Kentucky Administrative Regulations
Title 809 - Public Protection Cabinet - Kentucky Horse Racing Commission
Chapter 10 - Technical Criteria
Section 809 KAR 10:006 - Audit and internal control standards
Universal Citation: 809 KY Admin Regs Service 10:006
Current through Register Vol. 51, No. 6, December 1, 2024
RELATES TO: KRS Chapter 230
NECESSITY, FUNCTION, AND CONFORMITY: KRS 230.260(16)(a) requires the racing commission to promulgate regulations to establish standards related to sports wagering, including standards for "maintaining and auditing books and financial records, securely maintaining records of bets and wagers, integrity requirements for sports wagering and related data surveillance and monitoring systems, and other reasonable technical criteria related to conducting sports wagering."KRS 230.811(2) requires tracks and service providers to "comply with the standards established by the racing commission. .. to ensure the integrity of the system of sports wagering." This administrative regulation establishes internal control standards, including administration and accounting controls, and specifies certain duties to permit access to the racing commission of information and records, record retention, and reporting requirements.
Section 1. Internal Controls. Before beginning operations, a licensee shall submit its administrative and accounting controls, in detail, in a system of internal controls for racing commission review and approval. The racing commission or its designee may perform any inspection necessary in order to determine conformance with the approved internal controls.
(1) Amendments to any portion of the internal
controls shall be submitted to the racing commission for approval. If, within
thirty (30) calendar days the racing commission has not approved, denied, or
otherwise provided written notice, a licensee may implement the amended
internal controls as submitted with the racing commission retaining its
authority to require further amendment, approval, or denial.
(a) The racing commission may approve, deny,
or require a revision to the amendment to the internal controls. If the
licensee is notified of a required revision, the licensee shall address the
revision within fifteen (15) calendar days, unless otherwise required by the
commission.
(b) If the racing
commission requests additional information, clarification, or revision of an
amendment to the internal controls and the licensee fails to satisfy the
request within thirty (30) calendar days after the racing commission submits
the request, the racing commission shall consider the amendment denied and it
cannot be implemented or, if previously implemented, the licensee shall cease
implementation of that amendment within fifteen (15) calendar days. If the
licensee subsequently wants to pursue the amendment, it shall resubmit the
request along with the additional information previously requested by the
racing commission.
(2)
In an emergency, the licensee may temporarily amend their internal controls.
The racing commission or its designee shall be notified immediately that an
emergency exists before the licensee temporarily amends its internal controls
due to an emergency. The licensee shall submit the temporary emergency
amendment of the internal controls to the racing commission or its designee
within twenty-four (24) hours of the amendment. The submission shall include
the detailed emergency procedures that will be implemented and the time period
the emergency procedures will be temporarily in place. Any concerns the racing
commission has with the submission shall be addressed with the licensee
promptly.
(3) The internal controls
shall include a detailed narrative description of the administrative and
accounting procedures designed to satisfy the requirements of KAR Title 809,
including the following:
(a) Reliable
accounting controls, including the standardization of forms and definition of
terms to be used in the sports wagering operations;
(b) Reporting controls which shall include
policies and procedures for the timely reporting of standard financial and
statistical information in accordance with this regulation;
(c) Access controls which include, as their
primary objective, the safeguarding of company assets;
(d) Tables of organization, which shall
provide for:
1. A system of personnel and
chain of command which permits management and supervisory personnel to be held
accountable for actions or omissions within their areas of
responsibility;
2. The segregation
of functions that are incompatible with separation of duties, so that no
employee is in a position both to commit an error or to perpetrate a fraud and
to conceal the error or fraud in the normal course of their duties;
3. Supervisory positions which permit the
authorization or supervision of necessary transactions at all relevant times;
and
4. Areas of responsibility
which are not so extensive as to be impractical for one (1) person to
monitor.
(e) A jobs
compendium detailing job descriptions, chains of command, and lines of
authority for all personnel engaged in the operation of sports wagering. The
licensee shall maintain and update the jobs compendium on a regular basis, but
at least annually;
(f) An
infrastructure and information security program; and
(g) All wagering procedures and practices
specified within the GLI-33 Standards.
