Having trouble viewing this email? View it in your browser.

Office of Audit, Compliance & Privacy

Case in Point:
Lessons for the proactive manager

January 2016
Vol. 8 No. 1
“Right is right even if no one is doing it; wrong is wrong even if everyone is doing it.”

-- Augustine of Hippo

We begin our eighth year of Case in Point with our traditional look back at the prior year for trends and items of interest. Last year we linked 555 articles in our newsletter. The breakdown of these articles, by category, is as follows:

  • Information Security & Technology -- 67 (12%)
  • Fraud & Ethics -- 102 (18%)
  • Compliance /Regulatory & Legal -- 184 (34%)
  • Campus Life & Safety -- 173 (31%)
  • Unclassified -- 29 (5%)

In the coming months we will explore each of these categories more thoroughly and identify those issues we believe may be of growing concern. We should note that determining in which category to place a story is a monthly challenge for us, but we do strive to be as consistent as possible.

As in past years, the category of Compliance/Regulatory and Legal is the largest in terms of stories linked. We've discussed in depth the growing compliance burden in higher education and certainly see that impact here and within our own office.

With respect to institutional compliance issues in higher education, we are seeing numerous institutions reevaluate their institutional governance of compliance. Generally, those in the compliance profession go to the United States Federal Sentencing Guidelines to find best practices for organizational compliance & ethics programs. The guidelines include these 7 general components:

  • Standards & Procedures -- established policies and procedures to prevent non-compliant issues and detect problems should they occur.
  • Oversight -- both at a high level ensuring oversight of compliance related issues, and also on a day-to-day operational level so that appropriate individuals are charged with and given authority to carry out ethics and compliance duties.
  • Due Diligence Over Delegation of Authority -- ensuring the correct people are in the various roles of a compliance program.
  • Communication & Education -- through appropriate training programs and other information (as we strive to do through this publication).
  • Monitoring & Auditing -- this includes anonymous reporting systems such as our EthicsPoint System.
  • Enforcement & Discipline -- ensuring consistency in applying policies and actions taken.
  • Response & Prevention -- if an issue does occur, ensuring it is remediated appropriately and any operational or policy issues are improved.

While we could delve more deeply into these principles, it is important to remember that everyone plays a role in ensuring institutional compliance. Raising concerns to the appropriate channel, whether that be a supervisor or through the anonymous reporting system, is a responsibility all employees should take seriously. We no longer operate in a world where ignoring major risk exposures, compliance or otherwise, can be viewed as simply ''not my job.''

We again invite you to review the events happening within higher education over the past month and consider whether proactive risk management could help prevent a similar issue at your institution. As always we invite your comments and suggestions.

M. Kevin Robinson, CIA, CFE
Associate Vice President
Office of Audit, Compliance & Privacy

Information Security & Technology Events

Jan 22, 2016: Hackers accessed numerous computer records containing personally identifiable information belonging to University of Virginia employees, part of a "phishing" scam that also included some bank records, school officials announced Friday. An FBI investigation into data exposure at several U.S. colleges and universities found that overseas hackers, who are now in custody, gained access to records for 1,400 U-Va. employees, including W-2 tax forms from 2013 and 2014, U-Va. officials said in a statement. The direct deposit bank records for 40 employees also were stolen, U-Va. officials said. (link)

Jan 17, 2016: A Georgia resident linked to the University of Northern Iowa data breach has been charged as part of a tax refund scheme in Iowa. More than 100 UNI employees reported receiving rejection letters from the IRS when they filed their taxes in 2014. That was because someone had already filed taxes on their behalf and collected their refunds. On Friday, officials with the U.S. Attorney's Office for the Northern District of Iowa filed an information charging 45-year-old Bernard Ogie Oretekor with theft of government property and aggravated identity theft. (link)

Jan 05, 2016: Indiana University Health Arnett recently reported that information of more than 29,000 patients has gone missing, according to hospital system officials. An unencrypted USB flash drive, which stored the data, disappeared Nov. 20 from the hospital's emergency department at 5165 McCarty Lane. The flash drive contained spreadsheets with information from emergency department patients dating back to Nov. 1, 2014. The information includes patient names, dates of birth, home telephone numbers, medical record numbers, physician names, diagnoses and dates of service. (link)

