NATIONAL INDIAN GAMING COMMISSION
INTERNAL AUDIT MICS COMPLIANCE REPORTING GUIDELINES
(Refer 542.22; 542.32; 542.42)
August 12, 2005
Each tribe or its designated tribal gaming regulatory authority shall, in accordance with the tribal gaming ordinance, establish and implement tribal minimum internal control standards that shall:
1. Provide a level of control that equals or exceeds those set forth in Section 542;
2. Contain standards for currency transaction reporting that comply with 31 CFR Part 103;
3. Establish standards for games which are not addressed in Section 542; and
Each tribe or its designated tribal gaming regulatory authority shall, in accordance with the tribal gaming ordinance, establish and implement tribal internal control standards that equal or exceed the revised standards published on August 12, 2005 that shall include the following on internal audit guidelines:
1. The NIGC MICS Sections 542.22 (g), 542.32 (g), and 542.42 (g) state:
(g) Internal Audit Guidelines. In connection with the internal audit testing pursuant to paragraph (b)(1) of this section, the Commission shall develop recommended Internal Audit Guidelines, which shall be available upon request.
2. Each gaming operation must be in compliance with the revised tribal internal control standards within four (4) months from August 12, 2005. However, the tribal gaming regulatory authority may extend the deadline by an additional sixty (60) days if written notice is provided to the NIGC no later than December 12, 2005.
These guidelines are developed to ensure that all gaming operations that are required to provide for an internal audit function are performing a minimum amount and similar types of internal audit compliance procedures pursuant to the NIGC Minimum Internal Control Standards (MICS).
25 CFR Part 542 (MICS) requires the gaming operation’s internal auditor to perform observations, document examinations and inquiries of employees to determine compliance with applicable minimum internal control standards. The NIGC publishes recommended checklists, programs and guidelines for use in satisfying this regulatory requirement. The primary objective of these checklists, programs and guidelines is to provide guidance on what is necessary to comply with 25 CFR Part 542 (MICS). A secondary objective is to provide some consistency among internal audit departments and other individuals performing internal audit work by providing recommendations on standardizing the document examination sample sizes and the scope of the work to be performed. Standardization requirements ensure that all internal audit departments are performing a minimum amount of work and are performing the same required procedures. Finally, by standardizing the questionnaires, the NIGC is able to review any internal auditor’s workpapers in a more efficient and time-saving manner without having to adjust to the myriad of internal audit department and accounting firm styles.
Each checklist provided by the NIGC contains the meaning of terms used, including sample size, and a testing program. Although the checklists are not to be considered all-encompassing, they address the Minimum Internal Control Standards that became effective on June 27, 2002 and were revised on May 4, 2005, August 12, 2005, and May 11, 2006. As the information changes due to the adoption of new regulations, internal auditors are expected to develop their own testing procedures until updated versions of the checklists are distributed. Additionally, these Guidelines are not intended to limit the internal auditor to the performance of only the above-specified procedures. If additional procedures are performed (e.g., expanded document testing), the results obtained should be included in the internal auditor’s report pursuant to 25 CFR Part 542 (MICS). The internal auditor may also develop compliance checklists appropriate for a Tier A, Tier B, or Tier C gaming operation that at a minimum address the MICS.
In connection with the issuance of the NIGC MICS Sections 542.22; 542.32; and 542.42 the Internal Auditor is offered the following information as recommended guidance:
Requirement for Internal Audit Function
Internal Audit Minimum Internal Control Standard (a)(1) requires that a separate internal audit department be maintained whose primary function is performing internal audit work and that is independent with respect to the departments subject to audit. Pursuant to (a)(1), for gaming operations that meet the requirements of a Tier A or Tier B gaming operation and are not required to maintain a separate internal audit department, personnel who are independent with respect to the departments/procedures being examined perform internal audit work.
Additionally, all Tier A, B, and C gaming operations, as defined in Section 542.2, must provide for an internal audit function. The following are definitions of the different Tier classifications:
Tier A means gaming operations with annual gross gaming revenues of more than $1 million but not more than $5 million.
