How to Prepare for an MGA Security Audit: The Complete Operator Checklist

MGA security audits catch operators unprepared for one of three reasons: they don't know what's required, they know but haven't documented their controls, or they've documented controls that don't exist in practice. This guide addresses all three — with the exact evidence an MGA inspector will request and the common gaps that delay licence renewal.

Most MGA audit failures are documentation failures, not security failures.

What MGA Inspectors Look For

  • Information security policy: documented, board-approved, reviewed in the last 12 months
  • Risk assessment: formal methodology, current risk register with mitigations
  • Penetration testing evidence: who conducted it, when, what was found, what was remediated
  • Incident register: all security incidents in the last 12 months, classified by severity
  • Third-party risk register: all ICT vendors listed, assessed, with contractual security obligations
  • Access control documentation: who has access to what, review cadence, offboarding procedures
  • Business continuity / disaster recovery plan: tested, documented, current
  • GDPR breach register: any incidents reported to IDPC, outcome recorded

The Three Most Common Audit Failure Points

  1. Penetration testing conducted by internal staff: MGA requires independent third-party testing
  2. Third-party risk register incomplete: missing payment processors, game studios, or KYC providers
  3. Incident register absent: operators who haven't maintained a rolling 12-month log

Frequently Asked Questions

How far in advance should we start audit preparation?

Six months minimum for first-time audits. Three months for renewal if your programme is well-maintained. The penetration test alone takes 4–6 weeks from scoping to final report.

Can Kyanite Blue produce audit-ready documentation?

Yes. Our Collective IP managed service includes MGA compliance documentation as a standard deliverable — risk registers, security policies, penetration test summaries, and evidence packs formatted for MGA submission.

Get your MGA audit documentation ready

Kyanite Blue specialises in cybersecurity for iGaming operators. MGA-licensed operators across Malta trust our stack.
