Having trouble viewing this email? View it in your browser.

Internal Auditing

Case in Point:
Lessons for the pro-active manager

April 2014
Vol. 6 No. 4
''Obedience of the law is demanded; not asked as a favor.''

-- Theodore Roosevelt

We continue our look back at 2013 and the events we observed here in Case-in-Point (CIP). This month we focus on the largest category in terms of stories linked in CIP which is the Compliance and Legal category encompassing roughly one-third of all stories we included here.

The compliance burden on institutions appears to be increasing, and at least anecdotally, seems to be at an all-time high. We can only speculate as to why there is growth with respect to compliance mandates, but our top two would be:

  1. The number of high profile incidents/failures within higher education: Incidents that years ago may have attracted little attention can now become national new stories due to the advent of social media and technology. Generally speaking when a major incident occurs, the compliance focus and burden increases for everyone within the industry.
  2. Greater demand for accountability and transparency: This is driven largely by budget pressures. Scarce dollars increase the scrutiny by both regulators and the public of how funds are used.

Categorizing these items can be difficult as, frequently, they cross into multiple compliance issues, but in terms of our ranking, the top five we noted are:

  1. Issues related to crime occurring on campus;
  2. Federal regulations (which affect a wide range of areas from financial aid to research and many others);
  3. Discrimination issues (which normally involves federal regulations but we break out for monitoring here);
  4. Clery Act issues (related to the first item and another federal requirement but an area of growing emphasis and monitored separately);
  5. Employment issues (which can involve federal, state, or even institutional policy issues not included earlier).

Considering your unique and important compliance issues is more important than ever. Common best practices with respect to compliance should include at a minimum ensuring policies are in place where needed; training on important compliance issues is provided to faculty, staff and administrators; monitoring is a normal part of your processes; and potential incidents are followed up on and investigated.

While compliance issues are vitally important, as you will note again the number of risks within higher education are vast and diverse. We again invite you to review those items of note during the past month. As always we encourage your feedback.

M. Kevin Robinson, CIA, CFE, CCEP
Executive Director, Internal Auditing

Information Security & Technology Events

Apr. 29, 2014: An unspecified number of current and former employees at University of North Carolina in Wilmington and a group of foreign language students are about to learn that their key personal data was exposed during a recent data intrusion. This marks #12 for the UNC system since 2007. (link)

Apr. 26, 2014: More than 2,000 Social Security numbers of former Johns Hopkins University graduate students were exposed to potential hackers, the university confirmed Saturday. Hopkins officials discovered on March 19 that the names and Social Security numbers of 2,166 former students were stored on a server that was accessible to the Internet, said Dennis O'Shea, a university spokesman. "Somebody had stashed them on a machine, not realizing that when they did that, the files would be accessible on the Internet," O'Shea said. (link)

Apr. 25, 2014: The Rochester Housing Authority says a security breach has caused the names and social security numbers of up to 180 residents to be compromised. RHA executive director Alex Castro says a housing specialist printed out a list containing the names and social security numbers of the residents of Lexington Court for a resident council president who wanted to do some outreach. "This information is available for the staff, but there is a confidentiality agreement that every staff member signs that they know not to share that information. Unfortunately, this person did not follow through." (link)

Apr. 25, 2014: Grand Valley State University says student social security numbers were not accessible last week when a university vendor accidentally posted online a list of names, addresses and internal id numbers of more than 10,000 students.(link)

Apr. 22, 2014: Servers containing the social security numbers of almost 30,000 Iowa State University students were compromised in a security breach, university officials announced Tuesday. Information technology staff discovered a breach of five departmental servers that contained social security and university ID numbers for students who took classes in computer science, world languages and cultures and materials science and engineering. (link)

Apr. 24, 2014: College students are not embracing tablets as many experts had expected when the devices were introduced a few years ago, says a new report from Ball State University. (link)

Apr. 20, 2014: Students and employees of the University of Virginia (UVa) may be scratching their heads today and wondering what UVa can or will do to secure its servers better. The university, which was hacked in 2012 by @AnonAntidote and again in 2013 by a former UVa student known as @R00tTh3B0x, has reportedly been hacked yet again – this time by @NullCrew_FTS, who have just now publicly admitted that they were @R00tTh3B0x. (link)

