Compliance Audit Manual - Malta Gaming Authority

1y ago
24 Views
2 Downloads
940.03 KB
40 Pages
Last View : 2d ago
Last Download : 2m ago
Upload by : Asher Boatman
Transcription

Compliance Audit Manual

MGA/G/001 V1 08/2018DisclaimerThis manual is designed to assist auditors in performing and documenting the major considerationswhen performing a compliance review in terms of the Gaming Act (Cap. 583 of the Laws of Malta) onbehalf of the Malta Gaming Authority (hereinafter the ‘Authority’).This manual is not exhaustive of all the checks and procedures that shall be performed. Auditors shallutilise this manual in light of their professional judgement and the facts and circumstances involvedin the setup of each particular licensee. Auditors are required to maintain their professionalscepticism and develop other procedures to address the risks associated with the particular licence,in line with professional standards.To this end, auditors are expected to perform additional tests as necessary to address identified risksand to comply with the following: the Gaming Act (Cap. 583 of the Laws of Malta); the Authorisation Regulations, Commercial Communications Regulations, Compliance andEnforcement Regulations, Definitions Regulations, Gaming Licence Fees Regulations, GamingTax Regulations, Player Protection Regulations and Premises Regulations; the Authorisations and Compliance Directive and the Player Protection Directive; the Companies Act (Cap. 386 of the Laws of Malta); the Prevention of Money Laundering Act (Cap. 373 of the Laws of Malta); the Prevention of Money Laundering and Funding of Terrorism Regulations (S.L. 373.01); the FIAU’s Implementing Procedures (as updated from time to time) issued in terms ofRegulation 17 of the Prevention of Money Laundering and Funding of Terrorism Regulations; taxation legislation; and any other applicable laws, regulations, directives, guidelines or standards or any otherdocument which may be applicable from time to time.Notwithstanding the above, the procedures defined in this manual are mandatory and need to becompleted for each compliance review.The Authority may from time to time amend the manual and include any additional procedures and/orrequirements as it may deem necessary. Furthermore, the Authority may provide additional guidanceas to any other specific measures that the auditors shall be required to undertake.PublicPage 2 of 40

MGA/G/001 V1 08/2018AbbreviationsThe following is a list of abbreviations used throughout this MSEEAEUFIAUKYCMFSAMGAMLROPCI DSSPPDPPRRNGRTPT&CsUPSPublicFull NameAuthorisations and Compliance DirectiveAnti-Money LaunderingApplication SoftwareAuthorisations ommercial Communications RegulationsClosed-Circuit TelevisionCompliance and Enforcement RegulationsDocument Management SystemEuropean Economic AreaEuropean UnionFinancial Intelligence Analysis UnitKnow Your ClientMalta Financial Services AuthorityMalta Gaming AuthorityMoney Laundering Reporting OfficerPayment Card Industry Data Security StandardPlayer Protection DirectivePlayer Protection RegulationsRandom Number GeneratorReturn to PlayerTerms and ConditionsUninterruptible Power SupplyPage 3 of 40

MGA/G/001 V1 08/2018Contents123456Standing Information . 61.1Entity Changes. 61.2Licensee Information . 61.3Previous Findings and Follow-up . 7Human Resources . 82.1Company Structure . 82.2Corporate Group Licence Checks . 82.3Key Persons . 8Financial Analysis . 103.1Player Funds . 103.2Tax . 103.3Financials . 11Information Technology . 134.1System Access Control Policy . 134.2Information Security Policy . 134.3Incident Response Policy . 144.4Change Management Procedure . 154.5Business Partners . 154.6Business Continuity and Disaster Recovery . 164.7Backup Procedure . 174.8System Architecture . 174.9Application Architecture . 184.10Network Infrastructure . 19Gaming Operation. 205.1User Management Policy . 205.2RNG . 205.3Gaming System and Related Procedures . 215.4Back-Office (For B2Cs and B2Bs offering back-office to B2Cs) . 21B2C Checks . 246.1Player Complaints . 246.2Commercial Communications . 246.3Websites/Apps . 256.4Terms and Conditions . 266.5Games’ Rules . 276.6Players’ Accounts . 27PublicPage 4 of 40