(4) To the extent a service provider is
involved in or provides any of the internal controls required in this Chapter,
the licensee's internal controls shall document the roles and responsibilities
of the service provider and shall include procedures to evaluate the adequacy
of and monitor compliance with the service provider's internal
controls.
(5) The licensee shall
stamp or otherwise mark each page of the internal controls submitted to the
racing commission with the word "CONFIDENTIAL" if the licensee does not believe
the material submitted should be subject to public disclosure.
(6) If a licensee intends to utilize any new
technology not identified in its initial proposal, it shall submit the changes
to its internal controls to incorporate the use of any such new technology to
the racing commission for approval.
(7) If the racing commission determines that
the internal controls of the licensee do not comply with the requirements of
KAR Title 809, the racing commission shall notify the licensee in writing.
Within fifteen (15) calendar days after receiving the notification, the
licensee shall amend its internal controls accordingly and shall submit, for
racing commission approval, a copy of the written internal controls, as
amended, and a description of any other remedial measure taken.
Section 2. Information Security Responsibilities. The internal controls shall ensure that an information security program is effectively implemented, and information security function responsibilities are effectively allocated.
(1) The licensee shall implement, maintain,
and comply with a comprehensive information security program, the purpose of
which shall be to take reasonable steps to protect the confidentiality,
integrity, and availability of personally identifiable information of
individuals who place a sports wager with the licensee.
(2) The licensee's information security
program shall contain administrative, technical, and physical safeguards
appropriate to the size, complexity, nature, and scope of the operations, and
the sensitivity of the personally identifiable information owned, licensed,
maintained, handled, or otherwise in the possession of the licensee.
(3) A licensee's information security forum,
data privacy committee, or other similar organizational structure comprised of
senior managers shall be formally established to monitor and review the
information security program to ensure its continuing suitability, adequacy,
and effectiveness, maintain formal minutes of meetings, and convene at least
every six months.
(4) A licensee's
information security department shall exist that is responsible for developing
a security strategy in accordance with the overall operation. The information
security department will subsequently work with the other departments to
implement the associated action plans. It shall be involved in reviewing all
tasks and processes that are necessary from the security perspective for the
licensee, including the protection of information and data, communications,
physical, virtual, personnel, and overall business operational
security.
(5) The licensee's
information security department shall report to no lower than executive level
management and shall be independent of the IT department with regard to the
management of security risk.
(6)
The licensee's information security department shall have the competencies and
be sufficiently empowered and shall have access to all necessary resources to
enable the adequate assessment, management, and reduction of risk.
(7) The licensee's chief security officer or
equivalent head of the information security department shall be a full member
of the information security forum and be responsible for recommending
information security policies and changes.
Section 3. Accounting Records. licensees shall maintain complete, accurate, and legible records of all financial transactions for five (5) years, including transactions pertaining to revenues, expenses, assets, liabilities, and equity in conformance with generally accepted accounting principles. The licensee's financial transaction reports shall be in compliance with GLI-33 Standards, unless otherwise permitted by the commission.
(1) The detailed subsidiary
records shall include:
(a) Detailed general
ledger accounts identifying all revenue, expenses, assets, liabilities, and
equity;
(b) A record of all
investments, advances, loans, and accounts receivable balances due the
establishment;
(c) A record of all
loans and other accounts payable;
(d) A record of all accounts receivable
written off as uncollectible;
(e)
Journal entries prepared;
(f) Tax
work papers used in preparation of any state or federal tax return if
applicable;
(g) Records supporting
the accumulation of the costs for complimentary services and items. A
complimentary service or item provided to individuals in the normal course of a
sports wagering business shall be recorded in an amount based upon the full
retail price normally charged for the service or item or as is otherwise
consistent with generally accepted accounting principles; and
(h) Records required by the internal
controls.
(2) The
licensee shall maintain all records supporting the adjusted gross revenue for
five (5) years.
