543.3—How do tribal governments comply with this part?
(c) Tribal internal control standards.
Within six months of October 10, 2008, each tribal gaming regulatory authority must, in accordance with the tribal gaming ordinance, establish or ensure that tribal internal control standards are established and implemented that must:
(2)
Contain standards to identify, detect and deter money laundering in furtherance of a criminal enterprise, terrorism, tax evasion or other unlawful activity. The standards should be designed to facilitate the keeping of records and the filing of reports with the appropriate federal regulatory and law enforcement authorities.
(3)
Establish a deadline, no later than October 13, 2010, by which a gaming operation must come into compliance with the tribal internal control standards. However, the tribal gaming regulatory authority may extend the deadline by six months if written notice citing justification is provided to the Commission no later than two weeks before the deadline.
(d) Gaming operations.
Each gaming operation must develop and implement an internal control system that, at a minimum, complies with the tribal internal control standards.
(1)
Existing gaming operations. All gaming operations that are operating on or before November 10, 2008, must comply with this part within the time requirements established in paragraph (c) of this section. In the interim, such operations must continue to comply with existing tribal internal control standards.
(2)
New gaming operations. All gaming operations that commence operations after April 10, 2009, must comply with this part before commencement of operations.
(e) Submission to Commission.
Tribal regulations promulgated pursuant to this part are not required to be submitted to the Commission pursuant to Sec. 522.3(b) of this chapter.
(f) CPA testing.
(1)
An independent certified public accountant (CPA) must be engaged to perform “Agreed-Upon Procedures” to verify that the gaming operation is in compliance with the minimum internal control standards (MICS) set forth in this part or a tribally approved variance thereto that has received Commission concurrence. The CPA must report each event and procedure discovered by or brought to the CPA's attention that the CPA believes does not satisfy the minimum standards or tribally approved variance that has received Commission concurrence. The “Agreed-Upon Procedures” may be performed in conjunction with the annual audit. The tribe must submit two copies of the report to the Commission within 120 days of the gaming operation's fiscal year end. In performing the compliance audit, the CPA must use the Statements on Standards for Attestation Engagements No. 10 at Sections 101 (“Attest Engagements”) and 201 (“Agreed-Upon Procedures Engagements”) (collectively “SSAE's”), July 12, 2007, American Institute of Certified Public Accountants Inc, (AICPA). SSAE No. 10 at Sections 101 and 201 are incorporated by reference into this section with the approval of the Director of the Federal Register under 5 U.S.C. 552(a) and 1 CFR part 51. To enforce any edition other than that specified in this section, the Commission must publish notice of change in the Federal Register and the material must be available to the public. You may obtain a copy from the American Institute of Certified Public Accountants, 220 Leigh Farm Rd., Durham, NC 27707, 1-888-777-7077, at http://www.aicpa.org. You may inspect a copy at the National Indian Gaming Commission, 1441 L Street, NW., Suite 9100, Washington, DC 20005, 202-632-7003. All approved material is available for inspection at the National Archives and Records Administration (NARA). For information on the availability of this material at NARA, call 202-741-6030 or go to http://www.archives.gov/federal_register/code_of_federal_regulations/ibr_locations.html. The CPA must perform the “Agreed-Upon Procedures” in accordance with the following:
(i)
As a prerequisite to the evaluation of the gaming operation's internal control systems, it is recommended that the CPA obtain and review an organization chart depicting segregation of functions and responsibilities, a description of the duties and responsibilities of each position shown on the organization chart, and an accurate, detailed narrative description of the gaming operation's procedures in effect that demonstrate compliance.
(ii)
Complete the CPA NIGC MICS Compliance checklists or other comparable testing procedures. The checklists should measure compliance on a sampling basis by performing inspections, observations and substantive testing. The CPA must complete separate checklists for bingo and information technology. All questions on each applicable checklist should be completed. Work-paper references are suggested for all “no” responses for the results obtained during testing (unless a note in the “W/P Ref” can explain the exception).
(iii)
The CPA must perform, at a minimum, the following procedures in conjunction with the completion of the checklists:
(A)
At least one unannounced observation of each of the following: financial instrument acceptor drop and count. For purposes of these procedures, “unannounced” means that no officers, directors, or employees are given advance information regarding the dates or times of such observations. The independent accountant should make arrangements with the gaming operation and tribal gaming regulatory authority to ensure proper identification of the CPA's personnel and to provide for their prompt access to the count rooms. The checklists should provide for drop and count observations. The count room should not be entered until the count is in process and the CPA should not leave the room until the monies have been counted and verified to the count sheet by the CPA and accepted into accountability.
(D)
Compliance testing of various documents relevant to the procedures. The scope of such testing should be indicated on the checklist where applicable.
(E)
For new gaming operations that have been in operation for three months or less at the end of their business year, performance of this regulation, this section, is not required for the partial period.
(2)
Alternatively, at the discretion of the tribe, the tribe may engage an independent CPA to perform the testing, observations and procedures reflected in paragraphs (f)(1)(i), (ii), and (iii) of this section utilizing the tribal internal control standards adopted by the tribal gaming regulatory authority or tribally approved variance that has received Commission concurrence. Accordingly, the CPA will verify compliance by the gaming operation with the tribal internal control standards. Should the tribe elect this alternative, as a prerequisite, the CPA will perform the following:
(i)
The CPA must compare the tribal internal control standards to the MICS to ascertain whether the criteria set forth in the MICS or Commission approved variances are adequately addressed.
(ii)
The CPA may utilize personnel of the tribal gaming regulatory authority to cross-reference the tribal internal control standards to the MICS, provided the CPA performs a review of the tribal gaming regulatory authority personnel's work and assumes complete responsibility for the proper completion of the work product.