MGA/G/001 V1 08/201876.7Player Protection. 286.8Protections of Minors & Vulnerable People . 296.9Problem Gambling . 306.10Player Exclusion . 306.11Limits . 316.12Reality Check . 326.13Games . 326.14Type 2 Checks. 336.15Type 3 Checks. 346.16Type 4 Checks. 346.17KYC . 356.18Funds Management . 376.19AML . 37B2B Checks . 40PublicPage 5 of 40

MGA/G/001 V1 08/20181 Standing Information1.1Entity ChangesNameChecks1.1.1 Notification ofChangesWhen performing the onsite visit and checks, list down instanceswhereby there were changes implemented by the Licensee which havenot been notified to the Authority as required by Regulations 36 and 37of the Authorisations and Compliance Directive.1.1.2 Certificate ofIncorporationObtain the Licensee’s Certificate of incorporation and perform MFSAsearch for any statutory changes.1.1.3 Company’s MainObjectivesIdentify whether the company’s main objectives included in theMemorandum and Article of Association were changed. If so, indicatethe changes.1.1.4 Additional FindingsList down any additional findings.1.2Licensee InformationNameChecks1.2.1 Licence InformationSheetDetermine whether the MGA is holding the latest information regardingthe following items. List down any discrepancies noted.1) Registered address;2) Operating address;3) Public telephone number (to be published on the MGA'swebsite);4) Entity telephone number;5) Key Persons contact details (email address, mobile phonenumber and office telephone number);6) Board of Directors;7) Qualifying Ultimate Beneficial Owner(s);8) Consultant (if applicable);9) Website(s) operated by the Licensee;10) Details of bank guarantee (if applicable);11) Players bank account(s) number(s) and name of creditinstitution(s);12) Financial / Payment Institutions names and accounts;13) Operating bank account(s) number(s) and name of creditinstitution(s);14) B2B suppliers (if applicable);15) Backend/Back-Office/Control system;16) Gaming Hardware owner (managing the gaming controlsystem);PublicPage 6 of 40

MGA/G/001 V1 08/201817) Co-location/Hosting supplier(s);18) Number of employees;19) Licences from foreign jurisdiction.1.3Previous Findings and Follow-upNameChecks1.3.1 Licence ConditionsDetermine whether licence conditions were rectified.1.3.2 System AuditsDetermine whether issues noted in previous System Audits wererectified.1.3.3 Compliance AuditsDetermine whether issues noted in previous Compliance Audits wererectified.PublicPage 7 of 40

MGA/G/001 V1 08/20182 Human Resources2.1Company StructureNameChecks2.1.1 Human ResourcesRoles & ResponsibilitiesObtain a copy of the Human Resources Roles & Responsibilitiesdocument from Licensee and determine whether the MGA has thelatest copy.2.1.2 Human ResourcesRoles & ResponsibilitiesAdherenceExamine the company’s adherence to its Human Resources Roles &Responsibilities document and list down any discrepancies noted.2.2Corporate Group Licence ChecksNameChecks2.2.1 Corporate GroupChartObtain a copy of the corporate group chart. Indicate whether the MGAis in possession of the latest copy and indicate any discrepancies.2.2.2 Parent Entity ControlCheck that the parent entity exercises control to the extent of over 90%over other bodies within the same corporate group as per Gaming Act.2.2.3 B2B ObligationsIf the Corporate Group is offering services to other operators licencedby the MGA that do not fall under the said group, check that the Groupis in possession of a valid B2B licence.2.3Key PersonsNameChecks2.3.1 Key PersonsObtain and submit a list of Key Persons.2.3.2 Key FunctionsIndicate whether all Key Functions roles are occupied and assigned.2.3.3 Key PersonsContractsCheck that the duties of Key Persons are in line with their level ofauthority by examining a sufficiently large sample of contracts of KeyPersons.2.3.4 Key PersonsSupervisory RoleDetermine whether the Key Persons are indeed performing supervisoryroles in the operations of the Licensee.This can be seen through signatories on files, correspondence, access tothe front end / back end of the gaming system, capability of extractinggaming reports and monthly gaming / tax reports to be submitted tothe MGA, incident reporting, correspondence on complaints, etc.PublicPage 8 of 40

MGA/G/001 V1 08/20182.3.5 Additional FindingsPublicList down any additional findings.Page 9 of 40

