System & Compliance Audits

MGA Systems and Compliance Audits

Operators licensed by the MGA are required to appoint an approved Audit Service Provider of their choice, on free commercial terms, when a review of their operations is requested by the Authority.


The review can be one of the following types:

  • Systems Audit, which is carried out as part of the MGA licensee on-boarding process or when deemed necessary by the MGA; and
  • Compliance Audit of licensed operators, which is carried out throughout the licensed period as required by the MGA.


Such audits can be beneficial to licensees by:

  • Reducing legal risks and avoiding future costs
  • Building trust with your customer base
  • Helping to identify deficiencies
  • Engaging with your employees


BDO is approved by the MGA as a system and compliance auditor and is able to conduct both system and compliance audits when they are requested by the Malta Gaming Authority. We are also able to carry out mock audits to help licensed operators prepare for such reviews.


MDIA/MFSA Systems Audits

To obtain a Malta Financial Services Authority (MFSA) licence for VFA service offerings such as exchanges, or to register ICOs, the MFSA requires a system audit under the Malta Digital Innovation Authority (MDIA) guidelines, which focus on five key principles:

1. Security – The system must be protected and completely secure from unauthorised access (both physical and logical).

2. Availability – The system is available for operational use as committed and/or agreed.

3. Processing Integrity – The system processing is complete, accurate, timely, and authorised.

4. Confidentiality – The system will protect any information or data that is designated as confidential.

5. Privacy – The system will collect, use, retain, disclose, or dispose of personal information in full conformity with the commitments in the organisation's privacy notice.


The audit can be categorised into two different sets:

  • Type I
    • Carried out on a certain and specified date and takes an in-depth look at the control design.
    • Typically carried out when an ITA is in the process of applying to be certified by the Authority, or when deemed necessary by the Authority or other Lead Authority in Malta.
  • Type II
    • Carried out over a certain period of time, usually six months. The focus of this Type is to ascertain the operational effectiveness of the controls that are in place.
    • Carried out periodically during the operational lifetime of an ITA, or on the request of the Authority or other Lead Authority in Malta (e.g. MFSA).
