General Management Standards
GENERAL MANAGEMENT OPERATING STANDARDS
The basis for totalisator internal controls is the management control system required and used by the company over all its totalisator operations. Therefore, documentation of its management philosophy recognizing the importance of general computer controls is required. This management control philosophy must include formal written procedures for totalisator operations and documentation that these procedures are being followed. Following is an outline of the management procedures and documentation needed by a totalisator company to fulfill minimum organizational internal control requirements.
I. Personnel
A. The totalisator company must provide necessary personnel to perform the duties described in these Standards. The totalisator company may use job titles that are different from those listed throughout this document. However, the totalisator company must employ a sufficient number of personnel to ensure an adequate segregation of duties between the personnel performing the manager, programmer, operator, and technician duties.
B. The totalisator company has job descriptions along with experience, education, and organization training requirements for all of the following totalisator positions:
1. Programmers / Software Engineers
2. Systems Analysts
3. Operators
4. Technicians
5. Managers
C. The totalisator company has procedures and documentation that show the verification of totalisator position applicants' experience and education as indicated on their job applications.
D. The totalisator company has a policy of mandatory time away from the job for totalisator personnel or that management is made aware of individuals who have not taken time away from the job.
E. The totalisator company has a policy requiring continuous training for its totalisator personnel and documentation to support compliance to that policy.
F. The totalisator company must designate an individual to act as a point of contact for communications between the Racing Commission and the totalisator company.
II. Programming
Programmers must have written procedure manuals that outline structured programming methods used by the totalisator company. The manual must give the programmer sufficient information to understand the programming methodologies, base operating systems, and maintenance procedures.
III. New Totalisator System Development or Major Changes to Existing Systems
The adequacy and effectiveness of controls in computer systems begin with methods and procedures used during system and program design, development, and modification. Proper controls over these processes help make sure that systems are made to meet user requirements, are documented and tested, and contain proper controls. The totalisator company must have a written Systems Development Life Cycle (SDLC) requiring sign-offs at pertinent checkpoints. The SDLC must include the following or a Commission approved variation:
A. Written request for systems design or major changes and a method for handling and recording these requests. (Requests may come from users or EDP staff who see opportunities for greater efficiencies.)
B. Feasibility study stage.
C. General systems design stage.
D. Detailed systems specification.
E. Program testing.
F. System testing.
G. Conversion.
H. Systems acceptance by the totalisator company.
IV. Minor Program Changes or Development
Regardless of the size of the modification, procedures must be in place to manage all program changes. Controls must be established to prevent unauthorized and potentially inaccurate program changes from being incorporated into the production environment. Both scheduled and emergency changes need to be regulated so the integrity of the computer system can be relied upon. At a minimum, totalisator companies must comply with the following practices:
A. Computer programs may be revised only after receiving a written request from the defined user. The request must be on a change request form which is sequentially numbered and accounted for.
B. Program changes must be developed, tested, and compiled only in a test environment. The test environment must not be connected to an on-line totalisator network.
C. All program changes must be thoroughly tested before being placed in production.
D. All program changes must be reviewed and approved by a totalisator company supervisor prior to being placed into production.
E. The association and the Racing Commission must be made aware of and approve, in writing, any program change before placing the program change into production. No transfer of data from the test to the production environment is allowed without this written approval.
F. Programmers must not have physical access to the totalisator room nor electronic access to the production environment without prior Commission
approval.
V. Totalisator Operations
Totalisator operators must have written operations manuals maintained with each totalisator system. Procedures contained in these manuals must clarify the authority, duties, responsibilities and lines of communication for totalisator operators and managers. The operations manual must contain enough detail to ensure totalisator personnel perform their job duties effectively. The operations manual must include the duties listed in the Personnel Section and at least the following:
A. Clearly defined restrictions for totalisator room access.
B. General block diagrams of program options (menu tree) available to operators.
C. A glossary for terms used in generated reports including formulas for calculating the displayed results.
D. The relationship, if any, between information contained in generated reports.
E. Start-up and shutdown procedures.
F. General operating procedures.
G. Restart and recovery procedures.
H. Emergency procedures including a list of individuals to notify if a system requires an emergency modification.