Compliance and Systems Audits Service Provider Framework

The current Compliance and Systems Audits Service Provider Framework has expired on 14th September 2017. It is the Malta Gaming Authority’s (MGA) intention to move towards a process whereby Service Providers interested in performing Compliance and/or Systems Audits may apply to the MGA for their suitability to be assessed and approved. Operators licensed by the MGA will then be in a position to engage any approved Service Provider of their choice, on free commercial terms (referred to hereinafter as the ‘new regime’).

The scope of the new regime is to engage qualified persons or companies to carry out the following services required by the MGA:

  • Systems Audit, which is carried out as part of the MGA licensee onboarding process or when deemed necessary by the MGA;
  • Compliance Audit of licensed operators, which is carried out throughout the licensed period as required by the MGA.

In order to safeguard and maintain quality of service, it is the MGA’s intention to approve Service Providers that can provide the following information and meet criteria as set below:

      List of all personnel and competencies:

  • Professional capabilities of each member of the team (IT Audit and Financial qualifications);
  • Detailed CV of each applicant.


  • Demonstrate capability of understanding and meeting the needs of the MGA;
  • Provide a general description of operations including any experience in the gaming industry;
  • Describe approach/methodology the Service Provider proposes to adopt in carrying out the reviews;
  • Provide an assessment of conflict of interest.

Sub-contracting any part of the services being requested as part of this new regime is not allowed.

The MGA will review Compliance and/or Systems Audit reports on a regular basis in order to ensure that the service provided meets the quality standards required by the Authority. In addition, the MGA shall be conducting quarterly quality reviews on all Service Providers, through its Quality Assurance team. Such reviews will include an overall assessment of the performance of Service Providers, together with the requirement to submit documentation and evidence collected whilst conducting the reviews.

Based on its findings, the MGA reserves the right to have the appropriate mechanism to remove or suspend any Service Provider from the approved list in case of unsatisfactory performance.

Upon commencement of the new regime, the MGA shall offer the approved Service Providers access to the online Licensee Relationship Management System, and provide required training where necessary, to be able to submit audit reports and other relevant deliverables using the aforementioned system. This reporting mechanism shall be mandatory. The MGA reserves the right to amend this mechanism from time to time and include any additional procedures and requirements as may be deemed necessary.

Prior to any Audit, the approved Service Providers need to submit to the MGA a letter declaring that they are free from any conflicts with the licensees or prospective applicants. Following completion, the approved Service Provider is required to provide the MGA with the following deliverables when submitting their report:

  • Duly completed checklist for the Compliance or Systems Audit, whichever is applicable;
  • A red flag report, including but not limited to, the summary of key findings and a detailed description of each of the findings, in addition to the implications of such findings, if any, remedial action that needs be taken by the licence holder and/or action to be taken by the MGA;
  • Upon request from the MGA, any evidence to sustain the findings;
  • Any other documentation which may be requested by the MGA.

The MGA intends to apply the new regime as of 2nd April 2018, in order to allow for a sufficient transitory period for all involved. Proposals from interested Service Providers will be accepted as from 1st January 2018 using the appropriate application forms to be published in due course.

The approval will be valid for two (2) years, following which, decision by the MGA to extend, review or remove this new regime will be taken.

You are kindly requested to contact the Authority on [email protected] should you have any further queries.

Skip to content