Chat with us, powered by LiveChat


Internal controls and fraud prevention are some of my favorite topics to discuss. Maintenance season is the perfect time to analyze processes and determine whether changes are necessary. During this time you have the capacity to think critically about the needs of your organization and pinpoint areas that can be improved. As we walk through the internal control process keep in mind one size doesn’t fit all and depending on the size of your entity and your resources there will be differences in the internal controls.

Internal controls serve a key purpose that those in the financial trenches and those charged with governance need to understand. Internal controls inherently serve as a deterrent to the potential fraudster. They also help ensure the accuracy and validity of transactions resulting in financial statements that are accurate and complete. A sound internal control system serves as a method of self-protection for those in the financial trenches. This is commonly and humorously known as “CYA.”

a[data-title]:hover:after{ content: attr(data-title); background: #CFFDE9 ; position: center; left: 5%; top: 10%; }

All organizations regardless of size can have effective controls. These controls provide reasonable assurance that the organization remains in compliance, financial information is presented accurately, and fraud risks are reduced. Internal controls are a critical component that assists in the effective and efficient function of your entity.

Internal controls should be evaluated on a regular basis. Keep in mind that if a system, process, or other change occurs at your entity, the internal control process may need to change as well. Additionally, there may be a change in regulatory requirements that will change a certain process. An example is the new sick leave and paid family leave requirements in the State of Washington. What was effective may not be effective any longer. A good internal control system will catch errors, limit exposure (CYA) through sufficient documentation and processes, and provide value to the organization.

Begin your analysis of internal controls with areas that have the most risk. The riskiest areas include those that involve cash. I am sure that many of you are familiar with the cash receipt process and likely receipt cash payments on a daily basis. Having a sound internal control process related to cash receipting is critical. I would highly recommend checking out the Washington State Auditor’s guidance on this topic. If you only have time to analyze and implement one new process this maintenance season, I would focus on the cash receipting.

With internal control design and implementation, the cost (time) and benefit (reduction of risk) need to be taken into account. If internal controls are too cumbersome these processes and procedures will not be followed. A process is only useful if it is used. For example, your accounting software should have unique logins for users. If passwords are shared between users, this defeats the purpose of having separate login information. This brings us back to the initial statement one size doesn’t fit all. Each entity has different needs and therefore different internal controls. A common staffing pattern at many small entities is a two-person office where one person works full time and the other may be only part-time. What is an efficient and effective way for internal controls to be implemented? There is always talk about “separation of duties.” How does such a small office design appropriate internal controls? Management (i.e. Mayor, Fire Chief, other elected officials) must be brought into the conversation. At the end of the day, it is the responsibility of management to ensure the health of your organization. The design, implementation, and oversight of internal controls must be undertaken by more than one individual. Make sure that you’re maintaining supporting documentation for all transactions. Keep this information well organized and filed. As I recently heard Chad say, “Your future self will thank your current self.”

The smaller the office that you work in, the more involved elected officials need to be in the oversight of internal controls. Both you and elected officials need to know your roles. Remember, you are NOT responsible for the bottom line financial health of your organization! Your elected officials are the ones responsible, but it’s your role to get them the information to make decisions with.

I recently did a quick search of the SAO website on audit reports with findings. I then refined my search to only show findings related to internal control weakness or deficiency. There were approximately 50 audit reports to date in 2019 with findings related to internal controls. Elected officials and other individuals responsible for governance may think that internal controls aren’t important, but if these are lacking at your entity the SAO may issue a finding. Many think that fraud can’t happen at their entity. Fraud can occur at any entity, any time. Additionally, the impact on smaller entities is disproportionately greater than the impact on large entities. Internal controls play a critical role in reducing risk, increasing accuracy, and helping your entity function smoothly.

