2003 article describes auditing of customer loyalty programs

1. Gaming Auditorium - The Institute of Internal Auditors Page 1 of 4
1st Quarter 2010 Vol 13 No 1
Hitting the High Points
Internal auditors can hit the jackpot with awareness of key risks in a casino's slot club function.
By Ron Ellis, CIA
Internal Audit Manager
Hard Rock Hotel and Casino
Las Vegas
BY THE NATURE OF THE INDUSTRY, casinos are prime targets for theft and fraud. Casinos with a slot club
function have an additional challenge because of the complexity of the system application used to track patron
activity and pay patron awards. To perform winning risk evaluations and audits, internal auditors need a full
understanding of a slot club's complexity and controls.
A slot club is a casino marketing tool that offers a patron additional rewards for playing slot machines in the casino.
Rewards — which can be redeemed in cash, merchandise, or complimentary goods and services (comps) — are
tracked through an application system that records the patron's slot machine play. The patron inserts a magnetically
encoded card — encoded by the slot club when a patron joins the program — into a slot machine card reader,
which tracks coin in, coin out, time played, jackpots, and other statistical information. Awards are based on level of
activity such as actual coin in or expected theoretical win (coin-in multiplied by machine theoretical win percentage).
Slot club operations and the application system used to track patron usage and awards are both complex.
Consequently, the risk of error, fraud, abuse, and system malfunction deserve an auditor's full attention when
planning an audit. The structure of the slot club operation, as well as the system function, will determine how the
slot club function should be audited. To assist the internal auditor in understanding the casino's slot club operations,
the auditor should perform a walk-through of the function with management and the employees who perform each
function — from the time the patron inserts his or her card into the machine to the final award payout — to assess
the risks and controls for the various transactions. It may also be helpful for the auditor to take the information
learned from this walk-through and document it in a flowchart for reference during audit planning.
To maintain professional skepticism with an eye on fraud, the auditor should approach the audit from an information
systems functionality standpoint, as well. Given the vast number of tracking systems available on the market and
the ever-increasing complexity of both the tracking-system and slot-machine processes, auditors must equip
themselves with sufficient technical expertise to review and audit all potential risks.
Understanding the process
Internal auditors charged with reviewing the slot club function should perform due diligence during the planning
process by starting with a functional overview. They should consider the following questions when performing a
walk-through to gain insight into the slot club operations and system functions:
• Are slot club and slot operations employees prohibited from participating?
• How much play is required to earn one point or one comp dollar?
• What is the value of one point?
• What are the rewards available to players?
• What is the procedure for earning rewards?
• What are the procedures and controls for redeeming rewards?
• What is the chain of custody for cash-back forms inventory?
• Given the audit objectives, what reports are available for management review and audit purposes?
• What is the source of the information on the reports?
• What controls are in place over system administration and system-parameter changes?
• How are changes to system parameters authorized and reported?
• What controls are in place to ensure system-parameter changes are valid and authorized?
http://www.theiia.org/Gaming/index.cfm?act=Gaming.printa&aid=1034 3/9/2010

2. Gaming Auditorium - The Institute of Internal Auditors Page 2 of 4
• Which employees have system access to adjust, add, or delete points to an account? What is the
authorization and review process?
• Are there access restrictions or levels for viewing and accessing online account information?
• Does the system have the capability to show the exact source of transactions?
• How are downloadable promotional credits controlled?
• How are third-party technicians or service personnel supervised when accessing the system or slot
machines?
Common Risks
Risks in the slot club function include internal employee and patron fraud, as well as inadvertent or intentional
system-parameter changes and system malfunctions. Some of the more common risks include:
• Unauthorized access or adjustments to dormant, test, and live patron accounts that result in the transfer of
award credits to unauthorized accounts.
• Extension of complimentary goods and services in excess of policy guidelines.
• Computer system manipulations such as unauthorized changes to system parameters.
• Unauthorized or inappropriate administrative rights, access rights to run patron-sensitive reports, or access
rights to import data into common application programs that can be sorted and distributed for fraudulent
usage.
• Computer system malfunctions, such as awarding unearned credits.
• Electronic funds transfer (EFT) download fraud or malfunctions such as unauthorized credit download or slot
machines that do not cap downloaded credit at the limit of the patron's credit or debit card.
• A poorly coordinated system for recording and paying awards for complimentary goods and services,
resulting in tracking-system information that is not complete, accurate, and available in real time.
• Seed-play manipulation, which is a fraudulent scheme in which a patron obtains a group of club cards on one
account and places the cards in various machines so that when someone without a card plays the machine,
the seed patron is credited with that play.
Auditing Internal Risks
A common problem — and the most probable risk — involves employees who perform unauthorized manipulation of
points, rewards, and comps for personal gain. Without adequate controls, an employee could change the name on
an account to that of a friend or relative, redeem the rewards or transfer dormant account rewards for personal gain,
and then change the account name back to the original name.
Suggested reviews and audit tests include:
• Performing a system query to identify employee addresses, phone numbers, and other data that may be in
the slot club database under a name other than the employee's.
• Reviewing system activity change reports for improper transactions such as unusual name changes, social
security number changes, and manual adjustments to award balances. For example, a name change from
"Ellis, R." to "Pease, F." would require further investigation and validation.
• Evaluating the adequacy of the club's policy and procedures regarding controls over master-file changes and
system administration controls for adding access authorization.
• Validating the master-file or parameter changes in question. Close attention should be paid to accounts that
have a material value as well as where the reward was earned prior to the master-file change.
• Determining whether or not change activity is authorized.
• Determining whether or not only employees authorized by management have access rights to make
adjustments.
• Determining whether or not adjustments are adequately supported.
• Determining whether or not transfers to dormant accounts are validated.
Auditing System Risks
As the industry moves from a coin-based slot business to a coinless or EFT-based environment, it is inevitable that
cash handling will be eliminated. Direct downloads from patron credit and debit cards is the future of wagering.
Ideally, an internal auditor should flowchart the tracking and reward system operations provided by the walk-through
to gain an understanding of the critical communication components, transaction flow, and card-reader functions. In
addition to IT managers and employees, slot technicians can be a good source of information in explaining how a
specific system operates. With an understanding of transaction flow, the auditor will be able to extract a
http://www.theiia.org/Gaming/index.cfm?act=Gaming.printa&aid=1034 3/9/2010