Apr. 17, 2014: The scope of an identity theft scheme at UPMC widened on Thursday as the health care giant confirmed personal information for as many as 27,000 workers might have been compromised. (link)

Apr. 10, 2014: A former contract worker for the University of Maryland said he hacked into scores of data­bases in the school's computer system and posted the university president's ''private information'' online to draw attention to security problems. (link)

Apr. 9, 2014: In 2013, HALOCK Security Labs noted information security vulnerabilities at colleges and universities along with numerous challenges that plague these institutions across the United States. More breaches may come to light if higher education institutions do not rethink their security measures. (link)

Apr. 8, 2014: Microsoft Corp released its final security updates for Windows XP and Office 2003 on Tuesday as security experts warned users that they could soon be prime targets for cyber attacks if they do not abandon the products. (link)

Apr. 7, 2014: Researchers have discovered an extremely critical defect in the cryptographic software library an estimated two-thirds of Web servers use to identify themselves to end users and prevent the eavesdropping of passwords, banking credentials, and other sensitive data. (link)

Apr. 1, 2014: Even absent liability, defense costs, regulatory fines or penalties, responding to a data breach incident is likely to be expensive. For instance, mailing notification letters can run about a dollar per letter. Credit monitoring, a standard offering for those whose information is compromised, can run $12 to $15 per person. Specialized privacy counsel--needed to sort through the myriad legal and regulatory issues involved--can cost thousands of dollars, as can the fees for a reputational management firm and forensic experts. Setting up call centers is costly. And the list goes on. All of these expenses must be considered in advance and the question asked during planning: Who will pay? (link)

Mar. 30, 2014: The mysterious visitor called himself Gary Host at first, then Grace Host, which he shortened for his made-up e-mail address to ''ghost,'' a joke apparently, perhaps signaling mischievousness -- or menace. The intruder was lurking somewhere on the MIT campus, downloading academic journal articles by the hundreds of thousands. The interloper was eventually traced to a laptop under a box in a basement wiring closet. He was Aaron Swartz, a brilliant young programmer and political activist. The cascade of events that followed would culminate in tragedy: a Secret Service investigation, a federal prosecution, and ultimately Swartz's suicide. (link)

Fraud & Ethics Related Events

Apr. 29, 2014: Two University of Houston professors have been accused of falsely obtaining approximately $1.3 million from a federal small business program over 13 years, according to the U.S. Department of Justice. (link)

Apr. 23, 2014: Massachusetts Attorney General Martha Coakley sued the former president of a tiny Falmouth college on Tuesday, seeking to force him to repay the school millions that he allegedly squandered on excessive compensation, Mercedes automobiles, and a quarter-million-dollar timeshare in the Caribbean. (link)

Apr. 23, 2014: Wayland Baptist University's former Chief Financial Officer James E. ''Jim'' Smith will spend the next five years in state prison after pleading guilty on Thursday to first degree felony theft charges. District Attorney Wally Hatch said Smith, who was dismissed from Wayland a year ago amid allegations of financial impropriety, appeared before 64th District Court Judge Rob Kincaid. Hatch said the defendant was taken into custody immediately following the hearing and is in Hale County jail pending transfer into state custody. Smith waived his rights to appeal. The judge also ordered Smith to make $1,318,000 in restitution payments to Wayland. (link)

Apr. 18, 2014: Financial documents released by the University of North Texas show accounting irregularities that have overstated the university's financial position by as much as $23 million. Audits conducted by the university and a private firm show misleading budget entries made since 2012 to account for unresolved collections. But they were registered as accounts receivable, which are often recorded as assets. (link)

Apr. 17, 2014: Former Northern Kentucky University Athletic Director Scott Eaton accepted a 10-year prison sentence Thursday when he pleaded guilty to theft charges in Campbell County. Eaton was fired in March 2013 after admitting to having inappropriate relationships with four NKU employees and one adult student. An NKU investigation found he had diverted $311,215 to his personal use. (link)

Apr. 16, 2014: New York University's controversial penchant under President John Sexton for doling out real-estate perks to top professors and executives also extended to his son. Jed Sexton, whose sole affiliation with NYU was his status as the president's son, for years enjoyed a spacious faculty apartment while the university experienced a ''severe'' housing shortage, The Post has learned. (link)

