25 CFR § 543.23 - What are the minimum internal control standards for audit and accounting?

prev | next
§ 543.23 What are the minimum internal control standards for audit and accounting?

(a) Conflicts of standards. When establishing SICS, the gaming operation should review, and consider incorporating, other external standards such as GAAP, GAAS, and standards promulgated by GASB and FASB. In the event of a conflict between the MICS and the incorporated external standards, the external standards prevail.

(b) Accounting. Controls must be established and procedures implemented to safeguard assets and ensure each gaming operation:

(1) Prepares accurate, complete, legible, and permanent records of all transactions pertaining to gaming revenue and activities for operational accountability.

(2) Prepares general accounting records on a double-entry system of accounting, maintaining detailed, supporting, subsidiary records, and performs the following activities:

(i) Record gaming activity transactions in an accounting system to identify and track all revenues, expenses, assets, liabilities, and equity;

(ii) Record all markers, IOU's, returned checks, held checks, or other similar credit instruments;

(iii) Record journal entries prepared by the gaming operation and by any independent accountants used;

(iv) Prepare income statements and balance sheets;

(v) Prepare appropriate subsidiary ledgers to support the balance sheet;

(vi) Prepare, review, and maintain accurate financial statements;

(vii) Prepare transactions in accordance with the appropriate authorization, as provided by management;

(viii) Record transactions to facilitate proper recording of gaming revenue and fees, and to maintain accountability of assets;

(ix) Compare recorded accountability for assets to actual assets at periodic intervals, and take appropriate action with respect to any variances;

(x) Segregate functions, duties, and responsibilities;

(xi) Prepare minimum bankroll calculations; and

(xii) Maintain and preserve all financial records and relevant supporting documentation.

(c) Internal audit. Controls must be established and procedures implemented to ensure that:

(1) Internal auditor(s) perform audits of each department of a gaming operation, at least annually, to review compliance with TICS, SICS, and these MICS, which include at least the following areas:

(i) Bingo, including supervision, bingo cards, bingo card sales, draw, prize payout; cash and equivalent controls, technologic aids to the play of bingo, operations, vouchers, and revenue audit procedures;

(ii) Pull tabs, including, supervision, pull tab inventory, pull tab sales, winning pull tabs, pull tab operating funds, statistical records, and revenue audit procedures;

(iii) Card games, including supervision, exchange or transfers, playing cards, shill funds, reconciliation of card room bank, posted rules, and promotional progressive pots and pools;

(iv) Gaming promotions and player tracking procedures, including supervision, gaming promotion rules and player tracking systems;

(v) Complimentary services or items, including procedures for issuing, authorizing, redeeming, and reporting complimentary service items;

(vi) Patron deposit accounts and cashless systems procedures, including supervision, patron deposit accounts and cashless systems, as well as patron deposits, withdrawals and adjustments;

(vii) Lines of credit procedures, including establishment of lines of credit policy;

(viii) Drop and count standards, including supervision, count room access, count team, card game drop standards, player interface and financial instrument drop standards, card game count standards, player interface financial instrument count standards, collecting currency cassettes and financial instrument storage components from kiosks, kiosk count standards, and controlled keys;

(ix) Cage, vault, cash and cash equivalent procedures, including supervision, cash and cash equivalents, personal checks, cashier's checks, traveler's checks, payroll checks, and counter checks, cage and vault accountability, kiosks, patron deposited funds, promotional payouts, drawings, and giveaway programs, chip and token standards, and cage and vault access;

(x) Information technology, including supervision, class II gaming systems' logical and physical controls, independence, physical security, logical security, user controls, installations and/or modifications, remote access, incident monitoring and reporting, data back-ups, software downloads, and verifying downloads; and

(xi) Accounting standards, including accounting records, maintenance and preservation of financial records and relevant supporting documentation.

(2) Internal auditor(s) are independent of gaming operations with respect to the departments subject to audit (auditors internal to the operation, officers of the TGRA, or outside CPA firm may perform this function).

(3) Internal auditor(s) report directly to the Tribe, TGRA, audit committee, or other entity designated by the Tribe.

(4) Documentation such as checklists, programs, reports, etc. is prepared to evidence all internal audit work and follow-up performed as it relates to compliance with TICS, SICS, and these MICS, including all instances of noncompliance.

(5) Audit reports are maintained and made available to the Commission upon request and must include the following information:

(i) Audit objectives;

(ii) Audit procedures and scope;

(iii) Findings and conclusions;

(iv) Recommendations, if applicable; and

(v) Management's response.

(6) All material exceptions identified by internal audit work are investigated and resolved and the results are documented.

(7) Internal audit findings are reported to management, responded to by management stating corrective measures to be taken, and included in the report delivered to management, the Tribe, TGRA, audit committee, or other entity designated by the Tribe for corrective action.

(8) Follow-up observations and examinations is performed to verify that corrective action has been taken regarding all instances of non-compliance. The verification is performed within six (6) months following the date of notification of non-compliance.

(d) Annual requirements.

(1) Agreed upon procedures. A CPA must be engaged to perform an assessment to verify whether the gaming operation is in compliance with these MICS, and/or the TICS or SICS if they provide at least the same level of controls as the MICS. The assessment must be performed in accordance with agreed upon procedures and the most recent versions of the Statements on Standards for Attestation Engagements and Agreed-Upon Procedures Engagements (collectively “SSAEs”), issued by the American Institute of Certified Public Accountants.

(2) The tribe must submit two copies of the agreed-upon procedures report to the Commission within 120 days of the gaming operation's fiscal year end in conjunction with the submission of the annual financial audit report required pursuant to 25 CFR part 571.

(3) Review of internal audit.

(i) The CPA must determine compliance by the gaming operation with the internal audit requirements in this paragraph (d) by:

(A) Completing the internal audit checklist;

(B) Ensuring that the internal auditor completed checklists for each gaming department of the operation;

(C) Verifying that any areas of non-compliance have been identified;

(D) Ensuring that audit reports are completed and include responses from management; and

(E) Verifying that appropriate follow-up on audit findings has been conducted and necessary corrective measures have been taken to effectively mitigate the noted risks.

(ii) If the CPA determines that the internal audit procedures performed during the fiscal year have been properly completed, the CPA may rely on the work of the internal audit for the completion of the MICS checklists as they relate to the standards covered by this part.

(4) Report format. The SSAEs are applicable to agreed-upon procedures engagements required in this part. All noted instances of noncompliance with the MICS and/or the TICS or SICS, if they provide the same level of controls as the MICS, must be documented in the report with a narrative description, the number of exceptions and sample size tested.

[77 FR 58712, Sept. 21, 2012, as amended at 83 FR 65509, Dec. 21, 2018]