Jan 05, 2016: Southern New Hampshire University (SNHU) says they're investigating how a database containing some student and class information was exposed to the public. The exposed SNHU database contains more than 140,000 records including student names, email addresses, and IDs; as well as other class-related details such as course name, course section, assignment details and assignment score. The database also contains instructor names and email addresses. SNHU says the database was exposed by a third-party vendor (configuration errors), but they wouldn't name the vendor in question. (link)

Dec 21, 2015: The Kean University website was hacked three times Sunday and into early Monday morning by what the college and its police department believe to be an Algerian group calling itself "Red Hell." "Kean University's externally hosted website was hacked twice in the past 24 hours by a group calling itself Red Hell, claiming to operate out of Algeria. They posted a despicable message. The site was disabled as soon as we were informed of the breach. A new firewall was enabled and the site became operational again at 3 p.m. today." (link)

Fraud & Ethics Related Events

Jan 20, 2016: Dr. Homayoun Karimabadi, a former research professor at the University of California, San Diego ("UCSD") and the Chief Executive Officer for SciberQuest, Inc., was charged in federal court today with fraudulently obtaining millions of dollars in government grants and contracts. Dr. Karimabadi and SciberQuest, Inc., the corporation run by Dr. Karimabadi, both waived indictment and were arraigned on an information charging them with felony wire fraud and criminal forfeiture. According to court records, during the fraud Dr. Karimabadi was the Chief Executive Officer and Chief Technology Officer at SciberQuest and at the same time was employed as a research professor at UCSD where, among other things, he served as the group leader of the space physics plasma simulation group. (link)

Jan 14, 2016: A study by the University of Maryland touting the benefits of a small company's chocolate milk is raising concerns about the potential conflicts-of-interest that can arise when food makers collaborate with schools on such efforts. Late last month, the university fired off a press release declaring that a preliminary study showed that Fifth Quarter Fresh's milk helped improve the cognitive and motor functions of high school football players, even after suffering concussions. The announcement raised red flags because the details of the full study were not made available. Now, the University of Maryland says it is launching a review into the release of the preliminary results and distancing itself from the press release. (link)

Jan 12, 2016: A former University of Louisiana at Lafayette assistant football coach violated NCAA rules by arranging fraudulent college entrance exam scores for five prospects and then denying his involvement, according to a decision issued by a Division I Committee on Infractions panel. The former assistant coach also failed to cooperate in the investigation. The panel accepted penalties self-imposed by the university, including scholarship reductions, recruiting restrictions and a vacation of football records. Additional penalties include two years of probation, a $5,000 fine, additional recruiting restrictions and an eight-year show-cause order for the former assistant coach. (link)

Compliance/Regulatory & Legal Events

Jan 28, 2016: The family of a University of Rhode Island baseball player who died after a team workout has received $1.45 million in a settlement with the university and its insurance carrier. The 20-year-old student from Orange, Connecticut, suffered an unspecified medical emergency and collapsed during an Oct. 24, 2011, team preseason workout. He died in a hospital three days later. (link)

Jan 27, 2016: Police arrested a college's director of campus safety on charges of possessing/viewing matter portraying sexual performance by a minor Wednesday. Robert Marshall, 52, was indicted on the child porn charge, according to the Kenton County Detention Center. His bond was set at $25,000. Marshall was the director of campus safety at Thomas More College in Crestview Hills. He joined the college's staff in 1999 and was promoted to director of campus safety in 2003, according to his biography on the school's website. (link)

Jan 25, 2016: Florida State has settled a federal Title IX lawsuit with Erica Kinsman, a former student who said she was raped by quarterback Jameis Winston in 2012. The settlement was announced on Monday, more than a year after she initially filed the complaint in federal court. FSU agreed to pay Kinsman $950,000 -- an amount that includes attorney's fees -- as well as make a five-year commitment to awareness, prevention and training programs. The lump sum is the largest settlement for Title IX claims regarding indifference to a student's reported sexual assault. (link)