MGA/G/001 V1 08/20183 Financial Analysis3.1Player FundsNameChecks3.1.1 AccountsDeclarationsCheck that all Player Funds Accounts are covered by declarations. TheDeclarations shall state that:1. The account is a player funds account;2. The institution will, upon request, disclose to the MGA anyinformation that is required relating to accounts holding playerfunds.3.1.2 Player Funds BalanceThe player funds account balance, including funds in transit or in theprocess of being cleared, shall at any time be at least equal to theaggregate of the amount standing to the credit of players’ accounts.Check that this is being adhered to.3.1.3 Player Funds BalanceBy taking a random sample of at least 3 Monthly Player Funds reports,determine whether the player funds account balance constitutes atleast 90% of the funds required by the Licensee to cover player funds,with the remaining balance covered by funds in transit (i.e. paymentgateways).3.1.4 Sufficient FundsBy taking a random sample of at least 3 Monthly Player Funds reports,determine whether the Licensee has sufficient funds to cover playerliabilities (and jackpots if applicable).3.1.5 JackpotsIndicate whether the Licensee is providing jackpots to players and if so,determine whether the jackpot is declared in the Monthly Player Funds.3.1.6 Information DeclaredCheck that all players’ bank accounts, financial/payment institutionsand payment gateways in use are declared to the MGA via the MonthlyPlayer Funds Reports.3.1.7 Reconciliation ofmonthly managementreportsTake a random sample of at least 3 Monthly Player Funds and, it/financial/payment institution statements, check whether theinformation declared to the MGA is accurate. This shall also take intoaccount any jackpot funds if applicable.3.2TaxNameChecks3.2.1 Gaming Tax, Licenceand ComplianceContributionsObtain a random sample of, at least, 3 Monthly Gaming RevenueDeclaration Forms and verify that the:a. Gaming tax due calculation is correct as per Part II of theGaming Tax Regulations; andPublicPage 10 of 40

MGA/G/001 V1 08/2018b. Licence and compliance contribution calculations are correct asper Part II of the Gaming Licence Fees Regulations.This can be performed by comparing the reported figures with thegaming data from the back-office.3.2.2 Timeframes3.3Obtain a random sample of, at least, 3 Monthly Gaming RevenueDeclaration Forms and determine whether the Licensee is filing thereturns (to the MGA) within the timeframes required in terms of Part Vof the Gaming Licence Fees Regulations and Part V of the Gaming TaxRegulations.FinancialsNameChecks3.3.1 ProfitabilityReview the latest Audited Financial Statements on the latestManagement Accounts submitted for the preceding 12 months andassess the performance and the financial position of the operator.3.3.2 Preparation ofManagement AccountDetermine whether the Licensee has a mechanism to preparemanagement accounts.3.3.3 Accounting SoftwareUsedIndicate the accounting software used for the generation of accountsfor internal purposes.3.3.4 Frequency ofManagement AccountsIndicate how frequently the management accounts are prepared.3.3.5 Review ofManagement AccountsIndicate whether the management accounts are reviewed by the Boardof Directors.3.3.6 Availability ofManagement AccountsIndicate the date pertaining to the latest management accounts thatwere available at the time of your review.3.3.7 Key Consideration ofBudgets / Business PlanInquire on any key consideration that can be raised from analysing theirbudgets and business plans.3.3.8 Inspection of AuditedFinancialBy inspecting the MFSA’s records / Financial Statement, determinewhether the minimum paid-up share capital has been adhered to. Theminimum paid-up share capital is as follows: For B2C Licence:o 100,000 for each type 1 and type 2 verticals;o 40,000 for each type 3 and type 4 verticals. For B2B licence: 40,000.Paid-up share capital has a capping of 240,000.PublicPage 11 of 40

MGA/G/001 V1 08/20183.3.9 Financial AccountingProceduresObtain a copy of the Financial Accounting procedures from the Licenseeand determine whether the MGA has the latest copy.3.3.10 Financial AccountingProcedures AdherenceAnalyse the Financial Accounting procedures and indicate whether theLicensee is observing and following these procedures. List down anydiscrepancies noted.3.3.11 Submission ofManagement AccountCheck whether the Licensee submitted the Management Accountswithin 30 days from the end of the half-year period (if applicable).3.3.12 Submission ofAudited FinancialStatementsCheck whether the Licensee submitted the Audited FinancialStatements within 180 days from the financial year end of the Licensee(if applicable).3.3.13 Additional FindingsList down any additional findings.PublicPage 12 of 40

