Internal Control, Risk Assessment &
Performance Auditing
(Thoughts from SAS’s 109 & 115)
Presented by:
Billy Morehead, Ph.D., CPA, CGFM, CPM
AGA Past National President and
Chair, Division of Accountancy, CIS & Finance
Delta State University, Cleveland, Mississippi
Definition of Internal Control
Internal control is a process – effected by those
charged with governance, management, and
other personnel – designed to provide
reasonable assurance about the achievement of
entity’s objectives with regard to:
–
–
–
Reliability of financial reporting
Effectiveness and efficiency of operations, and
Compliance with applicable laws and regulations
Source: AICPA SAS 115
2
Definition of Risk Assessment
Risk analysis involves a careful, rational process
of estimating the significance of a risk,
assessing the likelihood of its occurrence, and
considering what actions and controls are
necessary to manage it.
Risk analysis involves estimating the cost to the
agency if an unexpected risk actually occurs.
3
Definition of Performance Audit
“Performance Audit is a valuable management
tool carefully structured around tough, nationally
recognized auditing principles that evaluate
whether tax dollars are being spent in an
effective, efficient and economic manner.”
(Heartland Institute)
4
Those Charged With Governance:
is defined as: “the person(s) with
responsibility for overseeing the
strategic direction of the entity and
obligations related to the accountability
of the entity. This includes overseeing
the financial reporting and disclosure
process.”
In most entities, governance is a
collective responsibility….
5
Internal Control Is Affected by
those charged with Governance –
an Entity’s Board of Directors,
Management, & Other Personnel.
The Establishment of Internal
Control Is
MANAGEMENT’S
Responsibility.
6
Internal Control Consists of 5
Interrelated Components:





Control environment (values, ethics,
integrity)
Risk assessment (inherent and direct)
Control activities (policies and procedures)
Information and communication (systems
and financial statements, etc.)
Monitoring (management, internal
auditors, audit committees, etc.)
7
COSO Cube
Components
Objectives
8
There Is a Direct Relationship Between:
OBJECTIVES
(What an Entity Strives to Achieve) and
COMPONENTS
(Organizational Climate & Structure Needed to
Achieve the Objectives)
BOTH are related to the entire entity & all business
units & functions
9
COSO Pyramid
10
Internal Control, No Matter How
Well Designed and Operated,
Can Only Provide
REASONABLE Assurance
to Management and the
Board of Directors Regarding
Achievement of an Entity’s
Control Objectives.
11
Control Environment
The control environment sets the tone of
an organization influencing the control
consciousness of its people.
It is the foundation for effective internal
control, providing discipline and
structure.
12
Control Environment Factors
 Communication & enforcement of integrity &