Tier B means gaming operations with annual gross gaming revenues of more than $5 million but not more than $15 million.
Tier C means gaming operations with annual gross gaming revenues of more than $15 million.
Independent Accountant Performs Internal Audit Function
Gaming operations may elect to have an independent accountant perform the internal audit function rather than using its own internal auditors. If the independent accountant is engaged to perform the internal audit procedures, the required observations of the table games/gaming machine drops and counts must be separately performed to satisfy the internal audit observation requirements and independent accountant tests of controls as required by the American Institute of Certified Public Accountants guide which satisfies the Internal Audit Minimum Internal Control Standard (b)(3).
When the same CPA firm performs the procedures required by Section 542.22; 542.32; or 542.42 and Section 542.3(f), it is recommended that the individual(s) performing the Section 542.22; 542.32; or 542.42 procedures not also perform Section 542.3(f) drop and count procedures.
Independent Accountant Reliance on Internal Auditors – Section 542.3(f)(3)
The CPA firm may rely on the work of an internal auditor, to the extent allowed by the professional standards, for the performance of the recommended procedures specified in paragraphs at Section 542.3(f)(1)(iii)(B), (C), and (D), and for the completion of the checklists as they relate to the procedures covered therein provided that the internal audit department can demonstrate to the satisfaction of the CPA that the requirements contained within Section 542.22, 542.32, or 542.42, as applicable, have been satisfied.
Agreed-upon procedures are to be performed by the CPA to determine that the internal audit procedures performed for a past 12-month period (includes two 6-month periods) encompassing a portion or all of the most recent business year have been properly completed. The CPA will apply Agreed-Upon Procedures to the gaming operation’s written assertion as specified in paragraphs at Section 542.3(f)(3)(ii)(A), (B), (C), (D), (E), and (F).
It is recommended that the internal auditor perform the following:
1. Complete the applicable testing procedures checklist by performing inquiries and observations during the period under review, and perform document compliance testing for dates within the period under review. Within the checklists provided by the NIGC unless specified otherwise, the standard document testing for gaming machines and table games involves a sample size of two (2) days, all shifts. One test date should be selected from the first six (6) months of the audit period and the second test date selected from the six (6) month period immediately preceding the examination. Standard document testing for all other areas involves a sample selection of one (1) day, all shifts, from the twelve (12) month period immediately preceding the audit. The days are to be randomly selected. Where monthly testing is required, the months used will be the months that include the selected test dates.
2. A separate checklist must be completed for each major gaming area of the gaming operation which satisfies the Internal Audit Minimum Internal Control Standard (b)(1). These gaming areas include, but are not limited to, bingo; pull tabs; card games; keno; pari-mutuel wagering; table games; gaming machines; cage and credit procedures; information technology functions; and complimentary service or items. These checklists are used to determine if the gaming operation’s procedures in effect and the documents in use comply with the MICS. Each checklist must be completed at least once each year in accordance with the MICS.
Performance and Completion
It is recommended that the internal auditor perform and complete procedures in accordance with the following requirements:
1. All questions on each applicable checklist must be completed. Detailed explanations must be provided for all “no” responses and for exceptions noted during document testing.
2. Observations must be performed on an unannounced basis and, whenever possible, are to be performed without the employees being aware that their activities are being observed. For purposes of these procedures, “unannounced” means that no officers, directors, or employees are given advance information regarding the specific dates or times of such observations. Such observations may be performed from the surveillance room if practical. If advance arrangements for count room access are necessary between the gaming operation and the internal auditor, the arrangements indicating the method that will be used to allow the internal auditor access to the gaming operation’s count rooms should be made. Documentation should be prepared by the internal auditor indicating the date the arrangements were made, the time period the arrangement is in effect, procedures to allow the internal auditor prompt access to the gaming operation’s count room and the method to ensure proper identification of the internal auditor. These arrangements should allow the internal auditor prompt access to the count rooms at any time without prior notification to any gaming operation personnel. Any subsequent updates to these arrangements (e.g., personnel updates) should be made on a regular basis (e.g., quarterly) to avoid alerting the gaming operation of an upcoming observation.