Apr. 10, 2014: Two 18-year-old Wayne State University students have been charged in the theft of more than $42,000 in checks payable to a radio station. (link)

Apr. 4, 2014: A former head cashier for the Robert Wood Johnson University Medical Group pleaded guilty Friday to embezzling approximately $42,000 from her employer, Acting Attorney General John J. Hoffman announced. Dewyna Brown, 38, of North Brunswick, the former head cashier for the Cash Administration Unit of the Robert Wood Johnson University Medical Group and the Robert Wood Johnson Medical School, pleaded guilty to a charge of third-degree theft by unlawful taking before Superior Court Judge Bradley J. Ferencz in Middlesex County. (link)

Apr. 3, 2014: The former executive director of University of Louisville's Department of Family & Geriatric Medicine was indicted Wednesday, accused of stealing $2.8 million in patient payments and other funds and failing to report $2.4 million in income. A federal grand jury in Louisville also charged Perry Chadwick Vaughn, 36, with money laundering for allegedly trying to disguise the thefts by using the money to buy or lease nine luxury vehicles and pay for real estate, luxury vacations and a $9,000 necklace. (link)

Apr. 3, 2014: A former junior college police officer pleaded guilty to stealing more than $250,000 from campus parking machines at a Northern California campus.(link)

Apr. 2, 2014: The women's basketball coach at Highland Community College in northeast Kansas, who once coached at Southeast Missouri State University, pleaded guilty to being part of a car theft ring that prosecutors said staged accidents and filed false theft reports to pocket insurance money. William J. Smith, of Highland, Kan., pleaded guilty Tuesday in federal court in St. Louis to one count of conspiracy and five counts of mail fraud. He was one of 21 people charged in a scheme to steal luxury motor vehicles from individuals and dealerships in Missouri, Iowa, Illinois and Indiana. (link)

Apr. 2, 2014: A former Santa Rosa Junior College police officer pleaded guilty today to stealing more than $150,000 in parking machine money at the college and possessing stolen property.

Apr. 1, 2014: A federal jury convicted Manoj Kumar Jha, age 46, of Severn, Maryland, today of wire fraud, mail fraud, falsification of records, and theft of government property in connection with a scheme to fraudulently obtain research grants from the National Science Foundation (NSF) and kickbacks from students' stipends. (link)

Compliance/Regulatory & Legal Events

Apr. 29, 2014: A former St. Charles Community College student on Monday pleaded guilty to disturbing the peace for making a threat against school staff on Twitter. (link)

Apr. 28, 2014: Tufts University has failed to comply with federal law when addressing sexual assault and harassment complaints on campus despite making several policy improvements since a federal investigation began in 2010, the Department of Education said. (link)

Apr. 28, 2014: A discrimination complaint over a decision by the University of New Brunswick to downgrade its women hockey team from varsity status to a non-funded club should not proceed because the complainant doesn't have a personal stake in the case, lawyers for the school argued Monday. (link)

Apr. 23, 2014: Boston University has parted ways with women's basketball coach Kelly Greenberg after four scholarship players said they quit the team last season because Greenberg emotionally abused them. (link)

Apr. 22, 2014: In a fractured decision that revealed deep divisions over what role the judiciary should play in protecting racial and ethnic minorities, the Supreme Court on Tuesday upheld a Michigan constitutional amendment that bans affirmative action in admissions to the state's public universities.(link)

Apr. 21, 2014: Maricopa County Community College District waited seven months to inform 2.5 million students, graduates, employees and vendors that its databases had been breached and their personal information made available for sale online, a class action claims in state court. Lead plaintiff Jason Liebich, a current student at Phoenix College, sued the college district in Maricopa County Court. (link)

Apr. 21, 2014: A former University of Virginia associate dean has pleaded guilty to child pornography charges. U.S. Attorney Timothy J. Heaphy says Morris possessed more than 1,000 images of child pornography and child erotica. At the time of his arrest in November 2013, Morris was an associate dean at U.Va.'s McIntyre School of Commerce. (link)

Apr. 18, 2014: The University of Louisville is paying another large settlement in connection with the retirement of a high-ranking official -- this time, $346,844 to its top lawyer. University counsel Angela Koshewa is on a three-month leave of absence before she officially retires June 1. Documents obtained under the Kentucky Open Records Act show the university is paying Koshewa -- who has questioned some expenditures and proposals backed by President James Ramsey and Dr. David Dunn, the executive vice president for Health Affairs -- twice her final salary. (link)

