Auditing Essentials: Get Ready It's Audit Time!

Presented By:
Christopher Bitakis
Audit & Consulting Sr. Manager
REDW
Office: (505) 998-3496
Brandy Underwood
Compliance Supervisor
Finley & Cook
Office: (405) 878-7307
Rachel Loudon
Compliance Manager
Finley & Cook
Office: (405) 878-7303
Che Downs
General Manager
Kickapoo Casino
Office: (405) 964-4444
Training Goals
• Auditing Basics
– Auditor Independence and Standards
– Types of Audits and Auditors
– Audit Objectives
• MICS Audit
– Common Findings and How to Avoid Them
• Key Points and Concepts
– Audit Goals
– System of Internal Controls
– Management Responses
– Corrective Action
Auditing Basics
Auditing: A systematic process of (1) objectively
obtaining and evaluating evidence regarding
assertions about economic actions and events to
ascertain the degree of correspondence between
those assertions and established criteria and (2)
communicating the results to interested users.
Auditing Basics
• Objectively obtain and evaluate evidence
– Auditor independence and evaluation
• Impartial, intellectually honest, and free from influence or conflict of interest
• Report directly to Tribe, TGRA, or Audit Committee
• Based on fact, experience, or some measurable quality
– Evaluate compliance
• Inquire with staff
• Review documentation
• Unannounced observation
Auditing Basics
• Test Compliance with established criteria
– Applicable Standards including, but not limited to:
• Generally Accepted Accounting Principles (GAAP)
• Generally Accepted Auditing Standards (GAAS)
• Minimum Internal Control Standards (MICS)
• Tribal Internal Control Standards (TICS)
• System of Internal Control Standards (SICS)
• Title 31 Regulations
• State Compact
Auditing Basics
• Communicate Results
– Audit Deliverables
• Internal Audit Report
• Opinion
• Agreed Upon Procedures (AUP)
• Management Responses
– External Audit Communications
• Material weakness – Reasonable possibility that a material misstatement of the entity’s financial
statements will not be prevented or detected and corrected on a timely basis
• Significant deficiency – Less severe than a material weakness, yet important enough to merit
attention by those charged with governance
• Control deficiency – The design or operation of a control does not adequately prevent, or detect and
correct, misstatements on a timely basis
– Exit Meeting
• Discuss findings
Audit Objectives & Auditor Responsibilities
– Financial Audit
• Auditor expresses an opinion on whether the financial statements are presented
fairly, in all material respects, and in accordance with applicable financial
reporting framework
– Income Statements and Balance Sheet
» Subsidiary ledgers to support the Balance Sheet
– Statement of Revenue and Expenses; operations by product lines
– Statement of Cash Flows
– Notes to Financial Statements
• Provide reasonable assurance that the financial statements are free from
material misstatement, whether due to fraud or error
– Reasonable assurance, not absolute
» Obtain sufficient appropriate audit evidence to reduce audit risk to acceptably low
level
• Audit evidence is necessary to support the auditor’s opinion and report
– Accounting records, prior Audit Reports, etc.
Audit Objectives & Auditor Responsibilities
– Agreed Upon Procedures (AUP)
• Review of Internal Audit
– MICS 542.3 (Class III gaming) – two options
» Re-perform work of the Internal Auditor
• 3% of the procedures for Gaming Machines and Table Games
• 5% of all other applicable MICS checklists
• Still complete entire Drop & Count and Internal Audit MICS checklists
» Testing all areas by completing all applicable MICS checklists
– MICS 543.23 (Class II gaming) – two options
» Determine the adequacy of the Internal Audit procedures
• If properly completed, rely on the work of the Internal Audit for completion
of MICS checklists
» Testing all areas by completing all applicable MICS checklists
– Other Reports – transfer agreements, exclusivity fees, state net win and
communication of internal control matters over financial reporting
Audit Objectives & Auditor Responsibilities
• Internal Audit
– Audit each department of the casino
• Test compliance with TICS, SICS, and MICS at least annually
– Scope may be extended to include other regulations or areas:
» Title 31, Title 26, Payroll, Food & Beverage
Internal Auditing: Assurance, Insight, Objectivity (Institute of Internal Auditors (IIA))
• Identify risks and report deficiencies
– Develop a strong partnership with management and TGRA
» Make recommendations to enhance risk management and internal controls
» Serve as a catalyst for continuous improvement
• Conduct follow-up (within 6 months) to determine if corrective action has been
implemented
Audit Objectives & MGMT/TGRA Responsibilities
– Management and TGRA
– Auditor selection and planning
• Solicit and evaluate Requests for Proposals (RFP)
– Assess technical qualifications and proposed fees
• Multi-year vs. single year audit contracts
– First year audits require more time and are more costly for auditors
– Periodic auditor rotation is a common practice
– Responsibilities fundamental to the conduct of the audit
• Preparation and fair presentation of financial statements
• Design, implementation, and maintenance of internal controls
• Provide auditors with:
– Access to all information relevant to the audit
– Unrestricted access to persons within the entity from whom the auditor determines it
necessary to obtain audit evidence
– Provide Management Responses
• Implement Corrective Action
– Adequate, effective, and efficient
MICS Audit – Common Findings
• MICS 542.16(a)(1)(iii)/(iv) & (6) – Information Technology, General Controls for Gaming
Hardware and Software
– Related MICS Part 543: Logical & Physical Security, User Controls 543.20(d),(e),&(f)
Standard 542.16(a)(1)(iii)/(iv) & (6)
(1) Management shall take an active role in making sure that physical and logical security measures are implemented, maintained, and adhered to by personnel to prevent unauthorized access that could cause errors or compromise data or processing integrity.
(iii) Access to systems software and application programs shall be limited to authorized personnel.
(iv) Access to computer data shall be limited to authorized personnel
(6) The computer systems, including application software, shall be secured through the use of passwords or other approved means where applicable. Management personnel or persons independent of the department being controlled shall assign and control access to system functions.
– Common Findings:
• Associate system access/permissions are not consistent with policies and procedures
• Users are not properly set up in the system because adequate controls are not in place
– Inadequate setup form, no setup form
• Super users in IT
User Access Resolution
• Develop policies and procedures to detail processes for user access changes and ensure
staff is properly trained
– User access changes (new hire, termination, transfer)
• Develop a comprehensive access change form
• Who is required to authorize the form?
– Human Resources to verify employee name, position, start/term/transfer date
• Who is authorized to add/remove user access and make changes to user groups?
– Require User Access Change Request forms with all applicable information:
• User information
• System, badge, and key access
• Signatures of requestor, authorizer and associate making the access changes
– Ensure permissions for point adjustments, comp issuance, voucher processing,
archiving accounts, etc. agree with policies and procedures
– Ensure IT Users have administrative accounts, not super users
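The access checks listed above can be run as a periodic reconciliation of system accounts against HR records and signed access change forms. The following is an added example, not part of the original presentation; the employee IDs, system names, role names (including "superuser") and record layout are hypothetical, and all data is constructed.

```python
# Constructed inputs: HR roster, access change forms, and a system account export.
HR = {
    "E100": {"name": "A. Lee", "dept": "Marketing", "status": "active"},
    "E101": {"name": "J. Roy", "dept": "IT", "status": "active"},
    "E102": {"name": "T. Fox", "dept": "Cage", "status": "terminated"},
}
FORMS = [  # one record per User Access Change Request form
    {"emp": "E100", "system": "player_tracking", "role": "marketing_mgr",
     "requestor": "B. Cruz", "authorizer": "K. Hale", "changed_by": "J. Roy"},
    {"emp": "E101", "system": "player_tracking", "role": "admin",
     "requestor": "M. Dunn", "authorizer": "", "changed_by": "J. Roy"},
]
ACCOUNTS = [
    {"emp": "E100", "system": "player_tracking", "role": "marketing_mgr"},
    {"emp": "E100", "system": "accounting", "role": "ap_clerk"},
    {"emp": "E101", "system": "player_tracking", "role": "superuser"},
    {"emp": "E102", "system": "cage", "role": "cashier"},
]
# Signatures the form requires: requestor, authorizer, associate making the change.
SIGNATURES = ("requestor", "authorizer", "changed_by")

def review_access(hr, forms, accounts):
    """Return ((employee, system), finding) pairs for accounts that fail a check."""
    approved = {(f["emp"], f["system"]): f for f in forms}
    findings = []
    for a in accounts:
        key = (a["emp"], a["system"])
        emp = hr.get(a["emp"])
        if emp is None or emp["status"] != "active":
            findings.append((key, "account for non-active employee"))
        form = approved.get(key)
        if form is None:
            findings.append((key, "no access change form"))
        else:
            unsigned = [s for s in SIGNATURES if not form.get(s)]
            if unsigned:
                findings.append((key, "form missing signature: " + ", ".join(unsigned)))
            if form["role"] != a["role"]:
                findings.append((key, "role differs from approved form"))
        if emp and emp["dept"] == "IT" and a["role"] == "superuser":
            findings.append((key, "IT super user account"))
    return findings

if __name__ == "__main__":
    for key, finding in review_access(HR, FORMS, ACCOUNTS):
        print(key, finding)
```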
MICS Audit – Common Findings
• MICS 542.13(h)(17) & (18) – Gaming Machines, Evaluating Theoretical
and Actual Hold Percentages
– Related MICS Part 543: Revenue Audit, Bingo 543.24(d)(1)(iv)
Standard 542.13(h)(17) & (18)
(17) The statistical reports shall be reviewed by both gaming machine department management and management employees independent of the gaming machine department on at least a monthly basis
(18) For those machines that have experienced at least 100,000 wagering transactions, large variances (three percent (3%) recommended) between theoretical hold and actual hold shall be investigated and resolved by a department independent of the gaming machine department with the findings documented and provided to the Tribal gaming regulatory authority upon request in a timely manner
– Common Findings:
• No documentation of review
• No documentation of investigation or resolution
Evaluating Theoretical to Actual Hold
Percentage Resolution
• Develop policies and procedures to detail the review and investigation of
Gaming Machine Statistical Reports:
– What is the established variance threshold?
• Per MICS 542, +/- 3% is recommended
• Per MICS 543, TGRA must establish a threshold
– Who is responsible for preparing the report and when?
• Recommend a full report with all machines, and a summary report with only those that meet
the established variance threshold
– Who is responsible for reviewing the reports?
• Gaming Machine Department and independent agent
– Who is responsible for investigating and resolving variances?
– Who is responsible for retaining the documentation?
MICS Audit – Common Findings
• MICS 542.13(m)(7) – Accounting/Auditing Standards
– Related MICS Part 543: Drop & Count, Variances 543.17(k)
Standard 542.13(m)(7)
(7) Follow‐up shall be performed for any one machine having an unresolved variance between actual currency drop and bill‐in meter reading in excess of an amount that is both more than $25 and at least three percent (3%) of the actual currency drop. The follow‐up performed and results of the investigation shall be documented, maintained for inspection, and provided to the Tribal gaming regulatory authority upon request.
– Common Findings:
• Lacking documentation of investigation/follow-up performed
• Inadequate investigation performed
– “Will wash with next day” or “washes with yesterday” without evidence of such
– No explanation is provided
Metered to Actual Comparison Resolution
• Develop policies and procedures that detail the process for
review and investigation of metered to actual comparisons
and ensure staff is properly trained:
– Who is responsible for preparing the report?
• Recommend a full report of all machines and a summary report with only
those with a variance
– What is the established threshold for investigation?
• Recommend not exceeding (+/-3% and $25)
– Who is responsible for conducting and documenting the
investigation?
– What documentation is required?
• When explaining a “wash,” document which date/machine number the
variance washes with and provide supporting documentation of such
– Who is responsible for retaining the documentation?
MICS Audit – Common Findings
• MICS 542.13(j)(1)(ii) – Gaming Machines, Player Tracking System
– Related MICS Part 543: Audit Revenue, Player Tracking 543.24(d)(4)(ii)
Standard 542.13(j)(1)(ii)
(1) The following standards apply if a player tracking system is utilized:
(ii) The addition of points to members' accounts other than through actual gaming machine play shall be sufficiently documented (including substantiation of reasons for increases) and shall be authorized by a department independent of the player tracking and gaming machines. Alternatively, addition of points to members' accounts may be authorized by gaming machine supervisory employees if sufficient documentation is generated and it is randomly verified by employees independent of the gaming machine department on a quarterly basis
– Common Findings:
• Lacking documentation of point adjustments
• Lacking authorization matrix identifying which agents are authorized and corresponding
limits
• Permissions in the player tracking system do not agree with authorization matrix
• No audit is conducted
Point Adjustment Resolution
• Develop policies and procedures to outline processes for point
adjustments and ensure staff is properly trained:
– Who is authorized to make point adjustments?
• Develop an authorization matrix to detail authorized associates and limits
Manual Adjustment Authorization Matrix
Associate Title            Per Transaction   Per Day   Comments
Director of Marketing      5,000             20,000    >5,000 requires GM Approval
Marketing Manager          2,000             10,000
Player's Club Supervisor   500               2,000
Marketing Coordinator      500               2,000
• Recommend considering other manual adjustments (comps, freeplay, etc.)
• Ensure system permissions agree with authorization matrix
Point Adjustment Resolution cont.
– What documentation is required?
• Develop a form or report to document:
– Who made the adjustment (Name and title recommended)
– Patron account
– Reason for adjustment
– Who approved the adjustment (Name and title recommended)
– Date and amount of the adjustment
– Who is responsible for auditing the documentation and
how?
• Determine what reports/documentation require review
• Determine how variances (unauthorized, processed incorrectly) are
documented and communicated for resolution
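One way to audit point adjustments against the authorization matrix and the documentation fields listed above, as an added example that is not part of the original presentation. The limits come from the matrix; the record layout, the "General Manager" approver title string, and the choice to total per-day limits by associate and date are assumptions, and the sample log is constructed.

```python
from collections import defaultdict

# Limits in points, copied from the Manual Adjustment Authorization Matrix:
# title -> (per-transaction limit, per-day limit).
MATRIX = {
    "Director of Marketing": (5000, 20000),
    "Marketing Manager": (2000, 10000),
    "Player's Club Supervisor": (500, 2000),
    "Marketing Coordinator": (500, 2000),
}
GM_OVERRIDE = {"Director of Marketing"}  # matrix comment: >5,000 requires GM approval
FIELDS = ("made_by", "title", "account", "points", "reason",
          "approved_by", "approver_title", "date")
REQUIRED = [f for f in FIELDS if f != "approver_title"]  # approver title is only recommended

def audit_adjustments(rows):
    """Return (row_index, finding) pairs for manual point adjustments."""
    findings, daily = [], defaultdict(int)  # daily: (made_by, date) -> points
    for i, r in enumerate(rows):
        missing = [f for f in REQUIRED if not r.get(f)]
        if missing:
            findings.append((i, "missing documentation: " + ", ".join(missing)))
        if r.get("title") not in MATRIX:
            findings.append((i, "title not in authorization matrix"))
            continue
        per_txn, per_day = MATRIX[r["title"]]
        pts = r.get("points") or 0
        gm_ok = (r["title"] in GM_OVERRIDE
                 and r.get("approver_title") == "General Manager")
        if pts > per_txn and not gm_ok:
            findings.append((i, "exceeds per-transaction limit"))
        key = (r.get("made_by"), r.get("date"))
        daily[key] += pts
        if daily[key] > per_day:
            findings.append((i, "exceeds per-day limit"))
    return findings

# Constructed sample log (names, accounts and dates are made up).
D = "2024-01-05"
SAMPLE = [dict(zip(FIELDS, v)) for v in [
    ("A. Lee", "Marketing Manager", "P1001", 1500, "kiosk error", "B. Cruz", "Director of Marketing", D),
    ("C. Diaz", "Player's Club Supervisor", "P1002", 800, "promo make-good", "A. Lee", "Marketing Manager", D),
    ("D. Shaw", "Director of Marketing", "P1003", 6000, "tournament prize", "G. Moss", "General Manager", D),
    ("E. Kim", "Marketing Coordinator", "P1004", 400, "", "A. Lee", "Marketing Manager", D),
    ("F. Ott", "Slot Attendant", "P1005", 100, "goodwill", "A. Lee", "Marketing Manager", D),
] + [("C. Diaz", "Player's Club Supervisor", "P1006", 500, "card reader fault", "A. Lee", "Marketing Manager", D)] * 3]

if __name__ == "__main__":
    for idx, finding in audit_adjustments(SAMPLE):
        print(idx, SAMPLE[idx]["made_by"], finding)
```

The same titles and limits can be compared with the permissions configured in the player tracking system to confirm the two agree.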
Key Points and Concepts
• Audit Goals
– Protect Tribal assets by identifying and correcting deficiencies and regulatory
violations
– Utilize Internal Audits to continuously improve
• System of Internal Controls
– Additional and more stringent regulations make compliance more challenging
• Must develop a System of Internal Controls (and TICS) to meet, at a minimum, the
MICS
– Part 543 (class II gaming)
– Part 542 (class III gaming), if applicable
– Applicable Federal Regulations (Title 31/Title 26)
• Management Responses
– Develop feasible solutions
• Corrective Action Plans
– Assign responsibility and establish timelines