Internal Auditing

Case in Point:
Lessons for the pro-active manager

April 2009
Vol. 1 No. 4
Point to Ponder...

 

"The time is always right to do what is right."

-- Martin Luther King, Jr.

 

It seems now more than ever organizations in all industries are struggling to maintain an ethical culture. From the past transgressions of Enron to the recent story of Bernie Madoff to our own state and the scandals within the Alabama Community College System organizations have fallen victim to a poor ethical culture. After these failings, the organization, it's employees, and the public at large are often left to deal with the fallout and costs of these events.

While policies, procedures, and reporting systems are all important and necessary foundations for any internal control system, increasingly the research shows that these systems are simply not enough to build a strong ethical culture in an organization. Employees are much more likely to be affected and impacted by the daily actions of their peers, superiors, and leaders than by impersonal policies and procedures. Tone at the top is clearly important; however, even then employees will typically follow the lead of a direct supervisor over the words of a CEO.

"Social proof" is a term often mentioned in the field of influence. It refers to how we often look to other people in determining the expectations and social norms for our own behavior. That's why the small decisions you make as a faculty member or employee are so vitally important in building a strong ethical culture in your area. A small short cut, a little violation, a "just this one time" action by an employee or supervisor sends a much more powerful message than an impersonal policy on a web page. This is vitally important to consider, as ultimately, its your first level of internal control. Without that strong ethical culture and your commitment to compliance, the policies of our institutions and the other internal controls won't really matter much.

The St. James Ethics Center in Sydney, Australia provides six important questions managers should ask when confronted with ethical dilemmas. Some good questions for us all to consider as we go about the business of Auburn University.

  1. Would I be happy for this decision to be in the public record?
  2. What would happen if everybody did this?
  3. How would I like it if someone did this to me?
  4. Will the proposed course of action bring about a good result?
  5. What will this proposed course of action do to my character or the character of my organization?
  6. Is the proposed course of action consistent with my espoused values and principles?
As you read about ethical and compliance failures this month, once again we ask you to consider how you can protect Auburn University from similar events. We welcome your feedback on these and other issues.

Sincerely,
M. Kevin Robinson, CIA, CFE
Executive Director, Internal Auditing


Information Security Related Events

April 14, 2009: More than 6,000 names and Social Security numbers (SSNs) were compromised when a University of Washington Transportation Services server was hacked in December 2008. The incident occurred after a vendor who works for the department changed the configuration of the system by moving the server outside of a firewall. (link)

April 14, 2009: A Boston College computer science student has asked a Massachusetts court to quash an invalid search warrant for his dorm room that resulted in campus police illegally seizing several computers, an iPod, a cell phone, and other technology. (link)

April 12, 2009: University of Utah officials say a computer virus has infected more than 700 campus computers, including those at the school's three hospitals. University health sciences spokesman Chris Nelson said the outbreak of the Conficker worm, which can slow computers and steal personal information, was first detected Thursday. By Friday, the virus had infiltrated computers at the hospitals, medical school, and colleges of nursing, pharmacy and health. (link)

April 10, 2009: A total of 31 laptop computers have been stolen from Madison Area Technical College since the start of 2009, said Jim Bottoni, chief of security for the college's district. (link)

March 31, 2009: BYU College of Humanities students were surprised to find a list of their fellow students GPAs and ID numbers included in a mass e-mail sent out last Thursday. “An employee in the College of Humanities inadvertently sent an e-mail to all students in the college,” said Carri Jenkins, university spokesperson. Jenkins said the e-mail was intended to be sent to the Registrars Office but was sent to the students’ e-mails instead. Although the e-mail shared students’ private personal information, Jenkins said the information released does not appear to increase students’ vulnerability to identity theft or fraud. (link)

March 30, 2009: A University of Maryland student discovered a hole in the university's IT security system last week that granted attackers full access to any university account with only the target's university e-mail address. OIT corrected the problem Friday night. The system flaw, which Office of Information Technology officials said may have existed for as long as three years, made it possible for anyone to change a user's password by knowing only his or her university account name, which doubles as the user's e-mail address and can be found in the university directory. An attacker or hacker could perform almost any password-protected action, such as dropping classes or logging on as a faculty member and changing course grades. (link)

March 30, 2009: Jefferson College officials are working closely with the FBI and the Jefferson County Sheriff’s Department Cyber Fraud Unit following a fraudulent online financial transaction that resultedfrom a sophisticated virus within the institution’s administrative computer system on March 12. (link)

March 26, 2009: An Abilene Christian University computer server was hacked near the end of February, but university officials do not at this point believe any personal information was distributed. An e-mail dated one week ago from the college's information technology branch states that the school experienced a security breach in a database containing myACU usernames and passwords tied to the school's internal e-mail system. (link)

March 26, 2009: Forest Grove Police Department is investigating the theft of a Pacific University-owned laptop from a staff member’s residence that occurred on Thursday, March 26, 2009. The computer contained names and some personal information. It does not appear that any social security numbers were stored on the system. There is no evidence at this time of identity theft. (link)