ethical values
Commitment to competence
Participation of those charged with
governance
Management’s philosophy & operating style
Organizational structure
Assignment of authority & responsibility
Human resource policies and practices
Entity’s risk assessment process
13
Communication & Enforcement of
Integrity & Ethical Values
 Codes of conduct (behavioral statements)
 Policies and procedures regarding:
 Acceptable business practices
 Conflicts of interest
 Expected standards of ethical and moral
behavior
 How communicated & reinforced
14
Communication & Enforcement of
Integrity & Ethical Values
 Dealings with employees, suppliers,
customers, investors, creditors,
insurers, competitors, and auditors
 Pressures to meet unrealistic
performance targets
15
Commitment to Competence
 Hiring practices (check references)
 Formal job descriptions defining tasks
that comprise particular jobs
 Analyses of the knowledge and skills
necessary to perform jobs adequately
16
Participation of Those Charged
with Governance
 Independence from management
 Experience & stature of its members
 Extent of its involvement and scrutiny of
activities
 Appropriateness of its actions
 Information it receives
17
Participation of Those Charged
with Governance
 Degree to which difficult questions are raised
and pursued with management
 Interaction with internal and external auditors
 Oversight of the design & effective operation
of whistle-blower procedures
 Oversight of the process for reviewing the
effectiveness of the entity’s internal control
18
Management’s Philosophy and
Operating Style
Management philosophy is the set of shared
beliefs and attitudes characterizing how the
agency handles everything it does, from
developing and implementing strategy to
day-to-day activities. This philosophy
reflects the agency’s values, influencing its
culture and operating style, and affects how
well fiscal programs can implement,
maintain, and enforce control.
19
Management’s Philosophy and
Operating Style
Management philosophy appears in
policy statements, oral and written
communications, and decision-making.
Management reinforces the philosophy
more with everyday actions than with
its words.
20
Management’s Philosophy and
Operating Style
 Approach to taking and monitoring
business risks
 Attitudes and actions toward financial
reporting (conservative or aggressive application
of GAAP, conscientiousness and conservatism when
developing accounting estimates)
 Attitude toward information processing
and accounting functions and personnel
21
Organizational Structure
 Appropriate framework for necessary
planning, execution, control, and review
of entity wide objectives
 Adequately defined key areas of
authority and responsibility; and,
appropriate lines of reporting
 Appropriate organization structure
depends upon size, complexity, and
nature of activities
22
Assignment of Authority and
Responsibility
 How responsibility assigned
 How authority delegated
 Appropriate business practices
 Knowledge and experience of key personnel
 Appropriate resources provided for carrying
out duties
 Policies and communications so all personnel
understand entity’s objectives, know their
roles and how they will be held accountable
23
Human Resource P&Ps
 Relate to recruitment, orientation,
training, evaluation, counseling,
promoting, compensating, and remedial
actions
 Adequate background checks (educational
background, prior work experience, past
accomplishments, evidence of integrity & ethical
behavior)
 Adequate retention and promotion criteria
(continued education; performance appraisals; code of
conduct guidelines)
24
Fraud Perpetrator’s
Criminal History
Fraud Perpetrator’s
Employment History
25
©2008 by the Association of Certified Fraud Examiners, Inc.
Risk Assessment
Inherent -- By the Very Nature of the
Business Entity
Direct -- As a Result of Action Taken
by Management or Employees
26
Risk Circumstances
 Changes in operating environment
 New personnel
 New / revamped information systems
 Rapid growth of entity
 New technology
 New business models, products, activities
 Corporate restructuring
 New or expanded foreign operations
 New accounting pronouncements
27
External Influences
Contributing to Risk:







Economic Conditions
Social Conditions
Political Conditions
External Regulation
Natural Events
Supply Sources
Technological Changes
Source: AICPA SAS 109
28
Internal Influences
Contributing to Risk:







Changes in personnel duties
Availability of funds for new initiatives or
continuation of key programs
Employee relations
Information systems
Data processing
Cash management activities
Asset protection and preservation
Source: AICPA SAS 109
29
Managing Risk...
 Can you identify internal and external
risks?
 Which risks are significant?
 Do you have a thorough risk analysis
process?
 Can you adequately anticipate the risk
associated with change (self-imposed or
as a result of external infliction)?
30
Information Systems
Consists of:
– infrastructure (physical and hardware)
– Software
– People
– Procedures (manual & IT)
– Data
– Adequate Backup Systems
31
Information Systems
Relevant to financial reporting objectives
consists of procedures and records
established to:
–
–
–
–
–
–
–
Initiate
Authorize
Record
Process
Report
Maintain accountability
Provide security
32
Information Systems
Encompasses methods and records that:
– Identify and record all valid transactions
– Describe transactions in sufficient detail &
on a timely basis
– Measure the value of transactions
– Determine proper accounting time period
– Properly present transactions & related
disclosures in the financial statements
33
Control Activities...
…Are the Policies and Procedures
That Help Ensure Management
Directives Are Carried Out and
Necessary Actions Are Taken to
Address Risks that Threaten the
Achievement of the Entity’s
Objectives.
34
Relevant Control Activities...
Provide for Performance Reviews
Provide for Information Processing
(accuracy, completeness, & authorization – application
controls & general controls)
Provide Physical Controls (physical security of
Assets, Documents, & Records; reconciliations &
inventory counts)
Adequate Segregation of Duties
35
Monitoring Activities...
 Ongoing -- performance evaluation
 Corroboration of information -- bank




