YUMA — Yuma County officials on Sept. 15 described a series of administrative and technical steps intended to protect public money after a multiyear embezzlement case in another Arizona county prompted statewide reforms. Chief Financial Officer Humberto del Castillo and County Treasurer David Alexander told the Board of Supervisors the county has tightened internal controls, improved cross‑department oversight and is rolling out employee training and whistleblower tools.

The presentation began with an example of a fraud attempt the county stopped. “This looks suspicious,” CFO Humberto del Castillo said crediting payroll employee Carmen Anderson for pausing and calling to verify a purported direct‑deposit change that arrived via email and fax. After the callback, staff confirmed the request was fraudulent and the payroll deposit was not sent to the bogus account.

Why it matters: Arizona lawmakers passed HB2368 to increase fiscal transparency after the Santa Cruz County treasurer’s multi‑year theft came to light; the law allows the state auditor to access county bank records directly. County officials said they are implementing that law while strengthening local safeguards so the auditor’s access is read‑only, tightly controlled and logged.

What officials told the board: Del Castillo and Alexander described layered protections the county uses: segregation of duties so the same person cannot both initiate and approve transactions; dual verification and callback procedures for electronic transfers; vendor bank‑account verification when payment information changes; monthly reconciliations and annual GASB‑40 reporting on deposits and investments; and collaboration with external auditors to meet single‑audit federal requirements.

Del Castillo said the county has created a working group with IT, risk management, county administration and finance to address a recurring audit finding tied to IT access and controls. He said the group has performed at least one internal audit that eliminated unnecessary user licenses, is drafting standard operating procedures for access requests in the county’s ERP (Oracle) and will test an emergency plan to maintain operations if IT systems are disrupted.

Treasurer David Alexander described continuing collaboration between the treasurer’s office and finance, routine monthly reporting and the county’s approach to investment disclosures. He emphasized traditional safeguards such as audit‑ready documentation and repository of supporting paper and digital records the county keeps for external review.

On auditor access to accounts: Several supervisors raised questions about the state auditor’s new direct access to county bank accounts and whether that access increases risk. Alexander and Del Castillo said the auditor’s access is read‑only and banks require multi‑step verification, dual approvals and a phone confirmation with the treasurer before granting any access. The county also logs who views accounts and when, the officials said.

On training and technology: The county plans a training schedule developed with ITS, Alexander said. Both officials noted vendor contracts for appraisal or cost data (e.g., Marshall & Swift or Tyler Technologies) can include proprietary elements; Alexander said those vendors’ counsel declined to share certain underlying proprietary algorithms on request, and that separate legal routes exist for third parties seeking those records.

Board response and next steps: Supervisors pressed for continued vigilance, frequent updates on the IT corrective plan, and scheduled employee fraud‑prevention training. The county administrator said an anonymous online whistleblower reporting tool will be launched soon. The CFO and treasurer said they will continue monthly coordination with the auditor general and report on progress before the next audit cycle.

Ending: Officials said the county’s approach is to view fraud prevention as an ongoing, countywide culture of “cultural vigilance,” not a one‑time checklist, and urged employees to pause and verify any unusual or urgent financial request.