(a) Compliance based upon tier.
(1) Tier A gaming operations must comply with §§542.1 through 542.18, and §§542.20 through 542.23.
(2) Tier B gaming operations must comply with §§542.1 through 542.18, and §§542.30 through 542.33.
(3) Tier C gaming operations must comply with §§542.1 through 542.18, and §§542.40 through 542.43.
(b) Determination of tier.
(1) The determination of tier level shall be made based upon the annual gross gaming revenues indicated within the gaming operation's audited financial statements. Gaming operations moving from one tier to another shall have nine (9) months from the date of the independent certified public accountant's audit report to achieve compliance with the requirements of the new tier.
(2) The Tribal gaming regulatory authority may extend the deadline by an additional six (6) months if written notice is provided to the Commission no later than two weeks before the expiration of the nine (9) month period.
(c) Tribal internal control standards. Within six (6) months of June 27, 2002, each Tribal gaming regulatory authority shall, in accordance with the Tribal gaming ordinance, establish and implement tribal internal control standards that shall:
(1) Provide a level of control that equals or exceeds those set forth in this part;
(2) Contain standards for currency transaction reporting that comply with 31 CFR part 103;
(3) Establish standards for games that are not addressed in this part; and
(4) Establish a deadline, which shall not exceed nine (9) months from June 27, 2002, by which a gaming operation must come into compliance with the tribal internal control standards. However, the Tribal gaming regulatory authority may extend the deadline by an additional six (6) months if written notice is provided to the Commission no later than two weeks before the expiration of the nine (9) month period.
(d) Gaming operations. Each gaming operation shall develop and implement an internal control system that, at a minimum, complies with the tribal internal control standards.
(1) Existing gaming operations. All gaming operations that are operating on or before June 27, 2002, shall comply with this part within the time requirements established in paragraph (c) of this section. In the interim, such operations shall continue to comply with existing tribal internal control standards.
(2) New gaming operations. All gaming operations that commence operations after August 26, 2002, shall comply with this part before commencement of operations.
(e) Submission to Commission. Tribal regulations promulgated pursuant to this part shall not be required to be submitted to the Commission pursuant to 25 CFR 522.3(b).
(f) CPA testing.
(1) An independent certified public accountant (CPA) shall be engaged to perform “Agreed-Upon Procedures” to verify that the gaming operation is in compliance with the minimum internal control standards (MICS) set forth in this part or a Tribally approved variance thereto that has received Commission concurrence. The CPA shall report each event and procedure discovered by or brought to the CPA's attention that the CPA believes does not satisfy the minimum standards or Tribally approved variance that has received Commission concurrence. The “Agreed-Upon Procedures” may be performed in conjunction with the annual audit. The CPA shall report its findings to the Tribe, Tribal gaming regulatory authority, and management. The Tribe shall submit two copies of the report to the Commission within 120 days of the gaming operation's fiscal year end. This regulation is intended to communicate the Commission's position on the minimum agreed-upon procedures to be performed by the CPA. Throughout these regulations, the CPA's engagement and reporting are based on Statements on Standards for Attestation Engagements (SSAEs) in effect as of December 31, 2003, specifically SSAE 10 (“Revision and Recodification Agreed-Upon Procedures Engagements.”). If future revisions are made to the SSAEs or new SSAEs are adopted that are applicable to this type of engagement, the CPA is to comply with any new or revised professional standards in conducting engagements pursuant to these regulations and the issuance of the agreed-upon procedures report. The CPA shall perform the “Agreed-Upon Procedures” in accordance with the following:
(i) As a prerequisite to the evaluation of the gaming operation's internal control systems, it is recommended that the CPA obtain and review an organization chart depicting segregation of functions and responsibilities, a description of the duties and responsibilities of each position shown on the organization chart, and an accurate, detailed narrative description of the gaming operation's procedures in effect that demonstrate compliance.
(ii) Complete the CPA NIGC MICS Compliance checklists or other comparable testing procedures. The checklists should measure compliance on a sampling basis by performing walk-throughs, observations and substantive testing. The CPA shall complete separate checklists for each gaming revenue center, cage and credit, internal audit, surveillance, information technology and complimentary services or items. All questions on each applicable checklist should be completed. Work-paper references are suggested for all “no” responses for the results obtained during testing (unless a note in the “W/P Ref” can explain the exception).