March, 21, 2009: A seemingly worthless pile of scrap paper at Solano Community College could have been a gold mine of information had it landed in the wrong hands. A computer print-out containing the names, addresses and Social Security numbers of students in the 2008 graduating class inadvertently got mixed up with scrap paper used in a mathematics lab, college spokesman Ross Beck said. (article no longer available on line)

March 19, 2009: A computer with sensitive student and faculty information was stolen from the office of an administrative assistant in University Hall last month. This week, University of Toledo notified the 24,000 students and 450 faculty members whose information was on the computer about the possibility of a breach of their information. The data on the computer contained information from the 2007-08 and 2008-09 academic school years. The faculty information on the stolen computer included personal information such as their names, Social Security numbers and dates of birth, in addition to professional information such as their faculty ranks, departments, degrees, gender, hire dates and the dates of their last promotions.(link)

March 18, 2009: University of West Georgia officials have notified nearly 1,300 students and faculty members that their personal information was on a laptop stolen from a professor traveling in Italy. (link)

March 18, 2009: A computer virus infected an administrative computer in the Penn State Office of Physical Plant potentially compromising employees’ identities, according to a Centre Daily News report. The Social Security numbers of 1,000 people who were employees of the Penn State Office of Physical Plant may have been stolen. The employees who are at risk were alerted to the breach, but so far there have been no reports of identity theft. (link)



 Misappropriation/Fraud/Ethics Events

April 9, 2009: An ex-university dean charged with money laundering and tax evasion told U.S. investigators he invested grants in property to fund his research non-profit. Former University of Louisville (Ky.) education Dean Robert Felner told federal investigators he and colleague Thomas Schroeder of Port Byron, Ill., used the federal grant money to buy property around the country so they could grow a non-profit organization he created for educational research, a transcript of his testimony said. (link)

April 9, 2009: The state auditor’s office and Bridgewater State College officials notified the attorney general’s office in August 2005 that more than $350,000 was missing from the Student Accounts Office at BSC. A joint investigation conducted by the attorney general’s and state auditor’s offices revealed that, while employed as a bookkeeper in the accounting department at BSC, Werner used her position to steal cash payments made by and on behalf of students, as well as other sources of cash received by the Student Accounts Office. (link)

April 3, 2009: A 70-year-old Stockton man charged last month with embezzling from San Joaquin Delta College's child day care center pleaded guilty. Timothy Allen Blumberg now has to pay back the $28,272 that he took from Delta's Child Development Center. Blumberg, a clerk at the center, stole the money in small amounts from January 2005 to January 2009. He worked at the day care center for 11 years and was considered a well-liked and trusted employee, Delta officials have said. (link)

April 2, 2009: A former manager of the Pediatric Neurosciences Department of the Neurological Institute at Columbia University, submitted phony invoices to the university for studies that had never been completed from June 2005 to June 2008 and diverted the funds -- totaling $112,500 -- into his own accounts, according to prosecutors. He also used university credit cards to purchase $40,000 worth of personal items -- such as soap and eye cream -- on Amazon.com and to pay for his $25,000 wedding at Skytop Lodge in Monroe County's Barrett Township on Sept. 15, 2007, authorities say. (link)

April 1, 2009: A former Kansas University employee is serving one month in Douglas County Jail, after pleading guilty to charges of stealing thousands of dollars of equipment from various campus buildings, court records said. (link)

March 31, 2009: An Athens woman helped her sister, a former University of Georgia employee, embezzle thousands of dollars during a two-year period using a state-issued purchasing card, UGA police said. University police took out arrest warrants for Angela Huff on Tuesday, nearly three months after charging her sister, a former secretary in the Terry College of Business, with felony theft and violating state purchasing agreements. Huff is charged with four counts of being party to the crime of violating state purchasing regulations - three felony charges and one misdemeanor "of a high and aggravated nature," said UGA Police Chief Jimmy Williamson. (link)

March 27, 2009: The Institute for Entrepreneurship was developed by the State University of New York to support small business efforts in the state. An investigation found that the Institute's head, J. Felix Strevell, used the institute's credit card to pay $7,500 in personal expenses, including clothing, home supplies and a family vacation at Disney World; fraudulently gave himself a $95,000 salary increase on top of his $124,000-a-year salary, and then tried to conceal it; improperly had the institute pay $9,000 for his father, a Florida resident, to take two trips to China as part of a "delegation" to foster business for New York; and sold his used recreational vehicle to the institute for $64,000 without disclosing his interest in the transaction to the institute's board of directors. (link)

March 23, 2009: The two cases - one involving an employee and the other a vendor - have cost Coastal Carolina University at least $83,508, according to court documents and a university audit. Chip Weisgerber, the head pro at the university's Quail Creek Golf Club, is identified in the first case, in which an audit found improper refunds totaling $7,300 were made at the course during a 10-month period. The university audit, concluded last week, also states that initials on some of the transactions were those of student employees who weren't working on the dates the refunds occurred. (link)

