CMS Case Study

4. Findings in earlier reviews; and

5. Degree and methods of testing used.

It is the policy of the Bank to subject itself to periodic independent internal audit reviews through management, externally through independent auditors and various state and federal regulators. Management’s internal review is to involve various certification procedures, periodic internal audits of operational areas and internal loan reviews. External audit coverage will consist of financial statement audits, loan reviews and operational audits performed by independent auditors. Such audit reviews are necessary to ensure safety and soundness and compliance with Bank policies, state and federal laws, and generally accepted accounting principles. The Board of Directors (via the Audit Committee or its Chairperson) may determine the frequency of audit reviews and may order special reviews as deemed necessary. The Audit Officer is responsible for coordinating all audit activities, and reports directly to the Directors’ Audit Committee of the Board of Directors, and administratively to the Chief Operating Officer. The authority of the internal audit is derived from the Board of Directors. The Chairman of the Audit/Compliance/Identity Theft Committee (ACIT) will engage an Internal Audit Firm as a consultant to perform certain audit functions of the bank. The Board of Directors gives the ACIT Committee the authority to retain the services of outside legal counsel and/or an accountant as deemed appropriate. The Committee is responsible for ensuring the audits adhere to the guidelines of this policy; that management provides expected follow-up to corrective actions in a timely manner; and for determining if audit procedures beyond the normal scope are warranted. The ACIT Committee is comprised of four outside Directors (one shall be designated as the Chairman), and four Non-voting members of the Committee. The Non-voting members shall be the Chairman of the Board, the President/CEO, the Compliance Officer/Internal Audit Officer, and the Committee Secretary (a designated member of the Bank’s IT Department). Minutes of all meetings shall be taken and retained by the Secretary of the Committee. A copy of each meeting shall be provided to the Board Secretary as soon after the meeting as is feasible for presentation at the next full Board meeting. The voting members of the Committee will be free from any financial, family or other material personal relationship that, in the opinion of the Board or Audit Committee members, would interfere with the exercise of his or her independence from management and the company. All members of the Audit Committee should have a working familiarity with basic finance and accounting practices, and the laws and regulations governing banking. II. AUTHORITY DERIVED FROM THE BOARD

III. RESPONSIBILITIES AND DUTIES

The Audit Committee believes that its policies and procedures should remain flexible to best react to changing conditions. It should also provide reasonable assurance to the Board that the accounting and reporting practices of the corporation are in accordance with regulatory audit standards and that an effective legal, compliance and business ethics program exists.

Reviewed by Board of Directors on 5.27.21