(3) If a licensee
fails to maintain the records used by it to calculate the adjusted gross
revenue, the racing commission may compute and determine the amount upon the
basis of an audit conducted by the racing commission using available
information.
Section 4. Financial Audits. Upon application, and annually thereafter, each licensee shall submit to the racing commission, within ninety (90) calendar days of the licensee's fiscal year end, its financial audit for that fiscal year.
(1) The licensee shall operate in conformity
with financial audit conditions established in the license conditions issued by
the racing commission pursuant to
KRS
230.290(3).
(2) Upon request by the commission, the
licensee shall submit pro forma statements that present projected or estimated
financial performance, assets, and liabilities. These pro forma statements
shall include:
(a) Pro forma balance sheet: A
projected or estimated balance sheet outlining the entity's assets,
liabilities, and equity at a specific point in time;
(b) Pro forma income statement: A projected
or estimated income statement presenting the entity's anticipated revenues,
expenses, and net income for a specific period;
(c) Pro forma cash flow statement: A
projected or estimated cash flow statement demonstrating the expected cash
inflows and outflows of the entity over a specific period;
(d) Pro forma statement of retained earnings:
A projected or estimated statement reflecting changes in the entity's retained
earnings over a specific period, considering projected net income, dividends,
and other adjustments; and
(e)
Notes for financial statements: Explanatory notes providing additional
information and disclosures related to the pro forma statements, including
significant assumptions, methodologies used, and any other relevant
details.
(3) If audited
financial statements are not available, the licensee shall provide audited
financial statements of its parent company and the licensee's unaudited
financial statements, which document the licensee's financial performance,
assets, and liabilities, including:
(a) A
balance sheet;
(b) An income
statement;
(c) A cash flow
statement;
(d) A statement of
retained earnings; and
(e) Notes
for financial statements.
(4) The pro forma statements shall be clearly
labeled as unaudited and based on management's estimates and assumptions. These
statements may serve as temporary financial documentation until audited
financial statements become available.
(5) The financial audit shall be performed in
accordance with generally accepted accounting principles by an independent
certified public accountant currently authorized to practice in Kentucky, and
shall contain the opinion of the independent certified public accountant as to
its fair preparation and presentation in accordance with generally accepted
accounting principles.
(6) The
racing commission shall determine the number of copies of audits or reports
required under this procedure. The audits or reports shall be received by the
racing commission or postmarked no later than the required filing
date.
(7) The reporting year-end of
the licensee is December 31 of each year, unless otherwise approved by the
racing commission.
Section 5. Retention, Storage, and Destruction of Records. The internal controls shall include a records retention schedule, and provisions related to the storage and destruction of records that incorporates the following provisions, without limitation:
(1) Each
licensee shall maintain, in a place secure from theft, loss, or destruction,
adequate records of its business and accounting operations.
(2) A licensee shall make the records
available to the racing commission, upon request, within a time provided for by
the racing commission. A licensee shall retain the records for not less than
five (5) years.
(3) A licensee
shall keep and maintain, in a manner and form approved by the racing
commission, accurate, complete, and legible records of any books, records, or
documents pertaining to, prepared in, or generated by, the licensee.
(4) A licensee shall organize and index all
required records in a manner that enables the racing commission to locate,
inspect, review, and analyze the records with reasonable ease and
efficiency.
(5) A licensee shall
notify the racing commission in writing at least sixty (60) calendar days prior
to the scheduled destruction of any record required to be retained in
accordance with this section, if within the five (5) year record retention
requirement. Such notice shall list each type of record scheduled for
destruction, including a description sufficient to identify the records
included; the retention period; and the date of destruction. If documents are
to be destroyed in the normal course of business in accordance with document
retention policies previously set forth in the internal controls approved by
the racing commission, no notice to the racing commission shall be
required.
(6) The racing commission
may prohibit the destruction of any record required to be retained in
accordance with this section by so notifying the licensee in writing within
forty-five (45) calendar days of receipt of the notice of destruction pursuant
to subsection (5) or within the specified retention period. Such original
record may thereafter be destroyed only upon notice from the racing commission,
or by order of the racing commission upon the petition of the licensee, or by
the racing commission on its own initiative.
