Internal Auditing

Case in Point:
Lessons for the pro-active manager

March 2014
Vol. 6 No. 3
''A leader leads by example, whether he intends to or not.''

-- Unknown

This month we continue our look back at the events from 2013 focusing on the category of Fraud & Ethics Related Events. During 2013 we linked 106 stories in this category in Case-in-Point. The breakdown of stories in this category is fairly consistent with what we have seen in prior years:

  • Occupational Fraud 50%
  • Academic Fraud 17%
  • Use of Funds/Conflict of Interest 14%
  • False Reporting 9%
  • Other Misc. 10%

Occupational Fraud occurs when an employee uses their position to commit fraud against their employer. Typically three elements are present when occupational fraud occurs: 1. Pressure of some kind (e.g. financial stress); 2. Rationalization (e.g. I'm only borrowing the funds); and 3. Opportunity (e.g. access to resources in the course of their work). In most cases where occupational fraud occurs, internal controls are very weak, and it is common for the greatest weakness to be that one person has total control of some process with virtually no oversight or monitoring by supervisors or management. The best prevention with respect to occupational fraud and avoiding it within your area is strong internal control.

The academic fraud cases involved a range of activities from falsifying credentials to grade changes. Once again, as with occupational fraud, having controls in place is the best way to reduce the likelihood of this type of fraud affecting your operations.

Two areas that seem to be rising in importance involve the use of funds and false reporting. Expectations of transparency and accountability for how we use our resources have never been greater within higher education, so the scrutiny and appearance of how resources are used should be something we all consider in making decisions. False reporting typically involves non-financial issues within higher education. With the increased scrutiny of reported figures and data in higher education, we should also ensure that what we report to outside agencies and the public is accurate.

We again invite you to review the events occurring within higher education over the past month and consider whether there are similar risks here that may require your attention. If you have any comments or suggestions, we always welcome your feedback.

M. Kevin Robinson, CIA, CFE, CCEP
Executive Director, Internal Auditing

Information Security & Technology Events

Mar. 28, 2014: The University of Wisconsin-Parkside is notifying approximately 15,000 students about a data breach after the campus IT staff, while performing routine maintenance, discovered that hackers had installed malware on one of the university's servers. (link)

Mar. 27, 2014: The University of Maryland president testifies on Capitol Hill about the widespread data breach that exposed hundreds of thousands of people's personal information. ''We were just flying by the seat of our pants....I was surprised that it even happened in the first place. I thought Maryland was more secure than that,'' Damilola Otukoya said. (link)

Mar. 26, 2014: The Financial Aid Office of Loyola Law School in Los Angeles inadvertently exposed the personal information of what may very well have been the school's entire 395-member student body to 14 members of its May 2014 graduating class. (link)

Mar. 20, 2014: Auburn University in Alabama has been hit by another data breach. This time, the cause appears to be a leaky server connected with Auburn's College of Business. A letter to victims is signed by Dean Bill Hardgrave and dated March 20, 2014. A copy of the letter obtained by idRADAR News was filed with the Vermont Attorney General's office to satisfy that state's data notification laws. The text references discovery of the server compromise on November 20, 2013--a full four months before this notification--but provides only a few details of the breach. However those details are significant. (link)

Mar. 20, 2014: The University of Maryland says someone hacked into its computer network and obtained personal information for the second time in four weeks. Chief Information Officer Ann Wylie revealed the breach Thursday in a letter to administrators and department chairs. (link)

Mar. 20, 2014: The University of California, San Francisco, is warning nearly 10,000 people that their personal information may have been compromised after desktop computers were stolen in January. (link)

Mar. 20, 2014: Another admissions cycle; another batch of acceptance letters sent to rejected students. The shift away from physical admission decisions to electronic notifications has led to speedier notification of decisions to applicants, but it has also opened the door to more mistakes. (link)

Mar. 19, 2014: A state audit found unencrypted laptops and portable devices that may store sensitive information at the University of Northern Iowa could pose a risk to the university, but UNI officials said there's no evidence that's the source of the mass identity theft that cropped up after employees filed their taxes this year. (link)

Mar. 17, 2014: A data breach at Indiana University, which exposed personal information of 146,000 students and recent graduates, has cost the university more than $80,000 and 700 personnel hours so far. (link)

Mar. 15, 2014: Colleges and universities often are attractive targets for hackers because there are many access points into their networks, which contain not just financial and personal data but also valuable intellectual property. That threat is forcing academics to reassess the way they keep and protect vast collections of information, often held in decentralized computer networks accessible to thousands of students, professors and researchers. (link)

Mar. 14, 2014: The University of Central Oklahoma announced that someone was able to access personal information that was stored on one of the school's servers. (link)

