Chapter 3772-10 | Internal Control Systems

The following words and terms, when used in agency 3772 of the Administrative Code, have the following meanings, unless the context clearly indicates otherwise:

(A) "Accounting department" means the casino operator's internal department that is responsible for all financial, accounting, and revenue and gaming audit activities.

(B) "Asset number" means a unique number assigned to electronic gaming equipment by a casino operator for the purpose of tracking the electronic gaming equipment.

(C) "Bill validator canister" means a mechanical or electronic device designed to interface with electronic gaming equipment for the purpose of storing any combination of United States currency, gaming tickets, coupons, or other instruments authorized by the executive director.

(D) "Cashier's cage" means executive director-approved secured rooms in which cashiers conduct transactions associated with gaming.

(E) "Complimentary" means any lodging, service, or item that is provided directly or indirectly to an individual at no cost or at a reduced cost and that is not generally available to the public. Group rates, including convention and government rates, are deemed generally available to the public.

(F) "Contractor" means any person that provides goods or services to a casino facility.

(G) "Count room" means a secured room with access controlled by two separate casino departments where the proceeds from gaming are counted.

(H) "Critical program storage media" and "CPSM" mean any media storage device that contains data, files, or programs and is determined by the executive director to be capable of affecting the integrity of gaming.

(I) "Drop" means the total amount of money, tickets, and coupons removed from any slot machine, table game, or redemption kiosk.

(J) "Imprest" means the basis on which the operating funds of cashiers are maintained. The opening and closing values must be equal, and any difference must result in a variance. The funds may be replenished as needed in exactly the value of the net of expenditures made from the funds for value received.

(K) "Incompatible functions" means functions or duties that place any person or department in a position to perpetuate and conceal errors, fraudulent or otherwise.

(L) "Main bank" means the location in the casino where acts that include the following are performed:

(1) Transactions for recording and storage of currency, coin, tokens, cash equivalents, and negotiable instruments;

(2) Preparation of bank deposits;

(3) Acceptance of currency from the count room; and

(4) Reconciliation of all cage transactions.

(M) "Manual payout" means any payout not paid directly from electronic gaming equipment (EGE) or a table game, and any taxable jackpot.

(N) "Trolley" means an apparatus used for the secured transport of the contents of the drop.

(O) "Unclaimed winnings" means gaming winnings that are held by the casino operator as a liability to a patron until that patron is paid.

(A) Each casino operator must submit written internal controls, as required under agency 3772 of the Administrative Code, for approval by the commission at a meeting held under section 3772.02 of the Revised Code. No casino operator may operate without the commission's approval of these internal controls.

(B) Each casino operator may amend its commission approved internal controls with the approval of the commission at a meeting held under section 3772.02 of the Revised Code. For amendments requiring immediate action, the executive director may discretionarily grant temporary approval. Such temporary approval will be subject to final consideration at the next scheduled commission meeting.

(A) Each casino operator must maintain an organizational chart depicting the segregation of functions and describing the duties for each position shown, which may be tailored to meet management needs or policies so long as it does not conflict with Chapter 3772. of the Revised Code and the rules adopted thereunder. A copy of the current organizational chart must be made immediately available to the commission upon request.

(B) Each casino operator's organizational charts must provide for the following:

(1) A system of personnel and chain of command that permits management and supervisory personnel to be held accountable for actions or omissions within their areas of responsibility;

(2) The segregation of incompatible functions, duties, and responsibilities so that no employee is in a position both to commit an error or perpetrate a fraud and to conceal the error or fraud in the normal course of the employee's duties;

(3) The performance of all functions, duties, and responsibilities in accordance with legitimate financial practices by trained personnel; and

(4) The areas of responsibility that are not so extensive as to be impractical for one person to monitor.

(C) Alterations to the organizational chart must be submitted to the executive director for approval.

(D) Each casino operator must have the following departments and supervisory positions, each of which must cooperate with, yet perform independently of, other mandatory departments and supervisory positions:

(1) A surveillance department supervised by a director of surveillance located at the casino;

(2) An internal audit department supervised by a director of internal audit. The director of internal audit must report directly to one of the following regarding matters of policy, purpose, responsibility, and authority, and the following must also control the hiring, termination, and salary of the director's position:

(a) The independent audit committee of the operator's board of directors;

(b) The independent audit committee of the board of directors of any holding or intermediary company of the facility manager that has authority to direct the operations of the operator;

(c) The internal audit executives of any holding or intermediate company if the most senior executive in the reporting line reports directly to the independent audit committee of the board of directors of the holding or intermediary company; or

(d) Another entity as approved by the executive director;

(3) An IT department supervised by an IT director located at the casino;

(4) A slots department supervised by a slot director located at the casino;

(5) A table games department supervised by a table games director located at the casino;

(6) A security department supervised by a director of security located at the casino;

(7) An accounting department supervised by a person who functions as the casino's controller located at the casino. The controller must be responsible for all accounting functions, including the preparation and control of books, records, and data, the control of stored data, the control of unused forms, the accounting for and comparison of operational data and forms; and

(8) A cashier's cage department supervised by a person located at the casino who functions as the cage manager. The cage manager must be responsible for the control and supervision of the cashier's cage, satellite cages, count room, and vault. The cashier's cage may be separated into independent operations or satellite cages to facilitate operations and accountability. The cashier's cage department must be responsible for the following:

(a) The custody and accountability of coin, currency, negotiable instruments, documents, and records normally associated with the operation of a cage;

(b) Any other functions normally associated with the operation of a cage;

(c) The count room;

(d) The vault; and

(e) The control and supervision of gaming cashiers and change persons.

