CMS Case Study

Cloyd Bank and Trust Risk Assessment Summary 2020-2021

Audit Area: ACH

Definition (score range)

Low (0-10): Regulatory requirements are limited to low-profile regulations and law issues that warrant action but have significantly lower levels of risk. Impact on accurate, timely financial reporting is minimal. Likelihood of material financial reporting effect is negligible. Noncomplex systems and operations are seasoned, with well-established backup routines. Controls are strong or adequate. No changes since last audit are planned this year. Management is experienced and has high priority on controls.

Moderate (11-20): Significant regulatory requirements are evident; however, regulatory expectations are clear, seasoned, and considered routine. Violations, if any, will be technical in nature. Material financial effect is possible; however, activity is routine and noncomplex, and errors would be readily evident in normal operations. Seasoned and complex manual or automated systems are important to management decision making or product delivery; however, collaborating or alternative back-up systems exist. There is no basis for control assessment, or they are thought to be weak. Minor changes since last audit are anticipated this year. Management has average experience.

High (21-30): Potential violations of high-profile regulations with potential fines, legal liability or costly corrective action are possible. Material financial misstatement is possible due to incorrect handling of infrequent, complex transactions or estimates. Critical management decisions may be based on these financial areas. Complex manual or automated systems are new, critical to management decision making, or important to product delivery. Controls are nonexistent or known to be weak. Major changes since last audit are anticipated this year or not recently reviewed. Management lacks experience or places low priority on internal controls.

Risk Factor: Compliance
Score: 16
Rationale: A substantial level of compliance is required with regard to ACH transactions; however, the personnel with responsibilities in this function are experienced, and they receive regular training on compliance issues. Additional compliance with NACHA is a risk within ACH. Same day ACH services present additional compliance requirements.

Risk Factor: Nature of Transactions
Score: 17
Rationale: ACH transactions pose a risk due to their electronic nature and the potential for loss due to unauthorized activity. Additionally, the volume and aggregate dollar amounts of these transactions increase this risk. The Bank acts as both an originator and a receiver of ACH transactions; therefore, monitoring procedures have been designed to mitigate risks, and additional controls are in place with respect to ACH originators.

Risk Factor: Nature of Operations
Score: 18
Rationale: The ACH origination and receipt process is essentially an automated process, and employees with responsibility in this area possess appropriate knowledge, skills, and abilities with regard to ACH transactions. The Bank has implemented multi-factor authentication that must be entered to access ACH services. The Bank has same day ACH services. Cybersecurity continues to be a concern to ACH systems and processes.

Risk Factor: Internal Controls
Score: 10
Rationale: Internal controls are in place and function adequately on an overall basis. However, the last internal audit resulted in two recommendations. The Bank has an ACH policy and corresponding procedures in place.

Risk Factor: Changes to systems, processes, or procedures
Score: 12
Rationale: The volume of RDC customers and their transactions has gradually increased over the past year and is expected to continue to increase at a steady rate.

Risk Factor: Management
Score: 15
Rationale: Frontline sales and service for ACH is the responsibility of the Treasury Services Manager, who continues to gain experience. An experienced Customer Solutions Manager is responsible for backroom support of ACH.

Risk Score: 88