reconciliations, etc.
Comparison of physical assets to book
assets -- inventories
Internal and external audits -effectiveness
Codes of ethics certification
Training and education
36
Monitoring...
If No One Ever Looks at or Reviews
the Internal Control Environment -What Good Is It Doing?
37
Benefits of Internal Control...
A Well-designed & Well-functioning
Internal Control System Can Help an
Entity Achieve Its Performance and
Profitability Targets
38
It Can
Help Prevent
Loss of Resources,
Help Ensure Reliable
Financial Reporting, and
Help Ensure That the Entity
Complies With Laws and Regulations
39
In Other Words,
Internal Control Systems
Can Help an Entity Get to Where
It Wants to Go and Avoid Pitfalls
and Surprises Along the Way
40
Increasing Interest in Performance
Performance Measurement
+ Reporting Results
+ Accountability over Resources
= Performance Management
Government Performance Auditing (Ives & Hancox)
Increasing Interest in Performance
Agency Managers must actively:
 Develop & Implement appropriate,
cost-effective IC for results-oriented
management
 Periodically assess the adequacy of
those controls
 Identify needed improvement, and
 Take corresponding corrective action
Government Performance Auditing (Ives & Hancox)
Six Stages for
“Managing to Achieve Results”
1.
2.
3.
4.
5.
6.
Strategic Planning (setting goals & objectives)
Program Planning (establishing measurable
objectives)
Setting Priorities & Allocating Resources
Actively Planning (establishing strategies &
operational processes)
Managing Operations (controlling & measuring
performance)
Assessing Results & Adjusting Strategies
(where warranted)
Government Performance Auditing (Ives & Hancox)
Performance Audits May be Broad
or Narrow in Scope & Cover:





Whether an entity is acquiring, protecting & using its
resources in the most productive manner to achieve
program objectives
The extent to which legislative, regulatory, or
organizational goals & objectives are being
achieved
Whether a program produced intended results or
produced effects that were not intended by the
program’s objectives
Whether the entity is following sound procurement
practices
The validity & reliability of performance measures
Government Performance Auditing (Ives & Hancox)
When Evaluating Economy &
Efficiency of Operations – Ascertain:



Whether resources are properly
deployed
Whether there are idle resources or
overstaffed functions
Whether resources are acquired at a
reasonable price
Government Performance Auditing (Ives & Hancox)
Types of Subjects Covered in
Performance Audits






Progress made in achieving goals of a specific
program
Assessment of the hiring, training & supervision
of staff of a program
State oversight & local government compliance
with regulation of a program
Assessment of a program intended to
increase/decrease aspect of a program
Assessment of the efficiency & effectiveness of
a program
Assessment of program service delivery &
financial management
Government Performance Auditing (Ives & Hancox)
Limitations of Internal Control
 Not a cure all
 Cannot ensure entity’s success or
survival
 Cannot ensure entity will achieve
operation, financial reporting, and
compliance objectives
 Effectiveness limited by human
judgment and hasty decision making
47
 System can breakdown due to
misunderstandings, mistakes in judgment,
or errors committed due to carelessness,
distraction, or fatigue
 Only as effective as the people who are
responsible for its functioning
 Collusion can result in control failure
 Limited resources (cost/benefit)
 excessive control is costly & counterproductive
 too little control presents undue risk to entity
48
Everyone in an Organization Has Some
Responsibility for Internal Control;
However, MANAGEMENT Is
Responsible!
49
Deficiency in Internal Control
Statement of Auditing Standard (SAS) 115
entitled “Communicating Internal Control
Related Matters Identified in an Audit” defines
deficiency in internal control, significant
deficiency, and material weakness and
provides guidance for auditors on evaluating
the severity of the deficiencies in internal
control.
50
Deficiency in Internal Control
Determination as to whether a deficiency is
significant or material is based upon whether
a reasonable person would derive the same
conclusion as the auditor or whether prudent
officials having knowledge of the same facts
and circumstances would agree with the
auditor’s classification of the deficiency.
51
Deficiency in Internal Control
A deficiency in internal control exists when
the design or operation of a control does not
allow management or employees, in the
normal course of performing their assigned
functions, to prevent or detect and correct
misstatements on a timely basis.
52
Deficiency in Internal Control
Significant deficiency is defined as a
deficiency or combination of deficiencies, in
internal control that is less severe than a
material weaknesses, yet important enough
to merit attention by those charged with
governance.
53
Deficiency in Internal Control
A material weakness is a deficiency, or
combination of deficiencies, in internal
control, such that there is a reasonable
possibility that a material misstatement of the
entity’s financial statements will not be
prevented, or detected and corrected on a
timely basis.
54
Deficiency in Internal Control
One situation when a deficiency in internal
control should be regarded as at least a
significant deficiency and a strong indicator of
a material weakness – ineffective oversight of
the entity’s financial reporting and internal
control by senior management and those
charged with governance.
55
Indicators – Material Weakness
 Identification of fraud, whether or not material, on the
part of senior management.
 Restatement of previously issued financial
statements to reflect the correction of a material
misstatement due to error or fraud
 Identification by the auditor of a material
misstatement of the financial statements under audit
in circumstances that indicate that the misstatement
would not have been detected by the entity’s internal
control.
 Ineffective oversight of the entity’s financial reporting
and internal control by those charged with
governance.
56
Deficiencies in Design Controls
 Inadequate design of controls over the preparation of
the financial statements being audited.
 Inadequate design of controls over a significant
account or process.
 Inadequate documentation of the components of
internal control.
 Insufficient control consciousness within the
organization; for example, the tone at the top and the
control environment.
57
Deficiencies in Design Controls
 Absent or inadequate segregation of duties within a
significant account or process
 Absent or inadequate controls over the safeguarding
of assets
 Inadequate design of IT general and application
controls that prevent the information system from
providing complete and accurate information
consistent with financial reporting objectives and
current needs.
58
Deficiencies in Design Controls
 Employees or management who lace the
qualifications and training to fulfill their assigned
functions.
 Inadequate design of monitoring controls used to
assess the design and operating effectiveness of the
entity’s internal control over time.
 The absence of an internal process to report
deficiencies in internal control to management on a
timely basis.
59
SAS 109
– Describes the procedures to be used to
gather information and gain an understanding
of the entity and its environment, which
include:
•
•
•
Inquiries
Analytical procedures
Observation and Inspection
60
•
SAS 109 Requires a
brainstorming session, which may
be conducted concurrently with
the SAS 99 session
61
SAS 109 directly links the
understanding of the entity and its
internal control with the assessment
of risk and the design of further audit
procedures
– The understanding of the entity and its
environment, including its internal
control, provides audit evidence
necessary to support the auditor’s
assessment of risk
62
Under the previous standard, the
primary purpose of gaining an
understanding of internal control
was just to plan the audit.
63