(9) A regulatory compliance department supervised by a regulatory compliance officer located at the casino. The regulatory compliance department must be responsible for the casino's compliance with state and local law, including Chapter 3772. of the Revised Code and the rules adopted thereunder, as well as the casino's internal controls and procedures. The regulatory compliance officer must report directly to one of the following regarding matters of policy, purpose, responsibility, and authority, and the following must also control the hiring, termination, and salary of the compliance officer's position:

(a) The casino operator's corporate chief compliance officer; or

(b) Another position or entity as approved by the executive director.

(E) The casino operator's personnel must be trained in all policies, procedures, and internal controls relevant to each employee's individual function. The casino operator must develop special instructional programs in addition to any on-the-job instruction sufficient to make each member of the department knowledgeable about the requirements and performance of all transactions relating to that employee's functions.

(F) In addition to the department supervisory positions listed in paragraph (B) of this rule, each casino operator must also employ a casino general manager who must be the primary individual responsible for the performance of the casino facility. All casino departments may be subject to direct control by the casino general manager except the internal audit department, the compliance department, and the surveillance department.

(G) If a vacancy in any of the casino operator's mandatory department supervisory positions or in the casino general manager position required by this chapter occurs or if written notice is received that such a vacancy will occur in the future, the casino operator must:

(1) Notify the executive director immediately in writing of the vacant position;

(2) Designate a licensed person or persons to assume the duties and responsibilities of the vacant position on a temporary basis;

(3) Fill the position on a permanent basis within sixty days after the effective date of the vacancy. An extension of the temporary appointment to the position may be granted at the discretion of the executive director and should not be unreasonably withheld; and

(4) Notify the executive director immediately in writing upon the filling of the vacancy.

(A) Each casino operator must train its licensed employees on agency 3772 of the Administrative Code and its internal controls and procedures. Each casino operator must perform at least one controlled demonstration of its ability to abide by the Administrative Code and follow its internal controls and procedures before the executive director may allow the casino facility to open to the public. If the casino operator does not pass the controlled demonstration, then the executive director may require additional controlled demonstrations.

(B) The controlled demonstration must:

(1) Be at a date, time, and duration set by the executive director;

(2) Use casino gaming equipment that has been approved by the commission in accordance with Chapters 3772-9 and 3772-11 of the Administrative Code;

(3) Use cash or other actual consideration for live casino gaming;

(4) Involve at least one casino gaming employee shift change;

(5) Involve all aspects of casino gaming;

(6) Involve dropping all or part of the casino gaming floor to ensure proper accounting and security procedures; and

(7) Meet any other requirements established by the executive director.

(C) The casino operator's share of the net win from the controlled demonstration must go to a charitable organization, as defined under section 1716.01 of the Revised Code.

(A) Each casino operator must maintain all forms and procedures necessary to account for gaming and financial activities.

(B) All books, forms, records, documents, and stored data required by this rule must have the name of the casino facility, date of completion, and the title of the book, form, record, document, or stored data.

(C) Whenever forms or serial numbers are required to be accounted for under this rule and an exception is noted, the exception must be reported in writing to the casino operator's internal audit department and the commission upon identification of the exception.

(D) Whenever a prenumbered form is voided, the original and all copies must be marked "void" and the person voiding the form and another person independent of the transaction must sign the voided form and list the reason for the voided transaction.

(E) Each casino operator's internal controls must include procedures for using and retaining books, forms, records, documents, and stored data as well as the following:

(1) The department responsible for the receipt, control, and issuance of all prenumbered forms. Serial numbers on manual forms must be printed on the form by the manufacturer. Computerized forms must be sequentially numbered by the computer system. Documentation of all serial numbers must be maintained to account for the forms; and

(2) Procedures for making corrections to a completed form.

(A) A casino operator must file the following financial reports with the commission:

(1) A balance sheet submitted monthly and annually;

(2) An income statement submitted monthly and annually;

(3) A cash flow statement submitted monthly and annually;

(4) A gross casino revenue supplemental daily report and supporting documentation submitted concurrent with the casino operator's daily submission to the department of taxation, as required by section 5753.04 of the Revised Code; and

(5) Any other report requested by the executive director.

(B) Standard reporting forms and corresponding filing instructions may be prescribed by the executive director to be used by a casino operator in filing the reports specified in paragraph (A) of this rule.

(C) The annual financial statements must be prepared on a comparative basis for the current and prior calendar years and present financial position, results of operations, and cash flows in conformity with generally accepted accounting principles.

