Success in gambling has nothing to do with luck and everything to do with knowing the system -- just ask Cheryl Kondra, chief audit executive of Harrah's Entertainment.
Kondra leads a staff of 82 internal auditors in an 80,000-employee company that has completed several major acquisitions, including the 2005 $5.2 billion deal for Caesars Entertainment, in recent years. And then there are the industry-specific regulations: "Eighty-nine percent of our 2009 audit plan consists of regulatory audits," Kondra notes. "We can't not do the work. As much as we like to talk about risk-based auditing, and it's something we value, we're doing 90 percent of what we do whether we think there is risk there or not."
The system that Harrah's internal audit function uses to maximize its odds for success consists of new technology, best practices gleaned from auditors within the legacy organization and recently acquired companies, and strong relationships with other corporate functions, particularly finance and information technology (IT). Success takes the form of executing the legally mandated components of its audit plan with greater effectiveness and efficiency, the latter of which frees up hours to devote to more risk-based auditing.
"Our auditors are spending more time in the pit or up in surveillance conducting observations," she continues. "And they're coming up with new ideas for efficiencies and game protection."
Harrah's internal audit model is of particular interest right now for two reasons.
First, the current function is the product of significant merger & acquisition (M&A) activity, a dynamic that may pick up in other industries as company valuations drop in a bad economy and competitors snap them up. Harrah's postmerger internal audit integration offers valuable lessons.
Second, Harrah's internal audit function has learned how to do more with less, freeing up resources to devote to risk-based auditing and other strategic GRC activities. Most companies want to do so. "Protiviti's 2008 Internal Audit Capabilities and Needs" survey identifies computer-assisted audit techniques, continuous auditing, and data analysis, respectively, as the greatest areas in need of improvement. Many internal audit departments, regardless of their industry, face budgetary pressure to trim head count in a tough economy and regulatory pressure to avoid doing so.
"Harrah's is a good example of how analytics can be used to better address a high volume of regulatory requirements while supporting growing expectations that audit looks at the company's most important at strategic risk issue," says John Verver, a vice president with ACL Services. "The idea is to use technology to free up auditors to use their professional judgment ... and their skills are proving to be applicable not only in a traditional audit-assurance function but, increasingly, in supporting overall GRC activities."
133,500 Hours Required
U.S. casinos are subject to regulations that vary by state. Nevada and New Jersey's regulations tend to set the standards. About 75 percent of the gaming regulations with which Harrah Entertainment properties in different states must comply are similar, regardless of jurisdiction.
As Kondra emphasizes, though, nearly 90 percent of her function's audit plan (roughly 150,000 hours of work) consists of work required by state law. One of the most important objectives of these rules involves assuring that each casino company pays an appropriate percentage of revenue in taxes to the states in which it operates.
For example, the company is required to audit table games and slot operations, cage operations (the so-called "operational nerve center" of a casino where customers exchange money for chips), and slot operations up to four times per year, depending on the state. This involves scrutinizing accounting reports and, where possible, extracting information from the slot data system (SDS) that monitors every coin that flows in and out of every slot machine.
One casino may have, say, 3,000 (or more) slot machines in operation on its premises; the SDS tells accountants and auditors how much money has entered the machine year-to-date and month-to-date, how much money has poured into lucky winners' hands, and what the hold percentage is. The system's information is also used by operations staff to make decisions about where to place machines in the casino or when to move a specific machine to another casino within the company. "In these tougher economic times, you'd be amazed at how well our penny machines are doing," Kondra notes.
The amount of information contained in these systems is also amazing, and it explains why Harrah's internal audit function was in the process of examining different technology applications to help monitor those and other systems when its focus suddenly shifted to postmerger acquisition in 2005.
Postmerger IA Integration
The acquisition of Caesars followed Harrah's acquisition of three Horseshoe properties in 2004--2005. The internal-audit integration of the Horseshoe properties was relatively straightforward. These casinos primarily used highly manual auditing processes and, Kondra says, the auditing staffs at these casinos were "very open" to Harrah's practices and use of automation. Harrah's had begun using the CCH TeamMate audit management system and ACL Services' audit analytics and continuous monitoring software. The subsequent integration of Caesars' internal auditing function was far more complex -- and risky, as any large merger can be.
"In practice, postmerger integration is a huge issue for auditors," Verver asserts. "Major risks can occur when you're dealing with disparate systems and bringing organizations together. You can get control breakdowns. If you're not integrating systems efficiently, some of the biggest risks of fraud, error, and loss occur. It's interesting that one of the things on which Harrah's focused was actually using analytics to bridge the different systems and enterprises."
Some of the complexity stemmed from the fact that Caesars' internal audit had a stable, seasoned department with more than 40 employees and its own chief audit executive and the function was very engaged with its audit committee. "It wasn't that we had to learn any new regulations [with few exceptions, the two companies operated in the same regulatory jurisdictions]," Kondra recalls, "but it required a lot of thought and work to integrate our processes."
Diana Schaefer, Harrah's IT audit manager, says that the key to the successful Caesars-Harrah's internal audit integration was getting in there early. Within four months of the merger's announcement, the two functions convened to discuss their respective internal auditing approaches, processes, people and technology. (Caesars also had familiarity with ACL's tools.) Seven months later, the deal closed.
"We genuinely looked to pull the best practices from each company, regardless of the source," says Schaefer. "It was not one side pushing their way of doing things on the other. It was truly an integration, and this helped generate buy-in from both sides from the very beginning."
