by Joe H. Smith
In retrospect, how was an organization’s ability to withstand the impact of the pandemic judged, now that everyone is striving to return to normalcy? This event has tested not only the endurance and sustainability of the national economy (not to mention its impact on people’s health and society as a whole), but also the gaming industry’s ability to respond to a crisis – including the effectiveness of operations and control systems. Existing research has suggested that the following performance mechanisms have been most affected:
• Corporate governance has become detached and less responsive.
• Innovation has been stifled.
• Liquidity is diminished.
• Operations have become more inflexible.
Internal control reflects on an entity’s ability to manage risk and is essential to the implementation of governance mechanisms. The Committee of Sponsoring Organizations of the Treadway Commission has defined internal control as the way to achieve reasonable assurance of accomplishing accepted organizational objectives. These include: effective production of goods and services; prudent consumption of resources; production of reliable financial data; and compliance with applicable laws and regulations. Observations across the gaming industry, post-pandemic, reveals that high quality control environments played a significant role in mitigating risk arising from the cataclysmic COVID contagion. Consequently, the role of internal control in crisis management is above reproach and is a lesson to guide management in the prioritization of resources in the future.
The idea of revisiting internal control in light of the virus is not new. “The SEC is advising companies to consider what changes in controls have occurred that materially affect or are reasonably likely to materially affect ICFR” (internal control over financial reporting). “Companies need to consider what challenges they anticipate in their ability to maintain systems and controls.”
For the past few decades, tribal gaming has relied upon federal guidance to define an effective system of internal control, at least as it relates to the recognition and recordation of gaming revenues. Federal assistance, although well intended, has failed to keep pace with a changing industry, and most notably, the shifting risks resulting from the pandemic. Business processes have changed as a result of COVID, and previously stable workflows are now experiencing volatility. Risk assessments need to be more expansive, and at least for the near future, performed and refreshed periodically to ensure that internal controls continue to function as intended.
The assessment of internal control effectiveness has taken on a heightened level of importance. What worked in the past may result in gaps in control because of evolving risk factors, such as remote work environments, digital reviews/approvals and virtual documentation, and the most perplexing of all, a labor market impaled by the crisis. Many casinos have experienced dramatic changes, not only in the mix of revenues, but in the aggregated total; an elevated potential of employee and customer fraud; internal communication challenges; increased IT vulnerability – not unrelated to employee and customer privacy; and a mutated customer profile. The reassessment of inherent and residual risk is likely to result in changes to both financial and operational policies and procedures. Rules and responsibilities will need to be adjusted, and contingency planning will become a fundamental component of the departmental handbook.
Historically, higher performing individuals within an organization have typically achieved greater recognition and have been rewarded with additional responsibility and greater authority. Unfortunately, today’s workplace is often characterized by volatility in which people, workflows, and surroundings are subject to sudden and unexpected change. Companies are evaluating the need to assign appropriate back-up personnel to fill in as needed, and designated back-up personnel often have specific responsibilities, as opposed to broad authority. Occasionally, related functions are being more closely linked in the event there is a leadership void. For example, the person in charge of surveillance may be groomed and prepared to assume control over security personnel on a moment’s notice, and vice-versa. Or, the revenue audit manager might be tasked with temporarily assuming control over the cage/vault department.
Segregation of duties is a long-established concept that is now requiring additional resource allocations and often a bit of creative thinking by human resources to maintain. Pervasively, job descriptions have had to be revisited, as people are now given greater realms of responsibility and are expected to do more. Furthermore, qualifications for supervisory and management positions have had to be pruned in order to find people to fill them. Then after being hired, they are enrolled in a trained program to bring them up to speed. Consequently, the risk assessment process needs to be particularly attuned to detecting areas where control systems are jeopardized due to a lack of oversight and verification.
Two concepts permeate the National Indian Gaming Commission’s MICS: task redundancy, where multiple people are responsible for performing the same procedure; and individual accountability, which dictates that a single person must be individually held accountable for cash and cash equivalent funds and sensitive inventory items. The expansion of virtual environments due to the pandemic has made it more difficult to clearly distinguish between who holds physical custody of an asset and who handles the record-keeping for it. A shrinking workforce of entry level people and those skilled in the trades, coupled with a scarcity of gaming professionals, is confounding the ability of operations to respond to often-increasing workloads. Segregation of duties can be a casualty of these competing forces.