Jan 25, 2016: Campus mathematics lecturer Alexander Coward filed a wrongful termination complaint against the UC Board of Regents on Friday after nearly three months of ongoing tension with the campus. Coward, who has taught at UC Berkeley since 2013, outlined three complaints in his suit: whistleblower retaliation, defamation and discrimination in violation of the federal Fair Employment and Housing Act. (link)

Jan 25, 2016: The University of Missouri communications professor caught on video scuffling with a journalist during a November campus demonstration was charged with third-degree assault Monday morning, the Columbia city prosecutor's office confirmed to FoxNews.com. A summons with a yet-to-be determined court date is set to be mailed to UM assistant professor of communications Melissa Click. If she's found guilty, her penalty would ultimately be up to a judge, but would likely require paying a fine, a spokesperson from the prosecutor's office said. (link)

Jan 22, 2016: A district court issued a permanent injunction Friday prohibiting Iowa State University administrators from using trademark policy to stop a campus group from printing university-themed T-shirts that depict a marijuana leaf. In a 45-page ruling, the U.S. District Court for the Southern District of Iowa permanently barred ISU from enforcing the university's trademark licensing policies in a discriminatory manner against the campus chapter of the National Organization for the Reform of Marijuana Laws. The court specifically blocked ISU "from further prohibiting plaintiffs from producing licensed apparel on the basis that their designs include the image of a similar cannabis leaf." (link)

Jan 20, 2016: The FBI is investigating a professor at Kent State University for allegedly having ties to terrorism, CBS affiliate WOIO reports. Citing an FBI source, WOIO reports that a joint terrorism task force has been investigating Julio Pino for his alleged involvement with the Islamic State of Iraq and Syria (ISIS). The FBI told CBS News' Paula Reid that it would not reveal details of its investigation, saying "because this is an ongoing investigation, we cannot comment." Reid reports that the FBI has open ISIS-related cases in all 50 states. The bureau does not expect charges to be filed in the immediate future. (link)

Jan 18, 2016: The sister of a man fatally shot by a University of Cincinnati police officer who pulled him over for lacking a front license plate said she hopes a $5.3 million settlement will help prevent another family from losing a loved one. The settlement with the university, which was announced Monday, gives the family of Samuel DuBose $4.85 million and promises free undergraduate tuition for his 12 children. It also provides for a memorial commemorating DuBose, an apology from the university and the family's involvement in a community advisory committee on police reform. DuBose, 43, was shot and killed behind the wheel of his car on July 19 after Officer Ray Tensing stopped him near campus for missing a front license plate, which is required by Ohio law. Tensing was charged with murder and pleaded not guilty. (link)

Jan 15, 2016: Attorneys have settled a federal lawsuit filed by a blind student who accused Miami University of using technology that presented a barrier to her education, court records show. Attorneys for Aleeha Dudley and the university reached a settlement following mediation Friday, but it's subject to "modest continuing negotiations," according to U.S. District Court records posted online. Dudley, who's from New Paris, sued the university in 2014. Her lawsuit said course materials were inaccessible to her text-to-speech software and she hadn't received material in Braille or other forms she could use without help. Her lawsuit also said Miami violated federal law by failing to provide equal access. (link)

Jan 15, 2016: Superior Court Judge Siobhan Teare sentenced Rutgers-Newark professor Anna Stubblefield, 46, of West Orange, to 12 years in state prison for abusing the 35-year-old victim, known as D.J., in her Newark office in 2011. D.J. has cerebral palsy and is unable to speak beyond making noises. Stubblefield has claimed she and D.J. fell in love, and that she communicated with him via a controversial typing method, known as "facilitated communication." But an Essex County jury determined D.J. is mentally incompetent and could not consent to the sexual activity, and found Stubblefield guilty on Oct. 2 of two counts of first-degree aggravated sexual assault. She was facing between 10 and 40 years in prison. (link)

