Internal Auditing

Case in Point:
Lessons for the pro-active manager

September 2014
Vol. 6 No. 9
''In any situation, the best thing you can do is the right thing; the next best thing you can do is the wrong thing; the worst thing you can do is nothing.''

-- Theodore Roosevelt

Recently Internal Audit worked with the Office of General Counsel to present a session to academic leaders on campus entitled, ''The Expanding Compliance Obligations in Higher Education.'' Three important concepts from this presentation were:

  1. The world has changed with respect to our responsibilities for compliance.
  2. Everyone is responsible for ensuring compliance with the various requirements the University faces, even though these requirements are not always convenient or what we'd choose to do.
  3. If you become aware of an issue, you should raise the concern to the appropriate office or area of responsibility. Failure to do so can have extremely negative consequences for the institution.

Over the past year, one-third of the items within this publication fell within the compliance/legal category; however, more often than not, even the stories listed in other categories generally have some compliance component.

In the frequently cited Penn State child abuse case, the total dollar cost stemming from that scandal is nearly $80 million to date (according to the Penn State website), and this figure does not include the almost $60 million agreed upon for settlements to victims of abuse. These amounts also do not include reputational damages and lost opportunity costs they certainly have experienced. You have no doubt read or heard about the numerous Title IX investigations in progress across the country. We have also seen repeated stories involving data loss and the fall-out from breaches at institutions every month. The world has changed and so has our need to be proactive in both managing risks before scandal and raising issues early on when discovered.

So what do you do if you are aware of an issue? Compliance at Auburn University is a decentralized effort, but we've worked with the various distributed compliance owners across campus in an effort to develop one place you can go when you are looking for compliance resources. Also note that this web page is a work in progress, and we welcome any suggestions you have to improve the site. If you can't find what you are looking for on this site, feel free to let us know, and we will connect you with the appropriate resource or will help you find an answer to your question.

While compliance is a major issue for all of us, there are many other risks we face within higher education. We invite you to review the stories reported during the past month from across the nation and consider ways you can proactively manage risk here at Auburn University.

M. Kevin Robinson, CIA, CFE, CCEP
Executive Director, Internal Auditing

Information Security & Technology Events

Sept. 29, 2014: A privacy watchdog filed a complaint with the Federal Trade Commission against a community college district in Arizona that lost the personal data of 2.5 million students and employees in two data breaches. The Electronic Privacy Information Center (EPIC) asked the FTC in its complaint Monday to bring an enforcement action in federal district court against the Maricopa County Community College District (MCCCD) for violating the ''Safeguards Rule,'' which requires customer data to be secured. (link)

Sept. 29, 2014: State officials say that an embarrassing glitch in a state higher education website apparently did far less damage than they feared. On Sept. 5, the Minnesota Office of Higher Education disclosed that a computer error had exposed private information, including names and Social Security numbers, of potentially thousands of college students on a state database. (link)

Sept. 22, 2014: Bond has been set for a University of Southern Mississippi student who allegedly posted a threatening social media post to the popular mobile app Yik Yak. (link)

Sept. 19, 2014: Indiana State University Police have made an arrest in connection with a social media posting concerning a possible shooting. (link)

Sept. 15, 2014: Is it real or fake? An anonymous post to a Facebook page describes poisoning a college roommate with cystic fibrosis. Old Dominion University police are investigating, asking Facebook to release the user's identity. (link)

Sept. 12, 2014: George Mason University detected a malware intrusion into its travel booking system on July 16. No personal information is thought to have been viewed, but the incident could have affected up to 4,400 users. (link)

Sept. 3, 2014: Kansas State University officials say an internal error may have exposed on the Internet personal information from candidates seeking admission to the school's graduate program in agronomy. In a news release Wednesday, school officials said 19 persons who had applied for admission to graduate programs between 2010 and 2013 have been notified that personal information from their applications may have been exposed. (link)

Fraud & Ethics Related Events

Sept. 27, 2014: A University of Arizona professor recently lauded as a top new teaching talent in her field has been reprimanded for plagiarizing the work of a former student. Susannah Dickinson, an assistant professor in the UA's school of architecture since 2009, recently received a ''formal admonishment'' from the university's provost after the student accused Dickinson of poaching material from his master's thesis and presenting it as her own. (link)

Sept. 25, 2014: A critical California State University audit has found that the former head of a San Jose State academic department misused campus funds, used an illicit off-campus bank account and engaged in conflicts of interest. (link)

Sept. 24, 2014: The University of North Texas manipulated its payroll spending so that it received millions of extra dollars from the state over many years -- money the university should repay, according to an investigation by the State Auditor's Office. The auditor's office recommends that the Legislature require UNT to repay the state at least $75.6 million over the next 10 years. (link)

Sept. 24, 2014: A long-time College of Southern Idaho business office employee is being investigated on suspicion of stealing money from the college for years. CSI and Twin Falls police haven't released the name of the employee, who no longer works at CSI, and charges have not been filed. (link)