(D) The electronically transmitted reports or hard copy reports required to be filed pursuant to this rule must be authorized by individuals designated by the casino operator. In addition, the casino operator must submit a letter attesting to the completeness and accuracy of the reports. The letter must be signed by the casino operator's chief financial officer or controller.

(E) The reports required to be filed pursuant to this rule must be addressed as prescribed by the commission and received no later than the required filing date. The required filing dates are as follows:

(1) Gross casino revenue supplemental daily reports, required by paragraph (A)(4) of this rule, are due as required by section 5753.04 of the Revised Code.

(2) Monthly reports are due on the last calendar day of the following month or the next business day if such day falls on a weekend or legal holiday;

(3) Annual reports are due on the last calendar day of the third month following the end of the casino operator's calendar year or ten days after form 10-K (adopted March 2010) is filed with the securities and exchange commission, whichever comes first.

(F) All significant adjustments resulting from the annual audit are to be recorded in the accounting records of the year to which the adjustment relates. If the adjustments were not reflected in any annual report and the executive director concludes that the adjustments are significant, the casino operator may be required to file a revised annual report. The revised filing is due within thirty calendar days after written notification to the casino operator, unless the casino operator submits a written request for an extension before the required filing date and the extension is granted by the executive director.

(A) Each casino operator must have its annual financial statements audited by an independent certified public accountant or, when appropriate, an independent registered certified public accounting firm, licensed to practice in this state. The audit must be in accordance with generally accepted auditing standards and, when applicable, the standards of the accountancy board. The casino operator must report to the commission the name of the independent certified public accountant or independent registered certified public accounting firm as well as the lead audit partner or other individual taking primary responsibility for the financial statement audit engagement before the start of the engagement.

(B) The lead audit partner or other individual taking primary responsibility for the financial statement audit engagement may serve a maximum of five years in such a position before being required to rotate off the engagement.

(C) The annual financial statements audit must be prepared on a comparative basis for the current and prior fiscal years and present financial position and results of operations in conformity with generally accepted accounting principles. The financial audit required by this rule must include an explanation reconciling any differences between the financial statements included in any annual reports and the audited financial statements.

(D) The casino operator must require the independent certified public accountant or independent registered certified public accounting firm auditing the casino operator's financial statements to render a report on the prospective financial statements, including a one-year forecast and three-year projection, expressing an opinion as to whether the prospective financial information is properly prepared on the basis of the assumptions and is presented in accordance with the relevant financial reporting framework, and any additional reports required by the executive director.

(E) The casino operator must file with the commission the reports required by paragraphs (A) and (D) of this rule in a format determined by the executive director within one hundred twenty days following the end of the casino operator's fiscal year or upon receipt, whichever is earlier.

(F) Each casino operator must contract with a third party to perform an independent IT audit and surveillance system audit. The third party must be approved by the executive director as qualified, independent, and capable of performing the audit. The audits must be performed, and a copy of the report provided to the commission, at least once every licensure period. The audits and corresponding report must assess the following:

(1) The design, controls, maintenance, and security of the casino operator's IT and surveillance systems;

(2) The casino operator's compliance with the IT and surveillance requirements of this chapter; and

(3) Any other subject required by the executive director.

(G) At any time, the executive director may require a special audit of a casino operator by commission personnel, an independent certified public accountant, an independent registered certified public accounting firm, or any other third party the executive director approves as qualified, independent, and capable of performing the special audit. The scope, procedures, and reporting requirements of any special audit are to be established by the executive director.

(H) The casino operator must notify the commission of any report that is filed, or required to be filed, with the securities and exchange commission or other securities regulatory agency.

(I) All audits and reports required by this rule are to be prepared at the sole expense of the casino operator.

(J) Any audit engagement contract entered into under this rule is subject to decertification, as established under paragraph (A) of rule 3772-10-23 of the Administrative Code, or invalidation due to lack of qualification, independence, or capacity or a finding that the contract or conduct performed thereunder poses a material risk to the integrity of casino gaming in this state. The invalidation process is an action against the casino operator that is subject to the hearing procedures and disciplinary actions provided for under Chapters 3772-21 and 3772-22 of the Administrative Code, respectively. If an audit engagement contract is decertified or invalidated, the casino operator must enter into a new audit engagement contract to ensure the requirements of this rule are met.

(K) Each casino operator must file with the commission a copy of any suspicious activity report.

(A) Each casino operator must establish internal controls for monitoring and reviewing table game operations, which must include:

(1) Procedures for the monthly review of table game performance. The review must be a comparison of the lifetime average historical payout percentage and the rolling thirty-day average payout percentage for each table game, on a per table basis; and

(2) Procedures for documenting, investigating, and resolving deviations of more than four percent between the historical results and the actual results. The procedures must include:

(a) Conducting and documenting the investigation; and

(b) Notification to the commission of the investigation results upon completion.

