25 CFR 542.22 - What are the minimum internal control standards for internal audit for Tier A gaming operations?
(a) Internal audit personnel. (1) For Tier A gaming operations, a separate internal audit department must be maintained. Alternatively, designating personnel (who are independent with respect to the departments/procedures being examined) to perform internal audit work satisfies the requirements of this paragraph.
(2) The internal audit personnel shall report directly to the Tribe, Tribal gaming regulatory authority, audit committee, or other entity designated by the Tribe in accordance with the definition of internal audit in § 542.2.
(b) Audits. (1) Internal audit personnel shall perform audits of all major gaming areas of the gaming operation. The following shall be reviewed at least annually:
(i) Bingo, including but not limited to, bingo card control, payout procedures, and cash reconciliation process;
(ii) Pull tabs, including but not limited to, statistical records, winner verification, perpetual inventory, and accountability of sales versus inventory;
(iii) Card games, including but not limited to, card games operation, cash exchange procedures, shill transactions, and count procedures;
(iv) Keno, including but not limited to, game write and payout procedures, sensitive key location and control, and a review of keno auditing procedures;
(v) Pari-mutual wagering, including write and payout procedures, and pari-mutual auditing procedures;
(vi) Table games, including but not limited to, fill and credit procedures, pit credit play procedures, rim credit procedures, soft drop/count procedures and the subsequent transfer of funds, unannounced testing of count room currency counters and/or currency interface, location and control over sensitive keys, the tracing of source documents to summarized documentation and accounting records, and reconciliation to restricted copies;
(vii) Gaming machines, including but not limited to, jackpot payout and gaming machine fill procedures, gaming machine drop/count and bill acceptor drop/count and subsequent transfer of funds, unannounced testing of weigh scale and weigh scale interface, unannounced testing of count room currency counters and/or currency interface, gaming machine drop cabinet access, tracing of source documents to summarized documentation and accounting records, reconciliation to restricted copies, location and control over sensitive keys, compliance with EPROM duplication procedures, and compliance with MICS procedures for gaming machines that accept currency or coin(s) and issue cash-out tickets or gaming machines that do not accept currency or coin(s) and do not return currency or coin(s);
(viii) Cage and credit procedures including all cage, credit, and collection procedures, and the reconciliation of trial balances to physical instruments on a sample basis. Cage accountability shall be reconciled to the general ledger;
(ix) Information technology functions, including review for compliance with information technology standards;
(x) Complimentary service or item, including but not limited to, procedures whereby complimentary service items are issued, authorized, and redeemed; and
(xi) Any other internal audits as required by the Tribe, Tribal gaming regulatory authority, audit committee, or other entity designated by the Tribe.
(2) In addition to the observation and examinations performed under paragraph (b)(1) of this section, follow-up observations and examinations shall be performed to verify that corrective action has been taken regarding all instances of noncompliance cited by internal audit, the independent accountant, and/or the Commission. The verification shall be performed within six (6) months following the date of notification.
(3) Whenever possible, internal audit observations shall be performed on an unannounced basis (i.e., without the employees being forewarned that their activities will be observed). Additionally, if the independent accountant also performs the internal audit function, the accountant shall perform separate observations of the table games/gaming machine drops and counts to satisfy the internal audit observation requirements and independent accountant tests of controls as required by the American Institute of Certified Public Accountants guide.
(c) Documentation. (1) Documentation (e.g., checklists, programs, reports, etc.) shall be prepared to evidence all internal audit work performed as it relates to the requirements in this section, including all instances of noncompliance.
(2) The internal audit department shall operate with audit programs, which, at a minimum, address the MICS. Additionally, the department shall properly document the work performed, the conclusions reached, and the resolution of all exceptions. Institute of Internal Auditors standards are recommended but not required.
(d) Reports. (1) Reports documenting audits performed shall be maintained and made available to the Commission upon request.
(2) Such audit reports shall include the following information:
(i) Audit objectives;
(ii) Audit procedures and scope;
(iii) Findings and conclusions;
(iv) Recommendations, if applicable; and
(v) Management's response.
(e) Material exceptions. All material exceptions resulting from internal audit work shall be investigated and resolved with the results of such being documented and retained for five years.
(f) Role of management. (1) Internal audit findings shall be reported to management.
(2) Management shall be required to respond to internal audit findings stating corrective measures to be taken to avoid recurrence of the audit exception.
(3) Such management responses shall be included in the internal audit report that will be delivered to management, the Tribe, Tribal gaming regulatory authority, audit committee, or other entity designated by the Tribe.
(g) Internal Audit Guidelines. In connection with the internal audit testing pursuant to paragraph (b)(1) of this section, the Commission shall develop recommended Internal Audit Guidelines, which shall be available upon request.