What an effective internal audit actually looks like in iGaming
- May 21
- 2 min read
Robert Penfold, Head of Internal Audit at eGaming Integrity, has written for SiGMA News on what effective internal audit looks like in practice for iGaming businesses.
The article follows Robert’s previous piece on why internal audit in iGaming is still often misunderstood. This time, he looks at what separates a useful internal audit from a report that simply gets filed away.
Robert’s central point is that effective internal audit rests on four things: risk, process reality, ownership and follow-through. In other words, the value is not in proving that a policy exists. The value is in understanding whether the control actually works when the business is under pressure.
That matters in iGaming because businesses often move faster than their governance frameworks. New markets, new suppliers, product launches and regulatory changes can all create a gap between what is documented and what is happening operationally. Robert makes the point that an audit should start by asking where the business is most vulnerable today, rather than arriving with a predetermined checklist.
The article also looks at third-party risk, which remains a major issue across the sector. Operators rely heavily on payment providers, KYC and AML tools, fraud systems, safer gambling technology, platforms, sportsbook feeds and game studios. Each of those relationships carries risk, and the real question is not simply whether a contract exists, but how the relationship is managed day to day.
Robert also makes an important point about follow-through. An audit is not finished when the report is written. It is finished when the business understands what needs fixing, who owns the action, and what needs to happen next.
For boards, senior management, compliance teams and operational leads, the article is a useful reminder that internal audit should not be treated as a paperwork exercise. Done properly, it gives leadership an honest view of how the business is running before a regulator, incident or enforcement action brings the issue to the surface.
Read Robert’s full article on SiGMA News here.