Mar. 7, 2014: Names, email addresses and phone numbers from about 850 current and former Johns Hopkins University biomedical engineering students were posted online Thursday, stolen by someone claiming to be part of the hacker group known as Anonymous. The breached server did not contain Social Security or credit card numbers, or any other data that would make identity theft a concern, university spokesman Dennis O'Shea said. The hacker was attempting to extort the university for further access to its servers, threatening to post the information online unless officials handed over server passwords, O'Shea said. The university did not comply, he said. (link)

Mar. 6, 2014: North Dakota University System officials said Thursday they have talked to the FBI and an independent cybersecurity group about helping with an investigation into a breach on the system's computer server. The system's interim chancellor announced Wednesday that names and Social Security numbers of more than 290,000 current and former students and nearly 800 faculty and staff were on the server, which was hacked in early February. It's not known if the information was stolen. It did not include bank or credit card information. (link)

Mar. 6, 2014: As many as 322 UPMC employees -- 300 more than initially reported -- have been affected by a data breach and identity theft scheme, the hospital system said on Thursday. The breach allowed someone to use the employees' personal information to electronically file fraudulent income tax returns. (link)

Mar. 5, 2014: The college district that serves the Phoenix area stands to spend more than $17 million because of a computer breach. Costs anticipated by the Maricopa County Community College District include work to fix the computer system, pay for lawyers and provide credit monitoring to 2.4 million current and former students and other affected individuals. (link)

Mar. 4, 2014: Recent data breaches at some of America's largest higher education institutions are highlighting the vulnerability of students' and faculty's private information -- and the constant threat universities across the country face. ''Unfortunately, every organization in the world is vulnerable and is at a risk of being breached by a hacker or group of hackers,'' said Bogdan Vykhovanyuk, associate director of UCIT information security. (link)

Mar. 5, 2014: Point Park University on Wednesday alerted employees to a potential data breach involving names, home addresses, Social Security numbers and other information. The potential data breach was announced in an email to employees by Point Park President Paul Hennigan. As many as 1,800 employees could have been impacted by the incident that is under investigation, the university said. (link)

Mar. 3, 2014: The cost to deal with the breach in the computer system at the Maricopa County Community College District could total $17.1 million, with most of that spent on lawyers and services to the millions of people whose personal data was exposed. Over the past 10 months, about $6.8 million has been authorized to repair the system. In November, the district disclosed that hackers had invaded a server in April, exposing Social Security numbers and banking information of 2.4 million current and former students, faculty members and vendors from as long as 30 years ago. (link)

Mar. 1, 2014: University of Maryland President Wallace D. Loh said Friday that while ''reasonable measures'' will be taken to mitigate last week's major database breach, it will likely cost the university millions of dollars. Loh said the credit monitoring provided by the university through Experian could cost up to $20 per person -- if all 309,079 people affected by the hack signed up, that could cost the university up to $6.2 million. (link) The data breach at the University of Maryland is smaller than first announced. According to the university's website, there were 287,580 records breached, about 21,499 fewer than first reported. (link) The University has begun purging data. (link)

Feb 28, 2014: After two years in a well-paying job, Sun went back to college in his native Massachusetts for a master's degree, until it became public that he had changed his grades at Purdue University and was facing felony computer tampering charges. Sun explained how he and Shirasaki had perfected a system of hacking into professors' accounts about 10 minutes before the professors' deadline to submit final grades for the semester. They knew the deadline because they had hacked the professors' accounts, and the deadline was generally late at night, Sun said, and was not a time that a professor would likely catch them. (link)

Fraud & Ethics Related Events

Mar. 26, 2014: The University of South Florida was unable to hire Manhattan College's Steve Masiello as its men's basketball coach because he lied on his résumé and never completed his bachelor's degree at the University of Kentucky. (link)

Mar. 20, 2014: Police have arrested three York University employees over an alleged $1.6-million fraud -- the second seven-figure theft uncovered at the school in the past four years. The alleged scheme involved fraudulent billing over seven years -- from November, 2005 to October, 2012 -- when York officials were alerted by a whistle-blower and contacted police. (link)

Mar. 16, 2014: The University of Louisville last year paid three officials close to President James Ramsey twice as much to take early retirement as other administrators, so they would keep quiet about sensitive information the university did not want them to disclose. (link)

Mar. 12, 2014: Former Florida A&M University dean of students Henry Kirby and Student Government Association coordinator Morris Hawkins stole money from a university fund that paid for students to attend FAMU football games, according to a Florida Department of Law Enforcement investigation. Kirby, 60, told FDLE and FAMU police investigators he took $2,000 from the fund. Hawkins, 40, who was scrutinized for questionable bookkeeping of the SGA budget in 2011, admitted to stealing at least $7,500 and receiving more than $6,000 in reimbursement costs that he paid for with university money. (link)