Sept. 18, 2014: A former Oregon State University employee accused of selling university-owned cell phones turned herself in to Oregon State Police on Thursday. (link)

Sept. 16, 2014: Youngstown State University plans tighter controls for employee use of university credit cards following discovery of fraud by an employee. Since the fraud was discovered last year, the university's controller's office has instituted additional monitoring measures, according to an analysis of card procedures done by Packer-Thomas Certified Public Accountants & Business Consultants, Youngstown, YSU's internal auditors. (link)

Sept. 10, 2014: A former accountant for the University of Sioux Falls has been indicted for wire fraud for reportedly collecting more than $25,200 in unearned paychecks. (link)

Sept. 10, 2014: He seemed like the Doogie Howser of India, able to crack the country's best medical school, and work there as a 21-year-old doctor. Anoop Shankar later claimed to add a Ph.D. in epidemiology and treat patients even as he researched population-wide diseases. He won a ''genius'' visa to America, shared millions in grants, and boasted of membership in the prestigious Royal College of Physicians. But there was a problem: Shankar isn't a Ph.D. He didn't graduate from the Harvard of India. He didn't write dozens of the scholarly publications on his resume, and as for the Royal College of Physicians, they've never heard of him. He does have a master's degree in epidemiology from the University of North Carolina and an Indian medical degree, but at least two of his green card references--attesting to ''world class creativity,'' ''genius insight,'' and ''a new avenue for treating hypertension''--were forgeries. (link)

Compliance/Regulatory & Legal Events

Sept. 30, 2014: The crime statistics being released by colleges nationwide on Wednesday are so misleading that they give students and parents a false sense of security. Even the U.S. Department of Education official who oversees compliance with a federal law requiring that the statistics be posted on Oct. 1 each year admits that they are inaccurate. (link)

Sept. 29, 2014: In a legal set-to, the University of Oregon, a UO associate professor and a former employee are fighting over who owns -- and can profit from -- a reading test used at 15,000 schools with 4 million students nationwide. All sides agree that the Dynamic Indicators of Basic Early Literacy Skills -- or DIBELS -- had its origins at the university and has been used and tinkered on by many UO professors, graduate students and researchers. The question is: Who does DIBELS (rhymes with dribbles) belong to now? (link)

Sept. 26, 2014: A woman who accused a community college administrator of raping her has sued the school, seeking at least $4.8 million and alleging it knew of the man's "history of sexual misconduct" and failed to protect her. (link)

Sept. 26, 2014: Lehigh University officials said Friday they have resolved a graduate's civil rights complaint alleging the school mishandled race-related incidents. The U.S. Department of Education's Office for Civil Rights had "no finding" of any violation by the university, the officials said. But under an agreement reached with the office, Lehigh will train staff on racial harassment and revise its harassment policy. (link)

Sept. 26, 2014: Fired band director Jonathan Waters filed a federal lawsuit Friday to fight his dismissal from Ohio State University, his lawyers announced in a news conference. Waters and his backers have fought his firing since Ohio State announced it on July 24. University investigators had concluded that there was a ''sexualized culture'' in the band that Waters did too little to stop. Waters has said he was working to fix problems in the band and that he was blamed for traditions that date back decades. Waters is seeking his job back and at least $1 million in damages. (link)

Sept. 25, 2014: University of South Dakota officials are defending their notification procedures after a former student was accused of videotaping females in a dormitory shower in late August, then charged days later in an off-campus rape. (link)

Sept. 25, 2014: Negligence and unsafe conditions are what the parents of a young teen say caused their son's death. Ricky Harris III, 13, of Frankfort drowned while at a summer camp at Transylvania University in June. (link)

Sept. 18, 2014: A 36-year-old Hackensack man is accused of climbing onto roofs at Fairleigh Dickinson University and the Glenpointe complex and stealing tens of thousands of dollars worth of copper, authorities said. (link)

Sept. 15, 2014: A black Columbia University janitor is suing his employer, claiming the Ivy League institution is rife with racism. (link)

Sept. 15, 2014: Hillel International, a Jewish campus organisation, is demanding a public apology from Ohio University over the arrest of four pro-Israel students during a protest. Pro-Israel students staged a protest during Wednesday's meeting of the university's Student Senate. Protesters were calling for the resignation of the Senate's president, Megan Marzec, who initiated the "Blood Bucket Challenge" in support of the Boycott, Divestment and Sanctions movement against Israel. (link)

Sept. 8, 2014: The University of Missouri System is paying just shy of $500,000 for its expansive consulting contract with the National Center for Higher Education Risk Management for help creating policies and training for Title IX practices systemwide. (link)

