Sound Control Environment
1.02 Operators and gaming-related suppliers shall develop, document and implement formal control activities to address the regulatory risks identified by the AGCO and achieve the regulatory objectives reflected in the Standards and Requirements. Control activities must be authorized by the appropriate level of management. (Also applicable to Gaming-Related Suppliers) [Amended: February, 2022]
Requirements – At a minimum:
- A process shall be in place to periodically review control activities for effectiveness in meeting the Standards and Requirements and to document, remedy and adjust the controls where deficiencies or gaps are found.
- Substantial changes to the Operator's control environment shall be communicated to the Registrar in a timely manner.
- Control activities must be available to the AGCO (or its designate) for regulatory assurance purposes.
- Operators and gaming related suppliers who run critical gaming systems shall develop a control activity matrix. An operator’s control activity matrix shall summarize all controls related to the gaming site, including where the operator works with third-party suppliers, including platform providers.
- Operators shall have their control activities assessed by an independent oversight function for alignment with the Standards and Requirements.
Guidance: Independent oversight may be exercised by an internal audit body and/or external auditor, as considered appropriate by the Operator and as acceptable to the Registrar. The Registrar recognizes that oversight practices may vary by Operator depending on their size, ownership structure, scope and complexity of operations, corporate strategy and risk profile. Whatever the case, the independent oversight function should be responsible for auditing the organization’s compliance management framework, identifying, managing and reporting on risks the organization is or might be exposed to and exercising oversight that is independent from operational management. It should also have direct and unrestricted access to the Board.
1.03 Management overrides of the control activities shall be clearly documented and made available to the Registrar upon request. (Also applicable to Gaming-Related Suppliers)
Requirements – At a minimum:
1. Approval from at least two senior-level managers is required in order to override any control activity, and in each instance the override shall be reported to the Board or other governance structure where a Board does not exist.
Guidance: The intent of this Standard is to allow senior-level management to override controls on a one-off basis in necessary circumstances and to ensure that appropriate documentation is maintained for auditing purposes. This Standard is not intended to address permanent changes to the control environment.
1.04 Operators must establish, implement and maintain controls to support preparation of financial reports which comply with all applicable accounting standards, rules and good practices.