Effective Internal Audit in iGaming: Why Boards Need More Than Compliance Checklists

Many of the biggest audit failures in iGaming do not begin with a missing policy. They begin with a policy everyone assumes is already working.

An operator may have documented AML procedures, customer monitoring rules, source-of-funds checks and safer gambling escalation processes in place for years. The issue appears when live customer activity tells a different story: high-risk accounts are reviewed too late, payment data is split across providers, or customer interactions are closed despite clear markers of harm.

For boards and senior management, internal audit in iGaming is now less about formal compliance comfort and more about operational visibility.

Robert Penfold, Head of Internal Audit at eGaming Integrity, argued in a recent SiGMA News interview that audit should reflect operational reality rather than documentation alone.

The conversation has shifted at board level as well.

For operators active across multiple jurisdictions, that has direct commercial implications. Weak oversight can quickly become a licensing issue, a payments-partner concern or an investor confidence problem long before it escalates into a headline enforcement case.

Policies rarely fail all at once

In practice, operational weaknesses usually emerge gradually.

A source-of-funds process may function perfectly for standard customer reviews but break down during periods of high-velocity deposits, when manual escalation queues become overloaded. An affiliate campaign may bring in players whose activity triggers multiple AML or safer gambling indicators faster than review teams can realistically respond. A payment provider integration may technically support transaction monitoring while still creating blind spots because data fields do not align cleanly across systems.

Auditors increasingly walk through live cases, test escalation handling, review customer interactions, examine withdrawal approvals and challenge whether reporting actually reflects what frontline teams experience. For example, in a high-risk customer review, an audit should check who reviewed the file, what payment data was available, whether source-of-funds evidence was complete, whether the safer gambling interaction was recorded and who owned the next step after escalation.

A compliance sign-off before a market launch is useful only if the live workflow proves it. Audits should check whether customer due diligence was applied after launch, whether exceptions were documented and whether safer gambling teams saw behavioural signals before a financial threshold was reached.

For leadership teams, the question is not whether a framework exists. It is whether the business can still defend how that framework operates at scale.

Regulators are increasingly focused on evidence

Recent enforcement action in the UK has reinforced a clear regulatory direction: operators are expected to prove that policies are actively implemented, monitored and tested.

In August 2025, the UK Gambling Commission fined ProgressPlay Limited £1 million following AML and social responsibility failings. The regulator also required the company to undergo a third-party audit. Among the issues identified were weaknesses in transaction scrutiny, customer risk assessments and source-of-funds procedures. UKGC Director of Enforcement and Intelligence John Pierce said operators must have policies and procedures that are “actively implemented and regularly tested” to confirm they work in practice.

The same issue appeared in later UKGC actions. Platinum Gaming Limited, operator of unibet.co.uk and uk.bingo.com, agreed to a £10 million settlement in October 2025, with a third-party audit, a follow-up independent review and an internal investigation required as part of the outcome. NetBet Enterprises later agreed to pay £650,000 after the Commission identified AML and social responsibility failings, including overreliance on financial triggers and weaknesses linked to third-party relationships and high-stakes gambling.

The UKGC said the operator failed to properly account for previously blocked accounts linked to money laundering risks.

For audit teams, the lesson is practical: test customer risk assessments, escalation thresholds, review quality, source-of-funds evidence, high-risk account handling and the management information that reaches senior leaders.

That is precisely the territory a mature internal audit function should be examining.

The same pressure is visible beyond the UK.

In December 2024, AUSTRAC commenced civil penalty proceedings against Entain Group Pty Ltd, operator of Ladbrokes and Neds in Australia, alleging serious and systemic AML/CTF non-compliance. AUSTRAC alleged deficiencies involving board and senior management oversight, third-party deposit channels, customer identity controls and source-of-funds checks linked to higher-risk customers.

AUSTRAC CEO Brendan Thomas said betting operators must understand who their customers are even when relying on third parties to process transactions.

