Clark Schaefer
Share this
IT Audit Guide for Ohio Sports Gaming: Rule 3775-16-20

IT Audit Guide for Ohio Sports Gaming: Rule 3775-16-20

The rundown
  • To help you prepare we have created this comprehensive guide on how sports gaming proprietors can comply with the requirements of Rule 3775-16-20.

Ohio Rule 3775-16-20 mandates that all sports gaming proprietors in the state must contract with an independent third party to perform an IT audit. This audit is crucial for ensuring the integrity, security, and compliance of the sports gaming system.

The cybersecurity team at Clark Schaefer Consulting is already assisting new sports books in completing these IT audits. To help you prepare we have created this comprehensive guide on how sports gaming proprietors can comply with the requirements of Rule 3775-16-20.

Selecting an Approved Independent Third Party:

The first step towards compliance is to select an independent third party that is approved by the executive director. The third party must be qualified, independent, and capable of performing the IT audit. It is essential to thoroughly evaluate potential auditors based on their expertise, experience, and reputation in conducting IT audits for the gaming industry.

Timing of Sports Gaming Audits:

According to the rule, an IT audit must be performed within ninety days of commencing initial operations and at least once each calendar year thereafter. Sports gaming proprietors must establish a schedule for conducting these audits to ensure they are completed within the required timeframe.

Scope of the Sports Gaming Audit:

The IT audit and corresponding report should assess several key areas:

a) Design, Controls, Maintenance, and Security of IT Systems:

The audit should evaluate the design, controls, maintenance, and security measures implemented by the sports gaming proprietor in their IT systems. This includes assessing network infrastructure, data storage, backup and recovery processes, user access controls, and cybersecurity protocols.

b) Compliance with IT and Sports Gaming System Requirements:

The audit must verify the sports gaming proprietor’s compliance with the IT and sports gaming system requirements outlined in Rule 3775-16-20. This involves reviewing whether the systems adhere to the prescribed technical standards, operational protocols, and data protection measures.

c) Other Requirements:

The executive director may specify additional subjects that need to be assessed during the audit. Sports gaming proprietors must be prepared to address any specific requirements communicated by the regulatory authority.

Engaging in the Audit Process:

Once the third-party auditor is selected, sports gaming proprietors should actively engage in the audit process. This involves providing the auditor with access to relevant systems, data, and documentation necessary for conducting a thorough assessment. Clear communication and collaboration between the sports gaming proprietor and the auditor are vital throughout the audit engagement.

Reviewing the Audit Report:

After the completion of the audit, the independent third party will provide a detailed report. Sports gaming proprietors must carefully review the report to understand the findings, recommendations, and any areas of non-compliance that need to be addressed. The report should be comprehensive, highlighting both strengths and weaknesses in the IT systems and compliance processes.

Addressing Findings and Recommendations:

If any deficiencies or non-compliance issues are identified in the audit report, sports gaming proprietors must take prompt action to rectify them. This may involve implementing improved controls, enhancing security measures, updating policies and procedures, or making necessary system modifications. It is crucial to document the remediation steps taken to address the identified issues.

Ongoing Compliance:

Compliance with Rule 3775-16-20 is an ongoing requirement. Sports gaming proprietors should establish a culture of continuous monitoring, periodic self-assessment, and proactive risk management to ensure ongoing compliance with IT and sports gaming system requirements. Regularly reviewing and updating internal controls, security measures, and IT policies is essential to mitigate risks and maintain compliance.

Complying with Ohio Rule 3775-16-20 is essential for sports gaming proprietors to operate within the state’s regulatory framework and maintain the security and integrity of their IT systems. Our cybersecurity team has the experience and expertise to complete your IT audit now and provide you with the continuing audits that you will need to stay in compliance.



We specialize in providing top-notch, enterprise-level cybersecurity solutions designed to protect your critical business data and digital assets.

Expert Contributors

Tom Armstrong

Senior Manager
Tom is specialized in the identification, assessment, mitigation and prioritization of risks and internal controls for a wide range of business cycles, information systems and corporate governance.
You may also like