
How to Do a Fraud Risk Assessment in a Local School District

Why “passing the audit” is not the same as protecting taxpayer money


Local school districts manage hundreds of millions of dollars across payroll, procurement, grants, construction, and student programs. Yet most districts rely on a compliance audit to reassure the board and the public that things are “under control.” I have experienced this at the school district where I am a volunteer on the Audit Committee.


Management is responsible for having risk assessments in place to evaluate how well it is protecting the school district from the risks it is charged with managing.


Not having this type of risk assessment in place is a material weakness.


A fraud risk assessment (FRA) answers a different question than the annual audit:


Where is money most likely being lost right now—and why haven’t we caught it?


If you don’t ask that question explicitly, you’re guessing.


1. What a Fraud Risk Assessment Is (and Is Not)


A fraud risk assessment is:

A fraud risk assessment is not:

  • A checklist

  • A “gotcha” exercise

  • A substitute for internal audit

  • A compliance form for the state auditor


Compliance audits tell you whether required controls exist. Fraud risk assessments tell you whether those controls actually work.


2. Start With Reality, Not the Org Chart


The fastest way to fail a fraud risk assessment is to start with policies.


Instead, start with how money really moves:

  • Who initiates spending?

  • Who approves it?

  • Who records it?

  • Who reconciles it?

  • Who reviews exceptions?

  • Who benefits if controls fail?


In many districts, the answer to multiple questions is:

“The same person… because we’re short-staffed.”


That’s not a moral failure. It is a fraud risk.


3. Identify the Highest-Risk Areas (Hint: It’s Not the Classroom)


In almost every school district, fraud risk concentrates in the same places:


Procurement & Contracting

  • Vendor favoritism

  • Split purchases to bypass thresholds

  • Weak oversight of change orders

  • Paying for services not fully delivered


Why it’s risky: money goes out before performance is verified.


Payroll & HR

  • Ghost employees

  • Extra-duty stipends without documentation

  • Overtime abuse

  • Delayed removal of terminated employees


Why it’s risky: high volume + trusted insiders.


Grants & Federal Programs

  • Unsupported costs

  • Improper time-and-effort reporting

  • Noncompliance leading to clawbacks


Why it’s risky: complex rules and limited expertise.


P-Cards, Travel, and Site-Level Spending

  • Personal purchases

  • Split transactions

  • Rubber-stamp approvals


Why it’s risky: decentralized spending with weak review.


Capital Assets & Inventory

  • Missing equipment

  • Incomplete inventories

  • Poor disposal controls


Why it’s risky: assets quietly walk away.


4. Define Fraud Schemes, Not Just “Risks”


A real fraud risk assessment names specific schemes, not vague threats.


Bad example: “Risk of fraud in purchasing.”


Good example: “Risk that a site administrator splits purchases across multiple P-card transactions to avoid competitive bidding and directs purchases to a preferred vendor.”


If you can’t describe how fraud would occur, you can’t prevent it.
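
An added example, not part of the original article: one way to turn the split-purchase scheme described above into a data-analytics test over a P-card ledger. The $10,000 bid threshold, the 7-day window, the record layout and the sample transactions are all assumptions constructed for illustration.

```python
from collections import defaultdict
from datetime import date, timedelta

BID_THRESHOLD = 10_000.00   # assumed competitive-bidding threshold (hypothetical)
WINDOW = timedelta(days=7)  # assumed window in which related purchases are grouped

# Constructed sample P-card ledger: (cardholder, vendor, date, amount)
SAMPLE_TXNS = [
    ("site_admin_a", "Acme Supply", date(2024, 3, 4), 4800.00),
    ("site_admin_a", "Acme Supply", date(2024, 3, 5), 4900.00),
    ("site_admin_a", "Acme Supply", date(2024, 3, 6), 4700.00),
    ("site_admin_a", "Other Vendor", date(2024, 3, 6), 1200.00),
    ("site_admin_b", "Acme Supply", date(2024, 3, 4), 9500.00),
    ("site_admin_b", "Acme Supply", date(2024, 4, 20), 9000.00),
    ("site_admin_c", "Paper Co", date(2024, 3, 4), 12000.00),
]

def find_split_purchases(txns, threshold=BID_THRESHOLD, window=WINDOW):
    """Return clusters of sub-threshold purchases by one cardholder from one
    vendor that together reach the threshold inside the window."""
    by_pair = defaultdict(list)
    for holder, vendor, day, amount in txns:
        if amount < threshold:  # purchases at or over the threshold already trigger bidding
            by_pair[(holder, vendor)].append((day, amount))
    findings = []
    for (holder, vendor), rows in by_pair.items():
        rows.sort()
        start, total = 0, 0.0
        for end, (day, amount) in enumerate(rows):
            total += amount
            while day - rows[start][0] > window:  # drop purchases older than the window
                total -= rows[start][1]
                start += 1
            if end > start and total >= threshold:
                findings.append({
                    "cardholder": holder, "vendor": vendor,
                    "count": end - start + 1, "total": round(total, 2),
                    "first": rows[start][0], "last": day,
                })
                start, total = end + 1, 0.0  # start a fresh cluster after reporting
    return findings

if __name__ == "__main__":
    for finding in find_split_purchases(SAMPLE_TXNS):
        print(finding)
```

A hit is a lead for independent review, not proof of fraud; the reviewer still has to check whether the purchases were genuinely separate needs.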


5. Evaluate Controls the Way Fraudsters Do


For each fraud scheme, ask three blunt questions:

  1. What control is supposed to stop this?

  2. How is it actually performed in practice?

  3. How easy would it be to bypass?


Many districts discover that:

  • Reviews are undocumented

  • Approvals are automatic

  • Reconciliations are late

  • Exceptions are ignored


On paper, controls exist. In reality, they’re ceremonial.


6. Score Risk Honestly (This Is Where School Boards Get Uncomfortable)


Fraud risk should be rated using likelihood × impact.


High-risk areas usually have:

  • Large dollar volume

  • Manual processes

  • Limited segregation of duties

  • High trust, low verification


If everything ends up rated “medium,” the assessment wasn’t honest.


7. Tie Results to Action—Not More Policies


The output of a fraud risk assessment should be:

  • A prioritized risk register

  • Clear ownership of each risk

  • Specific remediation actions

  • Realistic timelines

  • Monitoring plans


What it should not be:

  • Another policy

  • Another training video

  • Another memo no one reads


Sometimes the fix is simple:

  • Independent review

  • Better data analytics

  • Rotating duties

  • Surprise checks


Sometimes it requires leadership courage:

  • Saying “no”

  • Challenging long-standing practices

  • Reducing discretion


8. Why This Matters More Than Ever


Enrollment declines, funding pressure, and staffing shortages create perfect fraud conditions:

  • More pressure

  • Fewer controls

  • Less oversight


When fraud surfaces in a school district, the damage isn’t just financial. It’s reputational, political, and community-wide.


The worst sentence a board can hear is: “The fraud occurred over many years and went undetected.”


A fraud risk assessment exists to make sure that sentence is never written.


Final Thought


If your district has never performed a formal fraud risk assessment, the question is not whether fraud exists.


The question is: How much are you willing to lose before someone else finds it for you?


John C. Blackshire, Jr. Retired CPA

 
 
 