(B) Each casino operator must establish internal controls for monitoring and reviewing electronic gaming equipment operation for equipment that accepts wagers. These controls must include:

(1) Procedures for the review of recorded electronic gaming equipment meters, including the parameters used to determine the reasonableness of the recorded meters;

(2) Procedures for the alteration of recorded electronic gaming equipment meters, including the positions authorized to perform the alteration and the documentation maintained to support the alteration;

(3) Procedures for the comparison of each electronic gaming equipment's recorded meters with the actual drop amount. The comparison must be performed for each drop;

(4) Procedures for documenting, investigating, and resolving inconsistencies encountered while comparing each electronic gaming equipment's recorded meters with the actual drop amounts. They must include, but are not limited to:

(a) The variance threshold(s) that indicate an investigation is necessary. The commission must be notified of variances requiring investigation within one week of the variance discovery;

(b) Procedures for conducting and documenting the investigation. The procedures should include a comparison of metered cash and voucher transactions with cash and vouchers from the drop; and

(c) Notification to the commission of the investigation results upon completion.

(5) Procedures for the monthly review of electronic gaming equipment performance. The review must consist of a rolling thirty days, rolling twelve months, and life-to-date comparison of the expected theoretical payout percentage and the actual payout percentage for each electronic gaming device that accepts wagers. The comparisons must be done on a per paytable basis, unless otherwise approved by the executive director; and

(6) Procedures for documenting, investigating, and resolving deviations of more than four percent while reviewing electronic gaming equipment performance. They must include:

(a) Notification of the electronic gaming equipment requiring investigation to the commission within one week of the deviation discovery;

(b) The procedures for conducting and documenting the investigation; and

(c) Notification to the commission of the investigation results upon completion.

(A) In addition to the limits on promotional credits in section 3772.23 of the Revised Code, each casino operator's internal controls must include the following:

(1) Procedures for the authorization, issuance, and recording of complimentaries, including cash and non-cash gifts. These internal controls must include the delegation of authority to approve the issuance of complimentaries and the limits that apply to this authority, including limits based on proper separation of duties and limits based on relationships between the authorizer and recipient;

(2) Procedures for ensuring that complimentaries are not provided to members of the Ohio voluntary exclusion program or those on the commission's involuntary exclusion list; and

(3) Procedures for auditing complimentaries.

(B) All complimentaries paid in cash must be disbursed directly to the patron by a gaming cashier at the cage after receipt of appropriate documentation.

(A) Each casino operator may process financial transactions at the cashier's cage for patrons. For the purpose of this rule, "financial transaction" does not include the exchange of cash for casino chips, the redemption of casino chips or redeemable vouchers issued from electronic gaming equipment for cash at the cashier's cage, or coin or currency exchanges.

(B) Each casino operator must designate in its internal controls the types of financial transactions to be conducted at the cashier's cage and the procedures for doing so.

(C) Before processing each financial transaction at the cashier's cage, the casino cashier must verify the identity of the patron and ensure that the patron is not a part of the commission's voluntary or involuntary exclusion programs.

(D) The casino operator must retain all records related to each transaction whether in paper or electronic form in accordance with rules 3772-1-07 and 3772-10-05 of the Administrative Code.

(E) The casino operator must do the following with respect to patron deposits that are received or withdrawn:

(1) Provide the patrons with a receipt, which must include the total amount deposited or withdrawn, the date of the deposit or withdrawal, and the signature of the cage employee accepting or processing the patron deposit or withdrawal, respectively; and

(2) Maintain a log detailing all patron deposits and withdrawals.

(F) Wire transfers must be subject to the following additional requirements:

(1) A cage wire transfer log must be kept and must list the details of each wire transfer sent and received for gaming purposes;

(2) Wire transfers received must be verified by a receiving licensed employee and a second licensed employee independent of the original receipt of the transfer. Both licensed employees must sign the wire transfer log as evidence of this verification.

(3) Residual balances must be returned to the patron if not used during a set amount of time detailed in the internal controls.

(A) A casino operator may extend credit to a patron in a commercially reasonable manner considering the patron's finances and in accordance with this rule.

(B) If a casino operator chooses to extend credit to patrons, the casino operator's internal controls must detail the procedures for extending credit, including a description of the application process, the identification of employees involved, a requirement for prompt recording of the transactions that impact the patron's credit line, and placement of safeguards on credit extension.

(C) The casino operator's internal controls must detail the information contained in, the use of, and security for patron credit files. A credit file for each patron must be prepared before the casino operator's approval of a patron's credit limit and include, at a minimum, the following:

(1) The patron's name;

(2) The patron's address;

(3) The patron's telephone number;

(4) A copy of the patron's government issued identification;

(5) The patron's banking information;

(6) The patron's income information;

(7) The patron's credit limit, showing how it was established and how the casino operator considered other outstanding total indebtedness;

(8) The credit agreement;

(9) A listing of all transactions affecting a patron's outstanding indebtedness to the casino operator and its affiliates; and

(10) Any other information the executive director deems necessary to ensure the reasonableness of the credit extension.

(D) Before extending credit to a patron, a casino operator must verify that the patron is not participating in the Ohio voluntary exclusion program or on the commission's involuntary exclusion list.

(E) A casino operator may not extend credit to any patron who has not made a payment on the patron's outstanding credit within a period of thirty days.

(F) Except as otherwise provided in this rule, no person who is employed by a casino operator or is acting on behalf of or under any arrangement with a casino operator may extend credit to a patron in connection with the conduct of casino gaming.