A key component of the risk assessment process should be the identification of external service providers deemed to be critical to the achievement of the organization’s objectives. The consequences of business disruption need to be evaluated and contingency planning options developed. Below are steps to consider when implementing a critical resource response plan:
• Identify those service providers most critical to business continuity and the core function areas dependent on their product or service.
• Identify internal personnel who have front-line connections with the service provider and provide guidance on the fostering of communications so the vendor’s ability to fulfill its commitment can be periodically assessed.
• Consult legal and compliance personnel on the effectiveness of the governing agreements to protect the organization’s interests in the event something goes wrong, thereby enabling the development of contingency planning and mitigation remedies.
• Set a regular cadence of communications internally with key leadership personnel to monitor the ability of providers to continue to perform. Insecurity in the relationship might trigger contingency planning mechanisms, such as increased dialog with the vendor or options to modify or rescind contracts.
• If confidence in the service provider is on the line, consult with risk management personnel on the consequences of an interruption in coverage, and how negative outcomes might be mitigated. Begin the process of unwinding the relationship and seeking a replacement. Consider whether the outsourced activity can be brought in-house.
To repeat a popular cliché, failing to plan is the same as planning to fail. In the post-pandemic environment in which supply chains have become challenged, it is all but an inevitable consequence that interruptions will occur in critical service providers; however, as noted above, there are basic steps that can be implemented to minimize the repercussions.
Whether you’re talking about a compliance audit, performance audit, internal audit, or external audit, testing procedures of observation, interview, and document examination are not what they used to be. The American Institute of Certified Public Accountants recognized this when they posted a blog in 2021 advising, “You’re not prohibited from conducting audit procedures remotely. Auditing standards generally specify what evidence must be collected, but not how it must be collected.”
Because of the current state of flux in policies and procedures, position roles and responsibilities, and process timelines, testers now, more than ever, need to invest more time in advance of audits to gain an understanding of what is new, and what to expect once the examination begins. Considering the likelihood of increased remote testing, the auditee needs to consider what measures are appropriate to facilitate communication and file sharing. Setting aside the surveillance video of the year-end cash count is a likely request of the external auditors, as well as the drop-and-count process for the MICS auditor. Likewise, audit teams that embrace technology may ask to capture select records during the year for later retrieval, such as every hundredth jackpot slip, or every fourth Thursday grave shift cage/vault inventory count document, or maybe all voided table game fill slips. If automated systems are in use, the virtual document can be copied to a holding file and then at year-end uploaded to a share file. Greater reliance on technology in internal control and substantive financial testing has been a long time coming and the post-pandemic era has hastened its arrival. Although remote auditing may allow for an expedited examination, it will also increase the risk of miscommunication. As a result, greater collaboration between the parties will be essential.
COVID took our well-defined set of inherent risks and put them into the proverbial blender. Since reopening, we have been attempting to reevaluate and mitigate a new and often imposing set of risk factors. The gaming environment has been realigned and has become dependent on mobile devices, online transactions and banking, telecommuting, temporary project-based workforces, flexible hours, and outsourcing. All of these characteristics of doing business make accountability difficult and necessitate a thorough internal control to respond to a newfound set of risks. The importance of having a meaningful process for improving a risk assessment in order to design an effective system of internal control cannot be overstated. The pandemic taught us that organizations with control systems that are valued and supported by the employees were able to better withstand the contagion tsunami. For the indomitable leader, the challenges arising from the past two years will spark opportunity – to introduce automation into control systems and workflows, improve assurance, more evenly distribute workloads, achieve greater compliance, and provide stakeholders with an added level of confidence.
Joe H. Smith, CPA, CFE, CFF, CGAP, is a Senior Consultant for REDW, LLC and Commissioner for the Picayune Rancheria of the Chukchansi Indians Tribal Gaming Commission. He can be reached by calling (503) 314-2009 or email [email protected].