Local governments carry big responsibilities, often with lean teams, tight budgets, and a high bar for public trust. Strong internal controls can help your organization safeguard assets, produce reliable information, and maintain public trust.

In this article, we outline practical steps that you can implement immediately. These steps are grounded in the Committee of Sponsoring Organizations (COSO) framework and tailored for real-world constraints, so your organization can prevent, detect, and correct issues before they become headlines.

What does internal control really mean?

Simply put, COSO defines internal controls as a process that provides reasonable, not absolute, assurance that you will achieve your objectives. This process is often led by your governing body, management, and staff. For governments, those objectives usually center on:

• Effective, efficient operations
• Reliable financial reporting, including monthly management reports and annual financial statements
• Compliance with laws, regulations, and policies

Within any strong internal control process, there are three key areas of control, which are: 

• Preventive: Stop issues before they happen (e.g., dual signatures on checks).
• Detective: Surface issues after they occur (e.g., reconciliations, exception reports).
• Corrective: Fix root causes so problems don’t recur (e.g., policy updates, retraining).

It’s important to remember that internal controls is a living system that people carry out every day—not just a binder on a shelf—and it needs periodic tuning as your risks, staff, systems, and environment change.

The 5 pillars of a strong control system

There are five pillars of a strong control system. Add another sentence here. These pillars include:

1. Control environment

It’s vital to remember that culture drives conduct, and a strong foundation of internal control should be set from the top of the organization. As a leader, you can set and reinforce expectations through multiple efforts. For example, instead of simply having a code of conduct and conflict-of-interest policy, actively train your team on these policies to ensure they understand the expectations of your organization. Another way is to implement anonymous reporting (whistleblower) channels. This open line of communication that allows anyone to report violations doesn’t have to be complicated either. Simply having a locked drop box that can be reviewed by a board member works in many scenarios.

We all know folks who pride themselves on the numerous days of PTO they have accrued. While being committed to an organization and having a strong work ethic are positive things, going long stretches without days away from work can, in fact, be a negative. A great way to catch potential anomalies—or worse—is to implement mandatory vacations and rotate duties.

Finally, part of having a solid control environment is ensuring consistency with your hiring and training efforts. Having clear job descriptions, documented onboarding, and annual performance reviews can ensure that your organization

2. Risk assessment

Conducting a risk assessment to evaluate the areas that could hinder an organization’s ability to achieve its objectives doesn’t have to be complicated. A simple, yet practical, approach is often best for most organizations. There are three key areas to assess during this process, with the first being where error or fraud could occur.  Identifying where this could occur is especially important for key areas, such as cash, payroll, procurement, receipting, and journal entries.

The next important area is to estimate significance. This can be measured in both dollars and likelihood. Finally, the last area to assess is the ability to mitigate the risk with targeted controls that balance cost versus benefit.

3. Control activities

The purpose of control activities is to ensure that the correct policies and procedures are in place for the day-to-day activities of an organization. We’ll explore more related to this in the detailed playbooks below.

4. Information & communication

This pillar is based on delivering accurate and timely financial information both internally and to the board. This should include budget-to-actual with explanations of material variances. It’s key to ensure that relevant information is available within a reasonable time frame to ensure that other pillars are supported, too.

5. Monitoring

Finally, a strong control system should not be set up, then forgotten about. Ongoing monitoring supports this by verifying that controls still work. While monitoring, it’s important to conduct independent reviews. In your organization, perhaps this may look like a board member checking bank reconciliation monthly. Another way this could be done is to conduct spot checks of transactions throughout the year instead of waiting for an audit. Or you may review policies and procedures on an annual basis or when personnel, systems, or processes change.

Playbooks for high-risk areas

1. Cash disbursements: Accounts payable & purchasing 

For your organization’s cash disbursements, always consider what could go wrong. Issues such as payments to fictitious or incorrect vendors, wrong amounts, duplicate payments, kickbacks, or period misstatements could cause more harm than simply losing money. 

To mitigate these risks, set core controls, such as:

• Segregate duties among invoice approval, mail opening, check/EFT preparation, check signing, and bank reconciliation.
• Approval trails that include documented signoffs before payment.
• Dual signatures on checks (no preprinted/stamped signatures).
• Procurement cards should apply the same approval & receipt retention as accounts payable and be reconciled monthly by someone other than the cardholder.
• Vendor controls, like only adding or changing vendors with independent review, requiring W-9, and watching for duplicate addresses or bank accounts.

