Positive Pay can help protect your organization from check fraud

check_164491487Check fraud is a common financial crime here in Washington and nationwide. According to the American Bankers Association, check fraud accounted for 32 percent of the banking industry’s losses in 2015.

To help address this significant risk area as a preventative measure. While it was created to protect the banks, Positive Pay is a great tool that can be used by state and local governments to prevent and monitor for check fraud, common types of which include duplicated checks, altered check amounts and counterfeit checks.

Continue reading

Repost from MRSC: Big Cybersecurity for Small Jurisdictions

From our friends at MRSC: Mike Kaser, IS Director for the City of Mercer Island, weighs in on protecting local governments from cyber attack. You can read the original here.

Big Cybersecurity for Small Jurisdictions

The use of technology to support service delivery by local government continues to grow. Whether it’s a 911 dispatcher, firefighter, patrol officer, utility crew member, or an elected official, all of these local government employees use technology as part of their everyday duties.

IT departments are expected to maintain operations with little to no downtime while cybersecurity incidents, like the recent global ransomware attack dubbed “WannaCry,” are one of many risks we face. Even the most sophisticated and well-funded organizations are finding their data unceremoniously dumped onto the Internet.

How can small jurisdictions with so few resources have a capable cybersecurity program in the face of today’s many risks? Simply put, determine what can be done within current resources and skill sets, then communicate honestly and openly with your organization’s leadership about where the gaps are. You must share and decentralize the risk beyond IT.

Cybersecurity Risks

Cybersecurity risks have been around for a long time. Organizations employ different technologies like permissions, IDS/IPS, logs, firewalls, anti-virus, encryption, backups, etc. in response to that risk.

What is new is the scope and impact of security issues to the organization, the sophistication and quantity of the bad guys, and the need to get every employee thinking about their role on the organization’s “security team.” Imagine explaining why your utility customer’s payment information was sold on the dark web or not being able to answer 911 for a few hours.

Some percentage of resources must be dedicated to cybersecurity to maintain the trust of your organization, your elected officials, and the people your jurisdiction serves.

The Mercer Island Approach

A great first step is to discuss this risk with leadership and define what success looks like within your organization’s resources. For the City of Mercer Island, “success” at a high level includes Communication, Policies and Plans, Training, Technology, and Assessments.


Talk to your organization and let them know what’s up with this whole “cyber” thing. This step is simple. Let people know that you believe there is risk. Give tangible, not hyped, examples of possible events (maybe they have already happened).

Explain what the current IT capabilities are and discuss the gaps. For smaller agency IT managers, this is key. You must explain where the risk is to the organization’s leadership. Simply repeating you are understaffed or don’t have enough money isn’t enough. By highlighting specific gaps to leadership, the responsibility is now in the hands of those most responsible for managing an organization’s risk.

Policies and Plans

Love them or hate them, they are critical. Policies can identify risk and explain everyone’s roles and responsibilities. Create or update your policy together with members from all departments and your leadership. Have the CEO sign it. The discussion alone will highlight for everyone what the issues are. It doesn’t have to be complex, either. Keep decentralizing the risk!

Document your technology at a high level and work with each department to establish ownership of the digital information staff collect, process, store, and transmit, as well as responsibility over the technology used to manage that data. Create and exercise a high-level incident response plan that isn’t 65-pages long. Use frameworks like the NIST cybersecurity framework to guide your planning.


Train all employees on cybersecurity measures, beginning with IT.  They are the front line and need a solid understanding of the issues. And I don’t mean CISSP training. I mean real, hands-on, learn-how-to-hack, break-into-systems training (using test labs, of course). They need to know what the bad guys know to be able to defend your organization well. OSCP, certain SANS courses, and other hands-on training are recommended.

Make your training fun for employees! Get departments other than IT involved in developing the training. We used departmental staff to develop the phishing emails in our phishing training campaign. They loved being a part of it. Train on your incident response plan!


Get some technology! Use both open-source (free or free-ish) and commercial technologies. Your agency already has employed some technology (hopefully) like firewalls, but there are lots of new and interesting ways security technology is evolving. A key and powerful tool to help prevent ransomware, AppLocker, is built right into recent versions of Windows.

Reach out to your vendors but be skeptical of “all-in-one” solutions. Build security language into contracts! You need a toolbox for this cyber stuff. This is where money and time become a real issue for small jurisdictions.

Identify the combination of products and services your organization can afford and decide which can be operated in-house and which requires vendor support. Whatever your capabilities are, there will be a gap. Just remember to communicate this gap to leadership and decide, together, how to address it. Consider insurance as an option or maybe outsource security entirely: these services exist!