(iii) The CPA shall perform, at a minimum, the following procedures in conjunction with the completion of the checklists:
(A) At least one unannounced observation of each of the following: Gaming machine coin drop, gaming machine currency acceptor drop, table games drop, gaming machine coin count, gaming machine currency acceptor count, and table games count. The AICPA's “Audits of Casinos” Audit and Accounting Guide states that “observations of operations in the casino cage and count room should not be announced in advance * * *” For purposes of these procedures, “unannounced” means that no officers, directors, or employees are given advance information regarding the dates or times of such observations. The independent accountant should make arrangements with the gaming operation and Tribal gaming regulatory authority to ensure proper identification of the CPA's personnel and to provide for their prompt access to the count rooms.
(1) The gaming machine coin count observation would include a weigh scale test of all denominations using pre-counted coin. The count would be in process when these tests are performed, and would be conducted prior to the commencement of any other walk-through procedures. For computerized weigh scales, the test can be conducted at the conclusion of the count, but before the final totals are generated.
(2) The checklists should provide for drop/count observations, inclusive of hard drop/count, soft drop/count and currency acceptor drop/count. The count room would not be entered until the count is in process and the CPA would not leave the room until the monies have been counted and verified to the count sheet by the CPA and accepted into accountability. If the drop teams are unaware of the drop observations and the count observations would be unexpected, the hard count and soft count rooms may be entered simultaneously. Additionally, if the gaming machine currency acceptor count begins immediately after the table games count in the same location, by the same count team, and using the same equipment, the currency acceptor count observation can be conducted on the same day as the table games count observation, provided the CPA remains until monies are transferred to the vault/cashier.
(B) Observations of the gaming operation's employees as they perform their duties.
(C) Interviews with the gaming operation's employees who perform the relevant procedures.
(D) Compliance testing of various documents relevant to the procedures. The scope of such testing should be indicated on the checklist where applicable.
(E) For new gaming operations that have been in operation for three months or less at the end of their business year, performance of this regulation, section 542.3(f), is not required for the partial period.
(2) Alternatively, at the discretion of the Tribe, the Tribe may engage an independent certified public accountant (CPA) to perform the testing, observations and procedures reflected in paragraphs (f)(1)(i), (ii), and (iii) of this section utilizing the Tribal internal control standards adopted by the Tribal gaming regulatory authority or Tribally approved variance that has received Commission concurrence. Accordingly, the CPA will verify compliance by the gaming operation with the Tribal internal control standards. Should the Tribe elect this alternative, as a prerequisite, the CPA will perform the following:
(i) The CPA shall compare the Tribal internal control standards to the MICS to ascertain whether the criteria set forth in the MICS or Commission approved variances are adequately addressed.
(ii) The CPA may utilize personnel of the Tribal gaming regulatory authority to cross-reference the Tribal internal control standards to the MICS, provided the CPA performs a review of the Tribal gaming regulatory authority personnel's work and assumes complete responsibility for the proper completion of the work product.
(iii) The CPA shall report each procedure discovered by or brought to the CPA's attention that the CPA believes does not satisfy paragraph (f)(2)(i) of this section.
(3) Reliance on Internal Auditors.
(i) The CPA may rely on the work of an internal auditor, to the extent allowed by the professional standards, for the performance of the recommended procedures specified in paragraphs (f)(1)(iii)(B), (C), and (D) of this section, and for the completion of the checklists as they relate to the procedures covered therein provided that the internal audit department can demonstrate to the satisfaction of the CPA that the requirements contained within §542.22, 542.32, or 542.42, as applicable, have been satisfied.
(ii) Agreed-upon procedures are to be performed by the CPA to determine that the internal audit procedures performed for a past 12-month period (includes two 6-month periods) encompassing a portion or all of the most recent business year has been properly completed. The CPA will apply the following Agreed-Upon Procedures to the gaming operation's written assertion:
(A) Obtain internal audit department work-papers completed for a 12-month period (includes two 6-month periods) encompassing a portion or all of the most recent business year and determine whether the CPA NIGC MICS Compliance Checklists or other comparable testing procedures were included in the internal audit work-papers and all steps described in the checklists were initialed or signed by an internal audit representative.