Bank reconciliations should be completed by someone without cash disbursement duties or by an independent reviewer, such as a board member, who will sign and date the finished reconciliation. This person should also review images of canceled checks for authorized signatures and appropriate payees.

If you must keep petty cash, keep the funds small and locked. You should have a log and receipts of all withdrawals and reconcile and record replenishments correctly and regularly. 

2. Payroll

When it comes to payroll, several things could go wrong without proper internal controls. Issues such as ghost employees, unauthorized pay rate changes, inflated hours, and improper PTO usage can put significant strain on organizations.

To mitigate these issues from occurring, consider setting core controls, such as:

• Timesheets or timecards must be approved by supervisors, with PTO explicitly reviewed. 
• New hires and rate changes should be entered by one person and approved by another, with a change report run after each payroll.
• Annual board approval of specific pay rates (not just “3% across the board”) to preserve a clear audit trail.
• Reconciling payroll registers to the general ledger and bank activity each pay cycle.

Especially in organizations where staffing may be limited, it can be helpful to run a periodic “active employees” list and have a manager outside payroll confirm every person and pay rate.

3. Cash receipts & accounts receivable

When cash is involved, many things can go wrong—including skimming, misapplied receipts, unrecorded deposits, uncollected receivables.

A few of the ways that your organization could mitigate these risks is to set up the following core controls:

• Separate cash handling, deposit preparation, system posting, and bank reconciliation whenever feasible.
• Maintain a deposit log (prepared by the cashier) and provide copies of checks/remittance lists to the poster for cross-check.
• Daily cash receipts report by major category; record deposit dates.
• Always issue receipts to payers.

Another helpful tip is for accounts receivable to generate aging reports and follow escalation steps for past-due balances to ensure that all funds are where they should be.

Board oversight that actually works

The process of developing strong internal controls is most effective when the board oversight actually helps the organization achieve its goals. To achieve this, it’s recommended to provide the board with:

• Monthly budget-to-actual with explanations for variances over a set threshold.
• A brief “unusual items” memo (e.g., large, one-time transactions; corrections; grant timing).
• Adequate time on the agenda to ask questions, ideally with materials sent in advance.

Practical, right-sized steps for small governments

We understand that resources are often limited for small governments. This is why we recommend prioritizing controls that deliver the most assurance per dollar, including:

• Independent bank reconciliation review (by a board member if needed).
• Dual approval for disbursements and vendor changes.
• Mandatory time away for anyone handling cash, receipting, accounts payable or payroll.
• Simple whistleblower channel with clear, non-retaliation language.
• Monthly variance analysis (budget vs. actual) and a short exceptions memo.
• Annual policy refresh plus a quick controls “fire drill” after staff or system changes.

While it’s always important to apply a cost-benefit lens, remember, small, low-cost checks, like independent reviews and duty rotation, can yield outsized protection.

A quick self-assessment you can start this month

If your organization feels unsure of where to start, this quick self-assessment can help you identify what your next steps should be:

1. Do we have documented, up-to-date policies and procedures, and do staff receive regular training?
2. Are duties segregated in accounts payable, payroll, and receipting, or independently reviewed when full segregation isn’t possible?
3. Are bank reconciliations completed monthly and independently reviewed?
4. Do we require supporting documentation and pre-approval for all purchases, including Procurement-Cards?
5. Do the board and management receive timely, accurate reports with variance explanations?
6. Do we have an anonymous reporting mechanism and a culture that supports its use?
7. Have we tested our controls recently (spot checks, walkthroughs), and updated them for staffing or software changes?

If you can’t answer “yes” to most of these, you have a focused roadmap for improvements.

Bottom line

When it comes to internal controls, the best offense is good defense. Thoughtful, right-sized internal controls, supported by a strong tone at the top, clear communication, and ongoing monitoring help local governments safeguard assets, produce reliable information, and maintain public trust. Start with the high-risk areas, build consistency, and keep iterating.

Need help benchmarking your controls or tailoring these steps to your municipality?

Our Governmental & Nonprofit team works with boroughs, townships, authorities, and districts across the Mid-Atlantic. We’re glad to review your current process and identify practical, cost-effective enhancements. Learn more about how we can support your organization and reach out to one of our Members to get started.