MGA/G/001 V1 08/20184 Information Technology4.1System Access Control PolicyNameChecks4.1.1 System AccessControl PolicyObtain a copy of the System Access Control Policy from the Licensee anddetermine whether the MGA has the latest copy.4.1.2 System AccessControl Policy AdherenceDetermine whether the System Access Control Policy has been actuallyimplemented in practice. Tests shall include procedures on: Access rights level per job designation; Controls in place for remote access connections; and Controls for access by third parties.4.1.3 Periodic ChecksDetermine whether periodic checks by the IT department (or otherdesignated department) to check that the access rights granted to theusers on the user list are commensurate with their job responsibilitiesare being carried out. Determine the frequency of these checks andwhether they are in line with the System Access Control Policyestablished by the Licensee.4.1.4 System AccessRequestsFrom the user access list, observe the last five (5) system accessrequests and identify whether these have been authorised inaccordance with the requirements of the employee’s job function.Determine whether the specified rights have been implemented on thesystem.4.1.5 Audit TrailsCheck whether audit trails / logs of any changes performed to theregulatory data (including player data, financial data and game data)databases are kept.4.1.6 Additional FindingsList down any additional findings.4.2Information Security PolicyNameChecks4.2.1 Information SecurityPolicyObtain the latest copy of the Information Security Policy from theLicensee and determine whether the MGA has the latest copy.4.2.2 Information SecurityPolicy AdherenceDetermine whether the Information Security Policy has been actuallyimplemented in practice by designing tests, including observations, onthe following: Safeguarding of data, applications, equipment, networks; Backend automatic logoff after a period of inactivity; Data classification system; Threat of viruses and intrusion; Portable computers and media;PublicPage 13 of 40

MGA/G/001 V1 08/2018 Disposal of media and equipment;Secure communication protocol used during player activity; andSecure storage of players’ passwords and payment information.4.2.3 Awareness ofInformation Security PolicyInquire a number of employees whether they are aware of theInformation Security Policy (unless it is signed by the employees).4.2.4 Protection ofEquipmentDetermine whether hardware, servers and equipment, on which thegaming system is residing, are protected from environmental hazardand unauthorised physical access. Identify how the Licensee addressesthese hazards (e.g. CCTV, smoke, fire, humidity, UPS, emergencylighting, etc.).4.2.5 Security ofEquipmentCheck whether the Licensee installed systems (such as CCTV, smokedetection, fire suppression and access control) to protect the securityof the premises where the control system resides.4.2.6 Disciplinary ActionsInquire whether any disciplinary action has been taken against anyemployee or third party service partners who acted in violation of thispolicy.4.2.7 Independent ReviewInquire whether the Licensee obtained an independent review of theLicensee’s information security and its implementation. Identify thedate of this review, the identity of the reviewer and critical findings.4.2.8 Additional FindingsList down any additional findings.4.3Incident Response PolicyNameChecks4.3.1 Incident ResponsePolicyObtain a copy of the Incident Response Policy from the Licensee anddetermine whether the MGA has the latest copy.4.3.2 Incident ResponsePolicy AdherenceDetermine whether the Incident Response Policy has been actuallyimplemented in practice by designing and performing audit proceduresthereto.4.3.3 IncidentsInquire whether the Licensee suffered any incident.4.3.4 Incident ResponseProcedures AdherenceObtain a log of the incident activity and identify whether the Licenseehas adhered to the procedures stipulated within the Incident ResponsePolicy.Check whether the Licensee has reported incidents to the MGA within72 hours following the incident.4.3.5 Additional FindingsPublicList down any additional findings.Page 14 of 40