Jan 14, 2016: A private foundation is suing UA in Texas state court, alleging the university breached a contract between the two after taking more than $1.3 million for a scholarship program for first-generation college students. The lawsuit filed by the Suder Foundation, based in Plano, Texas, in July 2015 claims breach of contract, anticipatory breach of contract, promissory estoppel, and unjust enrichment. It is seeking return of the funds, attorneys and court fees, and pre- and post-judgment interest on the funds. (link)

Jan 14, 2016: A Michigan professor who authorities say traveled to South Florida to have sex with a 14-year-old boy has pleaded guilty.James Cavalcoli, of Ann Arbor, Michigan, pleaded guilty Wednesday to attempting to coerce or entice a minor to engage in sexual activity and traveling with intent to engage in illicit sexual conduct. Authorities say Cavalcoli, 51, had made arrangements to meet with an undercover Florida Department of Law Enforcement agent, whom he believed to be the boy's father. He was arrested Aug. 7. (link)

Jan 14, 2016: A former Miami University student is facing criminal charges for allegedly stealing computers from the school's technical support office, selling marijuana and making a sex tape of a woman without her permission. In July, Miami University Police began investigating the theft of computers from MiTech Repair Center, which is part of the university's IT department, according to Lt. Jim Bechtolt. Jordan was employed at the center that offers technical assistance to students who purchase computers through the university. (link)

Jan 13, 2016: The University of Missouri revealed details from a "collaborative investigation" with the NCAA that spanned 19 months on Wednesday, announcing the findings of several rules violations by the men's basketball program that led the school to self-impose punishment. Most notably, Missouri is vacating all of its wins from the 2013-14 season and imposed a one-year postseason ban for the 2015-16 season, which means the Tigers will not participate in the SEC tournament or any postseason event sanctioned by the NCAA. The investigation by the university and NCAA showed rules violations dating back to 2011 that included impermissible benefits provided by Missouri donors, illegal contact with recruits by the men's basketball coaching staff, failure to monitor an internship program and a former coach assisting with a prospective student's housing. (link)

Jan 13, 2016: A college professor in Minnesota has pleaded guilty to illegally smuggling items made of elephant ivory from the United States to China. St. Cloud State University philosophy professor Yiwei Zheng (EEE'-way Zeng) also pleaded guilty Wednesday to violating the U.S. Lacey Act, which bans trade in wildlife, fish and plants that have been illegally taken or sold. Under a plea deal, Zheng agreed to pay a $500,000 fine. He also could face roughly three years in prison when he's sentenced in May. Investigators say the items Zheng tried to smuggle to China in April 2011 included potted flower carvings, a fan and a carved lion. All were made of elephant ivory. (link)

Jan 08, 2016: The University of Iowa reached a financial settlement of $15,000 Friday with a former football player who was one of 13 Hawkeyes hospitalized with a serious muscle disorder following a high-intensity 2011 workout. Lowe's lawsuit alleged that coaches and trainers failed to properly supervise the January 2011 workout and didn't immediately offer medical care after he and others reported severe pain and symptoms. The former backup cornerback argued that his injuries were aggravated because he was required to participate in additional workouts in the following days. Lowe and 12 others were eventually hospitalized and diagnosed with exertional rhabdomyolysis, which is the result of muscles breaking down and releasing proteins into the bloodstream. It can cause kidney failure and even death. (link)

Jan 11, 2016: In a press release, Eastern Mennonite University said: "Eastern Mennonite University (EMU) has suspended Luke Hartman from his role as vice president for enrollment, effective immediately. The suspension comes as a result of a January 8, 2016, misdemeanor charge of solicitation of prostitution following an investigation by the Harrisonburg Police Department and the Rockingham County Sheriff's Office." (link)

Jan 04, 2016: Kent State University would allow assistance animals in university housing and would pay a couple $100,000 as part of a proposed consent decree to settle a fair-housing lawsuit filed by the U.S. Department of Justice. The federal lawsuit arose following a complaint filed with the U.S. Department of Housing and Urban Development by Jacqueline Luke, who had sought to live with a dog following a university psychologist's recommendation that the animal would help alleviate her anxiety. (link)

