The realities of risks within the Revenue Audit world.
I hosted a webinar this week where we discussed risk, specifically as it relates to Revenue Audit. In true “Doug” fashion, I got caught up in explaining risk and did not leave ample time to discuss the real-life examples we had prepared. This article is a follow-up that will, hopefully, reiterate the realities of risks within the Revenue Audit world.
One of the case studies we presented was the difference between comps and promotions and how they are handled. This example always gets a lot of attention because it almost always hits close to home. For the sake of this article, I’m going to use it to more clearly define how to assess risk. Before I do that, let me quickly remind you how we categorized risk.
Category 1: Inherent Risk vs. Control Risk
- Inherent Risk – These are natural consequences of choosing to do business. It may involve location, game types, or the simple reality that people are… well, people.
- Control Risk – The risks that exist because you did not control the situation(s) as well as possible. Note, this is not necessarily about MORE internal controls as much as it is about the RIGHT internal controls.
Category 2: Compliance vs. Organizational Risk
- Compliance Risk – As the name suggests, we are talking about risks associated with rules and regulations. In other words, the risk that something you are doing could cause an audit finding, a fine, or some other form of “punishment”.
- Organizational Risk – Those risks that are founded in the reality that you are missing opportunities to be better. It may be a lack of communication, poor leadership, or bad training – but these things cause you to be inefficient and less productive.
A good risk assessment evaluates all types of risk. It will take into consideration the activity and offerings of your property, then evaluate how those areas create risk. Finally, the assessment will categorize the risk and provide feedback on actions that may help mitigate the risk, when necessary.
Using the example above, consider the following hypothetical (but real at some point) risks that should be assessed for a casino that offers complimentary services or items.
Risk Type: Inherent Compliance Risk
ISSUE: Are complimentary items or services issued at the discretion of the appropriate Management and not as a result of gaming activities?
FINDING: Comps are being issued to Table Games players based on their player ratings. Free buffets are being issued to players that are considered “valuable”.
RECOMMENDATION: The casino should provide guidance on when free buffets can be issued to players. If there is no threshold for when a player qualifies for a buffet, these are comps. However, if there is a specific value at which a player can be rewarded, these should be treated and audited as promotions.
RISK LEVEL: Medium – It is possible these are truly complimentary items. But if there is some threshold they are using to decide who gets a buffet, that is a promotion, and they are out of compliance if they are not auditing it as such.
Risk Type: Inherent Organizational Risk
ISSUE: Do the individuals completing the audit of comps provide reasonable assurance that the comps are issued appropriately?
FINDING: Revenue Auditors review a report of the comps issued each day but fail to note that the recipient of the complimentary service or item has the same last name as the issuer of the comp 75% of the time.
RECOMMENDATION: Auditors must be able to apply some common sense in their approach to reviewing the documentation for comps issued. While internal controls can be created and implemented to aid in noting exceptions, auditors should remain aware of potential fraud.
RISK LEVEL: High – Using the ability to issue comps to friends or family is an easy way to commit fraud; especially if it goes undetected in the Revenue Audit process.
Risk Type: Control Compliance Risk
ISSUE: Are comps that are issued for more than $100 traced back to the original documentation?
FINDING: The Revenue Audit process provides that the auditor reviews all comps to ensure they are issued according to the thresholds established; however, comps that are valued at more than $100 require more information, which is not being reviewed by the Revenue Audit team.
RECOMMENDATION: Revenue Audit should complete a full audit of the complimentary services and items issued, including verifying all the information is obtained when the value of a comp exceeds $100. This information should be recorded on and verified to source documentation by the audit team.
RISK LEVEL: Medium to High – The risk of fraud might not be all that high, assuming the review of all comps is happening while reviewing the report from the system; however, this will almost certainly lead to an audit finding, justifying a risk assessment of “high”.
Risk Type: Control Organizational Risk
ISSUE: Does the Revenue Audit team spend sufficient time reviewing and auditing comps?
FINDING: The process for reviewing and auditing comps includes running a report from the system used to issue comps, tracing every instance back to source documentation, providing documentation of exceptions when a variance occurs, and following up with Management for exceptions noted. This process includes the centennial t-shirts created by the casino and given to players during the month of July.
RECOMMENDATION: The process for auditing comps is thorough and effective. However, tracking every t-shirt that is given away as a “comp” is unnecessary and inefficient. Source documentation will not be provided for many of these, and given their minimal value, the risk of misuse of complimentary items is minimal.
RISK LEVEL: Medium – The risk here is misused resources, not misused comps or inappropriate audit practices.
The reality here is that a good, thorough risk assessment takes a lot of time and effort. These are four examples of real risk from a single element of Revenue Audit. Revenue Audit touches almost every part of the casino – so this is a tall task! From my perspective, though, it’s worth doing.