Casino Enterprise Management

In our desultory travels we’ve encountered many misconceptions and misperceptions concerning regulation. Most can be cleared up with a one- or two-sentence explanation. One area of confusion, however, presents a considerably greater challenge: the place of internal controls in the regulatory hierarchy. Seasoned regulators and casino personnel know the pecking order, but there are a number of fledgling regulators and casino newbies who seem to have a hard time grasping the concept. The difficulty stems, in part, from the inconsistent and imprecise use of terminology and variance in actual practice.

So in our continuing effort to lift the fog of perplexity from the gaming industry, we humbly offer the following primer on this topic.

Definition
Internal controls are essentially accounting and administrative standards designed to protect assets, safeguard game integrity and ensure accurate reporting of revenue. The function of internal controls is to prevent unauthorized activity and detect deviations from established procedures attributable to error or intentional misconduct.

The primary purpose of internal controls is to protect assets. Casinos are subject to a greater-than-normal risk of loss from employee or customer dishonesty because they are basically cash operations with numerous transaction points where recording of all individual game transactions is not practical.

Internal controls seek to minimize the risk of loss in gaming operations by using strict procedures for the authorization, accountability and safekeeping of cash assets, such as:

• Paper controls to document key transactions for later inspection as to appropriate signatures and other authorizations;
• Physical safeguards such as safes, secure areas (e.g., cages and count rooms) and other access barriers (i.e., mantraps); and
• Human controls in the form of required supervision of activities and strict segregation of duties and responsibilities to inhibit collusion.

Historical Context
Nevada first adopted minimum internal control standards (MICS) in 1968, but it did not attempt to enforce these standards until 1982, when the board brought a disciplinary action against a casino for noncompliance with its submitted system of internal controls regarding the grant of credit to a patron. Although the initial case was settled without a determination of wrongdoing, the principle was established that casino violations of internal controls, by themselves, could form the basis for disciplinary action even if the violation was absent of wrongful intent by the licensee or evidence of loss attributable to the violation.¹

Today, regulators routinely take action to enforce internal controls and hold licensees accountable for noncompliance with them.

The Hierarchy
So, where exactly do internal controls fit into the regulatory hierarchy? As with any regulatory scheme, legal directives and norms flow from the general to the specific, so it is logical to start with enabling legislation and move down the chain from there.

Statute
Typically, a jurisdiction will have a statute that authorizes gaming, creates a regulatory agency, and vests that agency with broad powers to control gaming within certain parameters. The statute will ordinarily provide for the overall structure of the agency, including the composition of the board or commission and the terms of its members. Statutes also typically address such matters as the scope or limits of gaming activity, categories and general criteria for licensing, and any fees or taxes. In general, however, statutes leave it to the board or commission to implement the enabling legislation through promulgation of appropriate rules.

The situation at this level is slightly more complicated in tribal jurisdictions. There, the Indian Gaming Regulatory Act (IGRA) requires the adoption of a tribal gaming ordinance, which in turn functions similarly to a gaming act in non-tribal jurisdictions. In Class III gaming, IGRA and the tribal gaming ordinance is supplemented by the provisions of the state-tribal gaming compact, which may accord the state limited oversight authority.

Regulations
Promulgated rules or regulations (the terms can be used interchangeably) are the administrative laws that govern gaming activity within the jurisdiction. The regulations put flesh on the bones of the gaming statute or ordinance. They cannot exceed the authority granted to the agency by the statute and cannot be inconsistent with the legislation. Beyond that, however, regulations will normally address all aspects of gaming operations and activity, from security and surveillance to the movement of cash or cash equivalents and gaming devices.

Although regulations contain more detail than statutes, they remain somewhat general. A regulation typically will tell a licensee what must be done but will not necessarily mandate how the licensee is to comply.

For example, a regulation might mandate that the licensed operator maintain a daily record of electronic gaming device drop and win, but it will be left to detailed internal controls to specify how the drop and count is to be conducted.

The line between regulations and internal controls, however, is not always as clear and bright as it perhaps should be. We’ve seen regulations that contain detailed directives that more properly belong in MICS and standards in MICS that probably should be embodied in a regulation.

Our point here is that regulations need to have an element of stability and not require constant modification and revision. Revision of regulations in most jurisdictions is an elaborate process that absorbs time and resources. Thus, placing too much detail in regulations almost ensures frequent revision and defeats the goal of stability.

Minimum Internal Control Standards
Agency regulations normally provide a process for agency adoption of a set of minimum internal control standards. Once the agency has exercised its discretion to consider and adopt MICS, the regulation will also specify requirements for the licensed operator to submit its conforming internal control system (ICS) for approval.