(G) Procedures must be established for the issuance, use, and payment of markers, including the following:

(1) A designation of employees who are authorized to issue markers;

(2) A designation of where markers can be issued;

(3) A description of the marker's documentation and signatures required to authorize the marker;

(4) Verification of the patron's identity and available credit before issuance of the marker;

(5) Controls on how the transaction will be recorded;

(6) Controls on the use of markers;

(7) Controls on how markers may be repaid; and

(8) Any other information deemed necessary by the executive director.

(A) Each casino operator's internal controls must establish procedures for sensitive keys and securing access to assets and restricted areas.

(B) Each casino operator must maintain automated systems approved by the executive director designed to control and record access to assets and restricted areas.

(C) Unless otherwise required by the executive director, all sensitive keys, locks, access cards, biometric access, and all other methods used to grant access to assets and restricted areas must be controlled and managed by the security department. The IT department may provide assistance with management of automated systems.

(D) Inventory ledgers must be maintained for all sensitive keys and locks. Key and lock inventory ledgers must detail the following information:

(1) The acquisition of sensitive keys and locks;

(2) The placement into service or removal from service of sensitive keys and locks including the current location; and

(3) The destruction or disposal of sensitive keys and locks.

(E) Database records must be maintained documenting the assigned access for sensitive keys, access cards, biometric access, and all other methods used to grant access.

(F) The automated system in which sensitive keys are kept must be continuously covered by a fixed surveillance camera.

(G) Access to assets and restricted areas must be assigned to employees by position type.

(H) Additions or deletions of employee access to assets or restricted areas must be recorded in the automated systems and properly supported by personnel action documentation.

(I) The casino operator's automated systems must track and record when sensitive keys are checked out by employees.

(J) The casino operator's automated systems must track and record employee access to restricted areas secured by the automated systems.

(K) The casino operator's internal audit team must, at least semi-annually, complete an audit or analytical procedures designed to test the physical inventory count of sensitive keys and locks and assigned access to assets and restricted areas.

(L) Procedures for the destruction of sensitive keys and locks must be approved by the executive director.

(M) If a sensitive key or lock is lost, becomes missing, or is otherwise compromised, the casino operator must notify the commission in writing and investigate the incident. After receiving the results of the investigation from the casino operator, the executive director will determine if all associated sensitive keys and locks must be changed in order to maintain access restrictions.

(N) If an access card, biometric access, or other electronic access is lost, becomes missing, or is otherwise compromised, the casino operator must immediately remove all compromised access.

(A) Each casino operator must prepare and maintain a signature card for each licensed employee. The signature cards must contain the following:

(1) The employee's printed name;

(2) The employee's license number;

(3) The employee's handwritten signature and initials;

(4) The employee's title, department, and employee number;

(5) The department supervisor's signature authorizing the signature card;

(6) The date of signature card; and

(7) The forms that the employee is authorized to sign.

(B) All signature cards must be updated or replaced immediately upon a change in employee status.

(C) Whenever a signature of a licensed employee is required by rules adopted by the commission at a public meeting under section 3772.02 of the Revised Code or the casino operator's internal controls, the signature must:

(1) At a minimum be, the signer's first initial, last name, and commission license number; and

(2) Be immediately adjacent to or above the legibly printed or preprinted title of the signer.

(A) Each casino operator's internal controls must include internal audit standards.

(B) The casino operator must maintain a separate internal audit department whose primary function is to perform internal audit work that must be independent with respect to the departments subject to audit. The casino operator must ensure that the standards, conventions, and rules governing audits in the United States are followed for all audits. The internal audit department must be responsible for the following:

(1) The review and appraisal of the adherence of the casino operator's internal controls to Chapter 3772. of the Revised Code and the rules adopted thereunder;

(2) Performing tests to ensure compliance with the internal controls;

(3) The reporting to the casino operator's management and the commission of instances of noncompliance with the internal controls;

(4) The reporting to the casino operator's management and the commission of any weaknesses in the internal controls;

(5) The recommendation of procedures to eliminate any weaknesses in the internal controls; and

(6) Performing tests to ensure compliance with rule 3772-10-06 of the Administrative Code.

(C) The auditing department must prepare documents to evidence all internal audit work performed as the work relates to the requirements in this rule, including all instances of noncompliance with the internal controls:

(1) The internal audit department must operate with audit programs that address the requirements of this rule;

(2) The internal audit department must accurately document the work performed, the conclusions reached, and the resolution of all exceptions; and

(3) All audit reports must be prepared, maintained, and provided to the commission on a schedule approved by the executive director.

(D) Internal audit personnel must perform audits of all major gaming areas of the casino operator. The following must be reviewed at least semi-annually:

(1) Slot revenue and procedures;

(2) Table games revenue and procedures;

(3) Manual payouts;

(4) Cage procedures;

(5) Information technology;

(6) Complimentaries and promotions;

(7) Control of access to assets and restricted areas;

(8) Purchasing; and

(9) Any other internal audits as required by the executive director, audit committee of the board of directors, or any other entity designated by the executive director.

