TGTR refers to the process used to provide assurance to players and regulators that the games being used by online gambling sites are operated in an independent, fair and random manner. This ‘best in class process’ of verifiability was developed to ensure complete player confidence in operator practices and to increase confidence in the industry generally.

Players and regulators can identify those operators that have subscribed to the rigorous TGTR process by inspecting the online site for eCOGRA’s Fairness Certificates that display:

• Monthly payout percentage reports for slots, table games, poker games and all other games;
• Monthly poker card shuffling reports; and
• Bi-annual random number generator reports for blackjack, roulette and video poker.

Recognising the need to shift from traditional source code testing in the land-based environment, the TGTR process was developed to address the unique issues faced by a more complex online gaming environment. Rather than simply focusing on the source code or the output generated, as would be the case in a typical ‘output-based’ testing environment, TGTR is a risk-based process that requires the continuous review of the entire gaming system and environment, and is based on best practice audit principles.

The TGTR process has been continuously enhanced and refined over a period of eight years through input received from Big 4 accounting firms and leading software providers within the industry.

TGTR is a risk-based process and consist of four levels of assurance that are required to be demonstrated and successfully completed to provide enough comfort that games are operated in an independent, fair and random manner. The four levels of assurance that are completed during the TGTR process are explained further below:

i) Assurance Level 1 – Ensure reliance can be placed on the internal control environment in which the software is developed and changes are affected
Assurance Level 1 is concerned with ensuring that the internal control environment within which the gaming software is developed, implemented and maintained is continuously operated in a safe, secure and reliable manner, and in accordance with best practice. It aims to establish the level of reliance and comfort that can be placed on the output (gameplay results) that is generated by the gaming software.

Assurance is achieved by subjecting the internal control environment of the gambling software supplier to rigorous independent, annual, risk-based audits that focus on the adequacy of controls within the information security, business continuity and disaster recovery, change control and software development areas.

The formal audit process is based on comprehensive work programs to ensure the work is consistently performed and documented in accordance with the eGAP requirements. Findings are reported to the software supplier’s senior management, and 100% compliance is required in all areas before final submission to eCOGRA’s Seals Compliance Committee for approval. Further governance and independence to this process is achieved by the completion of an annual quality assurance review by KPMG.

For more information on the eGAP requirements applicable to software providers refer to www.ecogra.org/egap.

ii) Assurance Level 2 - Ensure that the data produced by the software has not been manipulated or corrupted
Assurance Level 2 is concerned with verifying that the data produced by the gaming software was not manipulated or corrupted in any way before being displayed to the player, and that all the data produced by the gaming software has been received by eCOGRA for analysis.

Assurance is achieved by subjecting the gaming and financial data generated by the gaming software to rigorous, independent, risk-based assessments such as trend analysis that focus on the integrity, completeness and consistency of the data.

Further comfort is achieved by ensuring a complete set of data was obtained by performing financial reconciliations between independent sources, and any resulting discrepancies would indicate possible tampering.

The correctness of financial data used in reconciliations is verified on a monthly basis during the completion of payout percentage reviews. Payout percentage reports are issued monthly to eCOGRA operators if all financial data reconciles.

Random number generator assessments are based on a formal RNG methodology and involves various recognised statistical tests that are performed on the gaming data.

For random number generator reports to be issued all financial data must reconcile and RNG tests performed must fall within the accepted ranges required for a pass.

Further assurance and independence to these processes is achieved by the completion of an annual quality assurance review by auditors KPMG on the RNG methodology, and the processes used in the calculation of payout percentages and the assessment of randomness of games.

iii) Assurance Level 3 – Ensure that reports published on the gaming websites have not been tampered with
Assurance Level 3 involves ensuring that once payout percentage and random number generator reports are issued, the published results cannot be manipulated.

Assurance is achieved through eCOGRA centrally controlling the publishing of reports on the relevant websites, preventing possible tampering of data before and after final publishing.

Further comfort to this process is achieved by reviewing published reports on a regular basis during the operator eGAP reviews.

iii) Assurance Level 4 – Ensure complete quality and independence of the process
Assurance Level 4 is a fundamental component necessary to validate the overall quality and correctness of the TGTR process and approach followed at each assurance level. eCOGRA’s governance structure allows for complete quality control and independent assessment through the use of auditors KPMG to perform annual quality assurance reviews.

KPMG, as a recognised international accounting firm, is appointed with the objective of ensuring that the governance structure, responsibilities, processes and approach implemented within eCOGRA’s Data Services, and Compliance and Advisory departments are in line with best practice and industry requirements, and comply with recognised audit practices and principles.

Yes, the eCOGRA teams directly involved in the eGAP reviews and data analysis process have been involved in this work, previously conducted by auditors PricewaterhouseCoopers, for a cumulative total of 18 years.

Data Services team
Manager: B.Com (Information Systems, Economics), CISA, 6 years online gaming industry experience, 15 years IT security and audit experience with PwC and financial institutions.
Staff: Data Warehouse specialist, 3 years industry experience, 20 years data management experience.

Compliance and Advisory Services team
Manager: B.Sc Hons (Information Systems), CISA, 7 years online gaming industry experience, 7 years IT security and audit experience with PwC.
Staff: B.Sc Hons Cum Laude (Computer Science), CISA, 2 years IT security and audit experience with PwC.