SAS 109 requires auditors to evaluate the design
of controls and determine whether they have been
implemented. Evaluating the design of a control
involves considering whether the control,
individually or in combination with other controls,
is capable of effectively preventing or detecting
and correcting material misstatements.

Thus, the understanding of internal control
provides audit evidence that ultimately supports
the auditor’s opinion on the financial statements.

It is anticipated that this phase of the audit will
require more work than simply gaining
understanding of internal control
64
The determination of significant risks, which
arise on most audits, is a matter for the
auditor’s professional judgment. In exercising
this judgment, the auditor should consider:
─ inherent risk to determine whether:
─ the nature of the risk,
─ the likely magnitude of the potential misstatement,
including the possibility the risk may give rise to multiple
misstatements, and
─ the likelihood of the risk occurring are such that
─ they require special audit consideration.
(SAS 109, ¶ 111)
65
 Whether the risk is a risk of fraud.
 Whether the risk is related to recent significant
economic, accounting, or other developments and,
therefore, requires specific attention.
 The complexity of transactions.
 Whether the risk involves significant transactions with
related parties.
 The degree of subjectivity in the measurement of
financial information related to the risks, especially
those involving a wide range of measurement
uncertainty.
 Whether the risk involves significant nonroutine
transactions which are outside the normal course of
business for the entity, or otherwise appear to be
unusual.
66
(SAS 109, ¶111)
SAS 109 – Appendices…
(Excellent Resources)

