GH GambleHub

Internal Audit and External Audit

1) Purpose and area

Ensure systematic, independent and reproducible control of Operations and Compliance processes: compliance with licenses/laws, reliability of financial and operational reporting, effectiveness of risk control (KYC/AML/RG, GDPR/PII, payments/PCI, game fairness, information security, marketing/affiliates, providers). The section defines the principles, roles, methodology, audit programs, report format and the procedure for closing non-conformances.

2) Principles and "three lines of defense"

1st line: process owners (Operations, Payments, Game Providers, Marketing/Affiliates, Support Service) - manage day-to-day risks.
2nd line: Compliance/Risk/Security/DPO - policies, monitoring, consulting, enforcement.
3rd line: Internal Audit (IA) - independent assessment of the adequacy and effectiveness of control; reports to the Supervisory Board/Audit Committee.
External audit (EA): independent third parties - financial reporting, certification (ISO/SOC/PCI), regulatory inspections.

Principles: independence, objectivity, evidence, confidentiality, focus on risks and values, transparency and traceability.

3) IA vs EA comparison

Criterion      | Internal Audit (IA)             | External Audit (EA)
Accountability | Audit Committee/Board           | Shareholders/Regulators/Certification bodies
Purpose        | Improve processes and controls  | Opinion/Certificate of Conformity
Scope          | Risk-based, flexible            | Fixed by standard/contract
Frequency      | Annual plan + ad-hoc            | By reporting/certification calendar
Result         | Report with rating and CAPA     | Conclusion/certificate/letter to management

4) Roles and RACI

Head of Internal Audit (IA Lead) - strategy, independence, plan/reporting. (A)

Internal Auditors - field checks, working documents, conclusions. (R)

Process Owners (1st line) - providing data/artifacts, CAPA. (R)

Compliance/InfoSec/AML/RG (2nd line) - co-audits, methodologists. (C/R)

CFO/Controller - financial circuit, GL, reconciliations. (C)

Legal/DPO - interpretation of norms, PII and retention. (C)

Audit Committee - approves IA plan, accepts reports, controls independence. (A)

External Auditors/Assessors - conduct EA; access to artifacts by NDA. (Contract I/R)

5) Annual Audit Plan

1. Risk register: probability × impact (finance/GGR, licenses, reputation, player safety).
2. Process map: payments/PSP, wallet, KYC/AML/KYB, RG, game providers/RTP, marketing/affiliates, information security/GDPR, incidents/notifications, regulatory reports.
3. Priority matrix: High/Medium/Low → audit frequency (quarterly/semi-annually/annually).
4. Scope: goals, criteria, procedures, samples, resources, timeline, dependencies.
5. Approval: The Audit Committee approves the annual plan; ad-hoc allowed for S1/S2 incidents.

6) Methodology: audit stages

A. Planning: Document Request, Process Understanding, Control Design Assessment, Risk Assessment, Test Program.
B. Fieldwork: interviews, walkthroughs, tests of control design and operating effectiveness, analytical procedures, artifact inspection, sampling.
C. Conclusions and rating: comparison of facts with criteria; classification of findings.
D. Report: draft → approval of facts → final → presentation to management/committee.
E. CAPA and Follow-up: corrective/preventive action plan, follow-up, verification.

7) Evidence and samples

Types of evidence: documentary (policies, logs, tickets), physical (screenshots, configurations), oral (interviews), analytical (reconciliations, trends).
Quality: sufficiency (volume), relevance, validity (source).
Samples: random, systematic, directed (risk-based), by anomalies; the size is determined by the risk and the volume of the general population.

Traceability: each finding is linked to a test, and each test to its evidence (unique ID); continuous numbering across the evidence register.

8) Classification of non-conformities and ratings

Critical (S1): risk of license/law/significant financial damage/PII-breach. Immediate action required, report to Committee/Council.
High (S2): significant control defect; short SLA to fix.
Medium (S3): limited defect; adjustment plan.
Low (S4): improvements/observations (optimization).

Audited process rating: Effective/Generally Effective with Improvements/Partially Effective/Ineffective.

9) Working documents and retention

Working Papers: program, checklists, samples, interview protocols, evidence, calculations, conclusions.
Drafting standards: index, version, owner, date, hyperlinks to artifacts, change control.
Privacy and PII: RBAC access, encrypted storage, sensitive field masking.
Retention periods: by policy (typically 5-7 years) or longer if licenses/regulators require.