The fraud triangle theory, originally developed by Donald Cressey, states for fraud to occur three components must be present. These are 1) Opportunity 2) Pressure 3) Rationalization. Opportunity is the only component of the fraud triangle that can be controlled. Internal controls reduce the opportunity for fraud to occur. Not only do internal controls assist in the prevention of fraud, but they also aid in the detection of fraud. It has been routinely shown the longer a fraud persists, the greater the losses are. From the 2018 ACFE Report to the Nations, “frauds that last over 60 months are more than 20 times as costly as those that are caught in the first six months.” Internal controls that are well-designed and being followed allow for errors to be caught in a timely manner. Everyone should strive to have accurate records. Remember your role is to assist in keeping track of how the public’s money is being spent.

Even though cash may have the greatest risk of theft, there are many other areas where internal controls must be implemented. Payroll is one area that comes to mind. An internal control that MUST be followed is time-sheet approval. Through good payroll policies AND sticking to them, errors can be reduced. Timesheets should be signed by both employees and a supervisor. Management should be reviewing payroll registers on a regular basis and if possible have someone review your work! Having another set of eyes reviewing payroll before it is finalized will hopefully result in fewer errors and a more accurate work product.

Another common area for many municipalities is utility billing. An inherent part of utility billing is the need for adjustments. Make sure that you have an effective review process in place for utility adjustments that are made on customer accounts. Take into consideration who is processing utility billing and who is performing customer service duties. If the same person is handling complaints and in charge of utility billing, actions could be taken to cover up a potential fraud. This example was one I remember hearing at The Eastern Washington Finance Officers Association presentation, May 10, 2019, by Debbie Pennick, WA SAO.

An area of internal controls often overlooked is the oversight of financial reporting. Many audit reports I reviewed contained findings related to internal controls of financial reporting. What does this mean? It means that financial statements were prepared with incorrect information. How do you prevent this from happening? Again, elected officials are ultimately responsible for the oversight and accuracy of financial reporting. I can’t emphasize the importance of reaching out for assistance if needed. If you have a question be sure to reach out and ask questions to the Auditor’s office, BIAS Software, CPA, or legal counsel.

Additionally, make sure that you receive training on how to do your job if you’re new to the organization. If you’re not sure where to start, please reach out, and we would be more than happy to get you pointed in the right direction. Convey the importance to your elected officials the importance of having the knowledge to perform your job effectively and efficiently. If the State Auditors can breeze through your audit because everything is in line, costs will be reduced because they will spend less time at your entity. If you’re a seasoned veteran be sure to take CPE courses on a regular basis. For example, if your entity was awarded a Federal Grant for the first time, make sure that you know how to properly account for that grant. Maintenance season is a great time for you to obtain training that will benefit your entity.

I can’t emphasize the importance of internal controls enough. They play a critical role in your government. From the accuracy of records to fraud prevention internal controls help provide clarity on the financial health of your entity. Keep in mind the ultimate responsibility for the health of your entity is up to elected officials. It is up to them to make decisions that will lead to a firm foundation for your entity. You may need to be persuasive and vocal about what is needed. Remember the cost savings from fraud prevention, reduced audit costs, and more efficient functions will be beneficial to your entity for many years to come. Hopefully, you’re beginning to develop a game plan of what you want to achieve this summer.

Setting yourself up for success for the remainder of the year begins now! Check next week as we dive further into tasks that can be undertaken during maintenance season.
My name is Seth. I am a Consultant at BIAS Software, a division of Springbrook Software. I am a licensed CPA in the state of Washington and hold a Master of Accounting from Florida Atlantic University. To clear my mind, I love to get out of town and go fishing. I would appreciate your feedback. If you have a suggestion or a topic you’d like me to cover, please send it to me at
    • Hi Darlene,
      Strong internal controls related to the purchasing process should involve the separation of three critical functions. These are the record keeping, authorization, and custody of assets. Separate individuals should be responsible for each of these functions. Thanks for commenting!

Leave a Reply

Your email address will not be published. Required fields are marked *