(7) The licensee may use the services of a
disposal company for the destruction of any records required to be retained in
accordance with this section.
Section 6. Reserve Requirement.
(1) The
internal controls shall include a plan to maintain and protect sufficient funds
to conduct sports wagering at all times through a reserve in the amount
necessary to ensure the security of funds held in sports wagering accounts and
the ability to cover the outstanding sports wagering liability.
(a) The reserve shall be in the form of cash,
cash equivalents, payment processor receivables, payment processor reserves, an
irrevocable letter of credit, a bond, or a combination thereof.
(b) The reserve shall be not less than the
greater of $25,000 or the sum of the following amounts:
1. The daily ending cashable balance of all
sports wagering accounts;
2.
Pending withdrawals;
3. Amounts
accepted by the licensee on sports wagers whose outcomes have not been
determined; and
4. Amounts owed but
unpaid on winning sports wagers.
(c) Amounts available to patrons for wagering
that are not redeemable for cash may be excluded from the reserve
computation.
(2) A
licensee shall have access to all sports wagering account and transaction data
to ensure the amount of its reserve is sufficient. Unless otherwise directed by
the racing commission, a licensee shall file a monthly attestation with the
racing commission, which states that funds have been safeguarded under this
procedure.
(3) The racing
commission may audit a licensee's reserve at any time and may direct a licensee
to take any action necessary to ensure the requirements of this section are
met.
Section 7. Risk Management Framework. A licensee shall implement a risk management framework. This framework may be provided in-house by a unit capable of performing this function with appropriate segregation of functions and reporting duties, or by a third-party entity.
(1) The internal
controls shall contain a description of the risk management framework,
including:
(a) Automated and manual risk
management procedures;
(b) Employee
management, including access controls and segregation of duties;
(c) Information regarding identifying and
reporting fraud and suspicious conduct;
(d) Controls ensuring regulatory
compliance;
(e) Description of
Anti-Money Laundering (AML) compliance standards;
(f) Controls for accepting wagers and issuing
pay outs in excess of $10,000;
(g)
Controls for accepting multiple wagers from one patron in a 24-hour cycle,
including a process to identify patron structuring of wagers to circumvent
recording and reporting requirements;
(h) Description of all software applications
that comprise the sports wagering system;
(i) Description of all types of sports wagers
available to be offered by the licensee;
(j) Description of the procedures to prevent
past posting of wagers;
(k)
Description of the procedures to prevent individuals from placing wagers as
agents or proxies for other individuals; and
(l) Description of all integrated third-party
platforms.
(2) A
licensee shall file with the racing commission a report of any error that
occurs in offering an event or wager or if an unapproved sporting event or type
of wager is offered to the public.
Section 8. Taxation Requirements.
(1) The internal controls shall ensure
compliance with all Internal Revenue Service (IRS) requirements and the
licensee shall provide for the withholding or reporting of income tax of
patrons as required by applicable state or federal law.
(2) The licensee shall disclose potential tax
liabilities to patrons at the time of award of any sports wagering payouts in
excess of limits set by the IRS. Such disclosures will include a statement that
the obligation to pay applicable taxes on payouts is the responsibility of the
patron and that failure to pay applicable tax liabilities may result in civil
penalties or criminal liability. Upon written request, the licensee shall
provide patrons with summarized tax information on sports wagering
activities.
Section 9. Reports of Suspicious Transactions.
(1) A
transaction requires reporting under the terms of this section if it is
conducted or attempted, by, at, or through a licensee, and involves or
aggregates to at least $5,000 in funds or other assets, and the licensee knows,
suspects, or has reason to suspect that the transaction or a pattern of
transactions of which the transaction is a part:
(a) Involves funds derived from illegal
activity or is intended or conducted in order to hide or disguise funds or
assets derived from illegal activity (including, without limitation, the
ownership, nature, source, location, or control of such funds or assets) as
part of a plan to violate or evade any federal law or regulation or to avoid
any transaction reporting requirement under federal law or regulation or of the
racing commission.
