Protect Your Licence - Internal Control Requirements

14 January 2002

Well all, I trust you enjoyed your Christmas or Holiday Break, depending. I spent a good part of mine watching helicopters drop water on the scrub, bush, forest (think that covers most interpretations) just behind my house. Luckily no damage to homes in my area was done, except I had a higher than usual number of parrots and critters, varmints, rodents, possums, small furry creatures with big eyes and sharp teeth (think that covers most interpretations) around the house licking their wounds or after a bit of water.

Anyway, back to technology…

In last year's articles we explored some principles behind a regulated risk-management framework template for e-gambling. We looked at the concept of “regulated risk management”, money laundering protection and player protection, and this month we look at internal controls and operating procedures. Essentially, these control documents describe how your e-gambling business is to be run in a socially responsible, secure, reliable, profitable and compliant manner.

Unlike traditional gambling technology, online gambling technology and operations may become obsolete, non-compliant or introduce serious business exposure immediately after approval is granted by the regulator and the site becomes operational. Also, unlike traditional gambling technology, a great deal of power and trust is placed in the hands of the few people in an organization that operate and understand the technology.

It is essential, therefore, that a system of internal controls is in place and that both the operator and the regulator are diligent in the conduct of ongoing technical, operational and security audits, as well as the traditional financial audits.

The technology and the operating environment are not mutually exclusive. Indeed, many areas of technological risk can quite often be effectively and simply mitigated to an acceptable level through the use of appropriate procedures. The use of compensating controls to mitigate business risk and reduce total reliance on technology is yet another reason why a practical and comprehensive system of internal controls and operating procedures (ICOP) is essential.

An ICOP submission must fully describe and explain the licensee’s operational procedures and systems regarding the conduct of interactive gambling operations.

The regulator (or testing agency) will review a control submission to determine if it provides satisfactory and effective control over the gambling operations (not corporate governance or marketing) of the licensee. A report will be provided to the regulator. If it is considered that satisfactory and effective control is not provided, the licensee will be so advised in writing and will be given the reasons why the regulator formed this opinion.

The licensee will then be invited to resubmit the control submission, or the portion of it that is in contention, after making changes that the regulator considers appropriate. A licensee may conduct an approved game or take approved bets/wagers on an approved system only if the licensee has an approved control system and the gambling is conducted in accordance with that approved control system.

Development of internal control and operating procedures is a major undertaking for any Internet gambling business. It should not just consider the immediate operational issues, but also the peripheral issues, often extending to suppliers. For example:

Software Development Environment Security and Security Procedures

This forms a part of the compliance review. Security of the development environment is paramount and is a concern for regulators. A few examples of why follow:

  1. Essentially if the development data is lost (e.g. intentionally destroyed), and not able to be recovered in a timely manner when a system fix/update is required, then the service might have to cease operation and the regulator could be embarrassed.

  2. If a competitor or hacker wanted to find a "weakest link" in security (to steal sensitive information, manipulate the system, or damage the site) an effective way may be through the installation of a Trojan in the product which could be propagated to the production environments of the operator.

Software Development Environment Documentation

This forms a part of the compliance review. Lack of documentation will limit the scalability of the organization and presents a risk to the operator and regulator. For example, if the development and business processes and the system itself are not adequately documented, as customers make demands on the developer’s systems (upgrades, bug fixes, etc.), it is highly likely that software erosion resulting in system instability, unreliability and extended development schedules will occur. Furthermore, if there is no documentation for a testing agency to review against, there is equally nothing for the new engineer to learn against or the replacement engineer to pick up on should a key staff member leave (and take the intellectual property of the business with them in their head). As a side issue, how does having IP walk out the door impact the valuation of the business?

Well, until next time. . .

Steve Toneguzzo is the CEO and president of GGS, the recognized pioneer and world leader in regulation and business risk mitigation related to Internet Gambling Systems, security and operations for regulated markets.