Mar. 7, 2014: A prominent Georgia Tech professor is on leave, accused of shaking down graduate students he supervises for at least $20,000. The university announced they are now taking steps to fire Dr. Jochen Teizer, an associate professor of construction engineering, after Channel 2 investigative reporter Richard Belcher notified the school of his plans to report the allegations. (link)

Mar. 5, 2014: A woman from West Virginia is accused of stealing $1 million from Bethany College, all to keep her alleged online affair a secret. But when she tried to end it, things turned worse. (link)

Mar. 2, 2014: The president of the University of West Alabama is calling for an investigation by the UWA board of trustees into allegations that some of its members and university administrators tampered with the annual presidential evaluation to skew results. (link)


Compliance/Regulatory & Legal Events

Mar. 28, 2014: Dr. Dennis Bona, president of Kellogg Community College, talked with FOX 17 on Friday. He's currently being investigated for an unspecified allegation. (link)

Mar. 26, 2014: Illinois State University President Timothy Flanagan abruptly resigned last weekend after campus police finished an investigation into an allegation that he assaulted a groundskeeper at Flanagan's university-owned home. On Tuesday, he was charged by the McLean County state's attorney with one count of disorderly conduct, a misdemeanor punishable by a maximum of 30 days in jail. (link)

Mar. 26, 2014: Northwestern University athletes won their case before the National Labor Relations Board on Wednesday and were ruled to be employees eligible to form a union. (link)

Mar. 25, 2014: A black student who says his suite mates at a California university put a bike lock around his neck and racially harassed him has filed a $5 million claim against the school. Donald Williams says an adviser at his San Jose State University dormitory, Charles May, knew a lock had been fastened to his neck but did little about it, the San Jose Mercury News reported Thursday. (link)

Mar. 23, 2014: The University of Florida had to pay an education consulting company cash up front before it could help get the Legislature-mandated and state revenue-funded UF Online up and running. But UF officials have been mum on how much the university is paying Pearson Learning, the largest "enabler" of online education for nonprofit universities. In response to a public records request from The Gainesville Sun, the university this week released heavily redacted documents that blot out the amount of money UF will pay Pearson over the life of the 10-year contract -- saying that information is a trade secret exempt from the public records law. (link)

Mar. 19, 2014: A former associate golf coach at the University of Minnesota who sued the school, alleging that it fired her after learning she was a lesbian, was awarded nearly $360,000 Tuesday by a Hennepin County district judge. (link)

Mar. 18, 2014: A University of Hartford student is facing an assault charge for his alleged involvement in hazing a younger student during initiation into an "underground" fraternity. (link)

Mar. 17, 2014: The University of Wisconsin-Madison has paid a $35,000 fine to settle about half-a-dozen animal research violations, including burning a cat and euthanizing a dog without notifying the supervising veterinarian. (link)

Mar. 12, 2014: The credit rating of the University of California, the biggest U.S. system combining education, research and health care, was cut one level by Moody's Investors Service on rising debt and reduced state support. (link)

Mar. 12, 2014: The family of a construction worker killed in January while working on Baylor University's new on-campus football stadium has filed a wrongful death lawsuit against the university and several construction and equipment companies. (link)

Mar. 7, 2014: When Ginger Anderson, a Utah Valley University employee and student, made a small change to an incorrect wall map inside one of the school's buildings, she had no idea it would result in her being manhandled and arrested by police officers. The 48-year-old, who works in the information center at the university, says she marked on the map with a marker because students were having trouble getting to classes. In fact, it was literally depicted upside down. She claims she corrected the map's compass, and wrote in marker that the map was upside down. (link)

Mar. 4, 2014: Officials for Oklahoma State University (OSU) and an anti-choice student group reached a settlement in a civil rights lawsuit alleging the school violated the group's First Amendment rights when members were unable to display graphic anti-abortion imagery in high-traffic areas of campus and to hand out anti-abortion literature to those passing by. (link)

Feb 28, 2014: In an attempt to pressure employers to pay interns in accordance with Labor Department guidelines, Columbia University will no longer offer its undergraduates registration credits in exchange for internship experience. The policy takes effect immediately, though the school says it will consider exceptions for students who have already signed on for internships that expect them to be receiving ''R'' credits, which don't count towards graduation. (link)


Campus Life & Safety Events

Mar. 30, 2014: Students at the University of Arizona apparently did not take Saturday night's loss to Wisconsin in the Elite Eight well. According to student newspaper Daily Wildcat's Twitter account (@dailywildcat): ''Dozens of students shot with beanbags'' by law enforcement who were wearing riot gear and gas masks. Tucson police said they shot pepper spray at several hundred fans who took to the streets and threw beer bottles and firecrackers at officers after the team's overtime loss in the NCAA Tournament. (link)

Mar. 27, 2014: A Genesee Community College security officer has been charged for entering on-campus apartments and stealing undergarments and swimsuits. (link)

