JOnline: Information Assurance—Online Lottery Systems 

Download Article

Online Lottery Emerging as a Large Industry

Playing a gamble is inherent to human nature. Most people enjoy playing games that have an element of risk and reward. Online lottery is one such industry that not only provides gaming entertainment but also brings forth the gambling instincts of human nature. The lure of winning a great deal of money drives the sales of lottery tickets across the world. The first modern-day lottery was launched in 1964 in New Hampshire (USA). It was quickly followed by New York (USA) in 1967 and New Jersey (USA) in 1971. Since that time, the industry has grown at a staggering pace. In the US alone, tickets are sold at 180,100 locations. It is estimated that in a few years there will be about one million point-of-sale (POS) lottery terminals in India. Further, the largest online lottery service provider in India sells 26 million lottery tickets a day.

ImageControlling and Monitoring Challenges

The online lottery business is IT-dependent and vulnerable to frauds and common information security threats. The challenge is protecting against lottery frauds, including identity misuse, forged/duplicate tickets, fake lottery programs, terrorist attacks on state-run lotteries, fake retail terminals, illegal betting, denial of service and manipulation of management information systems (MIS). The complexity in controlling and monitoring increases manifold as the key business process pertains to selling of lottery tickets and prize payout for winning tickets through POS terminals across a wide geographical spread. The POS terminals exchange data with the main servers using varied connectivity options, including VSAT, GPRS, CDMA, leased lines and dialup connections. Figure 1 illustrates the flow of data.

Understanding the Online Lottery System

It is imperative to understand the functioning of an online lottery system and how the lottery is played before designing an assurance program. First, a player approaches the POS terminal for purchasing the online lottery ticket. The player, upon making the payment for purchase of ticket, is given a play slip upon which he/she marks a choice of numbers. Then, the retailer inserts the play slip into the hopper of the POS terminal and a lottery ticket is printed. The lottery ticket contains the date and time of purchase, serial number, scheme of selected numbers, etc. In the background, before the lottery ticket is printed, the POS terminal exchanges transaction data with the server.

By far, the most famous and widely played online lottery game across several countries is the Lotto game in which players pick three, six or seven numbers from a possible choice of one to 49 on a playslip. Draws take place on designated days of a week, and prizes depend on how many numbers a player matches. The odds of winning a jackpot are typically one in 13,983,816 for a Lotto game. There are several variants to the Lotto game, such as Derby and Cards, which have similar game design features. The typical functioning of a lottery operation is shown in figure 2.

ImageThe information and related technology components of an online lottery system are the POS terminals, which are composed of a computer connected to a central server that receives, registers and acknowledges lottery ticket information, production monitoring consoles, management information servers, workstations, central routers, firewalls, wide area network including a virtual private network, and the draw POS Terminals machines through which the winning numbers are drawn.

Designing an Information Assurance Program for the Online Lottery System

An effective information assurance program plays a vital role in protecting the information assets of an online lottery system. The objectives of the program should be to ensure confidentiality, integrity and availability of information pertaining to the online lottery operations. The critical pieces of information that need protection from modification and disclosure are the sales data, transaction IDs, bet files, draw files, winners list, other transaction files, audit logs, management information reports, draw and game master files, and the source code of the application. In addition to the information security objectives, the assurance program should aim to accomplish the business goals of transparency, fairness, customer-friendliness and efficiency.

In designing the program, the audit team should consider the various threat models to the online lottery system. This will provide a sound basis for undertaking the detailed substantive audit at a later stage.

A detailed overview of the key components of an assurance program is provided in figure 3.


During the design and implementation of the assurance program, the Control Objectives for Information and related Technology (COBIT) framework can play a significant role, particularly the control objectives relating to monitoring and evaluating. In COBIT 4.0, these include:

  • Monitor and evaluate IT performance (ME1)
  • Monitor and evaluate internal control (ME2)
  • Ensure regulatory compliance (ME3)

The corresponding control objectives in COBIT 3rd Edition are:

  • Monitor the processes (M1)
  • Assess internal control adequacy (M2)
  • Provide for independent audit (M4)


The effective design and implementation of assurance programs in the online lottery industry will be crucial in determining the future growth of the industry, given the increase in lottery frauds and security breaches.

Huzeifa Unwala, CISA, FCA
is a partner at Haribhakti & Co., Chartered Accountants, a leading audit firm in India. Haribhakti & Co. is an affiliate of Moores Rowland International, which is ranked amongst the top 10 accounting groupings globally. The views expressed in this article are the personal views of the author and not necessarily the views of the firm or the professional bodies of which he is a member.

Information Systems Control Journal, formerly the IS Audit & Control Journal, is published by the ISACA. Membership in the association, a voluntary organization of persons interested in information systems (IS) auditing, control and security, entitles one to receive an annual subscription to the Information Systems Control Journal.

Opinions expressed in the Information Systems Control Journal represent the views of the authors and advertisers. They may differ from policies and official statements of the Information Systems Audit and Control Association and/or the IT Governance Institute® and their committees, and from opinions endorsed by authors' employers, or the editors of this Journal. Information Systems Control Journal does not attest to the originality of authors' content.

Instructors are permitted to photocopy isolated articles for noncommercial classroom use without fee. For other copying, reprint or republication, permission must be obtained in writing from the association. Where necessary, permission is granted by the copyright owners for those registered with the Copyright Clearance Center (CCC), 27 Congress St., Salem, Mass. 01970, to photocopy articles owned by the Information Systems Audit and Control Association Inc., for a flat fee of US $2.50 per article plus 25¢ per page. Send payment to the CCC stating the ISSN (1526-7407), date, volume, and first and last page number of each article. Copying for other than personal use or internal reference, or of articles or columns not owned by the association without express permission of the association or the copyright owner is expressly prohibited.