CMS Case Study
Cloyd Bank and Trust Risk Assessment Summary 2020-2021
Audit Area: Internet/Electronic Banking

Definition (score range)

High (21-30): Potential violations of high-profile regulations with potential fines, legal liability or costly corrective action are possible. Material financial misstatement is possible due to incorrect handling of infrequent, complex transactions or estimates. Critical management decisions may be based on these financial areas. Complex manual or automated systems are new, critical to management decision making, or important to product delivery. Controls are nonexistent or known to be weak. Major changes since last audit are anticipated this year or not recently reviewed. Management lacks experience or places low priority on internal controls.

Moderate (11-20): Significant regulatory requirements are evident; however, regulatory expectations are clear, seasoned, and considered routine. Violations, if any, will be technical in nature. Material financial effect is possible; however, activity is routine and noncomplex and errors would be readily evident in normal operations. Seasoned and complex manual or automated systems are important to management decision making or product delivery; however, collaborating or alternative back-up systems exist. There is no basis for control assessment, or they are thought to be weak. Minor changes since last audit are anticipated this year. Management has average experience.

Low (0-10): Regulatory requirements are limited to low-profile regulations and law issues that warrant action but have significantly lower levels of risk. Impact on accurate, timely financial reporting is minimal. Likelihood of material financial reporting effect is negligible. Noncomplex systems and operations are seasoned, with well-established back-up routines. Controls are strong or adequate. No changes since last audit are planned this year. Management is experienced and has high priority on controls.

Risk Factor and Score

Compliance: 16
Nature of Transactions: 15
Nature of Operations: 17
Internal Controls: 10
Changes to systems, processes, or procedures: 14
Management: 10
Risk Score: 82

Rationale

Compliance and Nature of Transactions: Internet banking is subject to multiple regulations, including Regulations B, C, E, DD, and Z, the Bank Secrecy Act, the Gramm-Leach-Bliley Act, and various other regulations from the Federal Reserve Board and the FDIC, including FFIEC IT requirements. The Bank should also be in compliance with the Electronic Signatures in Global & National Commerce Act (E-Sign Act). Additionally, the Bank has to maintain compliance with the FFIEC's FIL-50-2011. Internet banking allows a customer to view account balances and transaction histories, view check and deposit ticket images, transfer money between their accounts, transfer money to external accounts, make loan payments (internally), pay bills, view account statements, set up various email or log-in account alerts, and download transaction history data into Open Financial Exchange (OFX) (e.g. Quicken and QuickBooks). The risk of a material impact on financial reporting is low; however, businesses are capable of originating ACH transactions via Internet Banking, thereby slightly increasing the risk associated with this function.

Nature of Operations: The Internet Banking system (First Data/Apiture) is mature and established. Controls are in place to monitor and reduce risk, including password security requirements.

Internal Controls: Internal controls are in place and function adequately on an overall basis. Additionally, the Bank has an Internet Banking Policy. There were no issues related to Internet Banking in the last IT audit.

Changes to systems, processes, or procedures: No changes to the internet banking process have occurred in the last 12 months. The Bank has selected a new core platform, FIS D&A; expected implementation is 2Q2022. The migration to the new core will create significant changes to internet banking in 2022.

Management: Members of management have achieved their positions within the Bank because of their level of knowledge, demonstrated skills, and experience within IT and the banking industry. A strong emphasis is placed on maintaining a sound control environment.