GH GambleHub

Audit and inspection procedures

1) Why audits are needed in iGaming

Auditing is the systematic verification of product and transaction compliance with license requirements, law, standards, and internal policies.
Objectives: to reduce regulatory and financial risks, to prove the integrity of games/payments/data, to improve compliance processes and culture.

2) Taxonomy of checks (what and who)

| Type | Who conducts | Focus | Frequency |
|---|---|---|---|
| Internal audit | In-house Internal Audit/Compliance | Policies, processes, SoD, logging, reporting | Quarterly/half-yearly |
| External independent | Test laboratories/audit firms | RNG/RTP/volatility, security and processes | Annually/upon release |
| Regulatory inspection | Licensor/supervisory authority | Full slice: games, payments, RG/AML/Privacy | On schedule/unannounced |
| Thematic audit | By domain | KYC/AML, RG, Privacy/GDPR, PCI DSS | Annually/on change |
| IT/Security | Security/IT audit | Accesses, change management, DevOps, DR/BCP | Yearly/after an incident |

3) Scope

Games: RNG, RTP, version control, immutable logs.
Payments: routing, refunds, chargebacks, Net Loss, limits.
KYC/AML: procedures, sanctions lists/PEPs, cases, and SAR/STRs.
Responsible Gaming: limits, timeouts, self-exclusion, Reality Checks.
Privacy/GDPR/CCPA/LGPD: DPIA, lawful bases for processing, retention periods, rights of data subjects.
Security/IT: RBAC/ABAC, SoD, logging, CI/CD, secrets, DR/BCP.
Marketing/CRM/Affiliates: suppression, consents, contractual prohibitions.

4) Standards and methodology

ISO 19011 - audit principles and conduct (planning → report → follow-up).
ISO/IEC 27001/27701 - security/privacy management (control measures).
PCI DSS - if processing PAN/cards.
GLI-11/19, ISO/IEC 17025 - in conjunction with test laboratories.
The "three lines of defence" framework: 1) process owners, 2) risk/compliance, 3) independent audit.

5) Audit lifecycle

1. Planning: scope/criteria definition, risk map, artifact list, NDAs and accesses.
2. Fieldwork: interviews, walkthroughs, control tests, sampling, log/system inspection.
3. Consolidation: recording of facts, non-conformance rating (High/Med/Low), draft report.
4. Report: findings, evidence, recommendations, timeframe for resolution.
5. CAPA: corrective and preventive actions plan (owners, deadlines, evidence of closure).
6. Follow-up: verification of CAPA implementation, closure of findings.

6) Evidence and samples

Evidence: policies/procedures (latest versions), screenshots of settings, log exports (WORM), build hashes, change management tickets, training records, incident reports, DPIAs, consent registers, AML/RG reports.

Sampling:
  • RNG/RTP - statistical samples of ≥10⁶ outcomes (or agreed volume/period).
  • KYC/AML - random sampling of 60-100 cases/period with tracing to sources.
  • Privacy - 20-50 subject requests (DSAR), SLA verification and completeness of responses.
  • Payments - 100-200 transactions per scenario (deposit/withdrawal/chargeback/bonus).
  • RG - 50-100 limit/timeout/self-exclusion cases + suppression logs.

Chain of custody: record the source and time of each artifact and control its integrity (hashes, signatures).

7) Nonconformance ratings and CAPAs

| Level | Criterion | Closing deadline | Example |
|---|---|---|---|
| High | Violation of law/licence, risk of harm to players | 15-30 days | Self-excluded player not suppressed |
| Medium | Control/process failure | 45-60 days | Gaps in RBAC review |
| Low | Document control/minor defects | 90 days | Out-of-date policy template |

CAPA template: problem description → root cause → actions (corrective / preventive) → owner → deadline → effect KPI → evidence of closure.

8) RACI (roles and responsibilities)

| Role | Responsibility |
|---|---|
| Audit Lead (Internal/External) | Plan, scope, methodology, independence |
| Process Owners | Provision of artifacts, corrections |
| Compliance/Legal/DPO | Criteria, legal framework, DPIA, regulators |
| Security/IT/DevOps | Accesses, logs, CI/CD, DR, WORM |
| Data/ML/Risk | RG/AML metrics, models and reason codes |
| Finance/Payments | Transactions, chargebacks, reports |
| Support/CRM/Marketing | Scripts, suppression, consent |

9) Audit readiness checklist

Documents and policies

  • Register of policy and procedure versions (with owners/dates).
  • DPIA/Records of Processing/Retention Data Matrix.
  • RG/KYC/AML/Privacy/Incident/Change/Access/Logging policies.

Technical artifacts

  • WORM log storage (games/payments/accesses/changes).
  • CI/CD artifacts: SBOM, build hashes, signatures, release notes.
  • RBAC/ABAC registry, SoD control, access review results.
  • DR/BCP exercise plans and results.

Operations

  • RG/AML/Privacy.
  • Log of incidents and post-mortems.
  • Data subject request (DSAR) register with SLAs.

10) Playbook: onsite and remote inspection

Onsite:

1. Briefing, agreement of the agenda and itinerary.
2. Tour of workplaces/server room (if applicable), physical security measures.
3. Interviews + live demos of controls, samples from production/replicas.
4. Daily wrap-up, preliminary feedback.

Remote:
  • Access to read-only panels/dashboards, secure file exchange, session recording, time-boxed slots.
  • Preloaded artifacts, walkthrough scripts.

Communications:
  • Single point of contact, ticketing, SLA for providing evidence (usually T+1/T+2 working days).

11) Special scenarios: dawn raid and unscheduled checks

Readiness: legal brief, contact list (Legal/Compliance), rules for accompanying the auditors, prohibition of data destruction/modification (legal hold).
Procedure: verification of the inspectors' credentials, registration of copies of seized data, presence of Legal, copies of integrity logs.
After: internal investigation, communications to the board/partners, CAPA.

12) Compliance and Observability Architecture

Compliance Data Lake: centralized storage of reports, logs, certificates, DPIA, metrics.
GRC platform: register of risks, controls, audits and CAPAs, recertification calendar.
Audit API/Regulator Portal: managed access for external auditors/regulator.
Immutability: WORM/object storage, Merkle hash chains.
Dashboards: RTP drift, Self-Exclusion suppression accuracy, Time-to-Enforce limits, KYC SLA.
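The chain-of-custody controls from section 6 and the "Merkle hash chains" immutability layer above both rest on the same idea: each stored record carries a hash that also covers the previous record, so any edit, insertion or deletion breaks the chain. The example below is added here to show that mechanism in working code; it is not GambleHub's own code, and the event records are constructed samples.

```python
import hashlib
import json
from typing import List, Optional, Tuple

# Constructed sample events (not real operator data): the kind of game,
# payment and RG records the page says must be kept in WORM storage.
SAMPLE_EVENTS = [
    {"ts": "2024-05-01T10:00:00Z", "type": "spin", "game": "demo-slot", "bet": 1.0, "win": 0.0},
    {"ts": "2024-05-01T10:00:05Z", "type": "deposit", "player": "p-001", "amount": 50.0},
    {"ts": "2024-05-01T10:01:00Z", "type": "limit_set", "player": "p-001", "daily_limit": 100.0},
    {"ts": "2024-05-01T10:02:00Z", "type": "self_exclusion", "player": "p-002"},
]

GENESIS = "0" * 64  # anchor for the first entry


def canonical(event: dict) -> bytes:
    # Deterministic serialisation: the same record must always hash the same.
    return json.dumps(event, sort_keys=True, separators=(",", ":")).encode()


def build_chain(events: List[dict]) -> List[dict]:
    """Append-only log: each hash covers the previous hash plus the event."""
    chain, prev = [], GENESIS
    for ev in events:
        h = hashlib.sha256(prev.encode() + canonical(ev)).hexdigest()
        chain.append({"prev": prev, "event": ev, "hash": h})
        prev = h
    return chain


def verify_chain(chain: List[dict]) -> Tuple[bool, Optional[int]]:
    """Re-derive every hash; return (ok, index of the first broken entry)."""
    prev = GENESIS
    for i, entry in enumerate(chain):
        expected = hashlib.sha256(prev.encode() + canonical(entry["event"])).hexdigest()
        if entry["prev"] != prev or entry["hash"] != expected:
            return False, i
        prev = entry["hash"]
    return True, None


def head(chain: List[dict]) -> str:
    """The head hash is what an auditor records as chain-of-custody evidence."""
    return chain[-1]["hash"] if chain else GENESIS


if __name__ == "__main__":
    log = build_chain(SAMPLE_EVENTS)
    print("head hash:", head(log), "valid:", verify_chain(log))
    log[1]["event"]["amount"] = 5000.0   # simulate an after-the-fact edit
    print("after tampering:", verify_chain(log))  # (False, 1)
```

Anchoring the head hash externally (for example in a signed daily report handed to the auditor) is what turns the chain into evidence: an insider can recompute every hash after an edit, but cannot change the anchor already in the auditor's hands.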

13) Audit Maturity Metrics (SLO/KPI)

| Metric | Target value |
|---|---|
| On-time Evidence Delivery | ≥ 95% of requests within SLA |
| High-Findings Closure | 100% within the CAPA deadline |
| Repeat Findings Rate | < 10% period-to-period |
| RTP Drift Alarms Investigated | 100% within T+5 days |
| Access Review Coverage | 100% quarterly |
| Training Completion | ≥ 98% for critical programmes |
| Audit Readiness Score | ≥ 90% (internal scale) |

14) Auditor's report template (structure)

1. Executive Summary.
2. Scope and criteria.
3. Methodology and sampling.
4. Observations/inconsistencies (with references to evidence).
5. Risk assessment and priorities.
6. CAPA recommendations and plan (agreed timelines/owners).
7. Appendices: artifacts, logs, hashes, screenshots, interview register.

15) Frequent mistakes and how to avoid them

Out-of-date policies/versions → centralized register, reminders.
No WORM/chain of custody → cannot prove facts; implement immutability.
Weak SoD/RBAC → quarterly access and journal reviews.
Lack of CAPA discipline → owners/timing/evidence of closure.
Data inconsistencies (RTP/reports/catalog) → automatic reconciliations and alerts.
Ad-hoc reaction to inspections → playbook and training (table-top).

16) Implementation Roadmap (6 steps)

1. Policy and methodology: adopt audit standard, risk scale, report formats.
2. Inventory of controls: a map of processes and controls by domain.
3. Evidence architecture: WORM, Compliance Data Lake, Audit API.
4. GRC & calendar: audit/recertification schedule, CAPA register.
5. Training: role-based exercises, "dawn raid" simulations, table-top exercises.
6. Continuous improvement: monitoring of metrics, retrospectives, reduction of repeated findings.

Result

Audit and inspection procedures are not one-time events but a continuous loop of demonstrable compliance: a clear scope, high-quality evidence, CAPA discipline, immutable logs, readiness for regulator visits and transparent metrics. This approach reduces risk, protects licences and increases the resilience of the product and the brand.