(B) For the internal audit work-papers obtained in paragraph (f)(3)(ii)(A) of this section, on a sample basis, reperform the procedures included in CPA NIGC MICS Compliance Checklists or other comparable testing procedures prepared by internal audit and determine if all instances of noncompliance noted in the sample were documented as such by internal audit. The CPA NIGC MICS Compliance Checklists or other comparable testing procedures for the applicable Drop and Count procedures are not included in the sample reperformance of procedures because the CPA is required to perform the drop and count observations as required under paragraph (f)(1)(iii)(A) of this section of the Agreed-Upon Procedures. The CPA's sample should comprise a minimum of 3 percent of the procedures required in each CPA NIGC MICS Compliance Checklist or other comparable testing procedures for the gaming machine and table game departments and 5 percent for the other departments completed by internal audit in compliance with the internal audit MICS. The reperformance of procedures is performed as follows:
(1) For inquiries, the CPA should either speak with the same individual or an individual of the same job position as the internal auditor did for the procedure indicated in their checklist.
(2) For observations, the CPA should observe the same process as the internal auditor did for the procedure as indicated in their checklist.
(3) For document testing, the CPA should look at the same original document as tested by the internal auditor for the procedure as indicated in their checklist. The CPA need only retest the minimum sample size required in the checklist.
(C) The CPA is to investigate and resolve any differences between their reperformance results and the internal audit results.
(D) Documentation is maintained for 5 years by the CPA indicating the procedures reperformed along with the results.
(E) When performing the procedures for paragraph (f)(3)(ii)(B) of this section in subsequent years, the CPA must select a different sample so that the CPA will reperform substantially all of the procedures after several years.
(F) Any additional procedures performed at the request of the Commission, the Tribal gaming regulatory authority or management should be included in the Agreed-Upon Procedures report transmitted to the Commission.
(4) Report Format.
(i) The NIGC has concluded that the performance of these procedures is an attestation engagement in which the CPA applies such Agreed-Upon Procedures to the gaming operation's assertion that it is in compliance with the MICS and, if applicable under paragraph (f)(2) of this section, the Tribal internal control standards and approved variances, provide a level of control that equals or exceeds that of the MICS. Accordingly, the Statements on Standards for Attestation Engagements (SSAE's), specifically SSAE 10, issued by the Auditing Standards Board is currently applicable. SSAE 10 provides current, pertinent guidance regarding agreed-upon procedure engagements, and the sample report formats included within those standards should be used, as appropriate, in the preparation of the CPA's agreed-upon procedures report. If future revisions are made to this standard or new SSAEs are adopted that are applicable to this type of engagement, the CPA is to comply with any revised professional standards in issuing their agreed upon procedures report. The Commission will provide an Example Report and Letter Formats upon request that may be used and contain all of the information discussed below:
(A) The report must describe all instances of procedural noncompliance regardless of materiality) with the MICS or approved variations, and all instances where the Tribal gaming regulatory authority's regulations do not comply with the MICS. When describing the agreed-upon procedures performed, the CPA should also indicate whether procedures performed by other individuals were utilized to substitute for the procedures required to be performed by the CPA. For each instance of noncompliance noted in the CPA's agreed-upon procedures report, the following information must be included:
(1) The citation of the applicable MICS for which the instance of noncompliance was noted.
(2) A narrative description of the noncompliance, including the number of exceptions and sample size tested.
(5) Report Submission Requirements.
(i) The CPA shall prepare a report of the findings for the Tribe and management. The Tribe shall submit 2 copies of the report to the Commission no later than 120 days after the gaming operation's business year. This report should be provided in addition to any other reports required to be submitted to the Commission.
(ii) The CPA should maintain the work-papers supporting the report for a minimum of five years. Digital storage is acceptable. The Commission may request access to these work-papers, through the Tribe.
(6) CPA NIGC MICS Compliance Checklists. In connection with the CPA testing pursuant to this section and as referenced therein, the Commission will provide CPA MICS Compliance Checklists upon request.
(g) Enforcement of Commission Minimum Internal Control Standards.
(1) Each Tribal gaming regulatory authority is required to establish and implement internal control standards pursuant to paragraph (c) of this section. Each gaming operation is then required, pursuant to paragraph (d) of this section, to develop and implement an internal control system that complies with the Tribal internal control standards. Failure to do so may subject the Tribal operator of the gaming operation, and/or the management contractor, to penalties under 25 U.S.C. 2713.
(2) Recognizing that Tribes are the primary regulator of their gaming operation(s), enforcement action by the Commission will not be initiated under this part without first informing the Tribe and Tribal gaming regulatory authority of deficiencies in the internal controls of its gaming operation and allowing a reasonable period of time to address such deficiencies. Such prior notice and opportunity for corrective action is not required where the threat to the integrity of the gaming operation is immediate and severe.
[67 FR 43400, June 27, 2002, as amended at 70 FR 47104, Aug. 12, 2005]