The proceedings remain allegations before the Federal Court, but the broader message is difficult to miss. Regulators are paying closer attention to how boards oversee operational exposure inside increasingly complex digital gambling businesses.

A risk-based audit approach follows exposure, not structure

One of the biggest mistakes operators make is treating audit coverage as evenly distributed administrative work.

Risk-based audit starts with the processes where failure can quickly become a customer harm issue, a regulatory breach or a licensing problem.

For many regulated operators, AML and safer gambling remain central priorities. But the scope is widening.

Payments need separate attention. Operators may rely on several providers, alternative payment methods or outsourced onboarding services. Audit should check whether deposits, withdrawals, customer identity and provider data can be matched clearly.

Affiliate traffic creates a different risk. A campaign can bring in customers who trigger AML or safer gambling indicators quickly. Audit should test whether traffic quality is reviewed and whether commercial teams are told when those risks appear.

Product launches create another issue. Compliance sign-off before launch is useful, but audit should also check what happens after the product is live: whether market-specific controls work, whether reporting remains accurate and whether incidents are escalated.

A risk-based audit programme reflects those realities instead of following a static annual checklist.

That often means prioritising customer due diligence and source-of-funds workflows, safer gambling reviews, payment and withdrawal monitoring, third-party oversight, affiliate controls, product release governance and management information quality.

The European Gaming and Betting Association’s AML guidance reflects how much attention the sector now places on sector-specific financial crime controls. EGBA noted that its members underwent around 30 AML audits in 2021 and submitted nearly 13,000 suspicious activity reports. The guidance is not binding across all operators or jurisdictions, but it illustrates how online gambling businesses are being pushed toward increasingly sophisticated, risk-based AML practices.

Independence matters, but so does operational understanding

Internal audit cannot work effectively from a distance.

The Institute of Internal Auditors’ Three Lines Model remains useful because it clarifies accountability across the business. Operational teams own day-to-day risk. Compliance and risk functions provide oversight and challenge. Internal audit delivers independent assurance.

In practice, however, the boundaries are rarely perfectly clean inside fast-growing gambling businesses.

Operational teams may assume compliance owns escalation decisions. Compliance teams may rely heavily on reporting generated by the same systems they are supposed to challenge. Audit functions can become too detached from live workflows and miss how teams actually handle exceptions.

Stronger audit functions spend time inside operational processes rather than reviewing policy libraries alone.

They examine how analysts make decisions during customer reviews. They assess whether exception handling is documented consistently. They test whether management reporting reflects operational reality or simply presents a cleaner version of it.

Industry discussion points to the same issue. In a HIPTHER discussion on the Three Lines of Defense, Andreea D., CIA, CRMA and Head of Internal Audit at Greentube, focused on the grey zones between risk, audit, compliance and operations. For iGaming operators, those grey zones often appear around AML escalation, customer reviews and responsible gambling decisions.

The issue is rarely a complete absence of accountability. More often, accountability becomes fragmented across teams until no one has a full picture.

What boards should really expect from internal audit

For leadership teams, the value of internal audit is not reassurance for its own sake.

A good audit should show where the organisation is losing control of detail before regulators, payment providers or commercial partners identify the weakness first.

The most useful audit findings are often not dramatic breaches. They are smaller signs of operational drift: manual workarounds becoming routine, escalation thresholds interpreted differently across markets, supplier oversight relying too heavily on self-reporting, or customer reviews being completed without enough supporting evidence.

Those are board-level business risks as much as compliance concerns.

They influence licensing resilience, banking and payments relationships, acquisition readiness and how confidently an operator can expand into new regulated markets. Investors and counterparties increasingly expect operators to show not only growth metrics, but evidence that operational oversight can keep pace with scale.

For operators growing across multiple jurisdictions, internal audit increasingly acts as a reality check against executive assumptions. It shows whether reporting lines still function, whether accountability is clear and whether management information is genuinely reliable.

That is why internal audit in iGaming has become more strategic than many boards once expected.

Not because regulators want more documentation, but because modern gambling businesses have become too complex to manage on assumptions alone.