
IT Audit Guide for Ohio Sports Gaming: Rule 3775-16-20

July 26, 2023


Ohio Rule 3775-16-20 mandates that all sports gaming proprietors in the state must contract with an independent third party to perform an IT audit. This audit is crucial for ensuring the integrity, security, and compliance of the sports gaming system.

The cybersecurity team at Clark Schaefer Consulting is already assisting new sports books in completing these IT audits. To help you prepare, we have created this comprehensive guide on how sports gaming proprietors can comply with the requirements of Rule 3775-16-20.

Selecting an Approved Independent Third Party:

The first step towards compliance is to select an independent third party that is approved by the executive director. The third party must be qualified, independent, and capable of performing the IT audit. It is essential to thoroughly evaluate potential auditors based on their expertise, experience, and reputation in conducting IT audits for the gaming industry.

Timing of Sports Gaming Audits:

According to the rule, an IT audit must be performed within ninety days of commencing initial operations and at least once each calendar year thereafter. Sports gaming proprietors must establish a schedule for conducting these audits to ensure they are completed within the required timeframe.

Scope of the Sports Gaming Audit:

The IT audit and corresponding report should assess several key areas:

a) Design, Controls, Maintenance, and Security of IT Systems:

The audit should evaluate the design, controls, maintenance, and security measures implemented by the sports gaming proprietor in their IT systems. This includes assessing network infrastructure, data storage, backup and recovery processes, user access controls, and cybersecurity protocols.

b) Compliance with IT and Sports Gaming System Requirements:

The audit must verify the sports gaming proprietor’s compliance with the IT and sports gaming system requirements outlined in Rule 3775-16-20. This involves reviewing whether the systems adhere to the prescribed technical standards, operational protocols, and data protection measures.

c) Other Requirements:

The executive director may specify additional subjects that need to be assessed during the audit. Sports gaming proprietors must be prepared to address any specific requirements communicated by the regulatory authority.

Engaging in the Audit Process:

Once the third-party auditor is selected, sports gaming proprietors should actively engage in the audit process. This involves providing the auditor with access to relevant systems, data, and documentation necessary for conducting a thorough assessment. Clear communication and collaboration between the sports gaming proprietor and the auditor are vital throughout the audit engagement.

Reviewing the Audit Report:

After the completion of the audit, the independent third party will provide a detailed report. Sports gaming proprietors must carefully review the report to understand the findings, recommendations, and any areas of non-compliance that need to be addressed. The report should be comprehensive, highlighting both strengths and weaknesses in the IT systems and compliance processes.

Addressing Findings and Recommendations:

If any deficiencies or non-compliance issues are identified in the audit report, sports gaming proprietors must take prompt action to rectify them. This may involve implementing improved controls, enhancing security measures, updating policies and procedures, or making necessary system modifications. It is crucial to document the remediation steps taken to address the identified issues.

Ongoing Compliance:

Compliance with Rule 3775-16-20 is an ongoing requirement. Sports gaming proprietors should establish a culture of continuous monitoring, periodic self-assessment, and proactive risk management to ensure ongoing compliance with IT and sports gaming system requirements. Regularly reviewing and updating internal controls, security measures, and IT policies is essential to mitigate risks and maintain compliance.

Complying with Ohio Rule 3775-16-20 is essential for sports gaming proprietors to operate within the state’s regulatory framework and maintain the security and integrity of their IT systems. The cybersecurity team at Clark Schaefer Consulting has the experience and expertise to complete your IT audit now and provide you with the continuing audits that you will need to stay in compliance.

All content provided in this article is for informational purposes only. Matters discussed in this article are subject to change. For up-to-date information on this subject please contact a Clark Schaefer Hackett professional. Clark Schaefer Hackett will not be held responsible for any claim, loss, damage or inconvenience caused as a result of any information within these pages or any information accessed through this site.