In order to further ensure the integrity of the process and data, eCOGRA has appointed audit firm KPMG in London to regularly review the following aspects of the TGTR work:

• the people and processes involved in performing the assessments and producing reports;
• the sufficiency of testing performed;
• the RNG methodology;
• the process followed to conduct and report on RNG reviews; and
• the process followed to conduct and report on payout reconciliations.

KPMG reports to eCOGRA’s independent directors: Bill Galston, OBE, retired Chief Inspector for the Gaming Board of Great Britain; newly appointed Bill Henbrey, former head of gaming services at leading international accounting firm BDO; Frank Catania, former Assistant Attorney General and Director of New Jersey Division of Gaming Enforcement; as well as Michael Hirst, OBE, a former board member of Ladbroke Group Plc, and formerly Chairman and CEO of Hilton International.

The results of eCOGRA's recent independent Global Online Gambler Survey involving 11,000 active players showed that 88 percent of players rate monthly payout percentage reports prepared by a reputable independent third party as important, and 91 percent of respondents rated RNG fairness reports as important.

New games do impact the testing process, and for this reason the software provider must notify eCOGRA of all new games released during the month. Failure to notify us will result in unreconciled differences in the data. All new games are incorporated into the monthly review process as we review all data and not just a sample of the data.

To appreciate the advantages of TGTR testing over third party source code testing, it is important to understand the two gambling environments where these testing approaches prevail i.e. land-based play and the online gaming environment.

Land-Based Play
In the traditional land-based casino environment, a single game is typically installed and hard coded onto a fixed device. In this case, the random number generator (RNG) and the machine form a single, integrated unit of hardware that is sealed from the outside world. In order to assess the fairness of a game, regulators or the independent testing agencies that are appointed, review the game’s source code to ensure it operates as specified. Upon approval, the source code and console are locked and certification is awarded. Once the software is reviewed and burned into the EPROM chip of the gaming unit, it cannot be physically changed. EPROM is a special type of memory that retains its contents until exposed to ultraviolet light.

After the game is certified, land-based game developers and software providers do not have access to the code unless an adjustment is required. This could include installing new graphics, or making changes in rules. Once the gaming machine is operational, changes to the games do not happen very often. In the event that an adjustment is required, the source code testing process would be performed again.

To minimise the chance that an operator could switch one EPROM chip for another, regulators have access to on-site surveillance cameras and officials from the Gaming Board and the testing agency should be present if the hardware is unsealed. In addition, regulators usually require casinos to keep detailed records for instances when gaming machines are opened.

By analysing the source code of the game in the land-based environment, regulators or the testing companies that they hire, can be confident that the game performs as specified. Source code testing has worked well in traditional gaming.

Online Gaming Environment
Online gaming is a much more complex and dynamic environment. In this industry, the player is the only one with control over the hardware on which the games are being played, typically the player’s personal computer. The gaming server, the computer that runs the game, is the most critical component in online gaming.

In addition to housing the RNG, the gaming server links into a highly sophisticated transaction processor and controller that routes the millions of messages coming into the system each minute. The server provides each message with a response, creates a complete record of all messages (in and out), and generates summary information – all in real time. As with companies such as Microsoft, Oracle and Sun, gaming software providers invest large sums to develop and refine their proprietary server products – their core competitive advantage in the online gaming industry. In fact, the gaming server is the culmination of the intellectual property that is their primary asset. It’s no secret that this information is closely guarded.

In the online gaming environment, software developers work constantly to improve the end user’s experience through speed and efficiencies, increase security and reduce maintenance costs by refining the servers. Unlike a traditional gaming machine, a network system has many more points of ongoing failure, which require constant monitoring and adjustments through regular system maintenance. This could include making upgrades to the system or games, installing a new security patch from an operating system vendor such as Microsoft or Sun, fixing a bug or restoring a network fault.

In the online gaming environment, technicians require access to the gaming server at all times. Because of the frequency of changes to the software in a live operating environment, source code testing, which verifies the software’s performance only at a single point in time, is simply not suited to online gaming.

Conclusion
TGTR verification is a solution for the online gaming industry that goes far beyond trying to simply match the security of a real-world slot machine. We recognise that it’s the fairness and randomness of the final outcome that is most important to the players, and the regulators who protect them.

TGTR is enacted in the eCOGRA review and certification process once there is adequate assurance that full source code testing, implementation, version and change control are in place with the necessary security controls at the software provider, and all have been operating properly for a reasonable period of time. eCOGRA requires a thorough ongoing review of the operating environment at the software provider and operator levels, and the controls and entire processes around the implementation and testing of changes to the software. This review ensures that the possibility of anything occurring which will adversely affect the output of the system is within acceptable limits.

An additional advantage that TGTR holds over source code testing is the appropriate assurance of fairness in slots games. While source code testing is able to confirm that an RNG is performing correctly, it is not able to confirm what the payout percentage of a particular game should be. A slots game with a payout percentage of 50 percent that passes the RNG source code test will hardly be considered fair by the players.

Overall, TGTR is a solution that allows for rapid advances in technology, reduces development and regulatory costs, provides for easier dispute mediation and is easily implemented using existing methods from the broader commercial world.

TGTR is an advanced form of output-based testing that prescribes to a controls-based approach which requires a continuous review of the entire gaming system rather than only the output generated by the system, as would be the case in a typical ‘output-based’ testing environment.