(b) Is designed,
whether through structuring or other means, to evade any requirements of these
regulations or of any other regulations promulgated under the Bank Secrecy
Act;
(c) Has no business or
apparent lawful purpose or is not the sort in which the particular patron would
normally be expected to engage, and the licensee knows of no reasonable
explanation for the transaction after examining the available facts, including
the background and possible purpose of the transaction; or
(d) Involves use of the licensee to
facilitate criminal activity.
(2) A licensee may also file a report of any
suspicious transaction that it believes is relevant to the possible violation
of any law or regulation but whose reporting is not required by this
section.
(3) The report shall be
filed no later than thirty (30) calendar days after the initial detection by
the licensee of facts that may constitute a basis for filing such a report. In
situations involving violations that require immediate attention, the licensee
shall immediately notify the racing commission in addition to timely filing a
report.
(4) A licensee shall
maintain a copy of any report filed and the original or business record
equivalent of any supporting documentation for a period of five (5) years from
the date of filing the report. Supporting documentation shall be identified,
and maintained by the licensee as such, and shall be deemed to have been filed
with the report. A licensee shall make all supporting documentation available
to the racing commission and any appropriate law enforcement agencies upon
request.
(5) Unless otherwise
required by this Chapter, other law, or court order, licensee and its
directors, officers, employees, or agents who file a report pursuant to this
regulation shall not notify any person involved in the transaction that the
transaction has been reported. Any report filed with the racing commission is
confidential and may be disclosed by the racing commission in the necessary
administration of their duties and responsibilities under the Act or as
otherwise required by law or court order.
Section 10. Anti-Money Laundering (AML) Monitoring. The internal controls shall implement AML procedures and policies that adequately address the risks posed by sports wagering for the potential of money laundering and terrorist financing. The AML procedures and policies shall provide for the following:
(1) Up to date
training of employees in the identification of unusual or suspicious
transactions;
(2) Assigning an
individual or individuals to be responsible for all areas of AML by the
licensee including reporting unusual or suspicious transactions;
(3) Use of any automated data processing
systems to aid in assuring compliance; and
(4) Periodic independent tests for compliance
with a scope and frequency as required by the racing commission. Logs of all
tests shall be maintained for five (5) years.
Section 11. Integrity Monitoring and Suspicious Behavior. A licensee shall implement an integrity monitoring system. This solution may be provided in-house by a unit capable of performing this function with appropriate segregation of functions and reporting duties, or by a third-party entity.
(1) The internal
controls shall include provisions for a licensee to report to the racing
commission as soon as practicable, but in no event longer than forty-eight (48)
hours after discovery:
(a) Any information
regarding irregularities in volume or changes in odds identified as abnormal
wagering activity;
(b) Any
information relating to criminal or disciplinary proceedings commenced against
the licensee in connection with its operations;
(c) Any information relating to the
following, which shall also be reported to the relevant sports governing body
or equivalent:
1. Abnormal wagering activity
or patterns that may indicate a concern with the integrity of a sporting event
or events;
2. Any potential breach
of the internal rules and codes of conduct pertaining to sports wagering of a
relevant sports governing body or equivalent, to the extent the licensee has
actual knowledge of the potential breach; and
3. Any other conduct that corrupts a sports
wagering outcome of a sporting event or events for purposes of financial gain,
including match-fixing; or
(d) Any information relating to suspicious or
illegal wagering activities, including the use of funds derived from illegal
activity, the placement of wagers to conceal or launder funds derived from
illegal activity, the use of agents to place wagers, and the use of false
identification in placing wagers.
(2) A licensee shall maintain the
confidentiality of information provided by a sports governing body or
equivalent for purposes of investigating or preventing the conduct described in
subsection (1)(d), unless disclosure is required by the Act, the racing
commission, or other law or court order, or unless the sports governing body or
equivalent consents to its disclosure in writing.
