The last decade has seen Malta emerge as the undisputed front-runner in the regulation of the online gaming industry. According to the latest MGA Annual Report, as of the end of 2022, the number of companies licensed by the MGA, including online and land-based entities, stood at 350, holding 358 gaming licenses and 329 game type approvals to offer various types of games under the B2C license.
The Maltese igaming industry has continued to register a resilience and positive performance, that is largely attributed to its ability to remain flexible and adapt to ongoing changes.
The forthcoming global tax reform is one of the significant changes that will affect the industry.
Within the international corporate tax framework, global minimum taxation is set to be introduced in 2024. Large international groups of companies with a combined annual turnover of more than €750 million will be subject to a minimum income tax of 15% from 2024. In that regard, the MGA has intensified its efforts to safeguard Malta’s competitiveness as a jurisdiction.
There are positive expectations not only for increasing revenue and employment but also for regulatory and compliance requirements resulting from the wave of national regulation. iGaming companies must respond to these demands, while auditors must possess the necessary tools to keep abreast of these changes and to be aware of specific aspects when auditing clients in this high-risk industry, whether large or small.
Griffiths + Associates methodology adopted in carrying out the statutory audits for iGaming entities
1. Client acceptance procedures
Our Customer Acceptance Policy (CAP) focuses in verifying the identity of the firm’s customers, including its legal representatives and beneficial owners or controlling persons, their agents, on how the Customer Risk Assessment must be carried out, as well as obtaining data and information on the customers’ activities as well as their transaction as to allow our Audit Team to scrutinise them.
The approach or methodology adopted by firm when carrying out audits or reviews of gaming companies during statutory audits begins with client acceptance procedures. These procedures are put in place to ensure that the client and the audit team have a clear understanding of the scope and objectives of the audit, and to confirm that the client is willing and able to provide the necessary information and resources for the audit to be conducted.
In this sense, the firm has a Customer Acceptance Policy maintained by the Compliance Officer, which sets out the customer due diligence procedures that are applied to all the firm’s customers, including entities regulated by the MGA. The due diligence procedures take into account applicable legislation such as Anti-Money Laundering legislation as referred to by the Gaming Act, as well as standard recommendations issued by the FIAU, MFSA and MGA.
Notwithstanding the above, the CAP focuses in verifying the identity of the firm’s customers, including its legal representatives and beneficial owners or controlling persons, their agents, on how the Customer Risk Assessment must be carried out, as well as obtaining data and information on the customers’ activities as well as their transaction as to allow the audits to scrutinise them.
The firm introduced a standardised form (Customer Acceptance Form) for customer acceptance purposes, which is aimed at ensuring a uniform process during the acceptance of customers. During this process the documentation such as the client’s policy and procedures relating to AML and internal controls related to responsible gaming are obtained.
Upon onboarding, Griffiths + Associates enters into a formal agreement outlining the terms and conditions of the statutory audit (Letter of Engagement and Acceptance of General Terms and Conditions), as well as any relevant laws and regulations that may apply to the gaming industry.
Once the client acceptance procedures have been completed, the Audit Team begins to plan and conduct the statutory audit.
2. Quality assurance
Griffiths + Associates has compiled the ISQM 1 Manual so as to be compliant with International Standard of Quality Management 1 ‘Quality Management for Firms that Perform Audits or Reviews of Financial Statements, or Other Assurance or Related Services Engagements’. The system of quality management in compliance with such ISQM was required to be designed and implemented by 15 December 2022, which is the effective date of the quality management standard.
The ISQM 1 Manual, which is available on request, covers all the eight components required by ISQM 1:
- Firm’s risk assessment process
- Governance and leadership
- Relevant ethical requirements
- Acceptance and continuance of client relationships
- Engagement performance
- Information and communication
- Monitoring and remediation process
3. Statutory audit approach
As iGaming is a high-risk industry, the audit should be carried out with a risk-based approach.
Our professional responsibility is to obtain sufficient audit evidence before an opinion is rendered on any financial statements. To achieve this, we will conduct our work in the following phases:
3.1. Audit planning and risk assessment
As part of that process, we conduct a pre-audit meeting with management to discuss the scope and timing of the audit. The risk assessment audit standards require assessments based on an understanding of internal controls over financial reporting of the audited Company and determination of the areas that present risks of material misstatement to its financial statements. We then design our audit approach to include tests of specific internal controls and substantive audit procedures which are tailored to the identified risks. Our risk assessment includes consideration of the following factors:
- Materiality planning: quantitative factors, qualitative factors;
- Client understanding: external factors, nature of the business, business strategy, objectives, risks, key performance indicators, internal control;
- Audit team discussion: audit approach, issue resolution;
- Audit planning: staffing, timing, audit programs.
Evaluation of the entity’s IT system and controls
The risk assessment process Involves a thorough review of the entity’s existing I.T. processes and controls to evaluate their effectiveness, permissions applied to enforce segregation of duties and how errors or controls deficiencies are identified and addressed. The audit team evaluates the design and implementation of the controls by performing the following procedures: inquiring of entity’s IT personnel, observing the application of specific controls by the entity’s staff, inspecting documents and reports, and tracing transactions through information system by performing walk-through checks.
The conclusions on the effectiveness of the relevant controls and their impact on audit are documented and will determine the audit approach as regards the extent of substantive testing to be performed.
