Oversight

1.14 Compliance with the Standards and Requirements shall be documented in an organized manner to ensure that the information is capable of being reviewed and audited by an independent oversight function.

Requirements – At a minimum:

  1. Documentation shall be reviewed and analyzed to ensure compliance with the Standards and Requirements, and approved by management.
  2. Internal and external auditors shall be granted access to all relevant systems, documentation (including control activities) and resources for the purpose of conducting an audit.
  3. Where directed, Operators and gaming-related suppliers shall retain an independent auditor acceptable to the Registrar to carry out audits required by the Registrar and provide copies of the audit reports to the Registrar.

    Guidance: The intent of this Requirement is to allow the Registrar to direct third party audits where he considers necessary for regulatory assurance purposes. Although the auditor would be retained by the Operator or gaming-related supplier in these circumstances, it would report directly to the Registrar.

  4. In reviewing control activities for compliance with the Standards and Requirements, internal and external auditors shall take into account the Registrar’s expectations, as articulated herein.

1.15 Primary accountability for compliance resides with the Board, or other governance structure, where a Board does not exist, and there shall be evidence that the Board, or other governance structure, has carried out its responsibility in this respect.

Requirements – At a minimum:

  1. A compliance oversight function shall be established that is independent of the activities it oversees.

    Guidance: Overall responsibility for compliance monitoring should ideally rest with a chief compliance officer or if such person does not exist, a member of senior management.

  2. An internal audit function shall be established that regularly audits the organization’s control environment and compliance management framework and exercises oversight that is independent from operational management. The internal audit function shall have the authority to independently review any aspect of the operations.

    Guidance: Where this is not feasible given the organization’s size or structure, audits should be carried out by another independent oversight function.

  3. The compliance oversight function and internal audit or other independent oversight function shall have direct and unrestricted access to the Board, or other governance structure, and shall report on all important issues regarding compliance on a regular basis or as necessary.
  4. The Board, or other governance structure, shall establish a committee or committees to oversee the organization’s compliance and audit oversight functions, with appropriate terms of reference addressing composition and accountabilities.
  5. Members of the Board, or other governance structure, and of any committees established to oversee the organization’s compliance and audit oversight functions shall understand the business’s operations, initiatives and major transactions, and shall have the skills, training, experience and independence to carry out their fiduciary responsibilities.

1.16 There shall be an independent “whistleblowing” process to allow employees to anonymously report deficiencies or gaps in the control environment as well as incidents of possible non-compliance with the controls, Standards and Requirements, or the law.

Requirements – At a minimum, Operators shall:

  1. Address issues raised through the “whistleblowing” process and communicate them to the Board in a timely manner.

1.17 Registrants shall engage with the Registrar in a transparent way.

Requirements – At a minimum, Operators shall:

  1. Provide reports regarding any incident or matter that may affect the integrity of, or public confidence in, gaming, including any actions taken to prevent similar incidents from occurring in the future, in accordance with the established notification matrix.
  2. Provide reports regarding any incident of non-compliance with the law, Standards and Requirements or control activities, including any actions taken to correct the cause of non-compliance, in accordance with the established notification matrix.
  3. [Removed September 2020.]
  4. Make available any data, information and documents requested by the Registrar.
  5. [Removed September 2020.]