Positive Pay can help protect your organization from check fraud

check_164491487Check fraud is a common financial crime here in Washington and nationwide. According to the American Bankers Association, check fraud accounted for 32 percent of the banking industry’s losses in 2015.

To help address this significant risk area as a preventative measure. While it was created to protect the banks, Positive Pay is a great tool that can be used by state and local governments to prevent and monitor for check fraud, common types of which include duplicated checks, altered check amounts and counterfeit checks.

Continue reading

Repost from MRSC: Big Cybersecurity for Small Jurisdictions

From our friends at MRSC: Mike Kaser, IS Director for the City of Mercer Island, weighs in on protecting local governments from cyber attack. You can read the original here.

Big Cybersecurity for Small Jurisdictions

The use of technology to support service delivery by local government continues to grow. Whether it’s a 911 dispatcher, firefighter, patrol officer, utility crew member, or an elected official, all of these local government employees use technology as part of their everyday duties.

IT departments are expected to maintain operations with little to no downtime while cybersecurity incidents, like the recent global ransomware attack dubbed “WannaCry,” are one of many risks we face. Even the most sophisticated and well-funded organizations are finding their data unceremoniously dumped onto the Internet.

How can small jurisdictions with so few resources have a capable cybersecurity program in the face of today’s many risks? Simply put, determine what can be done within current resources and skill sets, then communicate honestly and openly with your organization’s leadership about where the gaps are. You must share and decentralize the risk beyond IT.

Cybersecurity Risks

Cybersecurity risks have been around for a long time. Organizations employ different technologies like permissions, IDS/IPS, logs, firewalls, anti-virus, encryption, backups, etc. in response to that risk.

What is new is the scope and impact of security issues to the organization, the sophistication and quantity of the bad guys, and the need to get every employee thinking about their role on the organization’s “security team.” Imagine explaining why your utility customer’s payment information was sold on the dark web or not being able to answer 911 for a few hours.

Some percentage of resources must be dedicated to cybersecurity to maintain the trust of your organization, your elected officials, and the people your jurisdiction serves.

The Mercer Island Approach

A great first step is to discuss this risk with leadership and define what success looks like within your organization’s resources. For the City of Mercer Island, “success” at a high level includes Communication, Policies and Plans, Training, Technology, and Assessments.


Talk to your organization and let them know what’s up with this whole “cyber” thing. This step is simple. Let people know that you believe there is risk. Give tangible, not hyped, examples of possible events (maybe they have already happened).

Explain what the current IT capabilities are and discuss the gaps. For smaller agency IT managers, this is key. You must explain where the risk is to the organization’s leadership. Simply repeating you are understaffed or don’t have enough money isn’t enough. By highlighting specific gaps to leadership, the responsibility is now in the hands of those most responsible for managing an organization’s risk.

Policies and Plans

Love them or hate them, they are critical. Policies can identify risk and explain everyone’s roles and responsibilities. Create or update your policy together with members from all departments and your leadership. Have the CEO sign it. The discussion alone will highlight for everyone what the issues are. It doesn’t have to be complex, either. Keep decentralizing the risk!

Document your technology at a high level and work with each department to establish ownership of the digital information staff collect, process, store, and transmit, as well as responsibility over the technology used to manage that data. Create and exercise a high-level incident response plan that isn’t 65-pages long. Use frameworks like the NIST cybersecurity framework to guide your planning.


Train all employees on cybersecurity measures, beginning with IT.  They are the front line and need a solid understanding of the issues. And I don’t mean CISSP training. I mean real, hands-on, learn-how-to-hack, break-into-systems training (using test labs, of course). They need to know what the bad guys know to be able to defend your organization well. OSCP, certain SANS courses, and other hands-on training are recommended.

Make your training fun for employees! Get departments other than IT involved in developing the training. We used departmental staff to develop the phishing emails in our phishing training campaign. They loved being a part of it. Train on your incident response plan!


Get some technology! Use both open-source (free or free-ish) and commercial technologies. Your agency already has employed some technology (hopefully) like firewalls, but there are lots of new and interesting ways security technology is evolving. A key and powerful tool to help prevent ransomware, AppLocker, is built right into recent versions of Windows.

Reach out to your vendors but be skeptical of “all-in-one” solutions. Build security language into contracts! You need a toolbox for this cyber stuff. This is where money and time become a real issue for small jurisdictions.

Identify the combination of products and services your organization can afford and decide which can be operated in-house and which requires vendor support. Whatever your capabilities are, there will be a gap. Just remember to communicate this gap to leadership and decide, together, how to address it. Consider insurance as an option or maybe outsource security entirely: these services exist!


Bring in qualified and credentialed third parties to do assessments. This is invaluable as a third party will highlight the problems that you have missed. This gives you a baseline for improvement, for highlighting the gap, and for communicating cybersecurity concerns within your organization.

Find Allies

Another important step is building relationships. Cybersecurity is complicated. Talking to people at the local, regional, and state, and even federal level is helpful.

Learn where the free resources are. You might be surprised how much help is out there. For example, the state’s Office of CyberSecurity, the Center for Internet Security’s MS-iSAC, and the United States Computer Emergency Readiness Team (US-CERT) all come to mind. Go to regional or local cyber security events and exercises. Learn and share with others.

This recipe has strengthened Mercer Island’s security posture but we will continue to identify, communicate, and address the gaps as new ones arise. After all, cybersecurity is now an everyday part of doing business.