MGA/G/001 V1 08/20184.4Change Management ProcedureNameChecks4.4.1 Change ManagementProcedureObtain a copy of the latest Change Management Procedure anddetermine whether the MGA has the latest copy.4.4.2 Change ManagementProcedure AdherenceDetermine whether changes have been approved as per the ChangeManagement Procedure. Request copies of records held by theLicensee to evidence changes in software, hardware, networkconfiguration, etc.4.4.3 Critical ChangesDetermine whether any changes to the Essential Components (asdefined in the A&CD) were performed by the Licensee without priorapproval from the MGA.4.4.4 Key Technical SetupChangesCheck whether the MGA was notified within thirty (30) days followingchanges to the Key Technical Setup (as defined in the A&CD) took place.For the sake of clarity, this check shall not apply to changes applied toEssential Components.4.4.5 Games ChangesWith respect to B2B Licensees and B2C offering standalone games: Takea random sample of thirty (30) games and check whether the Licenseenotified the MGA about the addition of these games as required by PartIV of the C&AD.4.4.6 Changes LogsCheck whether the Licensee is retaining audit logs for any changes madeto the key technical setup within the last two (2) years.4.4.7 Additional FindingsList down any additional findings.4.5Business PartnersNameChecks4.5.1 AgreementsIndicate, if applicable, the third-parties to which services are beingoutsourced to and obtain a copy of agreements thereof, including: EEA licensed Payment Service Institutions; Critical Gaming Suppliers (as per clause 3 of the First Scheduleof the Authorisations Regulations); Material Gaming Suppliers (as per Third Schedule of theAuthorisations Regulations); Co-location facility (including web Hosting, maintain thenetwork, database and applications, and maintain and carryupgrades to the website); Replication facility (if applicable); Auditor’s Engagement Letter; Customer Support (N/A for B2B licensees); Human Resources; and Other business partners.PublicPage 15 of 40

MGA/G/001 V1 08/2018Determine whether the above noted agreements/contracts weresubmitted to the MGA and list down any ones that were not submittedto the Authority.4.5.2 Licenced CriticalGaming SuppliersIndicate whether all companies supplying the Licensee with criticalgaming supply services are licensed by the MGA.4.5.3 Material GamingSuppliersIndicate whether all companies providing the Licensee with materialgaming supply services are in possession of either:a. a material supply certificate issued by the MGA; orb. an approval issued by the Authority on a case-by-case basis tooffer services to this Licensee.4.5.4 Outsourcing PolicyRequest a copy of the Outsourcing Policy and compare it with the onesubmitted to the MGA. Determine whether the MGA has the latestcopy.4.5.5 Outsourcing PolicyAdherenceDetermine whether the Outsourcing Policy has actually beenimplemented in practice.4.5.6 Outsourcing byAuthorised PersonsCheck whether services are only being outsourced in accordance withthe Second Schedule of the MGA’s Policy on Outsourcing by AuthorisedPersons.4.5.7 Commitment towards Carry out tests to obtain information on whether the company hasfailed in honouring its commitments with third party providers.Third Party Providers4.5.8 Arbitrary and LegalRepresentativeInquire from the Licensee and the legal representative as to whetherthere were any arbitrary or legal proceedings resulting from theseagreements. Determine the resulting operational effect on theLicensee.4.5.9 Additional FindingsList down any additional findings.4.6Business Continuity and Disaster RecoveryNameChecks4.6.1 Business Continuityand Disaster RecoveryRequest a copy of the Business Continuity and Disaster Recovery Planand determine whether the MGA has the latest copy.4.6.2 List of DisruptiveEventsObtain a list of disruptive events that occurred at the Licensee detailingthe nature of the event, time, contingency plan and whether this wasescalated. Check that the policies communicated to the MGA have beenadhered to.PublicPage 16 of 40

MGA/G/001 V1 08/20184.6.3 Routine TestInquire for a list of routine tests performed by the Licensee with respectto the Disaster Recovery Plan. Determine what were the issues notedand how the Licensee addressed these shortcomings.4.6.4 Additional FindingsList down any additional findings.4.7Backup ProcedureNameChecks4.7.1 Backup ProcedureRequest a copy of the Backup Procedure and determine whether theMGA has the latest copy.4.7.2 Backup ProcedureAdherenceDetermine whether the Backup Procedure has actually beenimplemented in practice by designing and performing audit proceduresthereto. Tests shall include audit procedures on: Backups and frequency of backups; Types of backups; Offsite storage of backups; and Media restore testing plan.4.7.3 Additional FindingsList down any additional findings.4.8System ArchitectureNameChecks4.8.1 System ArchitectureObtain a copy of the System Architecture and determine whether theMGA has the latest copy.4.8.2 Key Technical SetupDetermine whether the following Key Technical Setup is documentedwithin the System Architecture:a. Hardware equipment (make & model and location);b. Virtual Machines; andc. Firewalls and routers.4.8.3 System ArchitectureAdherenceBy analysing the transmission of data packets during registration, log inand game play, determine whether the physical location of the serversis identical to what was declared in the System Architecture.4.8.4 System ArchitectureAdherenceThrough visual inspections carried out at the data centre, checkwhether the make and model of all hardware matches the make andmodel of hardware declared in the System Architecture. Tests shall beperformed on, at least, the following components: Regulatory database (including Database servers storing playerdata, financial data and game data); Backend system; Web servers;PublicPage 17 of 40