Appendix A – Understanding the Entity
and Its Environment

Appendix B – Internal Control
Components

Appendix C – Conditions and Events
That May Indicate Risks of Material
Misstatement
67
Exhibit 4: Management’s Commitment to Professional and Technical Competence
This Control Implemented and Operating Effectively
Agree/Disagree
Comments
1. Job descriptions (and other documents that define key
position duties/requirements) are current, accurate,
and understood.
3 - Somewhat agree
We are in the process of updating our job descriptions.
We recently purchased a software program that will
assist in making sure that adequate ADA language is
included,etc.
2. There is a mechanism in place to keep the job
descriptions current, accurate, and understood.
4 - Agree
We need to do a better job to ensure that our job
descriptions are kept current. The Executive Director
has appointed the Communications Officer to lead the
effort to bring the job descriptions up-to-date.
3. Job knowledge/skill requirements realistically match
the organization and position’s needs.
5 - Strongly agree
4. Management has the specialized knowledge,
experience, and training required to perform their
duties and does not rely extensively on technical
specialists or outside consultants.
4 - Agree
We do hire several outside consultants throughout
each fiscal year to help in the technology area. We have
only 3 employees in this area and they are responsible
for keeping all divisions and locations' networks up and
running.
5. Employees are properly trained and are capable of
performing all jobs within your division.
4 - Agree
We are working to strengthen training on new
computers and computer applications.
6. Employees are committed to excellence in performing
their jobs.
5 - Strongly agree
Employees at the agency are very professional and are
committed to excellence.
7. Individual performance targets focus on both the longand short-term and address a broad spectrum of
criteria (e.g., quality, productivity, leadership,
teamwork, and self-development).
5 - Strongly agree
Each division is responsible for providing the executive
director with 4 or more goals above and beyond normal
job duties that they will strive to achieve during the
upcoming fiscal year. These goals may be either short
or long-term.
Conclusions Reached and Actions Needed:
Our management has a high commitment to professional and technical competence. However, we need to do a better job in keeping our job descriptions
current. XYZ, DEF, and ABC on 5/12/09 and 5/28/2009.
68
Exhibit 7: Risk Assessment
This Control Implemented and Operating Effectively
Agree/Disagree
Comments
1. Formal or informal mechanisms exist to inform
management of events that are considered risks; i.e.,
events that may adversely affect the achievement of
agency-wide or division objectives.
5 - Strongly agree
We have 7 divisions within the Agency and each
division head is a member of the Senior Staff, which
meets weekly to discuss any issues of concern and the 6
division heads can and do speak to the Executive
Director any time they need to do so.
2. Management assesses for inherent risk, each event or
combination of events that represents a risk,
considering both likelihood and impact, and then
develops a risk response.
5 - Strongly agree
See comments to question #1. For example, we just
had a staff meeting where our employee in charge of
safety and risk informed the group of precautions and
actions to take in the event of a swine flu outbreak.
3. Once a risk response is developed for each risk,
management considers residual risk.
5 - Strongly agree
4. Management uses an appropriate blend of quantitative
or qualitative techniques across the various
divisions/functions such that sufficient consistency
exists to assess risks agency-wide.
5 - Strongly agree
We certainly analyze risks quantitatively and
qualitatively. For example, we use both in considering
new affects of the current recession, increased special
revenues, reduced state tax collections and potential
budget cuts.
5. The process used to analyze risks is clearly
understood and includes estimating the significance or
risks and assessing the likelihood of their occurring.
5 - Strongly agree
See comments to question #1. This agency has an
excellent staff that is qualified and able to assess the
significance and liklihood of risks.
See comments to question #1.
Conclusions Reached and Actions Needed:
Our Senior Staff meets weekly which puts them in a good position to assess risks and to be responsive to any known risks.
EDF, DFG 5/13/2009
69
Exhibit 5: Assignment of Authority and Responsibility
This Control Implemented and Operating Effectively
Agree/Disagree
Comments
1. Management designates who is responsible for
committing to financial or contractual obligations
through a formal delegation of authority.
5 - Strongly agree
Management assigns signature authority to appropriate
personnel to designate personnel authorized to commit
to financial or contractual obligations.
2. Specific limits are established for certain types of
transactions and delegations are clearly
communicated and understood by employees.
4 - Agree
Management personnel with signature authority are
aware of any specific limits for certain types of
transactions, if applicable.
3. Job descriptions for personnel include specific
references to control related responsibilities.
4 - Agree
Job Content Questionnaires (JCQ) are completed for
each employee. The JCQ includes specific references of
job related responsibilities including control related
responsibilities, if applicable.
4. Management accepts responsibility for information
generated and on reported results.
5 - Strongly agree
Management accepts the responsibility for the
information generated and works constantly to improve