Observations may be performed live using surveillance equipment. However, because the internal auditor must observe the count until the monies are transferred to the vault/cage and accepted into the vault/cage accountability, it is recommended that any change in viewing location (i.e., from the count room to the surveillance room) will necessitate reviewing the surveillance tapes for the time period during which the auditor was in transit.
3. The gaming operation’s written system of internal control must be compared by the internal auditor against actual control procedures in effect as they relate to compliance with the NIGC MICS and approved MICS variances. The internal auditor must also compare the written system of internal control to the gaming operation’s policies and procedures.
4. The internal auditor performs compliance testing of various departments referred to in the checklists to determine compliance with the NIGC MICS and to determine if the gaming operation’s recording and reporting procedures are adequate and accurate. The scope of such testing is indicated on the checklist where applicable. When multiple test dates are required to be selected, the days are to be randomly selected. The checklists and/or back-up workpapers must include documentation of the original document examined by either explicitly identifying the form(s) (e.g., document # of slot jackpot form) examined or including a copy of the document(s) examined.
5. Documentation should be prepared to evidence all internal audit work performed, including all instances of noncompliance.
6. All material exceptions resulting from internal audit work are investigated and resolved with the results of such being documented. Documentation should include the names of individuals with whom inquiries were made and how the investigation was conducted.
7. The results of internal audit work should be reported directly to the Tribe, Tribal gaming regulatory authority, audit committee, or other entity designated by the Tribe and to management personnel who are independent of the departments under review. Internal audit findings are properly communicated to the appropriate employees of the gaming operation.
8. Follow-up inquiries, observations, and examinations are performed to verify that corrective action has been taken regarding all instances of noncompliance cited by internal audit, the independent accountant, and/or the Commission. The verification is performed within six (6) months following the date of notification.
9. Although not required by Section 542.22; 542.32; or 542.42, it is recommended that the internal auditor perform testing for compliance with 31 CFR Part 103 and other such Bank Secrecy Act regulations specific to the reporting of income recognition transactions. Sample size should consider the frequency of transactions subject to the referenced reporting requirements.
The above procedures are the recommended minimum procedures to be performed.
These recommended guidelines are not intended to limit the internal auditor to the performance of only the above-specified procedures. If additional procedures are performed (e.g., expanded document testing), the results should be included in the internal audit report.
Report Submission Requirements
A copy of the internal auditor’s report identifying procedures required by the NIGC and any additional gaming-related compliance audit procedures not required by the NIGC, a reference to the applicable internal audit checklists completed, all instances of noncompliance noted (regardless of materiality), the review period, and management personnel responses to the noted noncompliance should be available for review by the Tribal gaming regulatory authority. Additionally, regarding noted noncompliance, the report must describe all instances of procedural noncompliance (regardless of materiality) with the regulations, Tribal MICS, NIGC MICS or approved MICS variances, and all instances where the gaming operation’s written system of internal control does not adequately reflect the gaming operation’s actual control procedures in effect as they relate to compliance with the NIGC MICS and approved MICS variances.
It is recommended that the following information be included in the audit report:
a. Audit objectives.
b. Audit procedures and scope.
c. A narrative description of the noncompliance, including the number of exceptions.
d. The citation of the applicable National Indian Gaming Commission Minimum Internal Control Standard, Tribal Internal Control Standard, and State Compact, as applicable, for which the instance of noncompliance was noted.
e. Recommendations, if applicable.
f. Management’s responses to the noted instances of noncompliance.
g. If the instance of noncompliance is determined to be immaterial, a broad management response acknowledging the instances of immaterial noncompliance is acceptable. The immaterial instances of noncompliance may be disclosed as a separate section of the report.
h. Instances in which the written system of internal control does not reflect the actual control procedures in effect as they relate to compliance with the NIGC MICS and approved MICS variances.
Please contact the NIGC’s Audit Division if you require clarification of the preceding guidelines.
Joe H. Smith
Acting Director of Audits