WILLEMSTAD – A comprehensive audit by the Algemene Rekenkamer Curaçao has revealed significant weaknesses in the IT systems of the Curaçao Landsloterij (Lottery), raising concerns about the reliability of financial and operational data over a period of several years.
The report, titled , examined the automated environment supporting the national lottery, focusing on the lot registration system and the financial system between 2010 and 2017, with a follow-up assessment of improvements made by 2020.
The findings paint a picture of an organization that, for years, operated without adequate IT governance, formal procedures, or sufficient safeguards to guarantee the integrity of its data.
At the core of the audit is the conclusion that the Landsloterij did not have an established information security policy during the entire period under review. As a result, the systems responsible for recording lottery ticket sales, processing financial data, and supporting reporting lacked the foundational controls necessary to ensure accuracy and completeness.
The lot registration system, which tracks critical data such as sold tickets, winning numbers, and payouts across Curaçao and other Caribbean territories, was found to have serious deficiencies in its general IT controls. These controls—known as ITGC—are essential for ensuring that automated systems function properly. Without them, even well-designed application-level controls cannot be relied upon.
The audit found that key processes such as incident management, change management, access control, and backup procedures were either informal, incomplete, or entirely undocumented. For example, there was no formal procedure for reporting and resolving system incidents, meaning disruptions could go unrecorded and unresolved. Changes to the system were not consistently documented or tested, creating risks that errors or vulnerabilities could be introduced without detection.
Access management posed another major concern. The Landsloterij lacked a formal authorization structure, increasing the risk that employees had access to functions beyond what was necessary for their roles. In some cases, administrative privileges could override internal controls, while system activities could not always be traced back to individual users. Password policies were weak, and inactive accounts were not consistently disabled.
Equally troubling was the absence of formal backup and recovery procedures. Although backups were being made, there was no documented policy outlining how often they should occur or how they should be tested. This created a risk that, in the event of a system failure, critical data could be lost or unrecoverable.
The audit also highlighted risks related to physical security. The lottery’s server infrastructure was hosted externally, but no formal agreements were in place to ensure that the data center met required security standards. As a result, auditors could not verify whether access to the servers was properly controlled.
Despite these weaknesses in general IT controls, the audit found that application-level controls—mechanisms built into the system to ensure correct data processing—were generally adequate. However, because these controls depend on a secure and well-managed IT environment, their effectiveness could not be guaranteed.
This combination of factors led the Rekenkamer to conclude that there was no assurance that data processed by the lot registration system between 2010 and 2017 was accurate, complete, or timely. As a result, additional audit work was required to validate the Landsloterij’s financial statements during those years.
The financial system presented a different challenge. Due to missing documentation and the passage of time, auditors were unable to assess the effectiveness of controls for the same period. However, a review conducted in March 2020 found that key controls—such as access management and input validation—were functioning adequately at that point.
The report also reveals that the two systems—the lot registration system and the financial system—were not integrated. Data from the lottery system had to be manually entered into the financial system, increasing the risk of human error and inconsistencies in reporting.
Financial figures included in the report show that the Landsloterij generated between NAf. 24 million and NAf. 27 million annually during the review period, with approximately 45 percent of revenue paid out in prizes. This underscores the importance of reliable systems, given the scale of operations and the financial flows involved.
In response to earlier findings by auditors, the Landsloterij began implementing improvements in 2019. By 2020, the organization had introduced an information security policy and taken steps to formalize procedures for incident handling, system changes, access control, and backups. According to the Rekenkamer, all sixteen recommendations from previous IT audits had been addressed, although some still required further development into formal procedures.
The current state of the systems, as of 2020, is described as adequate in terms of design and existence of controls. However, the Rekenkamer emphasizes that the actual operation of these controls must still be tested in future audits to ensure they function effectively in practice.
The report recommends that the Minister of Finance ensure continued enforcement of the new information security framework, complete the formalization of procedures, and require the Landsloterij to report every two years on the quality of its IT control environment.
The findings highlight broader concerns about governance and oversight within state-owned entities, particularly in areas where technology plays a central role in financial accountability.