(iii)
The CPA must report each procedure discovered by or brought to the CPA's attention that the CPA believes does not satisfy paragraph (f)(2)(i) of this section.
(3) Reliance on internal auditors.
(i)
The CPA may rely on the work of an internal auditor, to the extent allowed by the professional standards, for the performance of the recommended procedures specified in paragraphs (f)(1)(iii)(B), (C), and (D) of this section, and for the completion of the checklists as they relate to the procedures covered therein.
(ii)
Agreed-upon procedures are to be performed by the CPA to determine that the internal audit procedures performed for a past 12-month period (includes two six month periods) encompassing a portion or all of the most recent business year has been properly completed. The CPA will apply the following agreed-upon procedures to the gaming operation's written assertion:
(A)
Obtain internal audit department work-papers completed for a 12-month period (includes two six month periods) encompassing a portion or all of the most recent business year and determine whether the CPA NIGC MICS Compliance Checklists or other comparable testing procedures were included in the internal audit work-papers and all steps described in the checklists were initialed or signed by an internal audit representative.
(B)
For the internal audit work-papers obtained in paragraph (f)(3)(ii)(A) of this section, on a sample basis, re-perform the procedures included in CPA NIGC MICS Compliance Checklists or other comparable testing procedures prepared by internal audit and determine if all instances of noncompliance noted in the sample were documented as such by internal audit. The CPA NIGC MICS Compliance Checklists or other comparable testing procedures for the applicable Drop and Count procedures are not included in the sample re-performance of procedures because the CPA is required to perform the drop and count observations as required under paragraph (f)(1)(iii)(A) of this section of the agreed-upon procedures. The CPA's sample should comprise a minimum of three percent of the procedures required in each CPA NIGC MICS Compliance Checklist or other comparable testing procedures for the bingo department and five percent for the other departments completed by internal audit in compliance with the internal audit MICS. The re-performance of procedures is performed as follows:
(1) For inquiries, the CPA should either speak with the same individual or an individual of the same job position as the internal auditor did for the procedure indicated in the CPA checklist.
(2) For observations, the CPA should observe the same process as the internal auditor did for the procedure as indicated in their checklist.
(3) For document testing, the CPA should look at the same original document as tested by the internal auditor for the procedure as indicated in their checklist. The CPA need only retest the minimum sample size required in the checklist.
(C)
The CPA is to investigate and document any differences between their re-performance results and the internal audit results.
(D)
Documentation must be maintained for five years by the CPA indicating the procedures re-performed along with the results.
(E)
When performing the procedures for paragraph (f)(3)(ii)(B) of this section in subsequent years, the CPA must select a different sample so that the CPA will re-perform substantially all of the procedures after several years.
(F)
Additional procedures performed at the request of the Commission, the tribal gaming regulatory authority or management should be included in the Agreed-Upon Procedures report transmitted to the Commission.
(4) Report format.
The NIGC has concluded that the performance of these procedures is an attestation engagement in which the CPA applies such Agreed-Upon Procedures to the gaming operation's assertion that it is in compliance with the MICS and, if applicable under paragraph (f)(2) of this section, the tribal internal control standards and approved variances, provide a level of control that equals or exceeds that of the MICS. Accordingly, the Statements on Standards for Attestation Engagements (SSAE's), specifically SSAE 10, at Sections 101 and 201 are applicable. SSAE 10 provides current, pertinent guidance regarding agreed-upon procedure engagements, and the sample report formats included within those standards should be used, as appropriate, in the preparation of the CPA's agreed-upon procedures report. If future revisions are made to this standard or new SSAE's are adopted that are applicable to this type of engagement, the CPA is to comply with any revised professional standards in issuing their agreed upon procedures report. The Commission will provide an example report and letter formats upon request that may be used and contain all of the information discussed below. The report must describe all instances of procedural noncompliance (regardless of materiality) with the MICS or approved variations, and all instances where the tribal gaming regulatory authority's regulations do not comply with the MICS. When describing the agreed-upon procedures performed, the CPA should also indicate whether procedures performed by other individuals were utilized to substitute for the procedures required to be performed by the CPA. For each instance of noncompliance noted in the CPA's agreed-upon procedures report, the following information must be included: The citation of the applicable MICS for which the instance of noncompliance was noted; a narrative description of the noncompliance, including the number of exceptions and sample size tested.
(5) Report submission requirements.
(i)
The CPA must prepare a report of the findings for the tribe and management. The tribe must submit two copies of the report to the Commission no later than 120 days after the gaming operation's business year end. This report should be provided in addition to any other reports required to be submitted to the Commission.
(ii)
The CPA should maintain the work-papers supporting the report for a minimum of five years. Digital storage is acceptable. The Commission may request access to these work-papers, through the tribe.
(6) CPA NIGC MICS Compliance Checklists.
In connection with the CPA testing pursuant to this section and as referenced therein, the Commission will provide CPA MICS Compliance Checklists upon request.
(g) Enforcement of Commission Minimum Internal Control Standards.
(1)
Each tribal gaming regulatory authority is required to establish and implement internal control standards pursuant to paragraph (c) of this section. Each gaming operation is then required, pursuant to paragraph (d) of this section, to develop and implement an internal control system that complies with the tribal internal control standards. Failure to do so may subject the tribal operator of the gaming operation, or the management contractor, to penalties under 25 U.S.C. 2713.
(2)
Recognizing that tribes are the primary regulator of their gaming operation(s), enforcement action by the Commission will not be initiated under this part without first informing the tribe and tribal gaming regulatory authority of deficiencies in the internal controls of its gaming operation and allowing a reasonable period of time to address such deficiencies. Such prior notice and opportunity for corrective action is not required where the threat to the integrity of the gaming operation is immediate and severe.
Code of Federal Regulations
Code of Federal Regulations
Code of Federal Regulations
166