the accuracy and effectiveness of the information.
Management also reviews and documents their approval
by signing required reports.
5. Managers at all levels within your agency are
appropriately empowered to correct problems and
implement improvements.
5 - Strongly agree
Managers are expected to correct problems and
implement improvements if needed. Depending on the
materiality of the problem, senior management
encourages they be informed of the problem and
corrective action.
6. The current level of delegation of duties balances
empowerment and “getting the job done” with
management involvement and authority levels.
5 - Strongly agree
Employees have the empowerment to "get the job
done". Management is available for training and
assistance. Management will normally approve or review
the "job".
70
Exhibit 7: Risk Assessment
This Control Implemented and Operating Effectively
Agree/Disagree
Comments
1. Formal or informal mechanisms exist to inform
management of events that are considered risks; i.e.,
events that may adversely affect the achievement of
agency-wide or division objectives.
5 - Strongly agree
Mechanisms are in place. Please refer to the
conclusions section below for more detail.
2. Management assesses for inherent risk, each event or
combination of events that represents a risk,
considering both likelihood and impact, and then
develops a risk response.
4 - Agree
Once a risk is identified, management considers the
likelihood of the risk occurring and the potential impact it
will have on the agency's financials and the achievement
of the agency's objectives.
3. Once a risk response is developed for each risk,
management considers residual risk.
4 - Agree
Once a control activity is created for an identified risk,
management considers the remaining risk.
4. Management uses an appropriate blend of quantitative
or qualitative techniques across the various
divisions/functions such that sufficient consistency
exists to assess risks agency-wide.
4 - Agree
Quantitative and qualitative techniques are used by
management to assess risk.
5. The process used to analyze risks is clearly
understood and includes estimating the significance or
risks and assessing the likelihood of their occurring.
4 - Agree
Both the agency-wide risk assessment and divisional
assessments include determining the risks, the likelihood
of their occurrence, and the potential impact of those
risks on the agency.
Conclusions Reached and Actions Needed:
Risks are assessed at the agency-wide level and divisional level. The agency-wide assessment is included in the agency's Strategic Plan
(http://www.agencyname.ms.gov/Documents/agency5YearStrategicPlan.pdf). The agency has procedures in place for assessing risk at divisional levels. We
will enhance and expand our risk assessment process in conjunction with enhancing our internal control plan.
71
Exhibit 8: Risk Response
This Control Implemented and Operating Effectively
Agree/Disagree
1. The process used to analyze risks is clearly
understood and includes determining steps needed to
mitigate risks.
3 - Somewhat agree
2. In determining risk response, management considers
the effects of potential responses on risk likelihood and
impact because a response may affect the likelihood
and impact differently.
4 - Agree
3. Management considers the relative costs and benefits
of alternative risk response options.
4 - Agree
4. When considering cost-benefit relationships,
management looks at risks as interrelated and pools
the agency’s risk reduction and risk sharing responses.
4 - Agree
5. The agency’s risk response considerations are not
limited solely to reducing identified risks, but also
include consideration of new opportunities.
3 - Somewhat agree
6. Once management has selected a response,
management determines whether an implementation
plan is needed.
3 - Somewhat agree
7. If an implementation plan is needed, management
establishes the necessary control activities to ensure
the risk response is carried out.
4 - Agree
8. The agency evaluates risk from an agency-wide
perspective.
3 - Somewhat agree
Comments
72
Exhibit 22: Monitoring Questionnaire
This Control Implemented and Operating Effectively
Agree/Disagree
Comments
1. Management has established performance measures
for processes and receives periodic reports of results
against those measures.
2. Personnel responsible for reports are required to “sign
off” on their accuracy and integrity and are held
accountable if errors are discovered.
3. In the event of known control breakdowns or
deficiencies, controls that should have prevented or
detected problems are reassessed and modified as
appropriate.
4. Controls most critical to mitigating high priority risks in
your function are evaluated with appropriate
frequency.
5. Evaluations of the entire internal control system are
performed when there are major strategy changes,
major acquisitions or dispositions, or operations and
methods of processing financial information are
changed.
6. An appropriate level of documentation is developed to
facilitate the understanding of how your internal control
system works.
7. Employees are provided with sufficient control and
compliance training sessions and feedback
opportunities.
73
The Hot Ten!
10. Weak Internal Controls
9. Lack of or Poor Assessment of IC by Management
8. Personal Pressures
7. Environmental Changes
6. Audit Deficiencies
5. Inadequate, Limited, or Reduced Training Resources
4. Related Party Transactions
3. Management’s Override of Internal Controls
2. Negative Work Environment – Poor Tone at the Top
1. Blind Trust
74
Questions?
Contact Information
William A. (Billy) Morehead, Ph.D., CGFM, CPA, CPM
Delta State University
DSU Box 3222
1003 West Sunflower Road
Cleveland, MS 38733
Phone: 662-846-4180
Fax: 662-846-4429
Email: wmorehed@deltastate.edu