CMS Case Study
Cloyd Bank and Trust Risk Assessment Summary 2020-2021
Audit Area: ATM

Definition (score range)

High (21-30): Potential violations of high profile regulations with potential fines, legal liability or costly corrective action are possible. Material financial misstatement is possible due to incorrect handling of infrequent, complex transactions or estimates. Critical management decisions may be based on these financial areas. Complex manual or automated systems are new, critical to management decision making, or important to product delivery. Controls are nonexistent or known to be weak. Major changes since last audit are anticipated this year or not recently reviewed. Management lacks experience or places low priority on internal controls.

Moderate (11-20): Significant regulatory requirements are evident; however, regulatory expectations are clear, seasoned, and considered routine. Violations, if any, will be technical in nature. Material financial effect is possible; however, activity is routine and noncomplex and errors would be readily evident in normal operations. Seasoned and complex manual or automated systems are important to management decision making or product delivery; however, collaborating or alternative back-up systems exist. There is no basis for control assessment, or they are thought to be weak. Minor changes since last audit are anticipated this year. Management has average experience.

Low (0-10): Regulatory requirements are limited to low-profile regulations and law issues that warrant action but have significantly lower levels of risk. Impact on accurate timely financial reporting is minimal. Likelihood of material financial reporting effect is negligible. Noncomplex systems and operations are seasoned, with well established back up routines. Controls are strong or adequate. No changes since last audit are planned this year. Management is experienced and has high priority on controls.

Risk Factor: Compliance
Score: 10
Rationale: The ATM function has a comparatively lower level of regulatory requirements than other bank functions. However, compliance with Regulation E remains a risk to the Bank. The Bank has replaced ATMs with ADA (Americans with Disabilities Act) compliant ATMs.

Risk Factor: Nature of Transactions
Score: 9
Rationale: ATM transactions are routine and the process is almost completely automated. The Bank does not accept deposits through the ATM.

Risk Factor: Nature of Operations
Score: 10
Rationale: A portion of the ATM function is outsourced to third-party service providers, and the majority of the functions performed in-house are automated. Manual operations include servicing and balancing the ATMs, which is done at the branch level. The Bank only has ATMs at their branch locations.

Risk Factor: Internal Controls
Score: 10
Rationale: Internal controls are in place and function adequately on an overall basis. ATMs are balanced on a regular basis by branch employees and they are maintained under dual control. Branch level controls over ATM cards are outlined in the CSR and teller manuals. The most recent internal audit resulted in two recommendations related to ATMs (noted as part of the Branch Audit).

Risk Factor: Changes to systems, processes, or procedures
Score: 12
Rationale: No significant changes occurred in the last 12 months. The Bank plans to change ATM card vendors in 2022. The new vendor will be FIS; FIS is the Bank's core system vendor.

Risk Factor: Management
Score: 8
Rationale: Members of management have achieved their positions within the Bank because of their level of knowledge, demonstrated skills, and experience within the banking industry. A strong emphasis is placed on maintaining a sound control environment.

Risk Score: 59