Compliance with laws and regulations:
Both at the risk assessment stage and throughout the audit, procedures are implemented to verify whether the entity is adhering to the Gaming Act and all other applicable regulations. Management with the oversight of those charged with governance are responsible for compliance with laws and regulations. Our responsibility is to obtain reasonable assurance that the financial statements taken as a whole are free from material misstatement whether due to fraud or error. Our objective is to respond appropriately to identified or suspected non-compliance with laws and regulations identified during the audit. Audit procedures include, and not limited to the following:
- Understanding of legal and regulatory framework applicable.
- Understanding of how the entity is complying with the framework such as reviewing the entity’s policies and procedures relating to AML.
- Make inquiries with the gaming entity’s MLRO and senior management.
- Inspect correspondence including reports relating to audits/compliance visits by regulatory bodies such as MGA and FIAU and reading minutes.
- Obtain written representations.
- Sending legal letters to all lawyers used by the entity enquiring details of litigations and claims and existence of any contingent liabilities.
- Conducting a Google search for any news and reviews involving the entity.
Other risk areas
Other typical risk areas to be considered at the risk assessment stage in an iGaming scenario include revenue, intangible assets valuation, related party receivables valuation, and acquisition accounting. And typical estimates comprise gaming taxes, provisions for litigation and claims, valuation of intangible assets, recoverability of related party receivables, recoverability of bank and PSP balances, recoverability of investments in the subsidiary, and valuation of pending bets.
Considering the specifics of iGaming industry, upon “Materiality” calculation, the most relevant benchmarks are profit before tax from continuing operations, net gaming, and also total assets or net assets, depending on the type of entity and situation.
3.2. Fieldwork and Substantive Testing
Based on the results of our risk assessment and internal control evaluation, we design a specific audit plan to focus expanded procedures on areas with the greatest risk of material misstatement, error, and fraud. We use tests of details, substantive analytical procedures, or a combination of the two to conclude on the reasonableness of the given transaction class or account balance. By utilizing a blend of substantive testing (vouching underlying transactions to support), and substantive analytical testing (testing data through overall and stratified analysis), we are able to cover significant ground while still getting a quality level of detailed depth to our testing. Striking a good balance and not overlying on one type of testing over the other is integral to a thorough and efficient audit.
The primary areas of audit focus include:
Cash & Investments; Receivables & Revenues; Capital assets; Accounts Payable including Player’s Liabilities and Expenditures; Long-term debt and other liabilities; Deferred Revenue; Compliance with purchasing and expenditures policies and controls; Compliance with laws and regulations; Any special transaction or situations with financial management or reporting significance; Commitments and contingencies; and Reporting in the financial statements in accordance with IFRS.
Typical substantive procedures:
In general, this implies agreeing the financial statement elements to the underlying accounting records including year-end account balances and transaction activity occurring throughout the year; and confirming cash held in bank and investment accounts, accounts receivable, inventory held by others, material grants and long term debt balances.
Elaborating on iGaming specifics:
- Testing “revenue”, we typically use following procedures:
perform analytical procedures by current & prior year, both at a high level and detail year at revenue stream and trend analysis; agreeing monthly revenue with GSP’s monthly reports, agreeing on GGR to returns submitted to authorities; performance of a reasonable test for bonuses by comparing bonus rate over GGR with expected rate; review of customer complaints; and cut-off procedures.
- Testing “player liability” (also known as customer balance or wallet), we check the client’s reconciliation by: vouching a sample of deposits and withdrawals to PSP statements; recalculations of exchange differences; agreeing bets and wins with GSP statements; analytical review on bonuses.
- Testing “pending bets” is usually performed using a high-level analytical procedure and applying the wins-to-bets ratio to bets at year-end. A pending bets report after year-end can be also obtain to identify closed bets and wins or get odds at year-end to assess the fair value.
- Testing “Payment Service Provider balances”, we usually obtain confirmation of PSP balances.
A particular focus is made on player funds requirements, namely, that player funds are kept segregated as per the Gaming Player Protection Regulations, SL 583.08, are safeguarded as per Gaming Act, Cap.583, Article 19 and cover the requirements pf the Player Protection Directive, Directive 2 of 2018, Article 38.
We utilize both statistical and non-statistical sampling techniques, depending on the type of testing being performed. Internal control, substantive and compliance testing samples are generally selected using nonstatistical techniques. Sample sizes are determined by risk assessment and nature of the population.
Typical analytical procedures:
We compare financial information with comparable prior periods. This analytical work allows us to form quality expectations to compare results to. When results don’t align with our expectations, we investigate further to obtain sufficient evidence to conclude whether there is a valid reason for the deviation or if not, determine the root of the issue causing the variance. This is a great method for identifying systemic and significant issues and/or material misstatements.
This phase includes:
- Reviewing the financial statements and agreement to underlying audited records;
- Evaluating the financial statements for compliance with IFRS requirements;
- Formulating an opinion as to the fair presentation of the financial statements; and
- Preparing management letter with recommendations and communication letter to those charged with governance (TCWG).
4. Agreed-upon procedures reports
Griffiths + Associates adheres to the following Technical Releases by the Malta Institute of Accountants as regards procedures and gathering of evidence and reporting of findings in carrying out engagements as per Article 41 (2)(b)(iii) of Directive 3 of 2018 Gaming Authorisations and Compliance Directive (“Gaming Authorisations and Compliance Directive 2018”:
- AUDIT 02/21 – Players Funds and Jackpot Funds – Technical Release for engagements requiring a confirmation of the players funds, as well as the portion of Players Funds Account balance which fall under the Maltese Licence;
- AUDIT 02/21 – Gaming Tax Payable and Levy on Gaming Devices – Technical release for engagements requiring a confirmation of Gaming tax payable on the revenue from clients classified as Maltese players, as well as Levy on gaming devices which fall under the Maltese License.