Gaming Auditorium Article


Published on

2003 article describes auditing of customer loyalty programs

Published in: Entertainment & Humor
  • Be the first to comment

  • Be the first to like this

No Downloads
Total views
On SlideShare
From Embeds
Number of Embeds
Embeds 0
No embeds

No notes for slide

Gaming Auditorium Article

  1. 1. Gaming Auditorium - The Institute of Internal Auditors Page 1 of 4 1st Quarter 2010 Vol 13 No 1 Hitting the High Points Internal auditors can hit the jackpot with awareness of key risks in a casino's slot club function. By Ron Ellis, CIA Internal Audit Manager Hard Rock Hotel and Casino Las Vegas BY THE NATURE OF THE INDUSTRY, casinos are prime targets for theft and fraud. Casinos with a slot club function have an additional challenge because of the complexity of the system application used to track patron activity and pay patron awards. To perform winning risk evaluations and audits, internal auditors need a full understanding of a slot club's complexity and controls. A slot club is a casino marketing tool that offers a patron additional rewards for playing slot machines in the casino. Rewards — which can be redeemed in cash, merchandise, or complimentary goods and services (comps) — are tracked through an application system that records the patron's slot machine play. The patron inserts a magnetically encoded card — encoded by the slot club when a patron joins the program — into a slot machine card reader, which tracks coin in, coin out, time played, jackpots, and other statistical information. Awards are based on level of activity such as actual coin in or expected theoretical win (coin-in multiplied by machine theoretical win percentage). Slot club operations and the application system used to track patron usage and awards are both complex. Consequently, the risk of error, fraud, abuse, and system malfunction deserve an auditor's full attention when planning an audit. The structure of the slot club operation, as well as the system function, will determine how the slot club function should be audited. To assist the internal auditor in understanding the casino's slot club operations, the auditor should perform a walk-through of the function with management and the employees who perform each function — from the time the patron inserts his or her card into the machine to the final award payout — to assess the risks and controls for the various transactions. It may also be helpful for the auditor to take the information learned from this walk-through and document it in a flowchart for reference during audit planning. To maintain professional skepticism with an eye on fraud, the auditor should approach the audit from an information systems functionality standpoint, as well. Given the vast number of tracking systems available on the market and the ever-increasing complexity of both the tracking-system and slot-machine processes, auditors must equip themselves with sufficient technical expertise to review and audit all potential risks. Understanding the process Internal auditors charged with reviewing the slot club function should perform due diligence during the planning process by starting with a functional overview. They should consider the following questions when performing a walk-through to gain insight into the slot club operations and system functions: • Are slot club and slot operations employees prohibited from participating? • How much play is required to earn one point or one comp dollar? • What is the value of one point? • What are the rewards available to players? • What is the procedure for earning rewards? • What are the procedures and controls for redeeming rewards? • What is the chain of custody for cash-back forms inventory? • Given the audit objectives, what reports are available for management review and audit purposes? • What is the source of the information on the reports? • What controls are in place over system administration and system-parameter changes? • How are changes to system parameters authorized and reported? • What controls are in place to ensure system-parameter changes are valid and authorized? 3/9/2010
  2. 2. Gaming Auditorium - The Institute of Internal Auditors Page 2 of 4 • Which employees have system access to adjust, add, or delete points to an account? What is the authorization and review process? • Are there access restrictions or levels for viewing and accessing online account information? • Does the system have the capability to show the exact source of transactions? • How are downloadable promotional credits controlled? • How are third-party technicians or service personnel supervised when accessing the system or slot machines? Common Risks Risks in the slot club function include internal employee and patron fraud, as well as inadvertent or intentional system-parameter changes and system malfunctions. Some of the more common risks include: • Unauthorized access or adjustments to dormant, test, and live patron accounts that result in the transfer of award credits to unauthorized accounts. • Extension of complimentary goods and services in excess of policy guidelines. • Computer system manipulations such as unauthorized changes to system parameters. • Unauthorized or inappropriate administrative rights, access rights to run patron-sensitive reports, or access rights to import data into common application programs that can be sorted and distributed for fraudulent usage. • Computer system malfunctions, such as awarding unearned credits. • Electronic funds transfer (EFT) download fraud or malfunctions such as unauthorized credit download or slot machines that do not cap downloaded credit at the limit of the patron's credit or debit card. • A poorly coordinated system for recording and paying awards for complimentary goods and services, resulting in tracking-system information that is not complete, accurate, and available in real time. • Seed-play manipulation, which is a fraudulent scheme in which a patron obtains a group of club cards on one account and places the cards in various machines so that when someone without a card plays the machine, the seed patron is credited with that play. Auditing Internal Risks A common problem — and the most probable risk — involves employees who perform unauthorized manipulation of points, rewards, and comps for personal gain. Without adequate controls, an employee could change the name on an account to that of a friend or relative, redeem the rewards or transfer dormant account rewards for personal gain, and then change the account name back to the original name. Suggested reviews and audit tests include: • Performing a system query to identify employee addresses, phone numbers, and other data that may be in the slot club database under a