(E) The audit reports must include the following information:

(1) Audit objectives;

(2) Audit procedures and scope;

(3) Findings and conclusions; and

(4) Management's response.

(F) The internal audit department must perform follow-up examinations to verify that corrective action has been taken regarding all instances of noncompliance cited by internal audit and the independent accountant. Further, if directed by the executive director, the internal audit department must perform follow-up examinations to verify that corrective action has been taken regarding all settlement agreements, notices of noncompliance, and disciplines imposed by the commission. These verifications must be performed within three months of the issuance of the audit report.

(G) Whenever possible, internal audit observations must be performed on an unannounced basis.

(H) All exceptions disclosed during audits must be investigated and resolved.

(I) All internal audit findings must be reported to management, who must respond to internal audit findings stating corrective measures to be taken to avoid recurrence of the audit exception. The management responses must be included in the internal audit reports that are delivered to the casino operator's management, the commission, audit committee of the board of directors, or other entity designated by the executive director.

(A) The casino operator's information technology ("IT") department is responsible for the quality, reliability, accuracy, security, and integrity of all gaming-related computer systems, regardless of the system's location.

(B) Each casino operator must provide hardware and software, approved by the executive director, for the exclusive use of the commission to facilitate access to the casino operator's gaming-related systems from commission offices.

(C) Each casino operator must provide the commission with a comprehensive list of all gaming-related computer systems in a format approved by the executive director. Each casino operator must provide updates to the list as changes occur.

(D) The area where the gaming-related system servers and core components are located must be secured and access restricted to appropriate personnel. Access to the secured area must be logged. The log must be reviewed for accuracy and completion by a member of the IT department at least monthly. At a minimum, the log must include the following information:

(1) Date and time the secured area was entered;

(2) Date and time the secured area was exited;

(3) Reason for access;

(4) First and last name of individual entering the area; and

(5) License number of individual entering the area, if applicable.

(E) Logical access and security measures must be implemented on all gaming-related systems to segregate incompatible functions, prohibit unauthorized access, and prevent loss of data integrity. The measures must include:

(1) Creation and maintenance of gaming-related system user accounts, which must be reviewed for appropriate access levels at least quarterly. The review must be documented and checked for accuracy and completion by a member of the IT department; and

(2) Gaming-related system user accounts must be authenticated prior to being given access. Appropriate authentication mechanisms (passwords, biometrics, etc.) and security policies must be used.

(F) Gaming-related system data must be backed-up and recoverable. The back-up and recovery process must be logged.

(G) Gaming-related system security event logs must be monitored and reviewed for suspicious activity and abnormal operation. The commission must be notified upon confirmation of any activity or abnormal operation that results in unauthorized access to, or loss of, gaming-related system data.

(H) Remote access to gaming-related systems may be allowed, but must adhere to the following guidelines:

(1) A unique gaming-related system user account must be established for each vendor requesting remote access;

(2) A dedicated and secure communication mechanism must be used to provide remote access;

(3) Each instance of remote access must be activated by the casino operator's IT department;

(4) Remote access must be deactivated by the casino operator's IT department at the conclusion of each instance of remote access; and

(5) Each instance of remote access must be logged. At a minimum, the log must include the following information:

(a) Date and time remote access capability was activated;

(b) Date and time remote access capability was deactivated;

(c) System accessed, including manufacturer and version number;

(d) First and last name of the individual or unique service request tracking number assigned by the licensed gaming-related vendor remotely accessing the system;

(e) First name, last name, and license number of the IT department member who activated the remote access capability;

(f) First name, last name, and license number of the IT department member who deactivated the remote access capability; and

(g) The reason for remote access, including a description of the actions taken during the remote access session.

(I) Each casino operator's internal controls must contain provisions for IT, which include, but are not limited to:

(1) Procedures for the control and installation of gaming-related system software. A software control log evidencing all authorized changes to software must be maintained and reviewed for accuracy and completion by a member of the IT department; and

(2) Procedures for the examination of gaming-related system software to detect changes, whether authorized or not. The examination must occur at least monthly and must be logged and reviewed for accuracy and completion by a member of the IT department.

(A) Each casino facility must have a main cashier's cage adjacent to the gaming floor.

(B) Each casino facility may also have one or more satellite cages separate and apart from the main cashier's cage that may be used for performing some of the functions of the main cashier's cage.

(C) Each casino facility must have a main bank located in a secure area of the casino facility.

(D) Each casino facility must have a count room located in a secure area of the casino facility.

(E) The main cashier's cage, main bank, and count room must be equipped with the following security controls:

(1) A double-door entry and exit system (mantrap) that contains different locks on each door and will not permit a person to pass through the second door until the first door is securely locked. Access to each door of the mantrap must be controlled by different independent casino departments. An emergency exit without a mantrap may be installed in these locations as approved by the executive director;

(2) Automatically triggered alarms monitored by the surveillance department which sound when any door is opened unexpectedly;

(3) Manually triggered silent alarms accessible to each workstation monitored by the surveillance department; and

(4) Tables used for the count must be constructed of clear glass or similar transparent material so that all activity may be monitored by the surveillance department.

(F) Any window in a cashier's cage, main bank, or count room must be secured in a manner that prevents any person from passing through the opening.

