How Much Could a School District Lose to Waste, Fraud & Abuse With Only Minimum Internal Controls?

Why “compliance” is not enough — and what real risk looks like for an $800M district like Tucson Unified School District!

School districts are responsible for stewarding hundreds of millions of taxpayer dollars each year — funding everything from teachers and classrooms to transportation, food service, technology, and community programs. But all too often, public sector organizations mistake checking the box for protecting assets.

In Arizona, the Uniform System of Financial Records (USFR) Compliance Questionnaire issued by the Arizona Auditor General prescribes the minimum internal control policies and procedures that must be documented in a financial audit. Districts that can demonstrate these controls are in compliance with state requirements.

But here’s the hard truth: passing the Compliance Questionnaire doesn’t guarantee that fraud, waste, and abuse are being prevented or detected early. And when a large district — say one with $800 million in revenue like TUSD — relies only on these minimum controls, the financial exposure can be significant.

What the USFR Compliance Questionnaire Actually Tests

The USFR Compliance Questionnaire covers basic internal control areas including:

• Governance and conflict-of-interest policies

• Budgeting and budget monitoring

• Accounting records and reconciliations

• Cash and revenue controls

• Procurement and purchasing policies

• Credit and purchasing card usage

• Payroll policies

• Property control and inventory

• Student attendance and reporting

• Financial reporting and IT-related controls

Audit firms must gain an understanding of the district’s internal controls, perform test work, and document sufficient evidence supporting their questionnaire responses.

Meeting these requirements demonstrates compliance with the minimum statutory standards — but it does not ensure that controls are operating with adequate effectiveness, nor that they are tailored to mitigate actual fraud risks.

Minimum Controls vs. Effective Controls

Minimum internal controls are often policy-based — meaning the district has policies that appear to cover key risk areas. But in many districts, these controls are informational rather than functional, such as:

• Policies exist but are not enforced

• Approvals are rubber-stamped without verification

• Reconciliations are done late or only on paper

• Segregation of duties is impractical due to staffing constraints

These weaknesses are almost impossible to spot from the outside, yet they create fertile ground for:

• Procurement schemes

• Payroll manipulation

• Misuse of purchasing cards

• Improper vendor payments

• Unrecorded liabilities

• Asset misappropriation

Compliance questionnaires aren’t designed to test control effectiveness — they only establish whether the required procedures are documented and performed at a basic level. 

Quantifying the Risk: What Losses Look Like in Practice

There’s no magic formula that says “x% of spend will be lost” in every organization. But a large body of research and real-world loss data across public sector entities shows that:

• Organizations with weak or minimum controls often lose 3% – 7% of total expenditures to waste, fraud, and abuse annually.

• In some jurisdictions and sectors with weak oversight, losses exceed 7%.

• Stronger controls and active monitoring typically reduce losses to 1% – 2% or less.

Let’s apply that to an $800,000,000 school district budget:

Estimated Annual Loss Range

Even at the low end, $24 million per year lost to waste, fraud, and abuse is not a rounding error for TUSD. Over five years, that’s over $120 million that could have funded classrooms, safety initiatives, teacher pay, technology upgrades, or student support services.

Why Minimum Compliance Isn’t Enough

Meeting the minimum internal control standards has value — it ensures statutory compliance and reduces the risk of audit findings. But:

• Minimum controls don’t test for real-world threats like collusion, override of controls, or systemic procedural gaps.

• They don’t force regular fraud risk assessments tailored to the district’s unique operations.

• They don’t measure control performance over time, only that a policy exists and some related procedures were documented.

In fact, the Compliance Questionnaire itself includes questions about whether allegations of fraud, theft, or misuse were appropriately reported and resolved, showing that auditors expect these risks to exist.

What The Management at Districts Should Do Instead

To meaningfully reduce losses from waste, fraud, and abuse, districts should move beyond check-the-box compliance and adopt:

1. Formal Fraud Risk Assessments

Identify likely fraud schemes and vulnerabilities based on actual processes rather than generic lists.

2. Segregation of Duties Review

Ensure that no one individual controls all parts of a high-risk transaction.

3. Data Analytics & Exception Monitoring

Use system data to flag anomalies before they become losses.

4. Ongoing Control Testing

Test transactions and control performance throughout the year, not just at audit time.

5. Whistleblower Mechanisms

Encourage confidential reporting and follow up promptly on all credible tips.

Conclusion: Compliance Is a Floor, Not a Ceiling

The Arizona Auditor General’s USFR Compliance Questionnaire sets a baseline for internal controls — but baselines do not equal risk management maturity.

An $800 million school district that stops at minimum compliance is leaving tens of millions on the table every year. Those funds are not just numbers — they represent vital resources for students, teachers, and communities.

At Accountware Group, we help organizations bridge the gap between compliance and real control effectiveness. If your district is serious about protecting its resources and improving outcomes, the time to elevate your internal control framework is now.

Check out CCS's CPE Webinar CPE Training events on Fraud & Forensic subjects and the events on Internal Controls