1. Jennifer Goines, ACDA
Sr. Continuous Auditor
Cherokee Nation Businesses
918.384.6731
jennifer.goines@cn-bus.com
Letting the CAAT Out of The Bag

2. Cherokee Nation and Its Businesses
• Nations second largest Indian tribe
• 300,000+ tribal citizens
• Sovereign government - executive, judicial and legislative
branches
• Jurisdiction – 14 Oklahoma counties
• CNB – board-governed holding company
• 40+ businesses, 40 states, 8500 employees
• $590+ million in annual revenues
• 30% supports services for tribal citizens
• 70% reinvested in training, job creation, self-sufficiency

4. Regulations
• Federal Law
• IGRA – Indian Gaming Regulatory Act
• Title 31 and Suspicious Activity Regulations
• IRS Regulations (Tips, Gaming Withholding & Reporting)
• State Compact Legislation & Fees
• Table Games
– Class II definition/non-house banked
• Poker
• Electronic Gaming
– Covered vs. Class II games
– Net Win

5. Regulations
• National Indian Gaming Commission (NIGC)
• Minimum Internal Control Regulations
• Fee payments
• Class II Definition
• Cherokee Nation Gaming Commission (CNGC)
• Rules and Regulations
• Minimum Internal Control Standards
• On-site inspectors
• Oklahoma Horse Racing Commission (OHRC)
• Gaming requirements
• Racing requirements
• State Fees/Fair Meadow Agreement
• Horseman purses

6. Continuous
Auditing/Monitoring
The COSO Framework

7. • Analytical Procedures: Provide an efficient and effective means of assessing and
evaluating information collected in an engagement (IIA Practice Advisory 2320-
1)—aka “data analytics”
• Continuous auditing: A method used to perform control risk assessments
automatically on a more frequent basis (IIA GTAG-3)
• Continuous monitoring: Encompasses processes that management puts into
place to ensure that the policies, procedures, and business processes are operating
effectively (IIA GTAG-3)
• CAATTS: Computer-assisted audit tools and techniques; this includes generalized
software packages and desktop productivity software
IIA Definitions

8. Gaming System Environment

9. Data Volume
• Challenges
- Vast volumes of data - IT limits on file sizes
- Data analysis limitations - Disparate data sources
- Multitude of data formats
• CAAT Solutions
- 100% data access - Unlimited file sizes
- Total data populations - Cross-platform analysis
- Single point of view
• Benefits
- Increased breadth & depth of audit coverage
- Confidence in making decision on the whole picture
- Comprehensive analysis & insight into business integrity

10. Security
• Challenges
- Data security concerns - IT controls for data protection
- Fraud - Undetected controls violations
- Unattended processes
• CAAT Solutions
- Adhere to security protocols
- Secure and managed environment
- Work with IT governance and control
• Benefits
- Reduced risk of loss and security breaches
- Confidentiality of data maintained
- Only authorized access to source data, results & findings
- Work with managed IT environment

11. Productivity
• Challenges
- Reliance on busy IT resources - Long data request cycles
- Automating recurring analysis - Incomplete data extracts
- Lack of multiple tools for extraction, analysis and reporting
• CAAT Solutions
- Direct/remote data access - “Self Serve” to data securely
- Repeat analysis and automation
- Single technology for multi-source data access, analysis & reporting
• Benefits
- Increased audit independence - Shortened audit cycles
- Reduced training requirements - More easily retained skill set
- Improved efficiency and effectiveness
- Results immediately available

12. Requirements
• Executive/Audit Committee Support
• Inclusion In The Audit Plan
• Supportive/Patient Chief Audit Executive
• Dedicated Resources
• The Right Technology
• The Right Skill Sets
• Creativity
• Do it RIGHT! vs. Do it right NOW!

13. Technologies
• CAAT(s)
– Supported by Big Four Accounting
– Multi-Platform Analysis
– Virtually Unlimited File Sizes
– Easy Automation (scripting)
• Windows Script Host
– Included in Windows OS; facilitates Windows based automation
• WinZip
– Inexpensive
– Command line interface
– Encryption
• Windows Task Scheduler
– Included in Windows OS
• Microsoft Excel
– Company standard
– End-user familiarity
– Easy Automation

14. Strategy
• Pick The Low Hanging Fruit
– Readily available data
– Obvious impact in efficiency and cost
– May have to temporarily throw out risk-based approach
• Areas Where Others Have Failed
– More willing to grant access to data
– Vested interest in success
• Internal Projects
– Departmental reporting projects
– Administrative tasks
• Small Projects
– Create opportunities for small wins
– Deliverables sell the process

22. Data Analysis & Reporting

23. Data Flow Diagram

24. Data Analysis & Reporting

25. Analytics
• Code as you go..saves time and frustration
• Pop-ups are nice, but someone has to click on
them
• Variables are your friend
• Create “living analytics” that adjust to
environmental changes or send an alert if updates
are required
• Naming conventions and organization
• Path references
• Do it RIGHT vs. Do it right NOW!

26. Data Analysis & Reporting

27. Data Repository

28. Data Analysis & Reporting

29. Repeatable Analytics

30. Data Analysis & Reporting

31. Automation Process
Master VB Script
This script runs the other scripts and controls the timing of when the separate processes start.
ODBC:
Database
Connections
ACL Scripts:
Perform the
analysis and
export the
results for
processing by
the respective
report template .
Note: Build in
controls that
monitor key
points and
notify IA if
changes are
needed.
VB Script:
Archives the
analysis in a
compressed
file (.zip) and
moves the file
to the audit
share drive for
storage and
nightly
backups.
Sub-routine:
Opens
communication
with SMTP
server, creates
email message,
and attaches the
formatted excel
file.
VB/VBA
Scripts:
Housed inside
report templates.
There is one per
analysis and the
script imports the
summary data,
exception detail,
scatter graph data,
creates the
statistics used to
determine what is
out of the ordinary,
creates the scatter
graph, and creates
a copy of the
analysis for
archiving.
RDRD PD
Email End
User
.ZIP to
Archive
Windows Scheduler runs script at specified date and time.
RD = Raw Data = Processed Data = Report Formatted DataPD RD

32. Continuous Auditing
• Independent testing of controls - through the review of 100 percent of transactions from any
source
• Timely notification to management of control breakdowns - an "early warning system" of
compliance risk, enabling control weaknesses to be fixed before they materially impact
financial statements or they are reported externally
• Improved fraud detection and reduction of business risk - through identification of control
gaps and weaknesses that can lead to error, abuse, and fraud
• Improvements to efficiency and effectiveness - with potential to increase profitability by
containing costs, minimizing losses, and improving revenue collection
• Sustainable compliance - ongoing, automated internal control testing that provides cost-
effective support for compliance programs
• Extensibility to multiple end-to-end business processes - with independent assurance of
controls effectiveness and transaction integrity across the enterprise

33. Disclaimer
• The code contained in this presentation and any related material
is provided “as is.” The information is provided for
informational purposes only and is not intended to provide
specific programming guidance. Use at your own risk.
• Any techniques or methodologies presented here can create
security risks if not properly implemented. You should consult
your IT security department for guidance on using anything
presented herein. Use at your own risk.

34. Questions?