Apr. 11, 2014: An independent report released Friday says the University of Missouri failed to follow parts of the federal law that governs sexual harassment on campus when handling the case of a former swimmer's suicide. The report concludes administrators on the Columbia campus should have investigated 20-year-old Sasha Menu Courey's 2011 death after her parents raised questions about the events leading to her suicide. Menu Courey alleged she was sexually assaulted during her freshman year by as many as three football players, 16 months before she died. (link)

Apr. 6, 2014: A student at Princeton University has filed a lawsuit against the university and seven administrators, alleging that they discriminated against him when they reacted to a suicide attempt in his dorm room, according to The Daily Princetonian. (link)

Apr. 6, 2014: Patricia Prechter, Our Lady of Holy Cross College's chief academic officer and the leader of its nursing program, has left the Algiers campus where she has worked since 1982, touching off a heated dispute about the circumstances of her departure and a call for her reinstatement. (link)

Apr. 3, 2014: The University of Great Falls fired its director of sports information and marketing shortly after hiring him on Thursday, saying it learned he had a criminal record that an initial background check failed to uncover. (link)

Campus Life & Safety Events

Apr. 28, 2014: Could a college student become so outraged over a bad grade that they would order a ''hit'' on their professor? That's the question now being asked at Miami Dade College's Kendall campus, as police continue to investigate a brutal attack against music professor Marc Magellan. The professor appears to have been specifically targeted, and it was not a robbery -- none of his personal items were taken. (link)

Apr. 21, 2014: Come May 17th, members of Bryant University's graduating class will be all smiles for the crowd to see, but not for their iPhones to capture. Bryant officials just announced that its students will be banned from taking selfies while they accept their degrees at the podium. (link)

Apr. 17, 2014: Dartmouth College President Phil Hanlon got candid about the issues facing the Ivy League school Wednesday, saying the institution was being "hijacked by extreme behavior." "Dangerous drinking has become the rule and not the exception," Hanlon said in a speech to a group of faculty, students and staff, before going on to cite sexual violence and a "general disregard for human dignity, as exemplified by hazing, parties with racist and sexist undertones, [and] disgusting and sometimes threatening insults hurled on the Internet." (link)

Apr. 16, 2014: Alabama's Auburn University canceled classes on Wednesday after a message posted in a campus restroom that reportedly threatened a "rampage of biblical proportion." Law enforcement officials had not substantiated the threat of violence on the campus, but the university suspended normal operations for the day in light of "student and parent anxiety," according to a statement on Auburn's website. (link)

Apr. 16, 2014: Like many local students, Matthew de Grood got off work Monday night and headed out to celebrate the end of the semester at the University of Calgary. But shortly after being welcomed into a Brentwood house party, de Grood would be strapped to a stretcher and under arrest, accused of fatally stabbing five others at the gathering -- the worst mass killing in Calgary's history. (link)

Apr. 9, 2014: A University of Connecticut sorority has been suspended pending an investigation into allegations of hazing, according to university officials. Members of Delta Zeta have been accused of forcing men involved with a school fraternity to consume alcohol, eat dog treats, paint their bodies, wear women's thong underwear and take shots of alcohol off each others bodies, among other things. The incident allegedly took place March 7 at the Mansfield Apartments, a university residence hall. (link)

Apr. 9, 2014: The president of Iowa State University canceled a 92-year-old weeklong spring celebration Wednesday after the student-run event turned violent overnight. On Tuesday, thousands of people gathered around 11:30 p.m. CT, flipping over at least two cars, tearing down two light poles, ripping out four stop signs and pelting police officers with rocks and full beer cans, officials said. One student, who has not been identified, sustained severe head injuries when one of the light poles struck him; he was in stable condition Wednesday afternoon at a Des Moines hospital. (link)

Apr. 8, 2014: An arrest has been made in connection with a peeping Tom case inside a women's bathroom on the University of Maryland's College Park campus. Police on Monday arrested Ernest Attakora Marfo, 21, of Reisterstown, and charged him with visual surveillance, disturbing activities at a school or college and molesting or threatening students or school personnel in connection with an incident at the school's Biology-Psychology Building. (link)

