improperly with the specter of sexual abuse, has hired a new faculty member convicted of inappropriate sexual behavior with boys, the Forward has learned. (link)

Oct. 8, 2013: When Swarthmore College senior Marian Firke saw a photograph on Facebook of a fraternity's flier inviting new members to join, she got mad. The flier, she said, was a collage of photos of naked women. A fellow senior told her that the frat, Phi Psi, had used it as a bid letter for at least four years. (link)

Oct. 7, 2013: he sent an email to his fraternity brothers, offering advice for ''luring rapebait'' at parties. If it was supposed to be a joke, it wasn't funny. But students, graduates, the institute and the national fraternity office all agreed on one thing: It was embarrassing and derogatory, bringing unflattering attention to the university. (link)

Oct. 7, 2013: Colorado Springs Police on Monday identified a suspect in two peeping Tom incidents at Colorado College over the weekend of Sept. 28-29. (link)

Oct. 3, 2013: College students, you might want to give your phones a rest for the sake of your sleep. A small new study from Washington and Lee University researchers shows an association between more texting among college freshmen, and worse sleep. (link)

Oct. 3, 2013: A Carlow University student who painted his face to look like the Batman villain the Joker was arrested after campus police said he acted disorderly, spit on an officer, threatened them and resisted their efforts to arrest him. (link)

Oct. 2, 2013: Boston College is moving to discipline a student who allegedly wrote anonymously on Facebook that he had raped three women while at BC, before later turning himself in to university police and administrators to tell them the online post was a hoax. (link)

Oct. 2, 2013: In the late evening of Sept. 7, Lucy Fleming '16 opened the dryer in the Saybrook College laundry room to an unpleasant surprise. Her clothes were soiled with human feces, and it took the physical delivery of the excrement to the Saybrook Master's Office to catch administrators' attention. (link)

Oct. 1, 2013: Penn State employees who complete the new wellness health program will be rewarded for their participation, the university announced Tuesday. Penn State will give $100 to each employee who completes an online health profile through WebMD, has a biometric screening done and agrees to see a doctor for a preventative-care medical exam. Spouses or same-sex partners who go through the same process will bump up the level of the bonus to $150 total, the university said. (link)

Sept. 30, 2013: UC Berkeley experienced a widespread power outage at approximately 4:40 p.m. on Monday (Sept. 30) that led to an explosion in an underground steam tunnel, leaving at least one student with minor injuries. The student with minor injuries was transported to a medical facility and later released. Up to four other people with minor injuries declined aid. The affiliation with the campus of those who declined medical aid is unknown. (link)

Other News & Events

Oct. 30, 2013: The federal shutdown might be over, but officials at the University of Michigan are bracing for the next round of across-the-board spending cuts that, if enacted, could affect millions in research funding at the Ann Arbor school. (link)

Oct. 27, 2013: More than 11,000 Georgians lost HOPE grants to attend state technical colleges when the state Legislature imposed tougher academic requirements in 2011, and more than half have not re-enrolled in school as of this fall, according to Technical College System of Georgia statistics. (link)

Oct. 21, 2013: Students at America's high schools, colleges, and universities are well into their first semesters. But while they plow through their assigned readings and write essays, administrators are turning their grades and their professors' evaluations into millions upon millions of tiny data points. Much like every other field in the world, education is embracing big data--only, this time, they're using it to determine who will thrive in college, who will fail, and who will need some extra help. (link)

Oct. 21, 2013: George Washington University admitted publicly for the first time Friday that it puts hundreds of undergraduate applicants on its waitlist each year because they cannot pay GW's tuition. Administrators now say the admissions process has always factored in financial need. But that contradicts messaging from the admissions and financial aid offices that, as recently as Saturday, have regularly attested that the University remained need-blind. (link)

Oct. 18, 2013: If your institution missed its enrollment and revenue goals this fall (or for the last two or three falls), an obvious question pops to mind: What are you going to do about it? (link)

Oct. 14, 2013: UT officials have placed the director of the Pride of the Southland Marching Band on administrative leave after claims that band traditions were being threatened by the athletic department. (link)

Oct. 12, 2013: With early admission deadlines looming for hundreds of thousands of students, the new version of the online Common Application shared by more than 500 colleges and universities has been plagued by numerous malfunctions, alarming students and parents and putting admissions offices weeks behind schedule. (link)

Oct. 11, 2013: Success in big-time college sports can increase universities' visibility and improve their brands, but a heightened focus on athletics also presents increasing financial and reputational risks, Moody's Investors Service said in a report released on Friday. (link)

If you have any suggestions, questions or feedback, please e-mail me at robinmk@auburn.edu. We hope you find this information useful and would appreciate hearing your thoughts. Feel free to forward this email to your direct reports, colleagues, employees or others who might find it of value. Back issues of this newsletter are available on our web site at https://www.auburn.edu/administration/oacp.

If you have any suggestions for items to include in future newsletters, please e-mail Robert Gottesman at gotterw@auburn.edu.

Department of Internal Auditing
Auburn University
304 Samford Hall
M. Kevin Robinson, Exec. Director

© Redistribution of this newsletter, with or without modification, is permitted provided Auburn University Internal Auditing is listed as the source.