March 18, 2009: A former Northeastern State University student has been indicted on federal charges of fraud and illegally using another person's identity. Federal prosecutors say 32-year-old Emily Mae Crank of Muskogee is charged with two counts of financial aid fraud and unlawful use of a means of identification. Crank is accused of using the university's computer system to get personal information about fellow students and faculty. Prosecutors say she then used the information to get federal financial aid. (link)

March 16, 2009: A former Georgia Tech employee was sentenced to 10 years in prison Monday after pleading guilty to going on a $175,000 shopping spree with her state-issued credit card. (link)


Compliance/Regulatory Failure Events

April 14, 2009: College sports fans, be careful of the company you keep on Facebook. You might get yourself - and the program you support - in trouble. That was the lesson this week for Taylor Moseley, a North Carolina State freshman who expressed a common-enough opinion on campus when he started the Facebook group called ``John Wall PLEASE come to NC STATE!!!!'' (link)

April 3, 2009: Duke University may owe the federal government more than $1.6 million, according to a report released by the Office of the Inspector General of the U.S. Department of Health and Human Services. OIG said the University had misused federal funds to pay administrative and clerical staff members. (link)

April 2, 2009: A Marist College professor was found guilty Tuesday of more than 130 felonies relating to his possession of child pornography on his office computer. (link)

March 31, 2009: The former director of theater at Midland College was sentenced late Tuesday to 10 years in federal prison after law enforcement found him in possession of more than 3,300 pornographic images of children last May. (link)

March 31, 2009: Curtis Crittenden, the former head of 4-H in Tooele County, Utah who is serving out a prison sentence for child sexual abuse, has admitted to molesting more than twice as many boys as he had previously. Crittenden, who has a master’s degree and worked for the Utah State University extension service, routinely hosted sleep-overs at his house although the practice was against 4-H program policy. (link)

March 28, 2009: University of Missouri officials are waiting to find out whether they must return $282,000 to the federal government for noncompliance with administrative requirements for research money received from the Department of Health and Human Services. Outside auditors reviewing grants and contracts in fiscal 2006 discovered researchers had failed to sign verification reports to affirm that the amount of money allotted for salaries matched the amount of time spent on research work. Nikki Krawitz, the university’s vice president for finance and administration, said a “computing glitch” kept the university from getting the reports signed as required by the grant. (link)

March 23, 2009: At LSU, in the last two years, five students have filed complaints alleging sexual harassment against a University employee, according to Marian Caillier, Human Resources associate vice chancellor. (link)

March 10, 2009: Binghamton University kept payment information for every student, possibly dating back at least ten years in a storage area next to one of the most trafficked lecture halls on campus, behind a door that was not only unlocked but taped open. The information itself contained social security numbers, credit card numbers, scans of tax forms, business information (including social security numbers and salary information for employees of students' parents), asylum records and more, all kept in a haphazard and disorganized fashion, sprawled out in boxes, in unlocked (yet lockable) filing cabinets and shelving units. And, to seemingly add insult to injury, the university left dollies and a shopping cart in the room, apparently to aid in any attempted theft. (link)


Other Events

April 13, 2009: In the last three years, UCLA has reported at least 10 arsons, attempted arsons and other acts of vandalism against its professors and researchers, along with many unrealized threats. In February, four animal activists were arrested on allegations that they were involved in attacking and harassing animal researchers at UC Berkeley and UC Santa Cruz, but no arrests have been made in any of the UCLA cases, according to FBI spokeswoman Laura Eimiller. She said the incidents are under investigation as acts of domestic terrorism. (link)

April 13, 2009: In the United States, two out of every five college students are binge drinkers, and 1,700 college students die every year from alcohol-related causes. These are senseless tragedies that lead to the important question: What can we all do to make sure it doesn't happen again? (link)

March 31, 2009: Valencia Community College is trying to figure out how a felon got hired as a teacher. On his application, in his own handwriting, it says what he was convicted of. On the paperwork he even put his federal case number on his application for administrators to see and sign off on but a background check done by the college showed no hits. (link)

March 30, 2009: Indiana University police are on the lookout for a toilet-paper arsonist responsible for three fires in the past week in student residence buildings. So far, the fires — started by igniting rolls of toilet paper — have been discovered early and caused just smoke and $200 in damage to floors and walls. (link)

March 16, 2009: Recording class sessions so students can review them online is becoming routine on many campuses. But all that taping can lead to "uh-oh moments," such as when a professor's joke about the college dean ends up on YouTube, or a private comment to a student after class is inadvertently broadcast. (link)


If you have any suggestions, questions or feedback, please e-mail me at robinmk@auburn.edu. We hope you find this information useful and would appreciate hearing your thoughts. Feel free to forward this email to your direct reports, colleagues, employees or others who might find it of value. Back issues of this newsletter are available on our web site at http://www.auburn.edu/audit

If you have any suggestions for items to include in future newsletters, please e-mail Robert Gottesman gotterw@auburn.edu.

Department of Internal Auditing
Auburn University
304 Samford Hall
M. Kevin Robinson, Exec. Director
robinmk@auburn.edu
334.844.4389
© Redistribution of this newsletter, with or without modification, is permitted provided Auburn University Internal Auditing is listed as the source.