name other than the employee's. • Reviewing system activity change reports for improper transactions such as unusual name changes, social security number changes, and manual adjustments to award balances. For example, a name change from "Ellis, R." to "Pease, F." would require further investigation and validation. • Evaluating the adequacy of the club's policy and procedures regarding controls over master-file changes and system administration controls for adding access authorization. • Validating the master-file or parameter changes in question. Close attention should be paid to accounts that have a material value as well as where the reward was earned prior to the master-file change. • Determining whether or not change activity is authorized. • Determining whether or not only employees authorized by management have access rights to make adjustments. • Determining whether or not adjustments are adequately supported. • Determining whether or not transfers to dormant accounts are validated. Auditing System Risks As the industry moves from a coin-based slot business to a coinless or EFT-based environment, it is inevitable that cash handling will be eliminated. Direct downloads from patron credit and debit cards is the future of wagering. Ideally, an internal auditor should flowchart the tracking and reward system operations provided by the walk-through to gain an understanding of the critical communication components, transaction flow, and card-reader functions. In addition to IT managers and employees, slot technicians can be a good source of information in explaining how a specific system operates. With an understanding of transaction flow, the auditor will be able to extract a 3/9/2010
  3. 3. Gaming Auditorium - The Institute of Internal Auditors Page 3 of 4 representative sample selection to validate the process to recognize potential problem sources. Recommended procedures include: • Establishing a "test" club account and test playing a sample of machines to the extent that bonus point activity will be awarded. Review system accuracy by recording critical slot meters for coin in, coin out, and number of games played before and after play to compare manually recorded data to what was captured on the system. In most jurisdictions, this test will require regulatory approval before beginning testing activities. • Selecting a random sample of active patron accounts to test the accuracy of point calculations. Test the various components individually — as opposed to recalculations based on a total — because they may be calculated differently. • Reviewing the computer rights report, which lists the functions an employee can access, for appropriate segregation of duties, unauthorized attempts to login, and unauthorized attempts to access menu options. • Reviewing the system-parameter change report for fields changed — the from/to data fields. Are changes made by authorized employees? Are such changes supported and approved? • Reviewing the controls and authorization process for downloading cashable/non-cashable credits to magnetically encoded cards. Are controls in place to preclude and detect unauthorized downloads, such as controls over physical storage, employee computer rights to download electronic credits to cards, and controls over unissued encoded cards? • Determining the adequacy of procedures used by management to verify download activity for errors and malfunctions. Ensure review procedures are in place, such as determining whether or not credits for comp awards can be cashed out and reviewing for multiple redemptions of the same card — the card number will appear twice on the redemption reports if there is a malfunction. Auditing Patron Risks Patrons who exploit slot systems by taking advantage of system malfunctions, manipulating a poorly coordinated system for tracking earned and redeemed complimentary goods and services, and seeding play using multiple player club cards are only some of the potential risks of the slot club function. Although individual casino operations may warrant different audit processes based on their unique environment, audit processes should include: • Determining whether or not the rules of the club are clearly disclosed to the patron upon opening the account and whether or not rewards acquired through illegitimate means are invalid. • Reviewing slot machine event logs and meters for unusual transactions such as power-downs, excessive drop-door openings, and excessive EFT downloads. Investigate unusual activity. • Determining whether or not procedures are in place to mitigate the risk of seeding activity, such as policies governing the issuance of multiple cards and requiring government-issued photo identification for cashing out an account. • Reviewing reports designed to disclose potential seeding activity to determine whether or not proper follow- up has been performed. Test activity as deemed necessary. • Reviewing a sample of patron accounts for the validity of comp awards. Do the point ratings support the comps extended? Test comp award calculations to determine the accuracy of the constants used to calculate theoretical wins. • Determining the validity of comps that were extended before or after a patron's in-house stay. For example, if a guest was staying in-house, validate comps received several days after hotel check out. • Determining whether or not the system captures comp awards immediately when earned through system interfaces that provide real-time data. Validate this by settling test comps to determine when complimentary goods and services are posted to the test account. An alternate test is to calculate the time elapsed between the settlement of complimentary charges at the point of sale and the time the charges are posted to patron accounts using actual comp data. • Determining whether or not the casino has written procedures in place to address sufficient controls to mitigate club risks and making sure that personnel are trained to follow those procedures. An internal auditor can add value to his or her organization by identifying control weaknesses and providing recommendations to mitigate risks in the slot club function. A risk-based approach to slot club review can provide the necessary assurance that the critical risks are mitigated and managed and that the costs associated with offering club rewards are spent on deserving patrons, and not undeserving fraudsters. Ron Ellis is an internal audit manager at the Hard Rock Hotel and Casino in Las Vegas, Nev. Ellis can be reached at 3/9/2010
  4. 4. Gaming Auditorium - The Institute of Internal Auditors Page 4 of 4 All contents of this Web site, except where expressly stated, are the copyrighted property of the Institute of Internal Auditors Inc. 3/9/2010