Not sure how to report a loss? SAO’s updated policy has the answers

Nov 9, 2023

State and local governments should be familiar with RCW 43.09.185, which requires them to immediately report all known or suspected losses to SAO. But the statute's long history has come with a lot of questions and confusion. For example, what constitutes a “loss”? Are there times when “immediately” doesn't make sense for the situation?

Further, the statute did not leave any wiggle room—requiring you to immediately report even something small like a lost screwdriver. To help in resolving these complications, the Legislature amended the law. Effective in 2022, the law now includes that “The state auditor must adopt policies as necessary to implement this section.”

SAO published the first version of its new general loss reporting policy in accordance with the law in 2022. Recently, we updated the policy with additional information and clarifications to help governments determine what they need to report.

While SAO takes seriously all instances of misappropriation and loss of public funds in government, this policy clarifies what types of losses governments should report to SAO’s Fraud Program. Make sure to check out the policy here to understand the full description of what losses to report this way, and how to report others.

Here are just a few clarifications on losses that we’re commonly asked about. Unless employee involvement cannot be ruled out completely, you do not need to report things like:

  • Unauthorized credit card attempts and/or transactions initiated by an external party that are determined fraudulent by the bank and refunded.
  • Cellphones, tablets, laptops or similar assets assigned to employees that were stolen by an external party. We recommend governments report these to the police.
  • Eligibility-based funding provided to an external party based on incorrect or falsified eligibility information. As described in the full policy, governments may need to report these to their granting agencies.

In addition, with the exception of the types of cyber losses identified in the policy, losses or illegal activity resulting from actions made by external parties—including vendors, contracted service providers, subrecipients and other nongovernmental parties—should be reported to your audit team as part of your normal audit. They do not need to be reported to SAO’s Fraud Program.

As a reminder, you must report all cybersecurity incidents that involve your finances or financial records. Refer to the policy for further clarification and examples. Remember, we are happy to help you sort through this process. Just email us at