Apr. 7, 2014: A University of Michigan student yelling ''Go Green! Go White!'' on the Ann Arbor campus was hospitalized Sunday after being assaulted by two suspects, police said. The victim told personnel in the emergency room he was attacked about 2 a.m. on the Diagonal in the 900 block of North University, where he and a friend were shouting the popular Michigan State University chant, according to University of Michigan police. (link)

Apr. 7, 2014: About 100 people were arrested and at least 44 people were taken to the hospital during a weekend college party in Southern California that devolved into a rock- and bottle-throwing melee. (link)

Apr. 6, 2014: Frances Chan says she's done stuffing her face with ice cream and Cheetos just to make Yale University happy. After months of wrangling, the university finally agrees. The 20-year-old history major has spent the past few months sparring with Yale's health center over her low weight. Chan is 5'2'' and 92 lbs., and Yale doctors were concerned her health was severely at risk. (link)

Apr. 6, 2014: Many students celebrated responsibly Saturday night as the University of Connecticut Huskies defeated University of Florida Gators in the Final Four of the NCCA Men's Basketball Tournament. By the end of the night, there were 26 people arrested in the celebrations of the game, according to university Spokesperson Stephanie Reitz. Of those 26, 15 were students. (link)

Apr. 4, 2014: University of Arizona police say a male student is dead after falling while climbing a 30-foot tower on the roof of a university dorm in Tucson early Friday morning. (link)

Apr. 3, 2014: Livingstone College President Dr. Jimmy Jenkins responded to public criticism that the school is not doing enough to comply with state fire standards. On March 24, Fire Chief Robert Parnell sent a letter to the Livingstone Board of Trustees requesting the board's action in directing the college administration to ''meet compliance with state fire code, fix current and future violations promptly, and appropriate the funds to rectify current fire code violations.'' The Chief stated the College received more than 1,000 fire code violations in four years. (link)

Apr. 2, 2014: Kent State's campus was put into lockdown and police swarmed the area Wednesday evening after a gunman fired a shot into the ground near a classroom building. Police say a suspect was taken into custody around 11:35 p.m. after some tense hours that kept students and others locked in buildings and led to two buildings being evacuated room-by-room. (link)

Apr. 1, 2014: A University of Ottawa men's hockey player says he has been betrayed and his reputation "smeared" by the school after it suspended the entire team and blacklisted him from school functions following allegations related to a sexual assault investigation in Thunder Bay, Ont. The school suspended the team at the end of February after it received a third-party complaint of a sexual assault alleged to have occurred on the weekend of Feb. 1, when the University of Ottawa hockey team was in Thunder Bay playing two games against the Lakehead University Thunderwolves. (link)

Apr. 1, 2014: A "small explosion" was cited as the official cause of a fire that injured two construction workers at Richmond University Medical Center in West Brighton last Friday. "Fire marshals determined there was a small explosion resulting from an accumulation of acetylene gas inside a room of the construction site at the location," said Frank Dwyer of the FDNY Press Office. Dwyer confirmed that the incident was called in as a "small fire." (link)

Other News & Events

Apr. 30, 2014: UCLA will return $425,000 recently donated by the Donald T. Sterling Charitable Foundation for kidney research and will cancel an agreement that would have brought Sterling's gift to $3 million over seven years, the university announced Tuesday. (link)

Apr. 22, 2014: A University of Utah nurse has been put on paid administrative leave for making racial comments online against the Tongan community. FOX 13 News wants to warn readers, the comment you're about to read is extremely offensive. Hospital officials confronted nurse Todd Shrum Tuesday in the heart catheter lab where he works where he admitted posting the phrase ''Tongan trash … kill them all'' on social media. (link)

If you have any suggestions, questions or feedback, please e-mail me at robinmk@auburn.edu. We hope you find this information useful and would appreciate hearing your thoughts. Feel free to forward this email to your direct reports, colleagues, employees or others who might find it of value. Back issues of this newsletter are available on our web site at https://www.auburn.edu/administration/oacp.

If you have any suggestions for items to include in future newsletters, please e-mail Robert Gottesman at gotterw@auburn.edu.

Back to top

Department of Internal Auditing
Auburn University
304 Samford Hall
M. Kevin Robinson, Exec. Director

© Redistribution of this newsletter, with or without modification, is permitted provided Auburn University Internal Auditing is listed as the source.