(3) A licensee receiving a report of
suspicious or illegal wagering activity shall be permitted to suspend wagering
on sporting events or types of wager related to the report, and may place a
hold on suspicious wagers while investigating, but may only cancel or void
sports wagers related to the report after receiving written approval from the
racing commission or its designee.
(4) Upon request by the racing commission or
its designee, a licensee shall provide remote, read-only access and the
necessary software and hardware for the racing commission to evaluate or
monitor the sports wagering system. If requested, the licensee shall provide
the racing commission with remote access or other approved mechanism, which
shall provide:
(a) All reports of abnormal
wagering activity;
(b) Whether the
abnormal wagering activity was subsequently determined to be suspicious or
illegal wagering activity;
(c) All
reports deemed suspicious or illegal wagering activity at the outset;
and
(d) The actions taken by the
licensee according to its integrity monitoring system.
(5) Nothing in this section shall require a
licensee to provide any information in violation of federal, state or local law
or regulation, including laws and regulations relating to privacy and
personally identifiable information.
(6) A licensee shall maintain records of all
integrity monitoring services and activities, including all reports and
suspicious or illegal wagering activity and any supporting documentation, for a
minimum of five (5) years after a sporting event occurs. The licensee shall
disclose these records to the racing commission upon request.
(7) The racing commission may require a
licensee to provide any hardware or software necessary to the racing
commission, or to an independent testing laboratory approved by the racing
commission, for evaluation of the licensee's sports wagering offering or to
conduct further monitoring of sports wagering data.
Section 12. Personally Identifiable Information Security.
(1) Any information
obtained in respect to a patron, including confidential information, personally
identifiable information and authentication credentials for a sports wagering
account, shall be collected in compliance with the licensee's privacy policies
set forth in its internal controls. Both personally identifiable information
and the sports wagering account funds shall be considered as critical assets
for the purposes of risk assessment.
(2) No employee or agent of the licensee
shall divulge any confidential information or personally identifiable
information related to a patron, the placing of any wager, or any other
sensitive information related to the operation of the licensee without the
consent of the patron, except as required by this section, the racing
commission, and as otherwise required by state or federal law.
(3) The internal controls shall include
procedures for the security and sharing of confidential information, personally
identifiable information, funds in a sports wagering account, and other
sensitive information as required by the racing commission, including:
(a) The designation and identification of one
or more employees having primary responsibility for the design, implementation,
and ongoing evaluation of such procedures and practices;
(b) The procedures to be used to determine
the nature and scope of all information collected, the locations in which such
information is stored, and the storage devices on which such information may be
recorded for purposes of storage or transfer;
(c) The measures to be utilized to protect
information from unauthorized access; and
(d) The procedures to be used if a breach of
data security has occurred, including required notification to the racing
commission.
Section 13. Complaints Pertaining to Sports Wagering. The internal controls shall provide procedures for receiving, investigating, responding to, and reporting on complaints by patrons.
(1)
When a patron makes a complaint, the licensee shall promptly issue a complaint
report, setting out:
(a) The name of the
complainant;
(b) The nature of the
complaint;
(c) The name of the
persons, if any against whom the complaint was made;
(d) The date of the complaint; and
(e) The action taken or proposed to be taken,
if any, by the licensee.
(2) All complaints received by a licensee
from a patron and the licensee's responses to complaints shall be retained for
at least five (5) years and made available to the racing commission within ten
(10) business days of any request by the racing commission.
(3) A licensee shall investigate and attempt
to resolve all complaints with the patron.
Section 14. Prohibition of Credit Extension. The internal controls shall include controls relating to not allowing the acceptance of a sports wager or deposit of funds into a sports wagering account that is derived from the extension of credit by affiliates or agents of the licensee. For purposes of this section, credit shall not be deemed to have been extended where, although funds have been deposited into a sports wagering account, the licensee is awaiting actual receipt of such funds in the ordinary course of business.
(1) Credit providers such
as small amount credit contracts shall not be advertised or marketed to
patrons.
(2) A patron shall not be
referred to a credit provider to finance their sports wagering
activity.
(3) Personally
identifiable information related to a patron shall not be provided to any
credit provider.