(G) Each casino operator's access controls must detail the access restrictions and processes of all casino cashiering areas, including the main cashier's cage, satellite cages, main bank, and count rooms.

(H) Unless otherwise approved by the executive director, the casino cashiering areas, including the main cashier's cage, satellite cages, main bank, and count rooms, must only be used for the processing of casino gaming and promotional transactions.

(I) Each casino operator must offer services for converting cashless wagering instruments to cash at all times during which the casino facility is open for business.

(A) Each casino operator's internal controls must detail the procedures for operating the cages, main bank, and satellite cages. The procedures must provide for the following:

(1) The organization, number, and qualifications of staff;

(2) The beginning and ending times for each shift;

(3) Documentation to support any transfers between the cage, main bank, or satellite cages, and adequate security to provide safety of funds being moved;

(4) The recording of perpetual inventory and the reconciliation of physical inventory to that perpetual inventory upon the changing of shifts, and documentation to support such information;

(5) The documentation of imprest amounts being transferred upon the changing of shifts, and signatures of the incoming and outgoing cashiers or supervisors; and

(6) Adequate key control to assure the security of funds during a shift.

(B) Any variances in the cages, main bank, or redemption kiosks, must be documented by the casino operator and a system must exist to identify variances by each individual cashier or redemption kiosk. If a variance exceeds five hundred dollars, the variance must be reported to the commission and investigated by the casino operator. The findings of the investigation must be forwarded to the commission.

(C) The cage accountability must be reconciled to the general ledger at least monthly.

(D) Redemption kiosks will be returned to an imprest amount and must be reconciled on a schedule as established in the casino operator's internal controls.

(E) Procedures for redemption kiosk reconciliation, for all types of transactions offered, must be described in the casino operator's internal controls and must include:

(1) Procedures for removal and counting of all currency and vouchers from the redemption kiosks;

(2) Procedures for performing and documenting fills and drops of redemption kiosks; and

(3) Procedures for documenting the imprest amount per reconciliation period.

(F) A trial balance of gaming operation accounts receivable, including the name of the customer and current balance, must be prepared at least monthly for active, inactive, settled, or written-off accounts. The trial balance of gaming operation accounts receivable must be reconciled to the general ledger each month. The reconciliation and any follow up performed must be documented, maintained for inspection, and provided to the commission upon request.

(G) All cage and credit accounting procedures and any follow-up performed must be documented, maintained for inspection, and provided to the commission upon request.

(A) Each casino operator must submit for executive director approval the specific times and procedures that table drop boxes and electronic gaming equipment (EGE) bill validator canisters will be brought to or removed from table games and EGE. The procedures may allow for the casino operator to remove table game drop boxes and EGE outside of the approved times only if the box or canister is full or has malfunctioned.

(B) The executive director may require a table game drop box or EGE bill validator canister to be removed and secured in the count room or other designated location at any time.

(C) Transportation of table game drop boxes and EGE bill validator canisters must be performed by a member of the security department and at least one other licensed employee, as designated in the casino operator's internal controls. The surveillance department must monitor the process.

(D) Table game drop box removal must be performed at least once per gaming day for all tables that offered casino gaming. Each table game drop box must be removed and replaced with an empty table game drop box in a continuous process. Upon removal from the tables, table game drop boxes must be transported in a locked trolley directly to the count room, or other secure area as approved by the executive director, and secured until the count takes place.

(E) EGE bill validator canister removal must be performed at least once per week for all EGE that offered casino gaming. Each bill validator canister must be removed and replaced with an empty bill validator canister in a continuous process. Upon removal from EGE, bill validator canisters must be transported in a locked trolley directly to the count room, or other secure area as approved by the executive director, and secured until the count takes place.

(F) Licensed employees authorized to remove table game drop boxes and EGE bill validator canisters must be precluded from having simultaneous access to remove table game drop boxes or EGE bill validator canisters and access to the drop box or canister contents.

(G) When not in use, empty table game drop boxes and EGE bill validator canisters must be stored in a locked trolley in the count room or in a secure area as approved by the executive director. Access to stored empty table game drop boxes and EGE bill validator canisters must require the involvement of at least two licensed employees from independent departments.

(H) Each table game drop box and EGE bill validator canister must:

(1) Have a unique identification number assigned to it that can be readily identified and correlates with the table game or EGE in which it is placed;

(2) Be fully enclosed, except for openings as required for the designed operation;

(3) Be designed to prohibit the removal of the contents without the use of the appropriate key (content key); and

(4) Be designed to prohibit the removal from a table game or EGE without the use of the appropriate key (release key).

(A) Each casino operator's internal controls must detail the count procedures for counting the proceeds from casino gaming.

(B) The counting process must be conducted by a count team that is independent of the cashier's cage, the accounting department, all audit functions, and of the transactions being reviewed and counted, unless otherwise approved by the executive director.

(C) The counting process must be performed by a minimum of three count team employees.

(D) There must be at least three count team employees in the count room during the counting process, until the proceeds from casino gaming have been accepted into the cage or main bank accountability.