Bring in qualified and credentialed third parties to do assessments. This is invaluable as a third party will highlight the problems that you have missed. This gives you a baseline for improvement, for highlighting the gap, and for communicating cybersecurity concerns within your organization.

Find Allies

Another important step is building relationships. Cybersecurity is complicated. Talking to people at the local, regional, and state, and even federal level is helpful.

Learn where the free resources are. You might be surprised how much help is out there. For example, the state’s Office of CyberSecurity, the Center for Internet Security’s MS-iSAC, and the United States Computer Emergency Readiness Team (US-CERT) all come to mind. Go to regional or local cyber security events and exercises. Learn and share with others.

This recipe has strengthened Mercer Island’s security posture but we will continue to identify, communicate, and address the gaps as new ones arise. After all, cybersecurity is now an everyday part of doing business.


Make sure to meet requirements when purchasing using ‘piggybacking’ method

“Piggybacking” refers to one local government making purchases from contracts awarded by another government or group of governments via an interlocal agreement or contract. Piggybacking is a convenient way to procure goods or services. However, our Office has seen an increasing number of local governments use this alternative method without completing the process properly. National purchasing cooperatives are becoming more widely used, and many of these are based in other states where the laws do not align with Washington law.

The key to maintaining compliance when procuring through piggybacking is to ensure your local government’s own bidding requirements are still met. State law
(RCW 39.34.030), which allows for piggybacking, does not relieve any public agency of any obligation or responsibility with respect to purchasing, except for the notice of bids or advertising requirements. As long as the lead agency satisfies its own requirements for advertising and posts the solicitation on the internet, the piggybacking government’s advertising requirements are considered met.

Continue reading

Other post-employment benefits (OPEB) update

Diversity team in business development meeting with charts, IndiWe’re already halfway through 2017, and 2018 is quickly approaching! GASB Statement No. 75, Accounting and Financial Reporting for Postemployment Benefits Other Than Pensions, is effective for fiscal years ending in 2018.

Implementing this complex standard requires planning and information sharing. The State Auditor’s Office participates in several OPEB standards implementation workgroups to help identify and share common questions and concerns.

Continue reading

GASB issues guidance on asset retirement obligations

The Government Accounting Standards Board (GASB) recently issued a new standard, GASB Statement 83, to provide accounting guidance on asset retirement obligations (AROs). The GASB issued this standard because many governments have not been reporting these liabilities or may have been applying other guidance (such as FAS 143). The standard is expected to resolve these inconsistencies and may result in some governments recording potentially significant liabilities.

The new standard is effective for financial statements on years ending after June 15, 2018, with early implementation encouraged. The pronouncement is available online at www.gasb.org.

If you have questions regarding ARO, please submit a HelpDesk request (login required). If you have questions about other GASB standards, please contact Debra.Burleson@sao.wa.gov.

Continue reading

#CyberAware about Ransomware

ransomwareImagine your local government’s files and documents held for ransom. The risk is greater than you think, with the number of cyber-attacks by ransomware increasing rapidly.

Ransomware, including Cryptolocker and its variants, is malicious software that encrypts files on a computer as well as files on the network that the user has access to.  Once the files are encrypted, the only way to open them again is with the encryption key. Victims must pay a ransom, usually in a virtual currency such as Bitcoin, to the attacker to obtain the key to their locked files.  Continue reading

The Cost of Transparency

The Effect of Public Records Requests on State and Local Governments

It’s hard to deny the benefits of an open and transparent government. The Public Records Act allows people to request things like video footage, emails, land development records — essentially almost every record that a government produces. The importance of access to government records can be seen in frequent examples across the nation, such as when the San Francisco Examiner discovered that police investigated rapes in upscale Berkeley far more readily than in the crime-blighted neighborhoods of Oakland by systematically examining local government records. Continue reading

Is your local government filing its annual financial report?

NumberReportingBarChartOn January 27, 2016, our Office published a follow-up to a report we issued last year on local government financial reporting. This year’s results show that our outreach efforts have contributed to a greater number of local governments filing their reports as required by law for fiscal year 2014.

Our outreach, provided at no cost to local governments, included training sessions and how-to-file workshops, support from the Auditor’s Office Helpdesk, and improvements in our online filing process. Staff from our Local Government Performance Center offered additional support and workshops.

Of the 394 local governments that did not file, more than half did eventually file, but after the deadline; another 50 started filing but did not complete their report. About 100 governments did not send any data, and 70 of them did not file a report for 2013 either.

The report also addressed the consequences of not filing an annual report, and our plans to help more entities file, including more workshops for governments large and small.

Follow-up Special Report: Promoting Transparency and Accountability