Let's start with the 10-step order of operations:
1. Set the tone at the top. Before a single procedure is written, the board and superintendent must visibly commit to written codes of conduct, clear lines of authority, and consistent enforcement. The SBO cannot build a control environment alone — it begins with governance.
If leadership circumvents established procedures, no downstream control compensates for it. Consider asking the board to adopt a code of ethics and conflict of interest policy as the starting point for each new fiscal year.
2. Prioritize risk. Not every process carries equal risk. Start where exposure is highest: cash receipts, student activity funds, payroll, purchasing cards, and federal grant compliance. These five areas generate the most recurring audit findings in school districts and carry the greatest reputational consequences when controls fail. Map these first before expanding to lower-risk processes.
3. Know your control types. Every high-risk area needs:
-
Preventive controls stop errors and fraud before they occur — dual signatures, pre-approval requirements, access restrictions, and segregation of duties.
-
Detective controls identify problems after they occur — monthly bank reconciliations, supervisory reviews, exception reports, and bank statement analysis.
In small offices where full segregation of duties isn't possible, compensating controls substitute: The SBO opens mail independently, reviews bank statements directly or approves all wire transfers personally. The control must exist even when the staffing doesn't support the textbook design.
4. Document your risk assessment in writing. The 2025 Green Book requires that your annual risk assessment be documented, not just performed. Explicitly address fraud, improper payments, information security, and per GASB 102, concentration and constraint risks. A risk assessment that lives only in the SBO's head does not meet the standard.
5. Write procedures, not just policies. A policy states what should happen. A procedure describes exactly how, by whom, and when. Every high-risk process needs a written procedure. Review and update procedures annually — or whenever a significant operational change occurs, a new GASB standard takes effect, or a technology system changes.
6. Cross-train staff. Cross-training is simultaneously a continuity measure and an internal control. Irregularities become visible the first time a different employee performs a task. Assign backup staff for every critical function — payroll, bank reconciliations, accounts payable, and student activity fund accounting.
7. Build controls for new GASB standards before the audit. When a new GASB standard takes effect, your first question should be "What new control does the standard create?" — not just "How do we book this entry?" Build the reconciliation, approval workflow, and documentation procedure before your auditor asks for evidence.
8. Establish an anonymous reporting mechanism. Approximately one-third of fraud is discovered through tips. COSO Principle 15 requires an external communication channel — staff must be able to report concerns without fear of retaliation. A whistleblower hotline, anonymous suggestion box, or third-party reporting service satisfies this requirement. If staff cannot safely report a concern, the control environment has a material gap regardless of what the policy manual says.
9. Review technology access controls annually. System permissions, user access rights, and IT authorization are internal controls. Review who has access to your financial system, payroll platform, and student activity fund accounts at least annually. Terminate access immediately upon employee departure. With cloud-based systems expanding under GASB 96 and AI tools entering school administration, technology general controls are no longer optional.
10. Own your audit findings completely. When a management letter finding lands on your desk, develop a corrective action plan with assigned owners, clear deadlines, and a documented follow-up mechanism. Track every finding to completion. Close it before the next audit cycle begins. Remediation is not a clerical task — it is a professional obligation under ASBO International Professional Standards.
This third article in a series on internal controls for school business officials provides a 10-step process for implementing internal controls.
The standards tell you what is required. The frameworks tell you how to structure it. These 10 steps give you the order of operations to make it real in your district — starting with the highest-risk processes and building outward, one control at a time. Every district is different. Every business office has different staffing, systems, and risk exposure. What doesn't change is the obligation: design the control, document it, test it, and own the result.
For additional guidance, review the following resources:
|
|
|
|
|
|
Fiscal Crisis & Management Assistance Team (FCMAT) — California
|
A self-evaluation checklist specifically developed for local educational agencies (LEAs) maps to all five COSO components with yes/no questions that identify control weaknesses across cash receipts, disbursements, payroll, purchasing, and student activity funds; a "No" response indicates a deficiency requiring remediation.
|
|
|
Alabama Association of School Business Officials (AASBO)
|
Practical presentation covering control definitions, the difference between policies and procedures, student activity fund cash controls, pre-numbered receipt books, bank account authorization, and how local school bookkeepers interact with the district's audit function.
|
|
|
Wisconsin Association of School Business Officials (WASBO)
|
Board-level and SBO-level overview of internal control responsibilities in school districts; covers where risks exist, how controls can be established, and practical examples of preventive and detective controls in school business office operations
|
|
|
U.S. Office of Management and Budget (OMB) / White House
|
A concise summary table of all five COSO/Green Book components and their 17 principles with illustrative controls for each; the most accessible free one-document summary of the complete COSO framework directly applicable to government entities, including school districts.
|
|
|
U.S. Government Accountability Office (GAO)
|
The authoritative internal control standard for all government entities, including school districts, covers all five components and 17 principles with the 2025 additions of documented risk assessment results and explicit requirements for fraud, improper payments, and information security — effective FY 2026.
|
|
|
Association of School Business Officials International® (ASBO International)
|
The Certificate of Excellence in Financial Reporting scoring checklist evaluates whether a district's ACFR meets GASB disclosure and presentation requirements through GASB Statement No. 100; it is best used as a GASB compliance verification tool after controls are in place — not a controls primer, but a critical reporting completeness crosswalk.
|
Related Reading in School Business Now
Internal controls can increase available revenue for education by reducing fraud, theft, waste, and misappropriation. School districts can establish solid internal controls by following several principles.
The CFO, accounting team, and auditor can work together constructively and collaboratively. Even though they have different but complementary roles, they share the goal of improving the district’s financial processes, accuracy, and reliability.
Do your employees understand what conflict of interest is? Do you, as a school finance professional, know how to protect your organization from the fallout of conflicts of interest?
Keys to developing a comprehensive internal control document.
How to ensure tight internal controls through adequate cross-training of school business staff members.
Being prepared for the unexpected can ensure continuity in the school business office.
It is possible to add internal audit functions in your district even if you cannot add an internal auditor to the staff.
A primary document in the school business office is the Annual Comprehensive Financial Report. It is critical for SBOs to understand its elements so they can utilize it to its fullest.
Integrating artificial intelligence into school business operations presents both challenges and rewards. Examine AI maturity models and their successful implementation into your district operations.
How a data-driven audit of "fixed" costs allowed one large Indiana district to fund 20% raises within a standard budget
This article was curated with the assistance of two AI tools, each serving a distinct and limited function. Perplexity AI (Perplexity AI, Inc., April 2026), a large language model, was used to compile research, locate and verify applicable standards and source documents, and assist with content drafting. QuillBot™ (QuillBot Inc.®), an AI-powered writing tool, was used for sentence-level fluency, readability, and editorial refinement—not for content generation. All factual claims were independently confirmed by the author against primary sources, including the GAO Green Book (2025), GASB pronouncements, COSO publications, and AICPA standards. Professional analysis, practice recommendations, and all editorial decisions — including content selection, structural organization, emphasis, and framing — are the author's own. AI assistance is disclosed in accordance with School Business Now Author Guidelines.