GH GambleHub

Audit checklists and reviews

1) Purpose

Create a single checklist and review-rule catalogue for Operations and Compliance that ensures:
  • comparability of checks between teams and periods;
  • completeness and evidence of results;
  • transparent management of corrective actions (CAPAs) and re-checks.

2) Roles and RACI

Owner: Head of Compliance/Head of Internal Audit - methodology, checklist versions. (A)

Process Owners (1st line): self-assessment, artifacts, CAPAs. (R)

Compliance/InfoSec/AML/RG (2nd line): peer review, co-audits, interpretation of norms. (R/C)

Internal Audit (3rd line): independent reviews, ratings, follow-up. (R)

Management (Exec Sponsor): approves outputs and allocates resources to CAPAs. (A/C)

3) Types of review

1. Self-Assessment (SA): monthly/quarterly, by process owners, using short checklists.
2. Peer Review (PR): cross-check by a neighbouring team (no conflict of interest).
3. Management Review (MR): quarterly review of KPI/KRI, trends and open CAPAs.
4. Internal Audit Review (IA): independent review according to the IA plan.
5. External-Audit Readiness (EAR): preparation for certifications/inspections (ISO/SOC/PCI/regulator).

4) General rules of the checklist

Each checklist has a code, version, owner, scope and the following required sections:

ID: CL-<code> / Version: v<MAJOR.MINOR> / Owner: <role>
Scope: <KYC/AML/RG, GDPR/PII, Payments/PCI, Games/Providers, Reporting, Incidents...>
Frequency: M / Q / Ad-hoc
Materiality: <criteria for High/Medium/Low>
Sampling: <method and size>
Evidence: <list of files/screenshots/logs>
Question list: [X] Yes [ ] No [ ] N/A + Comment + Artifact + Severity
Result: Score/Rating/CAPA

Rating system (recommended):
  • Fully Met (100–90%) / Largely Met (89–75%) / Partially Met (74–50%) / Not Met (<50%).
  • Severity of findings: S1 critical / S2 high / S3 medium / S4 low.
  • Materiality: monetary effect (GGR/NGR), customer/PII coverage, licence/penalty risk, impact on game integrity.

5) Checklist catalogue (skeletons with checkpoints)

CL-KYC-01 — KYC/KYB

  • Policies and review levels are approved and up to date.
  • KYC providers have valid contracts/DPAs.
  • Verification SLAs are met (D-1 metric).
  • Documents are stored according to retention; access is RBAC-controlled.
  • Failures/escalations are documented; the false-positive rate is within the norm.
  • KYB for partners: current registry extracts/beneficial owners.

Evidence: KYC status exports, DPA register, access log, sample of 25 cases.

CL-AML-02 — AML/CFT

  • AML policy and risk-scoring methodology are up to date.
  • PEP/sanctions screening at onboarding and periodically thereafter.
  • SARs/STRs are filed on time; acknowledgements are on file.
  • Quality of investigations: completeness, timing, closure.
  • Monitoring rules cover velocity/structuring/mule accounts.
  • Tipping-off test: the client is not notified while a SAR is pending.

Evidence: SAR/STR cases, sanctions screening logs, case closure time reports.

CL-RG-03 - Responsible Gambling

  • Limit/self-exclusion register is synchronized (internal register/national system).
  • Vulnerability triggers → contact within SLA; communication templates.
  • Intervention effectiveness is measured and analysed.
  • Ads/bonuses comply with market restrictions.
  • RG incidents and notifications to the regulator are on time.

Evidence: self-exclusion logs, communication templates, outreach metrics.

CL-PCI-04 - Payments/PCI

  • PCI segmentation and PAN/CHD inventory are up to date.
  • Tokenization; encryption in transit/at rest; keys are rotated.
  • Auth rate/decline rate/latency per PSP within thresholds; fallback routes exist.
  • Chargeback process and evidence base for disputes.
  • Vulnerabilities from ASV scans are remediated on time.
  • Payment-zone access logs are complete and immutable.

Evidence: network diagrams, ASV reports, chargeback cases, KMS key policy.

CL-GAMES-05 - Game Providers/Integrity

  • Contracts and technical specifications are up to date; RNG/build versions are in the register.
  • RTP-drift monitoring and response thresholds; the freeze procedure is documented.
  • Round/session/wallet balances are reconciled.
  • Provider incidents: timeline, evidence captured, player compensation.
  • Integrity/RTP reports to the regulator are submitted and confirmed.

Evidence: RTP exports, provider API logs, examples of freeze tickets.

CL-REP-06 - Regulatory Reporting

  • Deadline calendar with Ready/Sent/Accepted statuses.
  • Data schemas are versioned; files are signed/hashed.
  • Reconciliation: wallet ↔ PSP ↔ GL with no discrepancy > X%.
  • Acknowledgements (IDs/receipts) are stored and linked to the artifacts.
  • Localization/language requirements are met.

Evidence: deadline dashboard, receipts, SQL reconciliations.
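The two technical checkpoints of CL-REP-06 (signed/hashed files and the wallet ↔ PSP ↔ GL reconciliation with a discrepancy threshold) as one worked example. This is an added illustration, not GambleHub's own code: the three ledgers, the 0.5% threshold standing in for the checklist's "X%", the "recon-v1" schema label and the HMAC key are all constructed for the demo. The reconciliation treats a key that is missing from one source as zero, so an amount that was never posted to the GL surfaces as a 100% gap rather than being silently skipped.

```python
"""Three-way reconciliation (wallet <-> PSP <-> GL) against a materiality
threshold, and hashing/signing of the resulting report file.

Added example for CL-REP-06; not GambleHub's own code. The ledger rows, the
0.5% threshold and the HMAC key are constructed for illustration."""
import hashlib
import hmac
import json
from collections import defaultdict
from decimal import Decimal

# Constructed sample ledgers: settled totals per (day, currency, PSP).
WALLET = [("2024-06-01", "EUR", "psp_a", Decimal("10500.00")),
          ("2024-06-01", "EUR", "psp_b", Decimal("4200.00")),
          ("2024-06-01", "USD", "psp_a", Decimal("800.00"))]
PSP = [("2024-06-01", "EUR", "psp_a", Decimal("10500.00")),
       ("2024-06-01", "EUR", "psp_b", Decimal("4150.00")),  # PSP reports 50 EUR less
       ("2024-06-01", "USD", "psp_a", Decimal("800.00"))]
GL = [("2024-06-01", "EUR", "psp_a", Decimal("10500.00")),
      ("2024-06-01", "EUR", "psp_b", Decimal("4200.00"))]  # USD never posted to GL

THRESHOLD_PCT = Decimal("0.5")  # the "X%" from the checklist (assumed value)


def totals(rows):
    """Sum amounts per (day, currency, psp) key."""
    out = defaultdict(Decimal)
    for day, ccy, psp, amount in rows:
        out[(day, ccy, psp)] += amount
    return out


def reconcile(wallet, psp, gl, threshold_pct=THRESHOLD_PCT):
    """One row per key with the three totals, the worst pairwise gap as a
    percentage of the wallet total, and a breach flag when it exceeds the threshold.
    A key missing from a source counts as zero, so an unposted amount is a 100% gap."""
    w, p, g = totals(wallet), totals(psp), totals(gl)
    rows = []
    for key in sorted(set(w) | set(p) | set(g)):
        wa, pa, ga = w.get(key, Decimal(0)), p.get(key, Decimal(0)), g.get(key, Decimal(0))
        base = wa if wa else max(pa, ga)  # fall back if the wallet has nothing for this key
        worst = max(abs(wa - pa), abs(wa - ga), abs(pa - ga))
        pct = (worst / base * 100) if base else Decimal(0)
        rows.append({"day": key[0], "currency": key[1], "psp": key[2],
                     "wallet": str(wa), "psp_total": str(pa), "gl": str(ga),
                     "gap_pct": str(pct.quantize(Decimal("0.01"))),
                     "breach": pct > threshold_pct})
    return rows


def sign_report(rows, key):
    """Serialize deterministically, hash with SHA-256 and sign the digest with
    HMAC-SHA256. The manifest is what gets stored next to the regulator's receipt."""
    payload = json.dumps(rows, sort_keys=True, separators=(",", ":")).encode()
    digest = hashlib.sha256(payload).hexdigest()
    sig = hmac.new(key, digest.encode(), hashlib.sha256).hexdigest()
    return payload, {"schema": "recon-v1", "sha256": digest, "hmac_sha256": sig}


def verify_report(payload, manifest, key):
    """True only if both the hash and the signature still match the payload."""
    digest = hashlib.sha256(payload).hexdigest()
    expected = hmac.new(key, digest.encode(), hashlib.sha256).hexdigest()
    return (hmac.compare_digest(digest, manifest["sha256"])
            and hmac.compare_digest(expected, manifest["hmac_sha256"]))


if __name__ == "__main__":
    report = reconcile(WALLET, PSP, GL)
    for row in report:
        print(row)
    payload, manifest = sign_report(report, b"constructed-demo-key")
    print(manifest, verify_report(payload, manifest, b"constructed-demo-key"))
```

An HMAC is used here because the same team produces and verifies the file; if the regulator or an external auditor must verify independently, the same manifest layout works with an asymmetric signature over the SHA-256 digest instead. The manifest, not just the file, is what the acknowledgement ID should be linked to in the register.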

CL-INC-07 - Incidents/Notifications

  • TTS (time to first message) within SLA for S1/S2.
  • DPA/regulator/PSP/CERT notifications on time, with confirmations.
  • Completeness of artifacts: timeline, logs, messages, lists of affected parties.
  • Retro ≤ 7 days; CAPAs are registered and progressing.
  • Players are compensated according to the policy.

Evidence: incident log, status page, artifact packages.

CL-GDPR-08 — GDPR/PII

  • Record of Processing Activities (RoPA) is up to date; legal bases are correct.
  • DSARs are closed ≤ 30 days; overdue cases are explained.
  • DPIAs exist for high-risk processes.
  • Pseudonymization/masking in exports and reports.
  • Contracts with processors and SCCs are valid.

Evidence: RoPA, DSAR log, DPIAs, examples of masking in reports.

CL-ITGC-09 - General IT Controls

  • Change management: PR process, tests, approvals, segregation of duties.
  • Access: RBAC/ABAC, periodic review, off-boarding ≤ 24 hours.
  • Backup/restore and DR are tested periodically.
  • Audit logs are immutable; retention is observed.
  • Observability: SLOs/error budgets, alerts on critical metrics.

Evidence: PR samples, IAM logs, DR test reports, retention policies.

6) Sampling and evidence methodology

Size: depends on scope and risk (e.g. min 25; PPS sampling/stratification for large populations).
Methods: random, systematic, targeted (anomalies/edge cases), by peak periods.
Sufficiency: at least 2-3 independent sources for each key conclusion (logs, screenshots, exports, tickets).
Traceability: every checklist item has evidence with an ID and a link in the register.
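The sampling methods of this section as runnable code: a minimum of 25 items, random/systematic/stratified/targeted draws, and a receipt (method, seed, size, hash of the IDs) that makes the draw traceable and reproducible from the register. This is an added example, not GambleHub's own tooling; the population of KYC cases, the risk tiers and the 5% sampling rate above the minimum are constructed for illustration. The stratified draw gives every stratum at least one item, so a small high-risk tier is never sampled out.

```python
"""Sample selection for a checklist item: random, systematic, stratified and
targeted draws with a minimum of 25 items and a recorded seed, so the sample
can be re-drawn from the PBC register.

Added example for section 6; not GambleHub's own code. The population of
KYC cases and the 5% sampling rate are constructed/assumed."""
import hashlib
import random

MIN_SAMPLE = 25


def constructed_population(n=400):
    """Synthetic KYC cases with a risk tier and an escalation flag."""
    rng = random.Random(7)
    cases = []
    for i in range(n):
        tier = rng.choices(["low", "medium", "high"], weights=[70, 25, 5])[0]
        cases.append({"id": f"KYC-{i:05d}", "tier": tier, "escalated": rng.random() < 0.1})
    return cases


def sample_size(population_size, min_size=MIN_SAMPLE, rate=0.05):
    """At least MIN_SAMPLE, otherwise 5% of the population, capped at the population."""
    return min(population_size, max(min_size, round(population_size * rate)))


def random_sample(population, seed, n=None):
    """Simple random sample, reproducible from the seed."""
    n = n or sample_size(len(population))
    return random.Random(seed).sample(population, n)


def systematic_sample(population, seed, n=None):
    """Every k-th item (k = N // n) from a seeded starting offset."""
    n = n or sample_size(len(population))
    k = max(1, len(population) // n)
    start = random.Random(seed).randrange(k)
    return population[start::k][:n]


def stratified_sample(population, seed, key, n=None):
    """Proportional allocation per stratum with at least one item per stratum,
    so small high-risk strata are never skipped."""
    n = n or sample_size(len(population))
    strata = {}
    for item in population:
        strata.setdefault(key(item), []).append(item)
    rng = random.Random(seed)
    chosen = []
    for _, items in sorted(strata.items()):
        share = max(1, round(n * len(items) / len(population)))
        chosen.extend(rng.sample(items, min(share, len(items))))
    return chosen


def targeted_sample(population, predicate):
    """Directed selection of anomalies/edge cases: every match, no randomness."""
    return [item for item in population if predicate(item)]


def sample_receipt(sample, seed, method):
    """Evidence line for the register: method, seed, size and a hash of the IDs drawn."""
    ids = ",".join(item["id"] for item in sample)
    return {"method": method, "seed": seed, "n": len(sample),
            "ids_sha256": hashlib.sha256(ids.encode()).hexdigest()}


if __name__ == "__main__":
    cases = constructed_population()
    seed = "CL-KYC-01/2024-Q2"  # the seed is what gets recorded in the PBC register
    for name, draw in (("random", random_sample(cases, seed)),
                       ("systematic", systematic_sample(cases, seed)),
                       ("stratified", stratified_sample(cases, seed, key=lambda c: c["tier"]))):
        print(sample_receipt(draw, seed, name))
    print(len(targeted_sample(cases, lambda c: c["escalated"])), "escalated cases")
```

Record the seed and the `ids_sha256` with the checklist item: a reviewer who re-runs the draw over the same population export gets the same hash, which is the reproducibility check a peer review or IA follow-up needs. The targeted draw is deliberately not seeded; it is the "anomalies/edge cases" method and should be reported separately from the statistical sample.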

7) Review ratings rubricator

Effective - the control is well designed and operates consistently; no S1/S2 findings.
Generally Effective (with improvements) - S3/S4 findings exist, but risks are under control.
Partially Effective - systemic S2 findings; high residual risk.
Ineffective - S1 or a cluster of S2 findings; requires an immediate remediation plan.

8) CAPA and follow-up

For each finding: root cause → action → owner → deadline → success metric.
Closing SLA: S1 ≤ 30 days; S2 ≤ 60 days; S3 ≤ 90 days; S4 by agreement.
Verification: the auditor checks the evidence of implementation (screenshots/logs/policies) and changes the status to Verified.
Escalation: S1/S2 delays go to the weekly MR and to the Audit Committee quarterly.

9) Working artifacts (templates)

9.1 Checklist (check sheet)

Item | Yes/No/N/A | Comment | Severity | Artifact (ID)

9.2 Finding Card

Code | Title | Condition (as found) | Criterion | Risk/impact | Root cause | Recommendation | Severity (S-level)

9.3 CAPA Sheet

Finding → Steps → Owner → Deadline → Metric/Threshold → Evidence → Status → Verification Date

9.4 PBC list (Provided By Client)

Request → Format → Source → Owner → Deadline → Date Received → Comments

10) Review dashboard

Coverage: % of processes covered by a review during the period.
Findings by severity: S1-S4 distribution.
CAPA progress: completed/in progress/expired; median closing time.
Repeat findings: share of repeat findings within 12 months.
Timeliness: adherence to the SA/PR/MR/IA schedule.
Effectiveness trend: rating dynamics by area.
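The CAPA rules of section 8 (closing SLA per severity, escalation of overdue S1/S2) and the dashboard figures of section 10 computed from a CAPA log, as an added example that is not GambleHub's own code. The five CAPA records, the snapshot date, the process counts and the "repeat_of" field are constructed; the log is assumed to cover the 12-month window the repeat-findings metric refers to. An S4 item without an agreed deadline is "by agreement" and therefore never expires, which is the one case the page leaves to negotiation.

```python
"""CAPA follow-up and review-dashboard metrics from a CAPA log: the closing
SLA per severity and escalation rule of section 8, and the dashboard figures
of section 10 (coverage, findings by severity, CAPA progress, median closing
time, repeat findings).

Added example; not GambleHub's own code. The CAPA records, the process counts
and the snapshot date are constructed."""
from collections import Counter
from datetime import date, timedelta
from statistics import median

SLA_DAYS = {"S1": 30, "S2": 60, "S3": 90}  # S4 is "by agreement": per-record deadline

# Constructed CAPA log. "repeat_of" links a finding to an earlier one it repeats.
CAPAS = [
    {"code": "F-101", "area": "PCI", "severity": "S1", "opened": date(2024, 4, 1),
     "closed": date(2024, 4, 20)},
    {"code": "F-102", "area": "AML", "severity": "S2", "opened": date(2024, 4, 10),
     "closed": None},
    {"code": "F-103", "area": "KYC", "severity": "S3", "opened": date(2024, 3, 1),
     "closed": None},
    {"code": "F-104", "area": "GDPR", "severity": "S4", "opened": date(2024, 5, 1),
     "closed": None, "agreed_deadline": date(2024, 9, 30)},
    {"code": "F-105", "area": "PCI", "severity": "S2", "opened": date(2024, 5, 15),
     "closed": date(2024, 6, 30), "repeat_of": "F-090"},
]


def deadline(capa):
    """Closing deadline from the severity SLA; S4 uses the agreed date (may be None)."""
    if capa["severity"] == "S4":
        return capa.get("agreed_deadline")
    return capa["opened"] + timedelta(days=SLA_DAYS[capa["severity"]])


def capa_state(capa, today):
    """'completed', 'in_progress' or 'expired' as of `today`."""
    if capa["closed"] is not None:
        return "completed"
    due = deadline(capa)
    return "expired" if due is not None and today > due else "in_progress"


def escalation_target(capa, today):
    """Overdue S1/S2 go to the weekly MR and the quarterly Audit Committee."""
    if capa_state(capa, today) == "expired" and capa["severity"] in ("S1", "S2"):
        return "weekly MR / quarterly Audit Committee"
    return None


def dashboard(capas, today, total_processes, reviewed_processes):
    """The section 10 figures for one snapshot date."""
    states = [capa_state(c, today) for c in capas]
    closing_days = [(c["closed"] - c["opened"]).days for c in capas if c["closed"]]
    repeats = sum(1 for c in capas if c.get("repeat_of"))
    return {
        "coverage_pct": round(100 * reviewed_processes / total_processes, 1),
        "findings_by_severity": dict(Counter(c["severity"] for c in capas)),
        "capa_progress": dict(Counter(states)),
        "median_closing_days": median(closing_days) if closing_days else None,
        "repeat_pct": round(100 * repeats / len(capas), 1),
        "escalations": [c["code"] for c in capas if escalation_target(c, today)],
    }


if __name__ == "__main__":
    snapshot = dashboard(CAPAS, date(2024, 7, 1), total_processes=8, reviewed_processes=6)
    for name, value in snapshot.items():
        print(f"{name}: {value}")
```

Run against the real CAPA log on each MR date: the `escalations` list is the agenda item for the weekly MR, and the `expired` count is the number the dashboard should show rather than the raw open count, since an open S3 inside its 90 days is not a problem yet.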

11) Calendar and frequencies

Monthly: SA for KYC/Payments/GDPR DSARs, incidents/notifications.
Quarterly: PR for AML/RG/Providers/Reporting; MR for all areas.
Semi-annual/Annual: IA for high-risk areas; EAR before certifications/inspections.

12) "Quick start" check-cards (7 points each)

KYC: Policy; Providers/DPA; SLA; Queues > SLA; RBAC; Waivers/Escalations; FP report.
AML: PEP/sanctions lists; SAR deadlines; Quality of investigations; Velocity/structuring; No tipping-off; Caseboard KPIs; Training.
RG: Register/synchronization; Contacts within SLA; Effectiveness; Ad restrictions; Complaints; Incidents; Reports to regulator.
PCI: Segmentation; Keys/rotation; ASV/vulnerabilities; Access logs; Tokenization; Chargebacks; Fallback PSP.
Games: RTP-drift; Freeze procedure; Balance synchronization; Provider incidents; RNG versions/builds; API SLA; Integrity reports.
Reporting: Calendar; Schemas/versions; Signature/hash; Reconciliation; Language/locale; DQ metrics; Receipts.
Incidents: TTS; Notifications on time; Completeness of artifacts; Compensation; Retro; CAPA; Dashboard.

13) Frequent mistakes and how to avoid them

Checklists without evidence → every item requires an artifact ID.
Assessment without materiality → fix the thresholds in the checklist card.
SA/PR/IA duplication → a consistent calendar and a single request register (PBC).
"Document-centrism" without operational tests → always take a sample of operations.
CAPAs without metrics → specify measurable results (for example, DSARs closed ≤ 30 days for ≥ 98% of cases).

14) Implementation plan (30 days)

Week 1

1. Approve the methodology and rating scales.
2. Create 8 basic checklists (CL-KYC/AML/RG/PCI/GAMES/REP/INC/GDPR).
3. Register artifacts and PBC/Finding/CAPA templates.

Week 2

4. Run an SA pilot in 2 processes and a PR in 1 process.
5. Set up the review dashboard and CAPA log.
6. Deliver training on "evidence and sampling."

Week 3

7. EAR session on near certification/inspection.
8. Agree on MR/IA schedule for the quarter.
9. Fix material thresholds and sample sizes.

Week 4

10. Release v1.0 of the checklist catalogue and calendar.
11. Retro of the pilot; update checklist versions (v1.1).
12. Include review in process owner KPIs.

15) Related Sections

Internal Audit and External Audit

Regulatory reports and data formats

Notices of Violations and Reporting Deadlines

Compliance dashboard and monitoring

Incident playbooks and scripts

Crisis management and communications