(E) Table game drop boxes and electronic gaming equipment bill validator canisters containing the proceeds from casino gaming must only be opened and counted in the count room by the count team. Only count team members can handle the proceeds from casino gaming during the count.

(F) Access to the count room must be restricted as follows:

(1) When proceeds from casino gaming are present in the count room, access is limited to members of the count team, security, main bankers, and commission personnel. The executive director may conditionally approve temporary access for additional individuals, as requested.

(2) When proceeds from casino gaming are not present in the count room, access is limited to those detailed in the casino operator's access controls.

(G) Entering and exiting the count room during the counting process is only permitted when scheduled or for emergencies. Commission personnel may enter and exit at any time.

(H) All persons present in the count room during the counting process, except commission and security personnel, must wear a full-length, one-piece, pocket-less outer garment with openings only for the arms, feet, and neck.

(I) Only transparent bags and containers are permitted in the count room.

(J) Before conducting the counting process, the count team must test the counting machines for accuracy. The test procedures must be witnessed by at least two count team members and must be documented. The test documentation must be signed by at least two count team members and included in the final count documentation. Counting machines that fail the test must not be used.

(K) Before conducting the counting process, the count team must alert the surveillance department that the counting process is about to begin.

(L) Each member of the count team must display the backs and palms of their hands to the view of the other members of the count team and a surveillance camera prior to commencing and after completing each of the following:

(1) Transporting money from the count table to the count machine or placing money into the count machine;

(2) Removing money from the count machine or transporting money from the count machine to the count table;

(3) Conducting the bulk count of loose bills at the end of the count; and

(4) Removing or returning hands from a position on or above the count table;

(5) Returning hands to a position on or above the count table; and

(6) Coming in contact with their person or that of another individual.

(M) At least three members of the count team must attest in writing as to the results of the count prior to the proceeds being given to the main banker.

(N) All proceeds from casino gaming must be turned over to a main banker who must be independent of the count team. The main banker must conduct a bulk count of the proceeds from casino gaming and then compare it to the count documentation. The main banker must attest in writing to the amount of funds. All differences must be reconciled before the remaining count team members leave the count room.

(O) The count documentation, with all supporting documents, must be delivered to the accounting department by a licensed person independent of the cashier's cage department. Alternatively, the count documentation and all supporting documents may be secured in a locked canister or other device to which only accounting personnel have access, until retrieved by the accounting department.

(A) Each casino operator must record the following information for currency inserted into a casino game, but found outside of the table game drop box or electronic gaming equipment (EGE) bill validator canister:

(1) The table game number or EGE asset number wherein the currency was inserted;

(2) The date the currency was found; and

(3) The value of the currency.

(B) The unsecured items must be brought to the count room with the proceeds from casino gaming and included in the revenue for the associated game.

(A) Each casino operator's internal controls must detail the procedures for paying manual payouts, which must include the following:

(1) Verification and documentation of the manual payout by a licensed employee of the respective department, or requirements for detailed information on payout documents that are generated by casino or slot management systems;

(2) Submission of a manual payout two-part form to the cage;

(3) Processing system overrides or adjustments;

(4) Completing and filing required tax forms;

(5) Checking the identity of patrons winning taxable payouts against required intercept databases;

(6) Documented patron acknowledgment of the amount to be paid;

(7) Documented supervisor verification of manual payouts over ten thousand dollars;

(8) The daily review of all manual payouts from EGE. The review must consist of a comparison of the EGE's recorded manual payout meter with the actual amount paid for each manual payout; and

(9) Documenting, investigating, and resolving inconsistencies encountered while reviewing manual payouts from EGE. The procedures must include:

(a) The variance threshold at which an investigation is necessary. The commission must be notified of variances requiring investigation within one week of the variance discovery;

(b) The procedures for conducting and documenting the investigation; and

(c) Notification to the commission of the investigation results upon completion.

(B) Surveillance department must monitor all manual payouts over ten thousand dollars.

(C) Security escorts must be available for patrons receiving manual payouts.

(D) A casino operator may not offer games that offer annuity or merchandise payouts unless otherwise approved by the executive director.

(A) Licensed employee's may not solicit any tip or gratuity from any patron of the casino facility.

(B) Licensed employee's acting in a supervisory capacity may not accept any tip or gratuity from a patron of the casino facility.

(C) All tips and gratuities given to table game dealers must be deposited in a transparent locked box reserved for such purpose. The tips and gratuities must be placed in a pool for distribution, pro rata, among the table game dealers, unless the tips and gratuities are given during the conduct of a player against player contest.

(A) The commission may decertify a casino operator contract if it becomes aware of a contractor that has violated statutes or rules of this state or the federal government. The decertification process is an action against the casino operator that is subject to the hearing procedures and disciplinary actions provided for under Chapters 3772-21 and 3772-22 of the Administrative Code, respectively.

(B) Money a casino operator owes to, but is not claimed by, a patron because of a casino gaming transaction is subject to Chapter 169. of the Revised Code.

(C) Each casino operator must comply with Chapter 5753. of the Revised Code and with any requests of the tax commissioner in the computation and reporting of winnings, compensation from casino gaming, and gross revenue.