Sept. 3, 2014: Iowa State University failed to notify students and staff of all crimes considered an ongoing threat to the Ames campus community the way federal law requires, an internal audit found. The Clery Act requires "timely warnings" to be communicated to the entire campus through mass emails, voice or text messages. But ISU had been posting those warnings only on the university police website, a practice that required individuals to search for the information, the audit said. (link)

Sept. 2, 2014: A 46-year-old African American UCLA facilities employee arrested for obstruction and resisting arrest by campus police last week is accusing the department of racial profiling and violating his civil rights. (link)

Campus Life & Safety Events

Sept. 29, 2014: The University of Massachusetts Amherst announced Monday that it will review aspects of a campus Police Department program that uses students as confidential drug informants, after a disclosure that an informant for the university police died of a heroin overdose. (link)

Sept. 29, 2014: California Gov. Jerry Brown signed a bill Sunday that requires colleges and universities in the state to adopt anti-sexual-assault policies that radically rewrite what constitutes consent, a move that some critics have called an unfair shift of the burden of proof to the accused. (link)

Sept. 25, 2014: Clemson University in South Carolina has suspended all fraternity activities after 19-year-old Sigma Phi Epsilon pledge Tucker Hipps died this week during a fraternity run, while investigators said Thursday that they would stop releasing information about the case, which remains open. (link)

Sept. 23, 2014: A Texas Tech fraternity has been indefinitely suspended after pictures leaked Monday of a party exhibiting a banner encouraging rape and a sprinkler shaped like female genitalia. (link)

Sept. 21, 2014: Clemson University suspended a mandatory online course that asked students and faculty about their sex lives and drinking habits following backlash from the school community. (link)

Sept. 20, 2014: Hundreds of University of Delaware students rallied Friday afternoon, calling for transparency in the school's harassment policy following accusations that a professor offered a student an "A" in exchange for sexual favors. (link)

Sept. 17, 2014: Police departments at Arizona State University and community colleges in Tucson and Yuma have acquired 79 fully automatic M-16 assault rifles and nine older M-14 rifles under a Department of Defense program that distributes surplus weapons to local agencies throughout the country. (link)

Sept. 16, 2014: A Georgetown University student died Tuesday after apparently contracting meningitis, the university said. Andrea Jaime was a sophomore in the school of nursing and health studies, Georgetown said in a statement. She had been undergoing treatment for the infectious disease at MedStar Georgetown University Hospital. (link)

Sept. 15, 2014: Daniel Milzman, 19, of Bethesda, Md., pled guilty today to a federal offense stemming from the discovery of a plastic bag of lethal ricin in a dormitory room where he was staying while he was a student at Georgetown University. (link)

Sept. 10, 2014: The LSU fraternity that displayed a game-day banner mocking the NFL's first openly gay player, Michael Sam, has apologized to the university for shedding negative light on LSU. The Delta Kappa Epsilon's Zeta Zeta chapter displayed the message, which some deemed offensive, on what appeared to be a bed sheet secured over the entrance of the fraternity house Saturday (Sept. 6). The apology letter says the chapter will stop hanging signs in front of the DKE house "indefinitely." (link)

Sept. 9, 2014: A man accused of looking up the skirts of women on Campus Corner was hit with a Taser repeatedly by police Monday after refusing to comply with officers' demands, a police report shows. (link)

Sept. 5, 2014: Cal State Northridge said Friday an internal investigation determined hazing was involved in the death of a college freshman who passed out in the Angeles National Forest during a hike with other fraternity pledges in July. (link)

Sept. 1, 2014: During the Longhorns football game Saturday against the University of North Texas, university police saw an unauthorized drone flying in and around the stadium and watched as it landed on San Jacinto Boulevard, said Cindy Posey, a UT spokeswoman. (link)

Aug. 30, 2014: A California bill that demands college students get ''affirmative consent'' before engaging in sexual activity passed in the state's legislative chambers on Thursday. The state's so-called ''yes means yes'' law passed unanimously in the state senate and will become law if it is signed by Governor Jerry Brown by the end of September. (link)

Other News & Events

Sept. 24, 2014: The University of Oregon has ended free art sessions for community artists to sketch nude models, saying it could not afford the increasing cost of keeping the popular classes secure. During the past two and a half weeks, the art school saw a marked increase in phone calls and emails inquiring about the sessions, Rocco Luiere, the school's associate dean for finance, told The Associated Press. (link)

If you have any suggestions, questions or feedback, please e-mail me at robinmk@auburn.edu. We hope you find this information useful and would appreciate hearing your thoughts. Feel free to forward this email to your direct reports, colleagues, employees or others who might find it of value. Back issues of this newsletter are available on our web site at https://www.auburn.edu/administration/oacp.

If you have any suggestions for items to include in future newsletters, please e-mail Robert Gottesman at gotterw@auburn.edu.

Department of Internal Auditing
Auburn University
304 Samford Hall
M. Kevin Robinson, Exec. Director

© Redistribution of this newsletter, with or without modification, is permitted provided Auburn University Internal Auditing is listed as the source.