For Harrah’s Entertainment, an effort to fully automate the internal auditing process begun early last year could not have been timed more fortunately.
That’s because the casino industry — already subject to stiff compliance demands from state authorities and the payment-card industry — saw its bar raised further at the beginning of this year by new reporting requirements, mostly involving system security, from the Nevada Gaming Commission.
At Harrah’s, the heavier compliance crush is eased considerably by its ongoing project to achieve “continuous auditing.” Definitions for that term vary widely; the Institute of Internal Auditors, for one, calls it “any method used by auditors to perform audit-related activities on a more continuous or continual basis.” Increasingly, though, individual practitioners see the cutting edge as auditing 100% of data relating to transactions, processes, policies, or whatever else is to be audited, rather than reviewing small samplings at longer intervals, as many organizations still do.
Achieving that level of scrutiny generally is accomplished by writing data-analytic scripts for each area to be audited, then integrating them with any database and reporting systems used internally and with off-the-shelf auditing software programs like ACL, Idea, and Microsoft Access.
The integration work was a big undertaking for Harrah’s, which has 40-plus properties, including 13 in Nevada. Each property has three key systems that run its slot machines, table games, and sports-book service, and there are also food-and-beverage, ATM, and in some cases hotel management systems. “We’re talking about a lot of systems in a casino,” says Cheryl Kondra, chief audit executive for Harrah’s.
A lot of employees, too, which is a crucial factor. That’s because monitoring workers’ access to systems is one of the most important tasks for Kondra’s department. Casinos are required to review the access listings each quarter to determine that, for instance, only active employees are listed and that everyone has the appropriate level of access. At Caesars Palace alone there are 5,200 employees, about 2,000 of whom have access to the key gaming systems.
“It was a massive, very manual process to print a report and compare it to an HR listing of employees,” says Kondra. “Automating that, and monitoring it continuously instead of waiting until the end of the quarter, makes the audit a lot easier, and we don’t find as many exceptions.”
System access is so important because of the potential for employee fraud. “It’s not just the access to cash,” she notes. “You have to have adequate access to systems to get everything to balance so the fraud does not pop out.”
For Harrah’s, a big benefit of the move to automated monitoring is that it allows the 86 auditors who work at the casinos to spend more time on the gaming floor doing surveillance — another way to catch employee fraud. “I’d rather see them on the floor because that’s where the action is, not at their desks buried in paperwork,” Kondra says.
For the Office of the Comptroller General of the British Columbia Ministry of Finance in Canada, the 2008 launch of a move to continuously audit 100% of transactions put it well ahead of most governments and other non-profit organizations, for which less-automated processes are still commonplace.