
Volume 52 | Number 2 | Winter 2009

Campus Safety, Security & Privacy

INSIDE:

The Privacy Argument

Workplace Conflict

Auditing Emergency Management

Responding to a Shooter Incident

Web Applications

1 COLLEGE & UNIVERSITY AUDITOR

CONTENTS: WINTER 2009

FEATURES

ACUA LIFE
5 Meet Your ACUA Board Members: Toni Messer, by John M. Fuchko, III
6 Inside ACUA-L, compiled by Brenda Mowers

INTERNAL AUDIT ORGANIZATION
7 The Privacy Argument, by Chris Kyriakakis and Sabrina C. Serafin
12 Nip It in the Bud: Nine Secrets to Reducing Workplace Conflict, by Randye Kaye
15 Campus Safety and Security, by Paige Buechley

INTERNAL AUDIT PRACTICES
18 Auditing Emergency Management: A Framework for Evaluating Risk, by Mel Hudson-Nowak and John M. Fuchko, III
21 Privacy: How Should the Auditor Respond?, by Mel Hudson-Nowak

HIGHER EDUCATION
22 Joint Exercise in Responding to a Shooter Incident, by Lee Kernek
24 Campus Safety and Security: What Is An Auditor to Do?, by Charles R. Hrncir

COLUMNS
26 Web Applications: The Latest Threat, by Wilson Crider

DEPARTMENTS
2 From the Editor
3 From the President
4 From the Immediate Past President

ACUA members are invited to submit letters and original articles to the editor. Go to www.acua.org and click on the FAQ and Publication for further guidelines. Please send your copy electronically to the editor or ACUA in Word 95 (or higher) or text file format. The editor reserves the right to reject, abridge or modify any advertising, editorial or other material.

Editor
John M. Fuchko, III, MBA, CIA, CCEP, Board of Regents/University System of Georgia, [email protected], (404) 656-9439

Contributing Editors
ACUA Life: Vacant
Internal Audit Organization: Claire Sams Milligan, Alabama Department of Postsecondary Education
Internal Audit Practices: Mel Hudson-Nowak, Bowling Green State University
Higher Education: Michael J. Foxman, University System of Georgia
Columns: Sterling Roth, Georgia State University

Copy Editors
ACUA Life: Brenda Mowers, Montana State University - Bozeman; Donna Stapleton, Technical College System of Georgia
Internal Audit Organization: David Dixon, Governors State University
Internal Audit Practices: Amy Hughes, Michigan Technological University
Higher Education: Mary Ann MacKenzie, Auburn University
Columns: Beverly Hawkins-Llewellyn, The University of Montana

ACUA Management
Stephanie Newman, Executive Director

College & University Auditor is the official publication of the Association of College & University Auditors. It is published three times a year as a benefit of membership. Articles in College & University Auditor represent the opinions of the authors and do not necessarily represent the opinions of governance, members or the staff of the Association of College & University Auditors. Acceptance of advertising does not imply endorsement by ACUA. ©2009 Association of College & University Auditors.

Send address changes to: ACUA, PO Box 14306, Lenexa, KS, [email protected]

LETTER FROM THE EDITOR

Do We See a Theme?

By John M. Fuchko, III, MBA, CIA, CCEP, Editor

Great leadership has often been defined, even by our Immediate Past President Kevin Robinson, as leaving things better than you found them. My initial experience as the editor of the CandU Auditor certainly highlights the strong foundation provided by our outgoing ACUA President Kevin Robinson and my predecessor, Mel Hudson-Nowak. Mel handed over a strong team of section and copy editors that have truly done the lion's share of the work in recruiting authors, soliciting articles, and preparing those articles for publication. The end result is a publication that should help you, the campus auditor, to leave things on your campus a little better than you found them.

BRIEF OVERVIEW AND FUTURE ISSUES

The Winter 2009 CandU Auditor theme is "Campus Safety, Security, and Privacy." CandU Auditor took several different approaches when addressing these issues. We solicited analyses of a recent report by the Texas State Auditor's Office (SAO) pertaining to campus safety. Paige Buechley and Charlie Hrncir from the great state of Texas highlight key points from the Texas SAO's report that are very relevant to every institution of higher learning. Lee Kernek from the University of Central Florida detailed the results of a recent emergency management drill on her campus, and our very own Mel Hudson-Nowak provided detailed guidance on how to conduct an emergency management audit. Also included are two articles on privacy: another article by Mel Hudson-Nowak pertains to the privacy "roadblocks" that auditors might face, while an article by Chris Kyriakakis and Sabrina C. Serafin addresses the key components of a privacy audit. Finally, Randye Kaye penned an article on reducing workplace conflict and Guest Columnist Wilson Crider detailed potential information technology threats associated with Web-based applications.

Our Spring 2009 edition will focus on "Higher Education Compliance Challenges." Several interesting articles are already lined up for this issue, including an article on the difference between audit and compliance and another article on establishing a compliance program for institutions without compliance officers. Looking forward to the summer, our theme is "Globalization and International Programs: Risk and Opportunity." Proposed articles for this edition include everything from a review of "GAAP vs. IFRS" to the new International Professional Practices Framework from the Institute of Internal Auditors.

On the lighter side, our ACUA Life section includes some words of wisdom from both our ACUA President Dick Dawson and our Immediate Past President Kevin Robinson. Readers are also provided a short introduction to ACUA Board Member Toni Messer. Future editions will include additional opportunities to "meet" members of the ACUA Board and to receive updates on ACUA Committee activity.

LETTER FROM THE PRESIDENT

Values and Vision

By J. Richard Dawson, CPA, CIA, President

The vision statement for the Association of College and University Auditors (ACUA) declares that: ACUA members will be the recognized resource for higher education leaders who manage and address risk. Achieving that vision will take a team effort. This is not to insinuate that little has been done toward reaching this goal. On the contrary, the hard work of each preceding Board has helped set a direction and tone for ACUA so that its members can be that recognized resource.

For those that attended the Wednesday night dinner dance in Phoenix, you know that Kevin Robinson (ACUA Past President) and his band of merry men from Auburn University dressed as the Village People, leading us in their rendition of "A-C-U-A" as opposed to "Y-M-C-A." It occurred to me that ACUA does have a lot in common with the concept of the "Village People." We are a diverse group with many different skills and aptitudes, representing a large geographic base. You may recall that Hillary Clinton wrote a book entitled It Takes a Village where she advocates for a society that meets children's needs. While I don't want to belabor the tenet of her book, I do find an interesting parallel between the Village People's appearance at the dinner dance, Hillary Clinton's book and ACUA. It will take the coordinated effort of a Village to help ACUA achieve its goals.

The successful growth of a child requires a clearly defined set of values. The same is true for ACUA. Values provide strong guidance to each member by setting the tone and direction for decision-making and strategic planning. The ACUA Board has established a set of values that will support the success of our association and allow us to reach our vision. These values are as follows:

• Integrity
• Open sharing of information
• Camaraderie
• Respect
• Commitment to excellence
• Innovation

Having said this, how do we go about achieving the vision? In January 2008, the Board met to revise the current strategic plan. Our vision, mission, core values and goals have essentially remained the same. However, some of the strategies to accomplish our goals were updated to reflect where we are today.

I encourage you to get a copy of the ACUA strategic plan and become familiar with it. We have two important goals.

Goal A: ACUA will be its members' indispensable resource for education, knowledge exchange, best practices and networking.

While we are actively working toward this goal, ACUA needs to better identify the needs and wants of its members. We will conduct more periodic short surveys that will provide us with valuable information to better serve ACUA members. Please participate in these surveys when you receive one. We also need to obtain more useful demographic information about your audit shops. Once obtained, we need to analyze that information so we can develop products and services to help our members. In August, you should have received a survey from Dr. Urton Anderson from The University of Texas at Austin. He is conducting research on behalf of ACUA, the Institute of Internal Auditors (IIA), and The University of California System. The purpose of this survey is to obtain information that will help establish appropriate staffing levels. The results should help our members determine the appropriate staffing size for their audit function.

In support of the core value of camaraderie, we would also like to bring back the concept of the "host institution." Many of the newer members do not remember the days before ACUA had a management firm handling its events, when hosts coordinated everything. While we do not want to revert to having the host institution solely responsible for activities, we would like to bring back some of the camaraderie that having a "host institution" might bring. For example, we could allow the host to have an information table, providing an excellent opportunity to showcase their institution with brochures, slide shows, videos, etc. Rick Gfeller from the University of Arizona System did an excellent job of putting together Web site information and arranging extracurricular activities at the Phoenix Conference.

LETTER FROM THE IMMEDIATE PAST PRESIDENT

Looking Back

By Kevin Robinson, CIA, CFE, Immediate Past President

I have always believed that the basic goal of leading an organization is fairly simple: leave the organization better than you found it when you took over leadership. It is my hope that at least in some small way my year as ACUA President has done just that; however, I will leave it to others to judge that outcome.

During the past year, the ACUA Board refreshed our strategic plan and spent the year focused on carrying out the activities to support our two primary goals: A. ACUA will be its members' indispensable resource for education, knowledge exchange, best practices and networking; B. ACUA will be the principal advocate of internal auditing in higher education.

One primary point of emphasis for my term as president was to build relationships and alliances with outside organizations. We believe this is imperative for our association because it helps raise the visibility of our profession, which consequently benefits all our members. This is a critical component of ACUA's strategic plan. First, we have much to learn from other associations and need to work toward leveraging the knowledge they can bring to us. Second, we have much to offer these other associations with respect to the "audit view" of risk, controls and governance. While the cliché "win-win" is overused, this is actually one circumstance where I believe it does apply.

We made inroads with several notable organizations, including the University Risk Management and Insurance Association (URMIA), the National Association of College and University Business Officers (NACUBO), the Association of Governing Boards (AGB) and the Institute of Internal Auditors Research Foundation, just to name a few. We will continue to build upon these relationships in the years to come. This will ensure that ACUA, and consequently the internal audit profession, will have a seat at the table when important issues emerge within higher education.

This year also represents a milestone with respect to association management for ACUA. As you know, ACUA engages an outside company to handle our business and conference operations. This year, after an extensive process and hours of discussion, the Board selected a new provider: Applied Measurement Professionals (AMP) from Kansas City, KS. You will learn more about AMP in the coming months and I know you will be impressed with our new partner. Stephanie Newman will serve as our new Executive Director and she is already busy learning about our profession and association. It is also sad to say goodbye to our long-term partner Association Resources (AR). AR did many great things for us over the years and we appreciate the partnership we had with them. We wish them continued success even though we are parting ways.

I also want to thank the Board, Committee Chairs and vast number of volunteers who made my year as ACUA President so very rewarding. I am simply amazed at the tremendous talent within our association. I am also confident that ACUA will continue to grow and prosper in the years ahead. I urge you to get involved and be a part of this wonderful association. You will learn much and meet many amazing people who will become not only business colleagues but also friends. Thank you for allowing me to serve as your president.

Meet Your ACUA Board Members: Toni Messer

By John M. Fuchko, III, Editor

Toni Messer is one of the newest members of the ACUA Board. Toni is the Director of Audit and Compliance at the University of Texas at Dallas (UTD). She earned a bachelor of business administration degree in accounting from Texas A&M University. She is both a certified public accountant and a certified internal auditor. Toni worked for the Texas State Auditor's Office for seven years and has worked for UTD for over 16 years. Toni is the single mom of two children, Rachel (age 12) and Ryan (age 10) … and the family dog, Saki (age 15). Toni is proud to point out that she was the 4th grade spelling bee champion for her elementary school. However, she lost the district championship over the word bronchitis.

CandU Auditor readers might be surprised to know that Toni has been to Silver Dollar City in Branson, MO every single year of her life. (Toni refused to disclose exactly how many years other than to comment, "That's a lot of years!") She also plays Wallyball two to three times a week at UTD's Activity Center.

Toni shared her top goals for the association as an ACUA Board member. She proudly stated that her goals are to support ACUA's strategic goals. Specifically, she wants to continue to provide valuable and memorable educational opportunities to members and improve the host committee concept for Midyear and Annual Conferences in support of the ACUA goal of "ACUA will be its members' indispensable resource for education, knowledge exchange, best practices and networking." Toni also wants to improve the monitoring of industry trends and enhance relationships with other associations in support of the ACUA goal of being "the principal advocate of internal auditing in higher education."

Toni also offered some indispensable advice for members who want to get the most out of their ACUA membership:

1. Participate … on ACUA-L!
2. Participate … in conferences and Webinars!
3. Participate … by volunteering to be on a committee or writing an article!

Pictured above are members of the incoming ACUA Board of Directors. Seated from left to right are: Board Member-at-Large Helen Vanderland, Board Member-at-Large Toni Messer, and Secretary/Treasurer Tina M. Maier. Standing from left to right are: Board Member-at-Large Phillip W. Hurd, Vice President Mark Paganelli, President J. Richard (Dick) Dawson, Immediate Past President M. Kevin Robinson, Board Member-at-Large Scott Pierce, and Board Member-at-Large Vijay Patel. Photo: Kim Turner

Inside ACUA-L

Compiled by Brenda Mowers, ACUA Life Copy Editor

COMPENSATION FOR OUTSIDE BUSINESS

Mary Barnett posed a question to the "Collective" regarding accepting payment and whether to use vacation time for speaking or consulting engagements.

• Kim Herrenkohl shared excerpts from Washington's Ethics In Public Service Act, which states employees cannot accept payment from sources other than the university, foundation or alumni association. Honorarium payments may be accepted upon approval.

• Rita Moore also cited state law which indicated a requirement for faculty to receive approval and report anticipated hours spent on the project before doing any outside consulting. Actual hours must be reported afterwards.

• According to Phill Armanas, if the activity is in any way related to their work, the University of South Australia gives the option to have the payment deposited into an account that may be subsequently used for similar activities.

• Charlie Hrncir says Texas A&M employees may be reimbursed for expenses, but may not accept consideration for services they would not have been asked to provide but for their official position.

• Kim Turner weighed in on whether those performing QARs are compensated for their time. She participates for expense reimbursements only and has not taken vacation time because the work also benefits her and her shop.

• When Don Holdegraver speaks to an outside group, he takes vacation if compensated and is only reimbursed for expenses. When performing QARs as an independent reviewer, he has done so for actual expenses. Because of the value to the University for CPE credits earned, he does not use vacation time.

COMPENSATING CONTROLS

Many of our universities struggle with staffing problems. Barry Miller asked about what compensating controls to suggest when dual control over the opening of mail is not feasible. Paul Christiansen suggested separating most of the cash handling risk from the recordkeeping side of the transaction by having the individual opening the mail endorse the checks right away, thus limiting the ability to misappropriate them. The cashiers then record the payments to the appropriate account. Keeping logs was not at the top of the list of the responders due to time constraints and inaccuracy. Although many responders were not fond of logs, some examples of their usefulness were to aid in tracking payments to the account they were posted to, and identifying if a check had been returned or if it was forwarded to another area.

RED FLAG RULES

One topic of high interest on ACUA-L was the FTC Red Flag Rules, for which mandatory compliance began November 1, 2008 with some enforcement of its rules delayed until May 1, 2009. The rules require certain creditors and financial institutions to have identity theft prevention programs. Parts of the rule cover many colleges and universities if, for instance, they participate in the Federal Perkins Loan program or offer deferred payment plans for tuition. Those schools must develop programs that provide for the identification, detection and response to patterns, practices, or specific activities, known as "red flags," that could indicate identity theft. Joe Pickard suggested forming a task force to implement the program and to appoint a person responsible for maintaining an institution's identity theft prevention program. CarolAnn Lazarus proposed that the red flag requirements might be folded into what already exists for protection of confidential data.

THE TIMES WE LIVE IN

Paul Stone wrote that the impact of the current economic conditions has some private institutions tightening their budgets in anticipation of the economic impact due to falling enrollments. Contributing factors are availability of financial aid due to tight credit, parents having lost money in the stock market and the associated loss of equity in their houses, decline in donor giving and un/under/employment. Fred Chavez questioned whether anyone had seen a report that footnotes the impact of the economy on universities, and called for vigilance since the economic downturn has caused two corners of the fraud triangle to increase significantly. Sylvia Budd reported that external auditors made reference to the economic uncertainty in a separate note in the financial statements.

The Privacy Argument

INTRODUCTION

When we think about privacy, there are two major factors that appear to be driving the debate: availability of information and a willingness to share private information. Recalling consumers' attitudes regarding privacy 30 years ago, it was not unusual for people to share personal information such as their name, date of birth and political beliefs on their clothing, tattooed arms, buttons or bumper stickers. Today, those methods of communication have been complemented by social networking sites such as Facebook, MySpace and Classmates.com. People of all ages are sharing, often as a demonstration of their artistic prowess, both superficial and deeply personal information. At the same time, many people in the past 15 years have gone from a simple entry in their local phone book to having a complete composite profile available on the Web.

Along with this change in attitudes towards privacy, there is an exponential increase in the availability of personal information. This is mainly due to advances in storage capability, the proliferation of e-commerce and indexing innovations that make data availability almost instantaneous. This evolution of technology and desire to share personal information raises new questions, such as "what are the privacy expectations of consumers?" and "what are the responsibilities of businesses and administrators to protect (and react to) personal information?"

Privacy is a nascent concept for many businesses and industries; however, there are several industries where privacy risks have been catapulted to the foreground. Higher education is one of those industries. Soon after the Virginia Tech tragedy in April 2007, many eyes turned to the complicated privacy laws that impeded the sharing of information between education, law enforcement and healthcare. As often happens in the wake of a tragedy, rules and regulations were examined and revisions proposed to address a situation that until that time was incomprehensible.

As an auditor, it is necessary to understand the risks that create significant exposure to the organization and the expectations of administrators to mitigate those risks. In this article, we will provide a background of the evolving privacy requirements as risks to institutions of higher education and a framework for performing a privacy audit.

PRIVACY AND DATA PROTECTION

In general terms, privacy encompasses the rights of individuals and the obligations of organizations with respect to the collection, use, disclosure and retention of personally identifiable information. "Personally identifiable information" refers to any information that identifies or can be used to identify, contact or locate the person to whom such information pertains. This type of information, regularly utilized by academic institutions, is subject to certain data protections. While regulation is in place to guarantee students the right to privacy (see the Family Educational Rights and Privacy Act, or FERPA), student data is particularly vulnerable due to the vast need to share and distribute student data within the academic institution (e.g., among departments) and externally (e.g., transcripts).

KEY REGULATIONS

Managing privacy risks often starts with understanding the regulations and authoritative guidance governing the institution. Two significant privacy laws enacted to protect students are FERPA, as it relates to sharing of educational records, and the Health Insurance Portability and Accountability Act (HIPAA), as it relates to sharing of health and treatment records.

FERPA

FERPA, enacted in 1974, was designed to protect students' personal information from such mundane exposures as having their grades posted on a bulletin board to more intricate requirements on how the states may transmit grades to federal agencies. As it currently stands, FERPA provides basic protections for students and parents. The requirements relate only to colleges, universities, and other educational agencies that receive federal funding. FERPA's primary requirements for the schools include:

• Providing students over the age of 18 access to inspect their educational records
• Providing students with copies of their educational records upon request
• Redacting personally identifiable information about other students that may be included in a student's educational records
• Consideration of a request to amend inaccurate or misleading information
• Providing a hearing if the request above is declined
• Requiring a student's consent (signed and dated) before disclosing educational records
• Annually notifying the students of their rights under FERPA.

As a note, these protections are largely granted to parents when the student is under the age of 18, and the protections relate to educational records and specifically exclude health records that might be held by the institution. (Paraphrased from US Department of Education Web site)

By Chris Kyriakakis, CPA, CISA, CIA and Sabrina C. Serafin, MA, MBA, CISA

ABOUT THE AUTHORS

Chris Kyriakakis, CPA, CISA, CIA leads Frazier & Deeter's Information Technology Assurance and Governance Services Group where he specializes in implementing Enterprise Risk Management, IT Governance, and SAS70 Audits. He is a former PCAOB inspector and formerly from Deloitte & Touche LLP.

Sabrina C. Serafin, CISA is a Senior Manager in Frazier & Deeter's Information Technology Assurance and Governance practice. She specializes in consumer privacy services. Sabrina was formerly a Director of Internal Audit at CheckFree Corporation where she implemented and supported their privacy program.

ANNUAL CONFERENCE 2008 (Photos: Phil Hurd)

HIPAA

Originally enacted in 1996 to regulate the healthcare industry, HIPAA was created in response to the increasing ease of sharing health information electronically between doctors, medical organizations and insurance companies. A specific section of the Act, referred to as the Privacy Rule, focuses on the protection of private information. The Privacy Rule took effect in 2003 and spawned the recognition of a new term, Protected Health Information (PHI). PHI is any information regarding the health status, healthcare or payment for services that can be linked to an individual (e.g., names, SSNs, medical treatments, diagnoses, etc.). Some of the significant requirements of a healthcare institution include:

• Documented privacy policies and procedures
• A designated privacy official to develop and implement the policies and procedures
• Training and communication of the policies and procedures
• Proper administrative, technical and physical safeguards to protect PHI from being disclosed in violation of HIPAA
• Documentation and record retention requirements that extend six years for documents and records identified under the Privacy Rule.

(Paraphrased from the US Department of Health and Human Services Web site)

FERPA and HIPAA are only two, albeit the largest, examples of an amalgamation of complicated state and federal laws designed to protect consumers' information. It is this complexity that has been deemed by many as one of the major obstacles to preventing the Virginia Tech tragedy.

As a result, new legislation was proposed in early 2008 to amend FERPA and to simplify some of these unnecessary complexities. The proposed amendments would give more latitude to educational administrators and allow them to share personally identifiable information without the consent of the student when certain circumstances arise. The updated language also clarifies FERPA rules of disclosure when required under the USA PATRIOT Act and the Campus Sex Crimes Prevention Act.

Considering the complexity of privacy laws and the inability of many to keep their personal information secure, it is becoming a greater challenge for institutions to manage their risk policies and for auditors to evaluate and report on the design and implementation of those policies. For many audit departments, privacy has become one of the top compliance and reputational risks in their organizations.

PRIVACY IN ACADEMIC INSTITUTIONS

The news is inundated with stories of privacy breaches in every industry, and academic institutions are not immune to scrutiny. Regardless of a university's existing privacy policy and practices, auditors must gain an understanding of the effectiveness of the supporting processes. Enter the privacy audit.

MECHANICS OF A PRIVACY AUDIT

A privacy audit examines the policies and procedures surrounding the collection, use, disclosure and retention of personally identifiable (and often proprietary) information that is commonly utilized by academic institutions. Auditors must ensure that information processing controls are sufficient to meet privacy requirements and standards by reviewing the ways in which information is used, handled, modified and manipulated. Below are four steps for auditing privacy, along with questions to ask to determine the status of privacy protection within the organization.

Identify Privacy Risks

The most important step in a privacy audit is to identify the privacy risks that are present throughout the institution. The auditor must gain an understanding of how personal information is collected, used, stored and disclosed and then must evaluate the potential privacy risks to that information.

One of the most effective and thorough means of identifying these risks is to gain an understanding of how data flows through the organization. Each data access point can be considered a potential risk area. For each data access point:

• Understand what protection mechanisms are in place and who is responsible for implementing them
• Determine how personal information is used at that point and to whom it is disclosed
• Ascertain whether outside organizations are allowed access to the information and how that happens.

Evaluate Existing Policies and Procedures

Once the universe of privacy risks has been established, it is important to understand what policies and procedures are in place to govern privacy and manage those risks. Consider the information management procedures and the processes for collecting, maintaining and using personal information. What is the process for managing privacy and confidentiality issues? Answers to these questions will help the audit team better evaluate and quantify the risks identified in the first step.

Test Key Controls

A basic understanding of risks and the corresponding controls will point to the tests necessary to truly reveal the organization's formal and informal privacy practices. Testing of key controls will include:

• Access controls that are in place to protect personal information from unauthorized modification or use, damage and loss
• Procedures for password use
• Procedures for database administration
• Personnel procedures
• Control procedures for the wide-area network and local area networks
• Physical security of the computer systems
• Procedures for the storage and disposal of data output.

Assist Management with the Resolution of Findings and Issues

Following testing, results must be summarized and reported in a way that guides the organization toward a comprehensive plan to mitigate privacy issues and findings. The report will be geared toward the organization’s particular needs, helping it migrate to a strong privacy management program. Findings will provide recorded assurance that privacy issues have been appropriately identified, adequately addressed or brought to senior management for further direction.

Typical recommendations include:
• Limit access to those who require it
• Adequately secure data
• Publish the corporate privacy policy; train employees
• Manage data in accordance with sensitivity
• Build an incident response plan
• Limit sensitive data collection and posting
• Verify compliance with privacy regulations
• Establish information retention and destruction rules
• Require and enforce confidentiality and non-disclosure agreements.

Identified risks and solutions should be used by the organization to remediate gaps in business processes and procedures to better protect sensitive data, comply with laws governing data security, develop effective compliance strategies and put best practices into action.

SUMMARY

As custodians of private data, educational institutions have a responsibility to formulate, plan, implement and support privacy standards and tools protecting the personally identifiable information of faculty, staff, students and graduates. Structuring an academic privacy program requires the ability not only to deal with where data collection, access and disclosure may present risk at a given point in time, but also the ability to change within a rapidly evolving environment. Auditors are in place not only to ensure that the collection, access and display of data are in compliance with expectations, privacy laws and standards, but also to provide a framework and guidance for that compliance.

(continued from “Values and Visions,” page 3)

Another way to support camaraderie is to continue development of the ACUA ambassadors. This is a group comprised of longtime members with a history of involvement in ACUA activities. This group might include past Board and Committee Chairs, Board or Committee members, and individuals who are willing to extend the reach of the Board by attending the first-timers reception and watching out for individuals who appear disconnected at conferences. These individuals will continue to play other important roles in ACUA’s future, such as representing our group with other associations.

We also want to continue developing the “ACUA Risk Dictionary” by using it to communicate risk and controls on emerging areas important to higher education. We have spent a lot of time and effort on this project and I believe it is not only one of the most valuable member benefits, but is also vital to the achievement of our vision. When Kevin Robinson, Mark Paganelli and I met with representatives of the Association of Governing Boards (AGB) and the National Association of College and University Business Officers (NACUBO), they were both impressed and extremely interested in this project.

Goal B: ACUA will be the principal advocate of internal auditing in higher education.

Kevin Robinson began the process of formalizing agreements and relationships with other higher education groups like AGB, NACUBO and the University Risk Management and Insurance Association (URMIA). Fostering these relationships will benefit ACUA members. He will continue those efforts as immediate past president.

I believe ACUA has come a long way thanks to the innovative ideas, hard work, and dedication of ACUA members, both past and present. But much more can still be done to make ACUA a recognized leader in higher education. It does take a “Village,” so please contact Mary Barnett (ACUA Volunteer Coordinator) or any of the Board members if you are interested in volunteering for any of our important activities.

Nip It in the Bud: Nine Secrets to Reducing Workplace Conflict
By Randye Kaye

INTRODUCTION

I grew up in New York City, where my gardening experience was confined to one houseplant. But I have since learned – mostly through trial and lots of error in my own suburban backyard – a thing or two about nurturing healthy gardens. Many of the same principles can be applied when it comes to reducing – and preventing – conflict in your workplace.

Let’s begin by defining what we mean by conflict. Whenever more than one person is in the room, there is bound to be disagreement, either expressed or unexpressed. Disagreement, or mild conflict, is a fact of life. In fact, it is an extremely healthy element in a successful workplace. Disagreement can foster growth in an organization, stimulate creativity and problem-solving, and lead people to know each other better. If handled well, mild conflict can actually increase trust.

It is when conflict gets out of hand, however, that the workplace becomes toxic. Whether people hold their feelings in or lash out at others, the result can be hurt feelings, impaired teamwork, and/or severe internal stress. From there, the unresolved disagreements can trigger a series of chain reactions. Before you know it, you have angry clients, workplace resentment, people taking sides and high employee turnover. When mild conflict is allowed to fester, it spreads more quickly than the dandelions in my front yard. And then you can barely see the rest of the lawn.

Conflict – like my dandelion problem, unfortunately – never ends. However, it can be managed – internally by each of us, and externally by the leadership within your organization. Here are nine secrets that can help.

NINE SECRETS

1. The right conditions. Most of my gardening failures – which, unfortunately, is most of my gardening – stem from not taking the steps to properly assess and prepare the soil. I know I should have the soil tested, dig deep to loosen the dirt, add fertilizer and other mystery elements. Without that – well, you know. With that – well, witness my neighbor’s beautiful garden.

In the workplace, this groundwork translates into management skills. For your clients, it may mean setting up a realistic picture of what to expect from the audit process. One ACUA member told me that a client got very upset when presented with a post-audit evaluation to fill out. Because she had not expected this, the client’s first reaction was something like, “What? You’re auditing me again? Haven’t we had enough scrutiny?” If she had known in advance that this evaluation was part of the process and what it was, that moment of discomfort might have been prevented. Similarly, some clients may have preconceived notions about the audit itself. Will this mean people will be fired? Salaries decreased? Addressing concerns up front can prevent misunderstanding later on.

Likewise, the atmosphere among co-workers benefits from a clear idea of ground rules, expectations and the process for airing grievances and solving problems. Show me a workplace where no one can speak up, and I will show you a workplace where workers feel undervalued and unsafe. Conversely, if disagreements are well-handled and feedback is welcome, the atmosphere is as good as my neighbor’s soil. Plants – and people – thrive in a realistic atmosphere where expectations are clear, individuals and teams are valued and growth can occur with a minimum of misunderstanding.

2. Recognize that conflict comes in stages. If an individual “suddenly” loses his temper, workers quit their jobs after a short time, or clients are consistently giving poor marks in evaluations – it did not happen overnight. Conflicts – like weeds in a garden – are still a fact of life, no matter how rich the soil. They come in predictable stages, however, and each stage has its own set of management skills. Michael Staver, CEO of The Staver Group, describes them this way: Stage one is the trigger or event itself. Someone is criticized in front of everyone, or a client does not agree with her audit results. Without early action, this can lead to escalation (stage two) or crisis (stage three). Here, too, the skills used will affect the eventual resolution (stage four) and emotional result (stage five). If the baseline and stage one skills are consistently employed, the need for damage control is greatly reduced.

ABOUT THE AUTHOR

Randye Kaye leads educational and corporate workshops in communication, diversity, creativity, teamwork, and self-esteem. She combines her work experience in radio, improvisation, acting, mental health and theater to teach and inspire. She is also the author of No Casseroles for Schizophrenia (Dunham Literary, NYC, author’s representative), a memoir of her family’s experience with the onset of schizophrenia in one of her children and how effective communication skills keep the situation from escalating. Visit www.randyekaye.com for more information.

3. Take responsibility. Dispel the myth that it is always the other guy’s fault. It is the gardening equivalent of refusing to pull out the weeds because they “shouldn’t” be there. Every event that happens – yes, every event – is filtered through a personal set of thoughts and feelings – many of which come from past experience, deeply ingrained. A snowstorm can be seen as a wonderful thing to a ten-year-old who gets a day off from school. But that same blizzard may cause stress, and even anger, in the adult who now has to find a babysitter and get to work through the snow. Either way, it is the same weather. It is our thoughts about it – and the resulting feelings – that color the event.

So it is with the challenges of working with others. If we always blame the other guy, or the event, we never have to take responsibility for improving our own attitudes and actions. This all begins with simple awareness.

No matter what is in the soil, you are the gardener. Some of the decisions are yours to make, and each will have a result. For instance, you can remain calm if things start to heat up by doing three things: breathe (it gives you a moment to take in both some needed oxygen and also the situation itself); notice your own self-talk (“What am I telling myself about this situation or this person?”); and remember to take the problem seriously instead of yourself (this can give you some greatly-needed perspective).

4. Empathy. We are seldom the only one tending our garden. Like it or not, there are other gardeners in the mix, at work and at home. Each of us has needs, and the biggest mistake we make in managing conflict is spending too much time defending ourselves and not taking a moment to consider what the other gardeners need – and the realities of what the plants themselves need to thrive. If you plant tomato seeds 1” apart instead of the recommended 24” or so, you are not getting great tomatoes no matter how right you think you are. In fact, how much of conflict eventually just boils down to “proving” we are right? It is our ego that may need that proof, but it does not solve the problem. When we exhibit empathy for the other party’s needs and perceptions, we are on the way to a constructive solution. When this happens consistently, we have a healthier baseline for all workplace conflicts. People want, above all, to be heard, understood and valued. Empathy means we care about their side of things.

5. Listening and responding skills. Empathy is best exhibited in the way we listen to and respond to others. If a conflict is left to escalate, then anger becomes the problem. Anger is usually about ego needs like respect and control. The quickest way to inflame another gardener’s ego is to listen poorly. Conversely, listen and respond well and you may nip conflicts in the bud.

What does listening mean? First of all, let the other person talk. Most of the time we listen autobiographically – that is, we pay attention for about 30 seconds and then our own ego has a thing or two to say. We wait for an opening and then jump right in to defend ourselves, top a complaint with a larger one or tell the other person how they should feel. Much more effective is to focus on the other person, try to understand what he or she is really saying and filter for the real issue and feelings.

The way you respond is also vitally important. Some responding skills include reflecting back what you heard, or think you heard. What you heard may not be what was meant, and you may need to check for understanding, using “I” language. An example: “I just want to make sure I understand. Did you say…? Did I get that right?” Acknowledge the situation and feelings (empathy again); ask questions to clarify. “That is a tough situation, tell me more,” goes a lot farther than “Aw, come on – it can’t be that bad. Let me tell you what happened to me last week.”

6. Preserving dignity. Whether someone is voicing a complaint calmly or about to explode, things will only get worse if they feel they are being judged, ignored, or attacked. Anger happens most often out of a sense of injustice, incompetence or personal attack. Allow the angry person to save face. If you do not, you will have a second, larger problem later on. If anger and ego become the primary issue, the underlying problem never gets resolved. Remember: other people’s perceptions are real to them! If the situation calls for it, admit mistakes and apologize, then try to refocus on the issues underlying the anger. Keep in mind: how can we solve this problem?

7. Learn crisis skills. If the first six secrets are consistently implemented, then you will hopefully not have too many conflicts that reach stage three (crisis). However, it is best to know what to do in case they do. Arm yourself with skills; bring anger management and conflict resolution training to your workplace. There you will learn things like this: at stage three, the angry person thinks he has taken control of the situation, but in fact is way out of control. At this point, anger becomes the real issue, until things calm down. Referee skills – such as always asking permission to get involved – can also be taught. The secret here is to be prepared, like having a fire escape plan in your family. We hope we never have to use crisis skills, but it makes sense to have them.

8. Learn problem-solving skills. No matter how calm everyone seems after the storm, issues will only resurface if not addressed in the resolution stage. At this point, there is often regret or embarrassment over stage three behaviors, promises made and wounds to heal. The worst thing you can do is to ignore this stage and hope the problem will go away by itself. The best thing you can do is to discuss what caused the trigger in the first place and then see how a rerun can be prevented. Again, training can teach skills for brainstorming, problem-solving and negotiation. These range from where to sit around the table to how to find common ground and follow up on solutions. It is about mulch, weeding and Miracle-Gro: investments in the garden’s success.

9. Leadership. Every incident, even after the “problem” is solved, has an emotional aftermath. Secret #9 actually brings us right back to #1, creating an atmosphere conducive to productivity, satisfaction and growth. Is your workplace a place where people understand the mission and their part in it? Do the workers and clients feel valued? Is feedback welcome or discouraged? In autumn, when the garden begins to go to sleep, you have the opportunity to make some plans for next spring – and keep them.

The best secret to conflict resolution is to follow the steps for conflict prevention and reduction. Be prepared. Stay aware. Train for the future. Nip it in the bud, and you’ll have a lot less weeding to do in the future.

Campus Safety and Security
By Paige Buechley, CIA, CISA

ABOUT THE AUTHOR

Paige Buechley, CIA, CISA is the Assistant Director of Audits at the University of Texas System Audit Office. Before joining the UT System Audit Office, she worked at the Texas State Auditor’s Office for six years. Paige spent her college career at the University of Texas at Austin and received a BA in Government, a Masters in Public Affairs from the LBJ School of Public Affairs and a Masters of Business Administration from the McCombs School of Business.

When we think of campus safety, we usually think of the police department or the office of risk management; however, as auditors, we play an important role in keeping our campuses free of crime and ensuring that our institution can appropriately respond to emergencies. Every institution in the University of Texas System has responded to some sort of emergency on campus in the past few years. Some of these emergencies were more difficult to recover from than others. For example, UT El Paso had to close the campus during student orientation due to severe flooding from Hurricane Gustav; Hurricane Dolly caused more than $800,000 in damages to UT Brownsville; and UT Medical Branch in Galveston is still recovering from Hurricane Ike. The ability of an institution to quickly recover from a disaster depends in part on the quality and comprehensiveness of the institution’s emergency management plan.

In October 2008, the Texas State Auditor’s Office (SAO) issued An Audit Report on Campus Safety and Security Emergency Management Plans at Texas Public Universities. The audit involved reviewing emergency management plans at 35 public universities, surveying personnel about emergency management practices, reviewing annual security reports and conducting on-site visits at six of the 35 public universities. Although the SAO report does not include any specific recommendations for institutions, its overall observations and recommendations can be useful in preparing for a campus safety audit. The full report can be found at the SAO Web site: www.sao.state.tx.us.

STATE AUDITOR’S OFFICE REPORT KEY POINTS

Key Elements and Implementation Status of Emergency Management Plans Vary Among Universities

The SAO used the National Incident Management System standards as criteria for its review of emergency management plans. While all of the 35 public universities had developed these plans, the audit concluded that the elements and concepts addressed in these plans differ among the universities because the State does not have emergency management requirements specific to higher education institutions. Categories that were consistently addressed included Concept of Operations, Organization and Assignment of Responsibilities, and Direction and Control. Categories that could be improved included Plan Approval and Implementation, Situations and Assumptions, Development and Maintenance, and Readiness Levels.

Universities Face a Variety of Potential Hazards

The SAO report lists the significant incidents that have affected Texas public universities, including a campus lockdown, a tropical storm and hurricanes, an infectious disease outbreak and a serious boating accident. The SAO report highlights UT Austin’s emergency management plan, which addresses 42 major hazards ranging from potential fires to terrorism-related incidents. The SAO report concludes that a comprehensive risk assessment can help universities plan for hazards and identify critical hazard mitigation activities.

Universities Could Improve Their Reporting of Campus Security and Crime to Better Comply with the Clery Act

Colleges and universities that receive Title IV student financial aid must comply with the Clery Act. The Clery Act requires institutions to collect and report crime data and security policy statements. It also requires institutions to immediately notify the campus community upon the confirmation of a significant emergency or dangerous situation. Violations may result in fines of up to $27,500 per violation by the US Department of Education. According to Security On Campus (www.securityoncampus.org), a non-profit organization dedicated to safe campuses for college and university students, the US Department of Education has conducted more than 260 program reviews since 1994. Some of the focused program reviews have resulted in fines of up to $200,000.

The SAO report found that two of the 35 public universities did not produce and distribute an annual report. Seventeen of the 33 reports they reviewed did not include all required information in their 2007 annual security reports, including disclosing their policies for preparing the annual security report, who prepared the report and from what sources the crime statistics were collected. The auditors reviewed the required daily crime logs at the six institutions where they conducted on-site work and found that the logs at two universities did not always include the date and time the crime occurred and the date and disposition of complaints.

While Universities Have Implemented Some Emergency Preparedness Measures, Additional Steps Could Be Taken

The SAO report found that while most universities conduct risk assessments, nearly half of the 35 universities do not incorporate these assessments into their emergency management plans. One university stated that it never conducts risk assessments and nine universities stated that they conduct a risk assessment less than once per year. The SAO report also concludes that universities do not ensure that all personnel with a role in emergency management receive emergency preparedness training. The audit also found that universities can improve preparedness by conducting more frequent exercises of their emergency plans. Recent revisions to the Clery Act require institutions to include in their annual report a statement of current campus policies regarding immediate emergency response and evacuation procedures, including testing these procedures on an annual basis.

Universities Have Implemented Emergency Notification Systems

The audit found that all 35 universities reported having more than one system available for emergency notification, including e-mail, Web site, text messaging and public address systems. Some universities automatically enroll all students, faculty and staff into the notification system while others give students an option to sign up for campus alerts.

Universities Could Enhance Their Use of Emergency Resources by Entering into Mutual Aid Agreements and Identifying Available Resources

The audit also determined that universities could enhance their use of emergency resources by entering into mutual aid agreements with external entities. Twenty-six of the 35 universities reported that they had a formal mutual aid agreement with local government entities and the remaining nine universities did not have agreements with any external entity. The SAO report provides a list of federal and state emergency management resources and determined that some universities are not fully using these resources. In addition, almost 70 percent of the universities were able to identify specific equipment in their inventory available for emergency operations and 20 percent indicated that specific budgets were set up for emergency operations. The remaining universities did not have budgets for emergency operations, but used emergency funds from other departments.

Universities Have Taken Steps to Mitigate Their Exposure to Hazards and Limit Potential Losses

The audit found that all 35 universities reported they had incorporated mitigation activities into their emergency management programs. These mitigation activities include providing mental health resources to the campus community and offering education and outreach programs. The SAO report highlighted the University of Texas at Austin’s Behavior Concerns Advice Line. This confidential hotline allows faculty, students and staff an opportunity to discuss their security concerns about another individual’s behavior. This service is a partnership among the Office of the Dean of Students, the Counseling and Mental Health Center, the Employee Assistance Program and The University of Texas Police Department. In addition, The University of Texas at Austin has developed educational brochures and made available a 20-minute video, “When Lightning Strikes – Shots Fired,” developed by the Center for Personal Protection and Safety, on what to do in the event of an active shooter on campus. Other mitigation activities are implementing physical security measures around campus such as cameras, blue light emergency phones and student patrols.

While the State Auditor’s Office audit showed the state of campus security at a point in time, to accurately understand the state of campus security and safety at your institution, it is important to know the history of campus security and how the program was developed.

CAMPUS SAFETY AT THE UNIVERSITY OF TEXAS SYSTEM

Campus security has always been an important issue at The University of Texas System. In response to the September 11th attacks, the UT System Chancellor began a security initiative and asked each of the 15 institutions to form a working group to oversee an increase in physical security measures at its campus. This year, institutions in the UT System were asked to perform an audit of campus safety as part of their annual audit plan due to its high risk and heightened awareness from other campus incidents. The audits will include determining compliance with the Clery Act and reviewing emergency management plans. The audits incorporate the biennial inspections of the institution police departments performed by the UT System Police that include a review of Clery Act compliance.

Last year, UT System identified Student Health Centers as a high risk and requested the IA departments to perform an audit. In response to the Virginia Tech incident, procedures were added on the coordination between the Student Health Centers, Mental Health Counseling and Police Departments and how the institution responds to threatening behavior by a student.

RESOURCES FOR CONDUCTING CAMPUS SAFETY AUDITS

There are several resources available that can assist with planning a campus security audit. The US Department of Education provides a checklist for Clery Act compliance in its Handbook for Campus Crime Reporting. The National Integration Center Incident Management Systems Integration Division, established by the Secretary of Homeland Security, provides the National Incident Management System so responders from different jurisdictions and disciplines can work together to respond to disasters and emergencies, including acts of terrorism. The Texas State Auditor’s report also provides a list of federal and state resources for emergency planning and management.

Finally, it is important as auditors to be aware of crime on each campus. Under the Clery Act, institutions are required to maintain a daily log of all crimes reported to the police department. Some universities publish those logs. For example, The University of Texas at Austin has a daily e-mail that reports selected crimes. Information in these daily logs can provide information on potential fraud or areas in need of increased security.
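Because the SAO found daily crime logs missing the date and time of occurrence and the disposition, a completeness check over the log is a natural audit test, and the same pass over the data can surface the locations that keep recurring. The script below is an added example written for this column, not code from the article or from any university police department. The log layout, column names and entries are constructed for illustration; the required-field list is an assumed mapping of the Clery Act daily log elements (nature, date and time reported and occurred, general location, disposition) onto that constructed layout.

```python
"""Completeness and hot-spot check over a Clery Act daily crime log.

Added example for this column, not code from the article or from any
university police department. The Clery Act daily crime log must record,
for each reported crime, its nature, the date and time it was reported and
occurred, the general location and the disposition. The log layout, column
names and entries below are constructed for illustration.
"""
import csv
import io
from collections import Counter

# Constructed sample log exported as CSV. Two entries are missing
# required fields, the kind of gap the SAO review found at two universities.
CRIME_LOG_CSV = """\
case_no,nature,date_reported,date_occurred,time_occurred,location,disposition
09-0101,Burglary,2009-01-05,2009-01-04,22:30,Jester Hall,Open
09-0102,Theft,2009-01-05,2009-01-05,,Jester Hall,Closed
09-0103,Assault,2009-01-06,2009-01-06,01:15,Parking Garage C,Open
09-0104,Theft,2009-01-06,,,Library,
09-0105,Theft,2009-01-07,2009-01-07,14:00,Jester Hall,Unfounded
"""

# Fields every log entry must carry (assumed mapping of the Clery
# elements onto this constructed layout).
REQUIRED = ("nature", "date_reported", "date_occurred",
            "time_occurred", "location", "disposition")


def load_log(text):
    """Parse the CSV export into a list of dict rows."""
    return list(csv.DictReader(io.StringIO(text)))


def incomplete_entries(entries):
    """Map case number -> the required fields left blank in that entry."""
    gaps = {}
    for entry in entries:
        missing = [f for f in REQUIRED if not (entry.get(f) or "").strip()]
        if missing:
            gaps[entry["case_no"]] = missing
    return gaps


def completeness_rate(entries):
    """Fraction of entries with every required field populated."""
    if not entries:
        return 0.0
    complete = len(entries) - len(incomplete_entries(entries))
    return complete / len(entries)


def hot_spots(entries, min_count=2):
    """Locations appearing at least min_count times, most frequent first."""
    counts = Counter(e["location"] for e in entries if e["location"].strip())
    return [(loc, n) for loc, n in counts.most_common() if n >= min_count]


def by_nature(entries):
    """Count of entries per crime category, most frequent first."""
    return Counter(e["nature"] for e in entries).most_common()


if __name__ == "__main__":
    rows = load_log(CRIME_LOG_CSV)
    print("entries complete: %.0f%%" % (100 * completeness_rate(rows)))
    for case, fields in incomplete_entries(rows).items():
        print("  %s missing %s" % (case, ", ".join(fields)))
    print("locations to look at:", hot_spots(rows))
    print("by nature:", by_nature(rows))
```

The completeness figure and the per-case list of blank fields are the audit evidence; the location and category counts are the lead for the follow-up the article suggests, such as whether a building with repeated thefts needs cameras, patrols or an access-control review.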


Wander across any college or universitycampus in early October and it becomesimmediately apparent that higher

education is a unique business. Campuses can belarge or small, urban or rural, residential orcommuter and yet they all share a characteristicflow of students, faculty, staff and guests that is allabout people.

Auditors know that in a people business, risks tohealth and safety have a big impact. Catastrophicevents can result in loss of life or property,disruption to campus mission and activities,financial loss and, in extreme cases, an inability forthe institution to recover. While it may seemunlikely that catastrophic events will happen atany given institution, campus shootings atVirginia Tech and Northern Illinois and floods inNew Orleans and Iowa City illustrate the realimpact of low likelihood events.

A FRAMEWORK FOR AUDITThe audit team at the University System ofGeorgia has developed a comprehensive auditprogram for reviewing emergency management atinstitutions of higher education. Based on theFederal Emergency Management Agency (FEMA)draft white paper, “Principles of EmergencyManagement”1 (Principles), the audit program iscreated around eight broad principles. ThePrinciples state that an emergency managementprogram must be: 1) comprehensive, 2)progressive, 3) risk-driven, 4) integrated, 5)collaborative, 6) coordinated, 7) flexible and 8)professional.

Taken together, the Principles provide a frameworkfor meeting the mission of emergencymanagement, which the Principles define as to“protect communities by coordinating andintegrating all activities necessary to build, sustainand improve the capability to mitigate against,prepare for, respond to and recover from threatenedor actual natural disasters, acts of terrorism or othermanmade disasters.”

PRINCIPLE 1: COMPREHENSIVEThe Principles define a comprehensive program asone in which “emergency managers consider andtake into account all hazards, all phases, allstakeholders and all impacts relevant to disasters.”

Although hazards, stakeholders and impacts maybe terms largely understood by auditors, the idea ofemergency management phases may be new. Thephases were defined in the ComprehensiveEmergency Management Model2 as:• Mitigation. Those activities and actions

designed to prevent or reduce losses fromdisaster.

• Preparedness. The development of plans andcapabilities for effective disaster response

• Response. The immediate reaction to adisaster. It may occur as the disaster isanticipated, as well as soon after it begins

• Recovery. Those activities that continuebeyond the emergency period to restorecritical community functions and managereconstruction.

To assess whether an emergency managementprogram is comprehensive, auditors should startwith interviews with senior emergencymanagement officials to understand how theyhandle each of the four phases. In addition tointerviews, document review should be completedof both the business continuity portion of thecampus emergency plan and the processes andprocedures to ensure accurate record-keepingduring a disaster.

PRINCIPLE 2: PROGRESSIVEProgressive emergency management means that“emergency managers anticipate future disastersand take preventative and preparatory measures tobuild disaster-resistant and disaster-resilientcommunities.” As the number and severity ofdisasters increase, it is important to not simplywait to respond to conditions, but to understandthe unique exposure faced at your institution andwhat is being done proactively to reduce thelikelihood and severity of a catastrophic event.

To determine whether an emergency management program is progressive, auditors can evaluate whether the institution is investing resources and making a high-level commitment.

• To understand resource investments, auditors should review budget information for the current period and the last two years and look at both on-going funding and one-time special expenditures.

• High-level commitment can be understood through interviews with emergency management staff to understand whether needs have been communicated to institution leadership, addressed in a timely manner and prioritized so that high risk items (i.e., both high impact and high probability) are addressed in the right order. Communication to the broader institution community also indicates the amount of high-level support given.

• In addition to institutionally unique risks, this assessment step should also include review of the Pandemic Flu Plan. The FEMA Disaster Assistance Policy 9523.17 states that, “Over an expected period of two years, between 15% and 35% of the U.S. population could be affected by an influenza pandemic, and the economic impact could range between $71.3 and $166.5 billion.” Given the residential nature of our environment, the impact to higher education would be significant.

Auditing Emergency Management: A Framework for Evaluating Risk
By Mel Hudson-Nowak, MBA, CIA, Internal Audit Practices Section Editor and John M. Fuchko, III, Editor

ABOUT THE AUTHORS

Mel Hudson-Nowak, MBA, CIA is the Director of Internal Audit at Bowling Green State University (BGSU), a position she has held since 2006. Prior to joining BGSU, she worked in various Finance positions at Ford Motor Company, including an overseas assignment at Volvo Cars for Sarbanes-Oxley readiness. Mel has a BA from Smith College, an MBA from Michigan State and is a CIA.

John M. Fuchko, III, CIA, CCEP is the Editor of the College and University Auditor. John serves full-time as the Assistant Director of Compliance for the University System of Georgia. His professional background includes senior auditing roles in both performance auditing and higher education auditing. John is a Captain, Military Intelligence in the Georgia Army National Guard. John also is an officer on two non-profit boards of directors. He earned a MBA from Georgia State University and a B.S. in Political Science from Kennesaw State University. John, his wife Sherie and their six children live in Kennesaw, Georgia.

PRINCIPLE 3: RISK-DRIVEN
Auditors should have no trouble relating to a risk-driven approach – one in which sound risk management principles (i.e., hazard identification, risk analysis, and impact analysis) drive the assessment of priorities and resources. The process that should be used by emergency managers to identify areas for review is remarkably similar to the process for determining an audit plan.

To determine whether an emergency management program is risk-driven, auditors should determine whether a comprehensive list of hazards has been identified, and review each hazard to ensure that the relative risk has been considered in the development of specific mitigation measures for each hazard.

PRINCIPLE 4: INTEGRATED
An integrated emergency management program is one that ensures “unity of effort among all levels of government and all elements of a community.” Integration requires building of partnerships among disciplines and across sectors. Those partnerships should facilitate communication and shared decision-making among stakeholders.

To determine whether an emergency management program is integrated, signed Memorandums of Agreement (MOA) or Understanding (MOU) should be collected and reviewed. MOAs or MOUs should exist between the institution and appropriate community partners, and may be appropriate with other emergency management partners depending on scope of operations (e.g., an institution that performs research involving potential biological pathogens may establish some arrangement with the Centers for Disease Control).

The review of the MOA or MOU should make clear what obligations exist for both parties, and interviews with personnel should confirm understanding of those obligations. Local or state regulations may also mandate certain requirements, especially for public institutions. The important point at this step is that emergency management must be integrated into daily decisions, not just during times of disasters, to ensure that when an event occurs all parties are united in their efforts.

PRINCIPLE 5: COLLABORATIVE
To be collaborative, emergency managers “create and sustain broad and sincere relationships” that build an environment where coordination of efforts during an event will work. Collaboration is different than coordination. Coordination involves identification of specific tasks that need to be completed and assignment of roles and responsibilities; collaboration ensures that the right individuals are involved and that when they are called they have a sincere desire to listen and actively participate in the solution.

It is more difficult to determine whether an emergency management program is collaborative because it is based on the existence and strength of relationships. A first step would be to ask the emergency management team for a list of on-campus and off-campus community partners. Interviews can be completed to understand the depth of existing interaction with those partners and can be qualitatively assessed. Inclusion of key partners in training or a recent campus drill may indicate on-going interaction, while a response that, “we’ve never met Mark, but we hear he’s a good guy” may lead to concern.

PRINCIPLE 6: COORDINATED
When efforts are well-coordinated, emergency managers “synchronize the activities of all relevant stakeholders to achieve a common purpose.” Using a sports analogy, if collaboration means that everyone is willing and interested to be on the team, coordination means that the coach then understands what plays should be called and that all of the players understand and are ready to execute. Everyone has a shared objective and believes that the play called is the best way to accomplish it.

To determine whether an emergency management program is coordinated, several areas can be evaluated:

• Review the institution’s communication plan. Are the right groups included? Are plans in place to address failure of primary and secondary communication methods? Where will the key leaders meet to coordinate efforts? Is contact information accessible during power outage?

• Inspect the institution’s emergency operations center. Is the center ready to operate during all of the hazards identified in the risk assessment?

• Review the processes for handling evacuations. The detailed considerations for evacuating students from campus, or receiving community members who need to be sheltered, are complex. Controls for communication, logistics, procurement, funding and security should be assessed.

PRINCIPLE 7: FLEXIBLE
Emergency managers that “use creative and innovative approaches in solving disaster challenges” meet the flexible principle. No single strategy exists to reduce or eliminate risk, and in emergency management, identifying a range of mitigation strategies allows managers to identify not only the most efficient solution, but also the one that is most likely to work in any given circumstance – i.e., effective. Flexibility has a role in each of the four planning stages: mitigation, preparedness, response and recovery, and the important aspect in each is that one size does not fit all. Managers must be prepared to adapt quickly based on new information and insight.

To determine whether an emergency management program is flexible, a few suggestions are made. Does the plan identify authority to waive standard procedures in cases of emergency? Is a secondary authority identified, in case the primary authority is unavailable? Also, consider what has been learned through interviews and document review: Is there more than one course of action or response identified for each major element?

PRINCIPLE 8: PROFESSIONAL
Emergency managers that are professional “value a science and knowledge-based approach” that has a common shared foundation. Understandings of ethics, a network of professional associations, certifications, specialized knowledge and use of best practices all create a foundation that ensures that emergency management is a profession – not just a discipline or avocation.

To determine whether an emergency management team is professional, both competency and demonstration of skills for handling emergency situations should be assessed. Because it is unlikely that institutions will go through an actual event that can be used to assess the professionalism of individuals and the team as a whole, institutional drills can provide a good alternative. Do the drills mirror real-life expectations including communication patterns and involved participants? Are the drills table-top, or conducted consistent with real logistical challenges? Do participants complete an “after-action review” to share lessons learned both from what went well and what needs to be improved?

THE BOTTOM LINE
The vision outlined in the Principles states that “emergency management seeks to promote safer, less vulnerable communities with the capacity to cope with hazards and disasters.” Dealing with the threat of a significant event is like any other risk that auditors assess; no control can eliminate all risk, and if it could, the cost would likely be unaffordable. Therefore, the goals become “safer” and “less vulnerable.” In the people business of higher education – where institutions are built anywhere there is a population that needs to learn and everyone carries a backpack – audit has a role to help each institution understand the risk and control trade-offs at each phase of the emergency management process.

NOTES
1. Principles of Emergency Management (http://training.fema.gov/EMIWeb/IS/IS230/Principles%20of%20EM.pdf)
2. National Governors’ Association. 1978 Emergency Preparedness Project: Final Report. Washington, DC: HGA, 1978.


Attribute standard 2300 in the International Standards for the Professional Practice of Internal Auditing (“Standards”) states that “internal auditors should identify, analyze, evaluate and record sufficient information to achieve the engagement’s objectives.” On most days, audit can be like a game of hide-and-seek, where auditors chase about trying to find the data needed to meet the Standards. Good auditors learn “seeker” skills quickly. They learn to find data by understanding how information flows. They expand their reach to identify and leverage key operational and information technology personnel to help when needed. They spend the time and effort needed to learn how to extract and manipulate data themselves.

However, sometimes the search for information is less like a game of hide-and-seek and more like a game of capture the flag. The challenge is fundamentally different when the information is not hidden but guarded by institutional gatekeepers. When individuals assert the privacy argument – “you can’t have that because it is protected by privacy laws” – the tools needed to achieve the desired audit objective are very different. CandU Auditor reached out to the ACUA membership to identify ways that you can gather needed information to evaluate and improve risk management, control and governance processes in these unique situations. Over ten audit professionals responded, resulting in three best practices that can be used to help you win the privacy argument.

GET IT IN WRITING
Nearly all of the respondents who had faced the privacy argument pointed to their audit charter as the most important tool in gaining access to needed information. In the Standards, Practice Advisory 1000-1 outlines recommended aspects of a good charter, including approval by senior management and the board, and authorization of access to records and information. Several individuals identified placing a reliance on “full, free, and unrestricted” access, which provided strong and clear support for the audit function authority. In some instances, the charter was sufficient to allow the audit to move forward, but in all cases it provided a solid foundation for additional elements.

KEEP IT CONFIDENTIAL
The intent of privacy laws is to restrict disclosure of information. Two of the most frequently referenced privacy laws in higher education are the Federal Education Rights and Privacy Act (FERPA), which protects the privacy of education records, and the Health Insurance Portability and Accountability Act (HIPAA), which protects the privacy of individually identifiable health data. Predictably, individuals on campuses who are tasked with maintaining these protected records are cautious even in cases of appropriate use of those records.

Respondents noted that accepting audit’s responsibility for confidentiality over those records was often helpful. Many had clauses in their audit charter that matched the access to data with a responsibility to maintain that data confidentially or even in a manner consistent with the data owner. Others reflected that they had signed the same confidentiality statement required of the operating department’s employees. Once it was clear that auditors would take data safeguarding as seriously as the data owners, they were more likely to provide access.

ASK FOR HELP
Although good preparatory work and sound rational discussion may prove an effective combination, some institutions reported that it was often necessary to ask for help. One audit office reported that they did not have a charter, but that when the matter was taken up the chain to the appropriate vice president, they were able to access the data. In fact, escalation to individuals who were aware of audit’s role and responsibilities seemed to be an effective way of breaking the logjam. Additionally, gaining the support of others who had organizational credibility in understanding the

Privacy: How Should the Auditor Respond?
By Mel Hudson-Nowak, Internal Audit Practices Section Editor

For more information on the privacy laws noted, visit the following Web sites:

For FERPA guidance: US Department of Education, http://www.ed.gov/policy

For HIPAA guidance: US Department of Health and Human Services, http://www.hhs.gov/ocr/hipaa

(see “Privacy,” page 28)


Picture in your mind the following scenario: Inside a vacant building immediately adjacent to the University of Central Florida (UCF) campus, armed intruders enter hallways and classrooms and begin shooting students and faculty members. In reaction to the call, University police officers respond at the building site. In the past, the officers would have followed containment procedures and crouched behind their cars, or other appropriate cover, containing the assailants until the arrival of the SWAT team. Today, these responding officers do something different. They go directly into the building to confront the shooters and neutralize them.

This is a training scenario, a joint cooperative effort by UCF, Saab Training USA, and MPRI, a division of L-3 Com, which was held in the vacant Graseby Building in the Central Florida Research Park, adjacent to the UCF main campus. The objective of the exercise was to prepare the UCF police officers to respond to the growing trend in active shooter incidents.

The participants – officers, “victims” and “shooters” – were all members of the UCF community, participating in a first-of-its-kind exercise in a university environment. In addition to the UCF police officers, about 20 faculty members and 100 students volunteered to act as role players, getting a rare inside look at an active shooter exercise. Students and faculty were given cards indicating how they should respond after “shots” were fired. Some were asked to crouch down under desks, some would try to flee the building and still others, who were injured, would plead with officers for help.

High tech cameras monitored their every move. Octatron, Inc., a California company specializing in imaging and communication systems, provided the video camera system for the exercises. Officers’ and shooters’ weapons were equipped with special lasers. Retired FBI SWAT and Hostage Rescue Team members served as instructors, to monitor and critique the officers’ actions. All of this was tied into a cutting edge computer monitoring system, which enabled trainers and UCF Police Department superior officers to view the action in real time, and then to conduct thorough After Action Reviews (AARs) with the participating officers. Scenarios and scripting are done by Curriculum Design and Development of Vero Beach.

The shooters and officers carried department-issued guns loaded with blanks and fitted with small laser transmitters on the barrels. The participants all wore vests equipped with laser beam receptors and GPS antennas. The transmitters sense when “shots” are fired and project a beam. The vests track the movements of the person wearing them, feeding the information to a central computer database and display. The laser receptors sense when a person is hit and whether the shot is fatal, a critical injury, or a minor injury. This information is also fed into the database. Additional technology aids in reporting how many shots were fired, who fired them and where the rounds went.

Officers entered the building in teams, with the sole mission of finding and stopping the shooters. They participated multiple times with different colleagues, while organizers made changes such as using different shooters, different numbers of shooters, shooters in different rooms, etc., so the scenarios would not become predictable.

MPRI’s instructors accompanied the officers, while trainers and observers from other organizations, such as the Florida Department of Law Enforcement, watched the scenario live on wall-size, side-by-side monitoring screens located in another part of the building. One screen featured a Saab software program that indicated the whereabouts of every officer and other role players in the building, while tracking their movements real-time in 3-D. The other screen showed live video from wireless cameras placed throughout the building. Saab Training USA conducts similar exercises, under contract to the US Department of Defense, for the Army, Marines and Navy SEAL Teams. The software program is capable of displaying the whereabouts of up to 80 people at a time, and it can be configured to show the entire building or just one or two rooms.

Joint Exercise in Responding to a Shooter Incident
By Lee Kernek

ABOUT THE AUTHOR

Lee Kernek, Associate Vice President for Facilities & Safety, comes to the University of Central Florida from CALIBRE, a company involving work with multi-faceted government programs. She has a Masters in Public Administration from Harvard University, and extensive experience in administration, finance, and government and public relations.

Lee worked as a Department of Defense senior manager, where she directed and managed foreign relations programs, legislative initiatives and political strategies. As the Director of Public Relations and Physician Services for Beauregard Memorial Hospital in Louisiana, she led the hospital's efforts in community, government and public relations.

Lee has worked with a variety of companies and organizations, ranging from the Army to NASA. She worked counter-narcotics for President Bush. She has also received a Government of Guatemala Medal for Exceptional Meritorious Service, and the Department of the Army Achievement Medal for Civilian Service.

Saab Training USA and Octatron provided the equipment and technical assistance at the exercise for free. Photo: Jacque Brund

“The high-tech equipment and the help of our students and faculty made this an invaluable experience for our line police officers,” said Lee Kernek, a UCF associate vice president, who oversees the Police Department. “While we hope that this type of scenario never happens on our campus, it is important that we provide frequent training to ensure that our officers are well prepared. They are the first line of defense in protecting the lives of our faculty, staff and students, should such an incident occur.”

“This was an opportunity to bring a really unique type of training to our personnel,” said Chief Richard Berry of the UCF Police Department. “The trends we have seen indicate an increasing number of this type of incident. This makes us much better prepared.”

“Instead of going through the training and walking away, our technology allows officers and trainers to keep going back over the scenarios to see what was done right and what should have been done differently,” said Keith Kernek, Saab Training USA’s vice president for training solutions. “It’s a confidence builder.”

“Combining the administrative and educational capabilities of UCF, the cutting edge technology of Saab Training USA and MPRI’s seasoned tactical trainers enables us to provide a level of training unmatched anywhere in the world,” said Lee Kernek.

An unexpected benefit was discovered at the conclusion of the training. The training was not only a confidence builder for the police, but also for the students and faculty. They discovered what gunshots, heard several rooms away, sound like. They also learned how to react in various situations. “You don’t have to sit there and be a victim,” said one student; “you can try to get away.” Another commented, “I really got caught up in this. It was scary. After it was over, we, my friend and I, talked about what we could do if it really happened. Now we know there is stuff to do other than just hiding under our desks.”

UCF, in partnership with Saab and MPRI, will continue to train their police officers, with the program expanded to include emergency medical and fire personnel. At the same time, ways of making this training available to other entities around the state are being explored.

In conclusion, the benefits of this simulated exercise leveraged the knowledge and skills of the assessment team in how to respond to and deter a potential crisis incident that we hope never occurs.


UCF Police Chief Richard Beary explains the training exercise. Behind him are the live computer images of the entire training area and live video of several of the rooms. Photo: Jacque Brund

Sophomore Alex Boucher performs CPR on injured senior Franz Osorio while officers Katie Marts (front left), Abby Horsely, Chuck Reising (back right) and Alan Elliot go through the police training exercise. Photo: Jacque Brund

Orange County Mayor Rich Crotty tried on one of the vests worn by officers and student and faculty role players during the scenario. Howard Harris, Saab Training USA’s business development manager, explained how the high-tech vests work. Photo: Jacque Brund

UCF police officers entered a vacant building in teams of four in an effort to find and kill the “shooter” during the training exercise. This scenario featured officers Jennifer Powers, Matthew Ahearn and Wilfredo Sotomayor. Photo: Jacque Brund


Whoa, Nellie! Look left, look right, cave diving, 15 passenger vans, nuclear reactors, raw fish, Clery Act, IBC, IRB, NIMS, study abroad, teaching labs, wet labs, dry labs, active shooter training, hurricanes, the flu, fire safety and on and on! What are internal auditors supposed to do?

Recently, the Texas State Auditor’s Office conducted an audit of all 35 higher education institutions’ campus safety and security emergency management plans in Texas. Based upon the results of this audit, the first thing is to find out if your institution has taken the following steps:

• Developed an emergency management plan. According to the Local Emergency Management Planning Guide from the Texas Governor’s Office, emergency management is the continuous process of mitigating the effects of and preparing for emergencies and then responding to and recovering from emergencies once they occur. The Guide also defines what goes into an emergency management plan. An emergency management plan outlines the coordinated operation efforts by all responders to perform necessary emergency functions.

According to the Governor’s Division of Emergency Management, “It has been repeatedly demonstrated [that] preplanning emergency operations saves time in getting operations underway, facilitates integrated effort and helps ensure essential activities are carried out efficiently.”

• Adopted NIMS Standards. In February 2003, Homeland Security Presidential Directive 5, Management of Domestic Incidents, directed the Secretary of Homeland Security to develop and administer a National Incident Management System (NIMS). NIMS is designed to provide a consistent nationwide approach for federal, state and local governments to work together effectively and efficiently to prevent, prepare for, respond to and recover from domestic incidents, regardless of cause, size or complexity. Adoption of NIMS standards is a condition for receiving federal preparedness assistance from the US Department of Homeland Security, such as grants, contracts or other activities.

• Assessed risks. Because of the varied geographical locations and the large open and accessible size of their campuses, institutions must consider and plan for a wide range of natural and man-made hazards. Additionally, because of the variety of potential hazards, it is important that institutions take an all-hazards approach to emergency planning and perform campus-specific risk assessments. Risk assessments assist institutions in identifying potential hazards and assessing their likelihood and impact. A comprehensive risk assessment can help institutions plan for hazards and identify critical hazard mitigation activities.

• Trained key staff. According to the US Department of Homeland Security, higher education institutions should identify key positions that should receive NIMS Incident Command training. Key positions are those involved in school emergency management and incident response and fall into one of three categories: general personnel, critical personnel or leadership personnel.

General Personnel – Personnel with any role in emergency preparedness, incident management or response.

Critical Personnel – Personnel with a critical role in response such as incident commanders, command staff, general staff or members of a key campus emergency management team.

Leadership Personnel – Personnel typically obligated to command and manage people and activities during an emergency incident.

• Conducted regular training and exercises of its emergency management operations. According to the Homeland Security Exercise and Evaluation Program, emergency exercises include:

Table-top exercises – validate plans and procedures by having key personnel discuss a hypothetical scenario.

Functional exercises – evaluate capabilities, functions, plans, and operations centers by responding to a simulated emergency. Command staff actions are real, but movement of response personnel and equipment is simulated.

Full-scale exercises – validate every aspect of emergency management through actual implementation and execution during a simulated scenario. This includes the actual mobilization of resources, response personnel, and command staff.

Campus Safety and Security – What Is An Auditor To Do?
By Charles R. Hrncir, CPA

ABOUT THE AUTHOR

Charles R. Hrncir is a Director for the Texas A&M System Internal Audit Department. He received his bachelor of business administration in accounting from Texas A&M University in 1980. Prior to joining the System Internal Audit Department in April of 2000, Charlie worked for the Texas State Auditor's Office for 19 years. Charlie is a Certified Public Accountant and an active participant in the Boy Scouts of America and Little League International.

In addition to reviewing the status of campus safety and emergency management plans, the Texas State Auditor’s Office researched previous reports on campus safety and security produced by federal officials, national organizations, task forces and universities in other states. Five common themes were identified:

• Higher education institutions should create and regularly update an all-hazards emergency response plan. Campuses that develop and implement an all-hazards emergency plan will increase their capacity for quickly responding to emergencies. Emergency plans should be updated regularly to increase the institution’s preparedness for complex and changing security threats. Higher education institutions’ emergency management plans also should strive to identify all hazards that the institution may reasonably expect to occur.

• Higher education institutions should regularly schedule emergency operations drills and tests of emergency equipment. By regularly conducting training exercises and other practice drills, higher education institutions can test the effectiveness of their emergency management plans and identify areas needing improvement. Emergency exercises also allow the campus community (including faculty, staff, and students) to gain an understanding about what they should do during certain emergency situations. In addition, the federal Higher Education Opportunity Act of 2008 requires university and college campuses to annually test and publicize their emergency response and evacuation procedures.

• Higher education institutions should train faculty, staff, and students on emergency protocol and offer outreach programs on how to identify students exhibiting at-risk behaviors, as well as other topics related to mental health and campus safety. Training and educating the campus community can help safeguard lives by allowing the campus community to recognize emergency alerts and understand the appropriate procedures to take during an emergency.

• Higher education institutions should enter mutual aid agreements, develop strong working relationships, and conduct joint training with local law enforcement partners and other external emergency responders. Partnerships with local responders can enhance a higher education institution’s response capabilities in the event of a crisis. NIMS standards recommend that each jurisdiction enter into mutual-aid agreements with other appropriate jurisdictions from which assistance is expected to be received and/or for which such assistance may be provided in the event of an emergency.

• Higher education institutions should adopt emergency mass-notification and communications systems. Implementing mass-notification systems would allow campus personnel to quickly alert and relay important information to the campus community during an emergency. Under the Higher Education Opportunity Act of 2008, higher education institutions must immediately notify the campus community upon confirmation of an immediate threat to the campus community.

When I joined the higher education internal audit community several years ago, Charlie Chaffin, Director of Internal Audit for the University of Texas System, told me that campus safety was the highest risk area for higher education. Higher education institutions are doing all sorts of things related to campus safety and security, with all sorts of new tools and techniques and practices, creating a very interesting and exciting environment!

Taking the steps listed above, you can help your institution enhance its campus safety and emergency management environment and ensure that it is ready for any potential safety and security emergency. For more information about emergency management go to www.fema.gov/emergency/nims/ and www.txdps.state.tx.us/dem/pages/index.htm.

For an electronic copy of the Texas State Auditor’s Office “Report on Campus Safety and Emergency Management Plans” go to www.sao.state.tx.us and click on Reports and Publications. Additionally, the International Association of Campus Law Enforcement Administrators’ report, “Blueprint for Safer Campuses,” can be found at www.iaclea.org and the National Association of Attorneys General’s “Report and Recommendations of Task Force on School and Campus Safety” can be found at www.naag.org.

Additional information about campus safety and security should soon be coming from the National Association of College and University Business Officers (NACUBO). NACUBO has joined with nine other higher education associations to gather data and provide resources for institutions on planning for all types of emergencies. A key component of the project is a comprehensive survey assessing the state of readiness of colleges and universities across the country.


Today, more and more organizations are putting their applications on the Web. As a result, Web-based applications are being targeted for attack. According to SC Magazine’s January 2007 edition, Web applications are one of the fastest growing threats.[1] In addition, current information technology (IT) security practices, including usernames and passwords, Secure Socket Layer (SSL) and encryption, firewalls and scanners, do not readily identify and mitigate the threats from the unauthorized use or invasion of Web-based applications.[2]

• Passwords are used to authenticate users to the application. However, consumer Web applications deal with unknown customers and the public, which are easy for a hacker to impersonate.

• SSL and data encryption protect data from eavesdropping during transmission, but an application requires readable data to be useful for its users.

• Firewalls are useful in blocking unauthorized traffic into your internal networks; however, Web application traffic must be allowed to pass through the firewall for legitimate users.

• Scanners and intrusion detection systems (IDSs) look for known vulnerabilities. Scanners identify outdated/vulnerable software and services while IDSs monitor network traffic, identifying patterns consistent with known attacks. Web applications do not need outdated software to be vulnerable or generate unusual network traffic while being misused.

WEB APPLICATION VULNERABILITIES
What types of Web application vulnerabilities are being exploited? And more importantly, what can be done to mitigate their threat? The Open Web Application Security Project (OWASP) was created to address these problems. OWASP created the Top 10 Web application threats:
1. Cross Site Scripting
2. Injection Flaws
3. Malicious File Execution
4. Insecure Direct Object Reference
5. Cross Site Request Forgery
6. Information Leakage and Improper Error Handling
7. Broken Authentication and Session Management
8. Insecure Cryptographic Storage
9. Insecure Communications
10. Failure to Restrict Uniform Resource Locator (URL) Access[3]

CROSS SITE SCRIPTING
Cross site scripting (XSS) flaws allow a user to insert code, either HyperText Markup Language (HTML) code or client-side script, that is viewed by other Web site users. This occurs when the application accepts user-supplied data and sends it to the Web browser without first validating or encoding the data. XSS allows an attacker to run code on the victim’s browser which may assist in phishing attacks, hijacking user sessions, defacing Web sites or introducing viruses or worms. XSS may be avoided by validating and encoding user-supplied data prior to usage by the application.[4]
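The validate-then-encode mitigation described above, as an added example that is not part of the column: a profile page rendered the flawed way beside the hardened way. The sample inputs, the username rule and the field names are constructed for illustration.

```python
import html
import re

# Constructed sample inputs (not from the column): a hostile display name
# and a hostile free-text bio of the kind a user could submit.
HOSTILE_NAME = 'bob"><script>alert(1)</script>'
HOSTILE_BIO = "<img src=x onerror=alert(document.cookie)> hello"

# Allow-list for a structured field; the 3-20 character rule is an assumption.
USERNAME_RE = re.compile(r"[A-Za-z0-9_]{3,20}")


def username_is_valid(name: str) -> bool:
    """Validation: structured fields are checked against an allow-list."""
    return USERNAME_RE.fullmatch(name) is not None


def render_profile_unsafe(name: str, bio: str) -> str:
    """The flaw the column describes: user data is placed in the page verbatim,
    so a browser viewing the profile runs whatever the user typed."""
    return f'<a href="/users/{name}">{name}</a><p>{bio}</p>'


def render_profile_safe(name: str, bio: str) -> str:
    """Mitigation: reject malformed structured input, then HTML-encode every
    user-supplied value on output. quote=True also encodes " and ', which
    matters when the value lands inside an attribute."""
    if not username_is_valid(name):
        raise ValueError("username must be 3-20 letters, digits or underscores")
    safe_name = html.escape(name, quote=True)
    safe_bio = html.escape(bio, quote=True)
    return f'<a href="/users/{safe_name}">{safe_name}</a><p>{safe_bio}</p>'


def has_live_tag(fragment: str) -> bool:
    """Check used by the tests: does an unencoded '<' still open a tag?"""
    return re.search(r"<(script|img)\b", fragment, re.IGNORECASE) is not None
```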

INJECTION FLAWS
Injection flaws, particularly Structured Query Language (SQL) injection, allow a user to insert code that is sent to an interpreter as part of a command or query. The code is then used by the interpreter to execute unintended commands. Injection flaws allow an attacker to display unintended data, change database records, or delete database contents. Injection flaws may be mitigated by validating the user-supplied data prior to their being sent to the interpreter or using parameterized statements.[5]
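Both mitigations named above (validation and parameterized statements) against the string-concatenation flaw, as an added example that is not part of the column. It uses Python’s built-in sqlite3 module; the table, its rows and the 32-character name limit are constructed for illustration.

```python
import sqlite3

# Constructed sample input (not from the column): the textbook tautology used
# to illustrate how untrusted text changes the meaning of a query.
HOSTILE_NAME = "x' OR '1'='1"


def make_db() -> sqlite3.Connection:
    """Constructed in-memory table standing in for the application database."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, email TEXT)")
    con.executemany("INSERT INTO users (name, email) VALUES (?, ?)",
                    [("alice", "alice@example.edu"), ("bob", "bob@example.edu")])
    return con


def find_user_unsafe(con: sqlite3.Connection, name: str) -> list:
    """The flaw: the value is pasted into the SQL text, so the interpreter
    treats whatever the user typed as part of the command."""
    sql = f"SELECT name, email FROM users WHERE name = '{name}'"
    return con.execute(sql).fetchall()


def find_user_safe(con: sqlite3.Connection, name: str) -> list:
    """Mitigation (parameterized statement): the driver sends the value
    separately from the query text, so it can only be compared against,
    never alter the query's structure."""
    return con.execute("SELECT name, email FROM users WHERE name = ?", (name,)).fetchall()


def name_is_valid(name: str) -> bool:
    """Mitigation (validation): an allow-list applied before the interpreter
    is ever reached; the 32-character limit is an assumption."""
    return name.isalnum() and len(name) <= 32


def find_user_validated(con: sqlite3.Connection, name: str) -> list:
    """Both mitigations together: validate, then use a parameterized query."""
    if not name_is_valid(name):
        raise ValueError("name must be alphanumeric")
    return find_user_safe(con, name)
```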

MALICIOUS FILE EXECUTION
This threat (also known as Remote File Inclusion) allows a user to execute code (stored in a remote file) from the targeted Web site. This occurs due to vulnerable code on the Web site. For example, an attacker may substitute the remote location of some malicious code for a variable in the targeted Web site’s URL. If the Web site’s code does not validate the variable prior to its usage by a function or command, the malicious code will be executed, allowing the attacker to access the server housing the Web site and potentially gain root privileges. Malicious file execution may be mitigated by validating all variables prior to their usage.[6]

Web Applications: The Latest Threat

By IT Guest Columnist Wilson Crider, CPA, CISA

ABOUT THE AUTHOR
Wilson Crider, CPA, CISA, who serves as an IT Audit Manager, County of Orange, Internal Audit Department, was previously an IT Auditor at the University of California, Irvine. He has over 16 years of auditing experience, including extensive work in public accounting. He has published previously in College & University Auditor and has also published an article for the Information Systems and Audit Control Association.

INSECURE DIRECT OBJECT REFERENCE
In this situation, an attacker identifies a reference to some internal object such as a file, directory, database record, or key, as a URL or form parameter and then manipulates those references to access other objects without authorization. This threat is mitigated by securing object references.[3]

CROSS SITE REQUEST FORGERY
A Cross Site Request Forgery (CSRF or XSRF) occurs when an attacker uses a trusted user to unknowingly submit transactions to a vulnerable Web site. With this attack, the attacker tricks a trusted user of the vulnerable Web site (e.g., clicking on an image in an internet forum). This executes malicious code from the victim’s browser to send an unauthorized transaction to the vulnerable Web site using the victim’s authentication information (usually stored in a cookie). CSRF may be mitigated by the Web site’s switching from persistent authentication (e.g., cookie and Hypertext Transfer Protocol (HTTP) authentication) to transient authentication (e.g., hidden field on every form or verifying user-specific tokens on each form).[7]
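The per-form, user-specific token mitigation described above, as an added example that is not part of the column: the token is derived from the session id with a server secret, embedded in a hidden field, and recomputed on submission. The session ids, form action and server key are constructed for illustration; a forged request carries the victim’s cookie but not the token, so it fails the check.

```python
import hashlib
import hmac
import secrets

# Constructed server-side secret (not from the column); in a real deployment
# it would be loaded from protected configuration, not generated at import.
SERVER_KEY = secrets.token_bytes(32)


def make_csrf_token(session_id: str, key: bytes = SERVER_KEY) -> str:
    """User-specific token bound to the session: HMAC-SHA256 of the session id
    under the server key. Nothing is stored; the server recomputes it later."""
    return hmac.new(key, session_id.encode(), hashlib.sha256).hexdigest()


def render_form(session_id: str) -> str:
    """Transient authentication: a hidden field on every state-changing form."""
    token = make_csrf_token(session_id)
    return ('<form method="post" action="/transfer">'
            f'<input type="hidden" name="csrf_token" value="{token}">'
            '<input name="amount"><button>Send</button></form>')


def handle_post(session_cookie: str, form_fields: dict, key: bytes = SERVER_KEY) -> bool:
    """Accept the transaction only when the submitted token matches the one
    expected for this session. The browser attaches the cookie to a request
    forged from another site automatically, but that site cannot read the
    token out of the victim's form, so the comparison fails."""
    expected = make_csrf_token(session_cookie, key)
    submitted = form_fields.get("csrf_token", "")
    # Constant-time comparison so the check itself does not leak the token.
    return hmac.compare_digest(expected, submitted)
```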

INFORMATION LEAKAGE AND IMPROPER ERROR HANDLING
Information leakage and improper error handling are what they imply. The application unintentionally reveals information that is used by an attacker to obtain sensitive information. For example, the error message for a wrong user id or password may specify the user id format or password characteristics instead of a generic message that the user id/password is invalid.[3]

BROKEN AUTHENTICATION AND SESSION MANAGEMENT
Broken authentication and session management flaws refer to attacks from improperly protected account credentials or session tokens. Attackers use the poorly protected credentials and tokens to compromise passwords, keys or authentication tokens and assume the identities of other users.[3]

INSECURE CRYPTOGRAPHIC STORAGE
Insecure cryptographic storage refers to flaws in the implementation of cryptographic functions to properly protect data and credentials. Attackers use these weaknesses to conduct identity theft and other crimes, such as credit card fraud. This threat is lessened by employing strong cryptographic algorithms and proper implementation.[3]

INSECURE COMMUNICATIONS
Insecure communications occur when the application neglects to encrypt network traffic for sensitive data (authentication credentials, credit card data, etc.). The attacker captures the unencrypted data and uses it to perform other attacks or unauthorized transactions. Insecure communications may be mitigated by encrypting all network traffic using strong encryption algorithms and proper implementation.[3]

FAILURE TO RESTRICT URL ACCESS
Failure to restrict URL access refers to protecting sensitive functionality, such as links or URLs, merely by not displaying it to unauthorized users. Attackers scan the applications for hidden links and URLs and then access the URLs directly to perform unauthorized operations. This may be avoided by limiting the use of hidden links and requiring user authentication on each form.[3]

AUDITOR’S ROLE
In addition to the traditional application review procedures, Web-based applications require the auditor to take a closer look at the organization’s application development practices and methodology. In particular, the methodology should address the following:
• Requirement documents address the following security issues: access (authentication and authorization), data confidentiality, integrity, accountability, transport security and privacy;
• Development standards address the following security concerns: session management, application layer logging, cookies, hidden links, data entry validation, variable value validation, data transmission and encryption, and error handling;
• Code reviews ensure compliance with development standards and remove old, backup and unnecessary files and references from the production system; and
• Security reviews test for existence of known vulnerabilities.[8]

OWASP has developed a variety of documents and tools (available on their Web site: www.owasp.org) to assist with development, review and testing of Web-based applications, including:
• Detailed audit program (OWASP Testing Guide v2);
• OWASP WebScarab project – security testing tool for Web applications and services;
• OWASP Guide project – security guide for Web applications and services;
• OWASP Testing Guide – testing guide for Web applications;
• OWASP Encoding project – document encoding best practices; and
• OWASP Code Review project – document code review best practices.[9]

In addition, there are commercial software packages available to assist with the assessment process, including Watchfire’s AppScan and HP’s WebInspect.

CONCLUSION
“With literally hundreds of hidden security-related vulnerabilities showing up in Web applications weekly, it’s not really a matter of if but when someone finds an unknown flaw in your site and exploits it.”[1] Auditors need to be looking at their organization’s Web sites and the applications running on them. With the help of organizations like OWASP and commercial software, auditors


can help to minimize the threats associated with their organization’s Web-based applications.

(continued from “Privacy,” page 21)

legislation, including legal counsel, was mentioned as a successful strategy. One person noted that they had received positive benefits from a clause in their audit charter that requires non-compliance with an information request to be reported to the audit committee.

THE BOTTOM LINE
Whenever auditors are dealing with access to sensitive, confidential or private information, it is important to remember that in the audit role, the hope is that the data gatekeepers are prudent in their oversight. Alfred Chavez, University of San Diego, noted in his response that, “the first thing I used to tell staff was that it was actually a good thing that auditees who are in charge of confidential information pushed us back at first. It shows that they are protective of the data they have.” Using the techniques and tools above, the audit team should be able to capture the flag – needed information – and complete the audit objectives deemed appropriate at each institution.

REFERENCES
1. Jim Carr. “Fast Growing Threats.” SC Magazine, January 2007.
2. “Security at the next level: are your Web applications vulnerable?” HP white paper.
3. Top 10 Web Application Vulnerabilities for 2007. Open Web Application Security Project.
4. “Cross-site scripting.” Wikipedia, the free encyclopedia.
5. “SQL injection.” Wikipedia, the free encyclopedia.
6. “Remote file inclusion.” Wikipedia, the free encyclopedia.
7. “Cross-site request forgery.” Wikipedia, the free encyclopedia.
8. OWASP Testing Guide v2. Open Web Application Security Project.
9. OWASP Web site. http://www.owasp.org/index.php/Category:OWASP_Project.