In our view, internal control regulations should specify that an independent certification of MICS compliance accompany the submission of any ICS, or any modifications thereto, preferably by a certified public accountant approved by the commission or board.

Like the statutory level, the MICS level is somewhat more complicated in tribal jurisdictions. By regulation, 25 CFR Part 542, as amended, the National Indian Gaming Commission (NIGC) has adopted MICS for tribal gaming. Tribal gaming agencies are required to adopt Tribal Internal Control Standards (TICS) that meet or exceed the NIGC MICS. Recently, the United States Court of Appeals for the District of Columbia Circuit affirmed the August 2005 ruling of the District of Columbia District Court in Colorado River Indian Tribes v. NIGC (popularly known as the CRIT decision) that the NIGC had no power to impose operational standards on Class III gaming. Specifically, the courts found no statutory authority under the Indian Gaming Regulatory Act (IGRA) that would allow the NIGC to promulgate or enforce regulations containing minimum internal control standards. Despite this ruling, however, many tribal gaming agencies have adopted either the NIGC or industry standard MICS to govern their gaming operations.

System of Internal Controls (aka Internal Control System)
The casino operating procedures are more detailed and specific to the particular gaming operation. The ICS, however, cannot deviate from the minimum requirements absent regulatory approval and demonstration that the procedures provide an equivalent level of control and security.

Standard Operating Procedures
The ICS does not provide specific directions to employees as to the exact manner in which their duties are to be carried out. Casinos, therefore, normally supplement the ICS with detailed standard operating procedures (SOPs) for each individual department. SOPs also address areas of casino operations that do not directly involve gaming activity, such as personnel policy matters (attire, general behavior, customer service, breaks, hygiene, layoffs and grievance procedures) and housekeeping or maintenance matters.

In general, regulators are not nearly as concerned about what a casino puts in its SOPs, provided that the provisions do not conflict with the hierarchy of statute, regulation and MICS. No conflict should be present if the content of the SOPs is solely that of non-gaming related policies or procedures.

Confusion can come at this level where a casino combines ICS with SOPs in a single manual called “Policies and Procedures.” There is nothing inherently wrong with this practice, provided that the distinction is made clear within the manual. What we have observed, however, are regulators spending an inordinate amount of time reviewing and approving policies and procedures that simply are not part of an ICS but have been presented by the casino for review. Sometimes we suspect that clever operators know precisely what they are doing in combining the two and have no problems with allowing regulators to spend time on busy work—which keeps them out of the operator’s hair.

Illustrations
All of the above represent a neat abstract framework that may lend itself to an intellectual understanding of the hierarchy. Some examples, however, will more readily illustrate how the system works in concrete reality.

Take surveillance, for example. A statute might mandate that the casino have a surveillance system. The regulation would specify things like the general location of the surveillance room, areas of mandatory coverage, data retention, logs, equipment malfunction procedures and requirements for a surveillance plan. MICS normally would not directly address surveillance but would specify when surveillance needs to be notified for such matters as the movement of cash, secure area access, drops or count and other asset transfer events. The ICS could specify the exact personnel required to make the required calls to surveillance.

Similarly, as noted with respect to drops and counts, the statute might only require accurate reporting of gaming revenue. Regulations might only require that the licensee notify the agency of drop and count times. The MICS, for example, could have a provision that would require, with respect to table game drop boxes, that “the physical custody of the keys needed for accessing stored, full table game drop box contents shall require the involvement of persons from at least two separate departments, with the exception of the count team.” An ICS provision would amplify this requirement by specifying exact locations for securing keys, personnel authorized access, and required logs or other documentation related thereto.

Final Thoughts
When implemented properly and consistently, the gaming ordinance, the gaming regulations and the ICS work together to form a chain that secures the gaming entities’ assets—including its reputation—from internal or external assault. However, as with any chain, if one of the links is defective, the entire chain only provides a false sense of security to the user, creating an exposure rather than a deterrent to theft.
If all of the above sounds painfully familiar, we apologize for boring you. But we suspect that the readers who already know about and have lived the hierarchy through experience have probably turned to another article by now. So, for those still with us, we hope this has been helpful and assists in clearing up any confusion in this area.

Footnote
1 The case establishing this principle and the history of internal controls in Nevada is discussed in Nevada Gaming Law, Third Edition (Lionel Sawyer & Collins, 2000).
 

Pat Leen, co-owner of Gaming Regulatory Consultants, was a founding member of the Michigan Gaming Control Board. He can be reached at (517) 256-8619 or pleen[at[grcgaming.com.

Tom Nelson, co-owner of Gaming Regulatory Consultants, was the first Director of Licensing and Enforcement for the MGCB and served for 22 years as Michigan’s Assistant Attorney General. He can be reached at (719) 440-6611 or tnelson[at]grcgaming.com.