Dec 30, 2015: Oregon's Bureau of Labor and Industries announced a settlement Wednesday in a wage dispute with Southern Oregon University. Under the settlement, the university will pay $2.5 million to workers who built a new residence hall and dining area on the campus. BOLI found that SOU had underpaid the workers under the state's wage law for public works projects. (link)

Campus Life & Safety Events

Jan 23, 2016: On campuses across the country, millions of students have an app called Yik Yak on their phones. It's like an anonymous version of Twitter. But because it's anonymous, it can get ugly and be a breeding ground for hate speech. Black student leaders across the country have held sit-ins and protests asking college officials to block the app. Yik Yak, an Atlanta-based social media app, has a presence on more than 2,000 college campuses. Users of the app post comments anonymously, and anyone in within a radius of a few miles can see, share and rate the comment. (link)

Jan 12, 2016: A man has been charged with secretly photographing women under their clothing on the Washington University campus. St. Louis County prosecutors last week charged Donnie Rhett Koonce, 21, with a felony. He was a student when he photographed the women, police say. On Tuesday, a university spokeswoman said Koonce is no longer a student there. According to court documents, one incident happened Oct. 21 at Anheuser-Busch Hall on the Washington University campus. He used a concealed camera to photograph women's bodies and undergarments. The photos were taken under or through the women's clothing, without their consent, police say. (link)

Jan 08, 2016: Oral Roberts University is now requiring all freshmen to wear tracking devices to monitor their physical activity, the school says. The school, which is a private institution, says Fitbit fitness tracking now is required for all incoming students, and ORU has opened the program up to all students. According to the ORU website, it appears as though school staff and instructors will be able to access the fitness tracking information gathered by the students' devices. (link)

Jan 07, 2016: A University of Kentucky student who operated a drone that crashed inside a stadium before a football game has pleaded guilty to a misdemeanor in the case.The Lexington Herald-Leader cites court documents in reporting that 24-year-old law student Peyton Wilson pleaded guilty Wednesday to misdemeanor criminal trespassing and paid a $100 fine. (link)

Jan 07, 2016: One of the holiday's hottest presents is now considered contraband at many U.S. colleges. At least 20 universities have banned or restricted hoverboards on their campuses in recent weeks, saying the two-wheeled, motorized scooters are unsafe. Beyond the risk of falls and collisions, colleges are citing warnings from federal authorities that some of the self-balancing gadgets have caught on fire. "It's clear that these things are potentially dangerous," said Len Dolan, managing director of fire safety at Kean University in Union, New Jersey. (link)

Jan 05, 2016: A statewide investigating grand jury has found no criminal evidence that links specific fraternity members to the March 2014 death of Marquise Braham, a Penn State University student hazed prior to his suicide. The grand jury also decided not to recommend criminal charges related to any hazing at the university, calling it "a fraternity-wide problem." The chapter was suspended for six years following his death, and the suspension bars the chapter from participating in campus events and using Penn State facilities. (link)

Other News & Events

Jan 11, 2016: The Supreme Court on Monday turned away an appeal that sought to make it easier to erase student loans in bankruptcy, sidestepping an issue that has become a focal point for consumer advocates and lawmakers as millions of borrowers fall behind on their payments.The court, in a brief written order, said it wouldn't consider an appeal by an unemployed Wisconsin man who owes more than $260,000 in student-loan debt from business and law school. Mark Tetzlaff, 57 years old, said in court papers his alcoholism, depression and criminal record have prevented him from finding a job and repaying his debt. He also twice failed the bar exam. (link)

If you have any suggestions, questions or feedback, please e-mail me at robinmk@auburn.edu. We hope you find this information useful and would appreciate hearing your thoughts. Feel free to forward this email to your direct reports, colleagues, employees or others who might find it of value. Back issues of this newsletter are available on our web site at https://www.auburn.edu/administration/oacp.

If you have any suggestions for items to include in future newsletters, please e-mail Robert Gottesman at gotterw@auburn.edu.

Back to top

Office of Audit, Compliance & Privacy
Auburn University
304 Samford Hall
M. Kevin Robinson, Assoc. VP

© Redistribution of this newsletter, with or without modification, is permitted provided Auburn University Office of Audit, Compliance & Privacy is listed as the source.