MGA/G/001 V1 08/2018 Firewalls; andRouters.4.8.5 System ArchitectureAdherenceTake a random sample of thirty (30) virtual machines (if applicable) andcheck whether these are running on the hardware declared in theSystem Architecture.4.8.6 Servers OverseasIndicate whether the Licensee is making use of overseas servers.In case of servers overseas: Indicate if regulatory data (including player data, financial dataand game data) is being replicated to servers located in Malta.Check whether this is in line with what is documented with theMGA; and Perform tests to ensure that data is replicated in real-time.Indicate the replication latency. Indicate if this is in line withwhat is documented with the MGA.4.8.7 Data CentreCheck whether the Licensee is hosting in the data centres previouslydeclared to the MGA. Confirm that the Licensee did not change to adifferent data centre without informing the Authority.4.8.8 Setup LocationObserve where the Key Technical Setup is located.4.8.9 SecureCommunication ProtocolCheck that the Licensee’s websites/apps use a secure communicationprotocol during player registration, change of passwor

account any jackpot funds if applicable. 3.2 Tax Name Checks 3.2.1 Gaming Tax, Licence and Compliance Contributions Obtain a random sample of, at least, 3 Monthly Gaming Revenue Declaration Forms and verify that the: a. Gaming tax due calculation is correct as per Part II of the Gaming Tax Regulations; and

Related Documents:

VEt institution, whatever its size or factor, in Malta will be able to use. the ncFHE, as the coordinator of the project, could only achieve this 'Quality tool' with the support of four local VEt institutions in Malta: Malta College of Arts, cience and s Technology (MCAsT) which is the umbrella structure in Malta housing most of the public

video gaming has continued to grow in both strength and influence in 2021. Outside of personal game play, nearly three in ten global consumers have also watched a live gaming video stream (YouTube Gaming, Twitch, etc.), and almost one in ten currently follow a gaming influencer. Gaming personalities entertain and engage with audiences

gaming laws and the evolution of the gambling / gaming industry in India. To clarify, in this paper we have used the term 'gaming' to refer to social and casual gaming. However, under certain Indian laws, gambling activities are referred to as 'gaming', and specific references to the same may be included in this paper.

the University of Malta and caters for the needs of the Gozitan University students. This campus also provides a venue for short courses and seminars and houses the Hans Güsten Atmospheric Research Centre within the Department of Geosciences. Msida Campus: Msida, MSD 2080 Malta Valletta Campus: University of Malta Valletta Campus St Paul’s .

Software Development Effort (as a percentage) Analysis & Design Coding Testing Maintenance All values in chart are approximated from various sources and rounded. . A PERT chart model of this sequence of activities is shown . University of Malta . University of Malta 1 2 4 . University of Malta . University of Malta .

2 The Jew of Malta By Christopher Marlowe Written c. 1589-90 Earliest Extant Edition: 1633 Dramatis Personae Residents of Malta: BARABAS, a wealthy Jew. ABIGAIL, daughter to Barabas. ITHAMORE, a slave to Barabas. FERNEZE, governor of Malta. LODOWICK, his son. MATHIAS, a gentleman. KATHARINE, mother to Mathias. JACOMO, a friar. BARNARDINE, a friar. ABBESS.

The quality audit system is mainly classified in three different categories: i Internal Audit ii. External Audits iii. Regulatory Audit . Types Of Quality Audit. In food industries all three audit system may be used to carry out 1. Product manufacturing audit 2. Plant sanitation/GMP audit 3. Product Quality audit 4. HACCP audit

2nd Grade . ELA Priority Standards Grade 2 CCSS PA Core Foundational Skills RF.2.3 CC.1.1.2.D Know and apply grade level phonics and word analysis skills in decoding words. Distinguish long and short vowels when reading regularly spelled one- syllable words. Decode two-syllable words with long vowels and words with common prefixes and suffixes. Read grade level high-frequency .