3. Gaming Auditorium - The Institute of Internal Auditors Page 3 of 4
representative sample selection to validate the process to recognize potential problem sources. Recommended
procedures include:
• Establishing a "test" club account and test playing a sample of machines to the extent that bonus point
activity will be awarded. Review system accuracy by recording critical slot meters for coin in, coin out, and
number of games played before and after play to compare manually recorded data to what was captured on
the system. In most jurisdictions, this test will require regulatory approval before beginning testing activities.
• Selecting a random sample of active patron accounts to test the accuracy of point calculations. Test the
various components individually — as opposed to recalculations based on a total — because they may be
calculated differently.
• Reviewing the computer rights report, which lists the functions an employee can access, for appropriate
segregation of duties, unauthorized attempts to login, and unauthorized attempts to access menu options.
• Reviewing the system-parameter change report for fields changed — the from/to data fields. Are changes
made by authorized employees? Are such changes supported and approved?
• Reviewing the controls and authorization process for downloading cashable/non-cashable credits to
magnetically encoded cards. Are controls in place to preclude and detect unauthorized downloads, such as
controls over physical storage, employee computer rights to download electronic credits to cards, and
controls over unissued encoded cards?
• Determining the adequacy of procedures used by management to verify download activity for errors and
malfunctions. Ensure review procedures are in place, such as determining whether or not credits for comp
awards can be cashed out and reviewing for multiple redemptions of the same card — the card number will
appear twice on the redemption reports if there is a malfunction.
Auditing Patron Risks
Patrons who exploit slot systems by taking advantage of system malfunctions, manipulating a poorly coordinated
system for tracking earned and redeemed complimentary goods and services, and seeding play using multiple
player club cards are only some of the potential risks of the slot club function. Although individual casino operations
may warrant different audit processes based on their unique environment, audit processes should include:
• Determining whether or not the rules of the club are clearly disclosed to the patron upon opening the account
and whether or not rewards acquired through illegitimate means are invalid.
• Reviewing slot machine event logs and meters for unusual transactions such as power-downs, excessive
drop-door openings, and excessive EFT downloads. Investigate unusual activity.
• Determining whether or not procedures are in place to mitigate the risk of seeding activity, such as policies
governing the issuance of multiple cards and requiring government-issued photo identification for cashing out
an account.
• Reviewing reports designed to disclose potential seeding activity to determine whether or not proper follow-
up has been performed. Test activity as deemed necessary.
• Reviewing a sample of patron accounts for the validity of comp awards. Do the point ratings support the
comps extended? Test comp award calculations to determine the accuracy of the constants used to calculate
theoretical wins.
• Determining the validity of comps that were extended before or after a patron's in-house stay. For example, if
a guest was staying in-house, validate comps received several days after hotel check out.
• Determining whether or not the system captures comp awards immediately when earned through system
interfaces that provide real-time data. Validate this by settling test comps to determine when complimentary
goods and services are posted to the test account. An alternate test is to calculate the time elapsed between
the settlement of complimentary charges at the point of sale and the time the charges are posted to patron
accounts using actual comp data.
• Determining whether or not the casino has written procedures in place to address sufficient controls to
mitigate club risks and making sure that personnel are trained to follow those procedures.
An internal auditor can add value to his or her organization by identifying control weaknesses and providing
recommendations to mitigate risks in the slot club function. A risk-based approach to slot club review can provide
the necessary assurance that the critical risks are mitigated and managed and that the costs associated with
offering club rewards are spent on deserving patrons, and not undeserving fraudsters.
Ron Ellis is an internal audit manager at the Hard Rock Hotel and Casino in Las Vegas, Nev. Ellis can be reached
at iauditman306@yahoo.com.
http://www.theiia.org/Gaming/index.cfm?act=Gaming.printa&aid=1034 3/9/2010

4. Gaming Auditorium - The Institute of Internal Auditors Page 4 of 4
All contents of this Web site, except where expressly stated, are the copyrighted property of the Institute of Internal Auditors Inc.
http://www.theiia.org/Gaming/index.cfm?act=Gaming.printa&aid=1034 3/9/2010