Make sure to meet requirements when purchasing using ‘piggybacking’ method

“Piggybacking” refers to one local government making purchases from contracts awarded by another government or group of governments via an interlocal agreement or contract. Piggybacking is a convenient way to procure goods or services. However, our Office has seen an increasing number of local governments use this alternative method without completing the process properly. National purchasing cooperatives are becoming more widely used, and many of these are based in other states where the laws do not align with Washington law.

The key to maintaining compliance when procuring through piggybacking is to ensure your local government’s own bidding requirements are still met. State law
(RCW 39.34.030), which allows for piggybacking, does not relieve any public agency of any obligation or responsibility with respect to purchasing, except for the notice of bids or advertising requirements. As long as the lead agency satisfies its own requirements for advertising and posts the solicitation on the internet, the piggybacking government’s advertising requirements are considered met.

Continue reading

Other post-employment benefits (OPEB) update

Diversity team in business development meeting with charts, IndiWe’re already halfway through 2017, and 2018 is quickly approaching! GASB Statement No. 75, Accounting and Financial Reporting for Postemployment Benefits Other Than Pensions, is effective for fiscal years ending in 2018.

Implementing this complex standard requires planning and information sharing. The State Auditor’s Office participates in several OPEB standards implementation workgroups to help identify and share common questions and concerns.

Continue reading

GASB issues guidance on asset retirement obligations

The Government Accounting Standards Board (GASB) recently issued a new standard, GASB Statement 83, to provide accounting guidance on asset retirement obligations (AROs). The GASB issued this standard because many governments have not been reporting these liabilities or may have been applying other guidance (such as FAS 143). The standard is expected to resolve these inconsistencies and may result in some governments recording potentially significant liabilities.

The new standard is effective for financial statements on years ending after June 15, 2018, with early implementation encouraged. The pronouncement is available online at www.gasb.org.

If you have questions regarding ARO, please submit a HelpDesk request (login required). If you have questions about other GASB standards, please contact Debra.Burleson@sao.wa.gov.

Continue reading

For 4th year in a row, more governments filing financial reports on time

Local governments are required to submit an annual financial report within 150 days after their fiscal year end under state law (RCW 43.09.230). Exhibit 1 illustrates that the number of governments meeting this requirement has increased for the fourth consecutive year. Exhibit 2 illustrates that 228 of the 302 governments that missed the filing deadline also missed the deadline in 2015.



The State Auditor’s Office has emphasized the importance of filing timely annual reports and has provided assistance in a variety of ways. Most recently, we offered 27 free filing workshops statewide to help all local governments that were having difficulty meeting the requirement. Of the 350 governments that attended the workshops, 321 were able to file timely annual reports. This included 50 governments that did not meet the requirement last year.

We will continue to evaluate ways to increase the number of timely filings in the future. Please contact DuaneWalz@sao.wa.gov for questions or suggestions.


The State Auditor’s Office and MRSC expand financial policy guidance


(Repost from MRSC’s blog. Original available here.)

By Toni Nelson, MRSC

Financial policies are an essential component of any local government’s financial health, but financial policy needs vary considerably from jurisdiction to jurisdiction. Different types of entities (cities, towns, counties, and special purpose districts) have different needs depending on size, scope of activities, organizational and staffing structures, contractual and program structures, and the governing body’s values and priorities. A boilerplate, one-size-fits-all approach will not work – but how do you know what policies you need, or what approach is right for your jurisdiction?

Well, MRSC is here to help! Working in partnership with the State Auditor’s Office Local Government Performance Center, we’ve just launched a series of online resources to help local governments in Washington State develop and adopt effective financial policies and procedures, as well as complying with SAO’s policy requirements as currently prescribed by BARS and recommended during audits. Continue reading

2017 NSAA IT Conference in Tacoma

WA18We are excited to announce that for the first time in the history of the National State Auditor’s Association (NSAA) IT Conference, Washington is the host state!  This year’s conference takes place October 3rd through 6th at the beautiful and modern Hotel Murano in Tacoma.

If you are a state or local government IT auditor (internal or external), this conference is for you. It will provide participants with valuable IT audit training at an affordable price. Plus, there will be ample opportunities to network with other IT auditors from across the country. Don’t worry if you haven’t yet had much experience in IT auditing–the trainings are designed to span the spectrum of experience.

Be sure to check out NSAA’s website for more information, like a draft agenda when it becomes available. You can also check out the event page on Facebook!


Auditor McCarthy: Financial reporting should be easy to read and understand

Since the original issuance of Governmental Accounting Standards Board (GASB) Statement 34 in 1999, the Office of the Washington State Auditor has found the resulting financial statement presentations to be unnecessarily complex, less timely and more costly for state and local governments to prepare and have audited. These presentations are also more challenging to understand.

Financial statements prepared by state and local government entities in the United States are longer than those prepared by other organizations in the United States and around the world, due to the use of different accounting methods (e.g. modified-accrual and full-accrual) within the presentation.GASBlettergraphic








Continue reading

Audit focus for schools in fiscal year 2016

Pupil writing on the board at elementary school maths classSchool districts have asked the State Auditor’s Office to let them know in advance the areas they can expect auditors to emphasize in upcoming audits. This list will help your district prepare for audits examining FY 2016. If you have questions, your local audit team is available year round: they can answer technical questions and point you to additional guidance on specific areas of audit.  Continue reading