The integration meetings examined each overall internal audit strategy and also how each function conducted exit conferences, approached management, scrutinized documentation, hired and developed, and established work paper standards, among other processes.
"On the IT side, we spent a lot of time on the standardization of processes and systems across the enterprise," notes Schaefer. "This really allowed us to standardize our processes and testing. We used our TeamMate and ACL tools to gain efficiencies in our processes."
The Keno Problem
The primary areas that required greater efficiency related to the 89 percent of auditing required by state law.
"It's hard for us to benchmark ourselves to a FedEx or any type of company that can say, 'Well, this year we'll go to our Singapore hub, and maybe next year we won't go,'" Kondra explains. "We can't say, 'Gee, this year we'll look at slots at Caesars Palace and maybe next year we won't look at slots.' We are going to look at slots at Caesars Palace twice a year whether we think we should or not."
Call it the "keno problem." In a highly regulated industry such as gaming, the vast majority of internal audit's work consists of "have-tos" regardless of the magnitude of risks that exist in these have-to areas. Take keno, for example. The old-fashioned bingo-esque game has fallen out of favor with many gamblers, and it represents a declining source of revenue for many casino companies, including Harrah's.
"We never find any issues with keno, and people aren't playing it as much any more," Kondra explains. "But the regulators make me audit keno every year in Laughlin, Nevada, or wherever we have keno. It's frustrating because I have to believe that there is more risk in some of our retail operations, for example, but this is where the hours have to go."
To address this frustration and free up more hours for operational risk-based audits, Harrah's uses ACL's continuous monitoring technology to automate some of its state-mandated auditing work.
Greater "Perceived Control"
Although internal audit functions in less-regulated industries don't have keno audits to contend with, most still have a keno problem; the amount of manual work that they need to do pushes their human resources to the limits. By standardizing processes and using technology to conduct checklist work, internal audit functions can free staff hours to examine more strategic GRC issues.
"We've relieved our auditors from having to test the same documents manually every time," says Schaefer. "And this has opened up more opportunities for them to go look on the floor at some of the gray areas where other risks might exist. It's allowed us to conduct a greater degree of risk-based auditing than we did previously."
Kondra estimates that her function has freed up about 20 hours from its 300-hour budget for auditing table games thanks to the use of continuous monitoring and auditing technology. Internal auditors now invest those 20 hours in the surveillance room or on casino floors, in the thick of the action during the busiest times of the day. The auditors are watching how the processes they monitor on paper are playing out in practice while making sure that the right supervisors are in place and performing the right controls to mitigate table-game risks.
"If they are in the back room doing paperwork, they're not going to get those insights," Kondra notes. "Our auditors' presence on the floor also gives us more perceived control. The table games managers know that we're observing. We're watching them sign the right slips and making sure that security is located where it's supposed to be located."
The use of technology to support auditing processes has helped to reduce time and save money in other areas as well.
For example, auditing the company's active employee list against the system access list used to take the team responsible for the work several days per property. "Doing it manually was awful," reports Schaefer. "Now we've scripted it so that we get two files that we need -- the system access listing and the HR listing -- and we hit the run button. ACL pulls in both listings, makes the names match ... and then spits out results that shows if we have any duplicate employees, inactive employees, or generic listings in the system. And this takes about 90 seconds."
The test is crucial from a regulatory perspective. Some states require the company to remove inactive users within 72 hours of their inactive status becoming official. In an industry with relatively high turnover rates, ensuring that the company is adhering to this rule can be labor-intensive.
But it's not labor-intensive at all, thanks to Harrah's commitment to standardized processes and continuous monitoring technology -- and also its relationship with the rest of the business. Internal audit is required to examine these types of system access controls twice a year or annually, depending on where a casino property is located. However, managers who oversee system end users are required to comply with these rules on a daily basis. So, Harrah's internal audit function shared the ACL tool with the finance and IT functions, where the bulk of system end users reside, so that they can run the tool on a daily basis to ensure compliance while increasing the level of system security.
"It's significant," says Kondra, who repeats the phrase, as if for good luck. "It's significant."
The Secrets to Internal Audit Integration
Internal audit functions must act quickly when their companies merge with another organization. Integrating and newly integrated companies are ripe for risks, particularly when it comes to systems access and other controls around financial systems.
When Harrah's Entertainment acquired Caesars Entertainment a few years ago, the two internal audit functions quickly connected to hammer out how they would handle the $5.2 billion deal in their own domain. Harrah's Chief Audit Executive Cheryl Kondra says that there were several key steps that helped the two functions merge quickly and effectively.
"As soon as legal allowed us to go in, which was pretty quickly, we dove in," recalls Kondra, who was a vice president with responsibility for Harrah's central division at the time of the integration. "We completed it in 11 months, which made it one of the quickest acquisitions with that many properties that we've done in the history of our company. And we've done a lot over the years."
Here are a few of the integration practices she points to:
• Looking at all work papers (within the newly combined organization) to understand their underlying technique;
• Looking at all of the reports with issues to determine their progress status;
• Getting a feel for the nature of the issues in each report;
• Gaining an understanding of management's response to the issues raised by internal audit;
• Looking at the internal audit organizational chart within each property to track the number of directors, managers, and staffers at each location; and
• Scrutinizing each annual audit plan carefully