10) Check topics (IA catalog)

1. Payments/PSP/PCI: auth/decline/chargebacks, PAN aliasing, access logs, vendor registry.
2. KYC/AML/KYB: KYC completeness and accuracy, PEP/sanctions, SAR/STR timing, quality of investigations, case management.
3. Responsible play (RG): limits/self-exclusions, contact procedures, effectiveness of interventions, advertising restrictions.
4. GDPR/PII/DPO: processing registry, DSAR, privacy incidents, processor contracts.
5. Game providers/honesty: RTP drift, round incidents, balance synchronization, RNG/build versioning.
6. Marketing/Affiliates: compliance with creative/targeted restrictions, attribution, contracts, payments.
7. Incident-processes: time to application (TTS), timeliness of notifications to regulators, completeness of artifacts.
8. Regulatory reporting: schemes, deadlines, DQ, reconciliation with GL/PSP.
9. IT controls/information security: accesses, SOD, changes/releases, audit logs, backups, DR/BCP exercises.

11) IA Report Format (Template)

Executive Summary: Scope, Objectives, Rating, Key Findings, and Risk.
Context: process/system/jurisdictions, period, applicable requirements.
Methodology and limitations (if any).
Detailed conclusions on priority: fact → criterion → risk → impact → recommendations.

CAPA Table - Owner, Steps, Timelines, Success Metrics

Appendices: samples, charts, evidence register, glossary.

12) Interaction with External Audit (EA)

Financial reporting: preparation of GL, reconciliation, confirmations from PSP/banks/providers, management letters.
Certifications/assessments of compliance: ISO 27001/9001, SOC 2, PCI DSS, industry regulatory inspections.
IA roles: pre-assessment (gap analysis), query support, CAPA acceleration, avoiding duplication.
Transparency: a single artifact repository, a calendar of visits, access rules, NDA.
Communications: regular "EA readiness" stand-ups; single entry point is the Audit Coordinator.

13) CAPA and follow-up

CAPA plan: specific steps, metric, owner, term, dependent systems/teams.
Verification: evidence of implementation (screens, logs, policies, test results), date, responsible auditor.
Escalation: S1/S2 - mandatory update to the Committee; delays - the "red zone" of the dashboard.
Change in risk assessment: after a successful CAPA - review of residual risk and frequency of inspections.

14) Audit dashboard (management control)

Plan status: % completion by quarter and direction.
Findings portfolio: by severity and delinquency.
CAPA progress: completed/in progress/expired, median closing time.
Process heat map: risk/effectiveness of controls before/after CAPA.
Repeat findings: indicator of systemic problems.

15) Ethical requirements and independence

Conflicts of interest: auditors do not audit operations they were involved in within the previous 12 months; conflicts are declared.
Access to data: only on the "minimum necessary" principle; no personal copies of PII.
Communications: neutral language, no accusatory tone; facts before interpretations.

16) Checklists

Start of audit

  • Defined goals/criteria/boundaries.
  • Artifacts requested and received, formats/timelines agreed.
  • Independence confirmed, no conflicts.
  • Test and sampling program approved.

Field stage

  • Walkthrough and key-roles interviews conducted.
  • Tests of control design and operating effectiveness performed.
  • Evidence register with ID/links is formed.
  • Intermediate brief to process owners (no surprises in the final).

Report and CAPA

  • Facts agreed, points of dispute resolved.
  • Conclusions classified (S1-S4), risk/impact assessed.
  • CAPA plan with owners and dates approved.
  • Follow-up dates are listed in the calendar.

17) Artifact patterns (quick inserts)

Request List (PBC): list of documents/uploads/accesses with deadlines.
Test Sheet: control → procedure → sample → result → proof → conclusion.
Finding Card: code, title, description, risk, impact, root cause, recommendation, S-level, owner, term.
CAPA Sheet: step, metric, confirmation artifacts, date, checked.

18) Frequent mistakes and how to avoid them

Combined IA and 2nd-line roles → impaired independence. Solution: IA reports directly to the Committee.
Insufficient traceability of evidence → weakly supported conclusions. Solution: a single evidence register with continuous numbering.
"Non-conformance hunting" instead of risk and value assessment. Solution: risk focus and prioritization.
CAPA overload without resources → delays. Solution: SMART goals and a WIP limit.
Ignoring data quality/freshness when checking reporting. Solution: DQ checklist.

19) Quick start (30-day implementation)

Week 1: Approve IA charter (mandate/accountability), conduct risk assessment, draft annual plan.
Week 2: create templates (PBC, Test/Finding/CAPA sheets), set up a register of evidence and a status dashboard.
Week 3: Conduct 2 "short form" pilot audits (e.g. PSP/PCI and RG/DSAR), issue reports, register CAPAs.
Week 4: conduct follow-up of pilots, adjust the methodology, submit the annual plan for approval by the Committee, agree on a schedule of external audits/certifications.

Related sections:
  • Regulatory reports and data formats
  • Notices of Violations and Reporting Deadlines
  • Compliance dashboard and monitoring
  • Incident playbooks and scripts
  • Crisis management and communications
  • Business Continuity Plan (BCP)/DRP
  • Transaction Audit Logs