Section 15. Prohibited Patrons. The internal controls shall include commercially and technologically reasonable measures to prevent access to sports wagering by any prohibited patrons at a licensed premises and online via Web site or mobile application.
(1) If a
licensee detects, or is notified of, an individual suspected of being a
prohibited patron who had engaged or is engaging in prohibited sports wagering,
the licensee shall use reasonable measures to verify whether the individual is
prohibited or not.
(2) If the
licensee is able to establish, by reasonable measures, that the individual is
prohibited, the licensee shall cancel a sports wager.
Section 16. Layoff Wagers. The internal controls shall include procedures for a licensee to accept layoff wagers placed by other licensees and place layoff wagers with other licensees for the purpose of offsetting sports wagers.
(1) The licensee
placing a layoff wager shall inform the licensee accepting the wager that the
wager is being placed by a licensee and shall disclose their
identity.
(2) A licensee may
decline to accept a layoff wager in its sole discretion.
(3) Layoff wagers shall be reported to the
racing commission promptly.
Section 17. Reports of Licensees. The internal controls shall delineate the Licensee's capacity to prepare standard reports related to sports wagering revenues, wagering liability, patron information, payouts or any combination thereof. The Internal Controls shall be amended to include any additional reports required by the commission to audit sports wagering activity to ensure that all reports are prepared in accordance with the technical conditions prescribed by the commission or its designee. The Internal Controls shall provide the licensee's process for timely filing of the reports prepared pursuant to this section. Any information provided under this section is confidential and proprietary and is exempt from disclosure unless disclosure is required by this Chapter, by other law, or by court order.
Section 18. Racing Commission Access to Sports Wagering Data. The internal controls shall detail the controls to assure that all sports wagering data the racing commission requires to be maintained under the Act or KAR Title 809 is appropriately segregated and controlled to prevent unauthorized access.
(1) Licensees
shall provide the racing commission with access to all such data, upon request
and with reasonable notice.
(2)
Licensees shall retain such data for a minimum of five (5) years.
Section 19. Independent Audit of Internal Controls. Licensees shall have their internal controls independently audited at least once every two (2) years with the results documented in a written report. This includes internal controls conducted by an affiliate on behalf of the licensee. Reports shall be maintained and available to the racing commission for five (5) years.
(1) Such
independent audits may be conducted by the racing commission, or a third-party
contractor approved by the racing commission. The racing commission may, in its
discretion, approve the licensee to complete an internal audit, if the licensee
uses an independent auditing team to serve as a third-party contractor for use
in completing this audit.
(2) The
racing commission or third-party contractor shall be responsible for auditing
the licensee's compliance with the Act and KAR Title 809, the Wagering
Procedures and Practices specified within the GLI-33 Standards, and the
internal controls.
(3)
Documentation shall be prepared to evidence all independent audit work
performed as it relates to the requirements of this section, including all
instances of noncompliance.
(4)
Independent audit reports shall include objectives, procedures and scope,
findings and conclusions, and recommendations.
(5) Independent audit findings shall be
reported to management. Management shall be required to respond to the
independent audit findings and the stated corrective measures to be taken to
avoid recurrence of the audit exception. Such management responses shall be
included in the final independent audit report.
(6) Follow-up observation and examinations
shall be performed to verify that corrective action has been taken regarding
all instances of noncompliance cited by the independent audits. The
verification shall be performed within six (6) months following the date of
notification.
(7) It is acceptable
to reuse the results of prior audits conducted within the audit period by the
same third-party contractor in another sports wagering jurisdiction. Such reuse
shall be noted in the audit report. This reuse option does not include any
internal controls unique to the Commonwealth, which will require new
audits.
STATUTORY AUTHORITY: KRS 230.260(16), 230.811(2)
Disclaimer: These regulations may not be the most recent version. Kentucky may have more current or accurate information. We make no warranties or guarantees about the accuracy, completeness, or adequacy of the information contained on this site or the information linked to on the state site. Please check official sources.
This site is protected by reCAPTCHA and the Google
Privacy Policy and
Terms of Service apply.