Mar. 27, 2014: The University of Pennsylvania is facing criticism over how it responded to a recent spate of student suicides, in one case waiting months to confirm publicly that such a death had occurred. At least four students have taken their own lives at the Ivy League school in the current academic year, three of them since Christmas. (link)

Mar. 26, 2014: The University of Wisconsin-La Crosse has more on-campus alcohol arrests per capita than any other large university in the country, and the State University of New York at Oneonta nabbed the most drug busts, according to a new analysis released to The Huffington Post this week. (link)

Mar. 21, 2014: A college student has been charged with possessing a biological toxin after ricin was found in his Georgetown dorm room on Tuesday, March 18. (link)

Mar. 21, 2014: The University of Alabama SGA's Senate Thursday night failed to pass a resolution to support the full integration of its Greek system, and sent it instead to committee, where it will die with the end of the 2013-14 Senate session. (link)

Mar. 19, 2014: As Gainesville Police continues investigating a serial urinator, three more victims have come forward. The department released a composite sketch of the suspect Monday. A man is suspected of approaching females from behind and peeing on them between the 100 and 200 blocks of Northwest 17th Street and the 900 block of West University Avenue. (link)

Mar. 12, 2014: University of Tennessee President Joe DiPietro is urging lawmakers not to pursue legislation that would penalize the school over its student-run Sex Week. (link)

Mar. 9, 2014: Police in Massachusetts arrested a total of 52 people after nearly a dozen more were taken into custody early on Sunday as a pre-St. Patrick's Day party turned violent, with officers in riot gear sparring with revelers in skirmishes that lasted nearly 24 hours. Another 28 people were issued summonses since violence broke out on Saturday morning during an annual party known as the "Barney Blowout," near the University of Massachusetts, Amherst. (link)

Mar. 8, 2014: American college fraternities have been around for nearly 200 years. The first was established in 1825. One of the nation's largest fraternities - Sigma Alpha Epsilon - is banning pledging, effective Sunday. Bloomberg reports more SAE pledges died - at least 10 since 2006 - than any other fraternity. (link)

Mar. 7, 2014: A week after they arrested David Ming Lee for carrying a loaded .40-caliber Glock onto the campus of Folsom Lake College, investigators found writings in his bedroom that a prosecutor said ''indicated a plan to assault and kill.'' (link)

Mar. 5, 2014: I recently received e-mails from a frustrated graduate student with chronic disease who was tired of administrative roadblocks at her particular school, and a distraught parent of a college student who was about to withdraw from another school because of her health. Both e-mails sought commiseration and advice, and both speak to the same issue: What happens when patients with chronic illness enter higher education? (link)

Mar. 4, 2014: Public discussions about sexuality pop up on college campuses on a regular basis, and not immune from this phenomenon is our own Santa Fe University of Art and Design, where in January a spate of clitoris-themed graffiti led to uproar from school officials. (link)

Other News & Events

Mar. 24, 2014: A faculty member at Lone Star College taught the wrong chemistry course for a semester. Shortly before the final exam, the faculty member told the class that she had NOT been teaching them the introductory course in chemistry that they originally signed up for, but an advanced course in chemistry. (link)

Mar. 5, 2014: No more SAT words or long essays: The new SAT is here, and it looks pretty different. Almost a year after first announcing the SAT would face a major redesign, College Board President David Coleman released new information this afternoon on how the exam is going to change. The College Board says it is emphasizing ''delivering opportunity'' to all students and making the SAT more reflective of high school academics. ''It is time to admit that the SAT and ACT have become disconnected from the work of our high schools,'' Coleman said in a press conference. He also said he hoped the changes would remove the ''sense of mystery and dismantle the advantages that people perceive in using costly test preparation.'' (link)

Mar. 4, 2014: Though a new law removes algebra II as a core requirement for a high school diploma, many Texas universities say they will not change their admissions standards to drop the advanced math course anytime soon. Instead, universities will likely continue to raise the threshold for new applicants, said Dominic Chavez, spokesman for the Texas Higher Education Coordinating Board. (link)

Feb 27, 2014: Purdue University, which once defended the right of a private speaker to blaspheme Jesus, has banned an alumni donor from using the word ''God'' on a plaque because it might offend someone. (link)

If you have any suggestions, questions or feedback, please e-mail me at robinmk@auburn.edu. We hope you find this information useful and would appreciate hearing your thoughts. Feel free to forward this email to your direct reports, colleagues, employees or others who might find it of value. Back issues of this newsletter are available on our web site at https://www.auburn.edu/administration/oacp.

If you have any suggestions for items to include in future newsletters, please e-mail Robert Gottesman at gotterw@auburn.edu.

Department of Internal Auditing
Auburn University
304 Samford Hall
M. Kevin Robinson, Exec. Director

© Redistribution of this newsletter, with or without modification, is permitted provided Auburn University Internal Auditing is listed as the source.