CMS Case Study

The Audit Committee will fulfill its duties and responsibilities as follows:

A. General

• Adopt a formal written Audit Policy that is approved by the full Board of Directors that specifies scope of responsibility, process, membership, etc. The Policy will be reviewed as necessary, but at least annually.
• Maintain minutes or other records of meetings and activities.
• Report ACIT Committee actions to the Board with such recommendations as the Committee may deem appropriate.
• As part of executing the responsibility to foster open communications, the ACIT Committee will meet in separate executive sessions without members of senior management present with the Independent Accountants and the Chief Audit Officer to discuss matters that the Audit Committee believes should be discussed privately.
• Conduct or authorize investigations into matters within the Audit Committee’s scope of responsibilities. The Audit Committee shall be empowered and funded to retain independent counsel, accountants, or others to advise the Audit Committee in the conduct of any investigation.

B. Audit Engagement

Engage Internal Auditors that specify the scope of work for each audit. Audit scope will be based on Risk and will include recommendations when areas of weakness have been noted. The Regulatory and Legal Compliance Audits and Reviews to be performed include the following:

● Internal Audit
● Internal Controls and Safeguards
● Bank Secrecy Act (BSA / AML / SAR / Identity Theft)
● Automated Clearing House (ACH) Audit
● Deposit/Operations Compliance Review
● Lending Compliance Review
● Safe Act
● Fair Lending Review
● HMDA Data Verification Review
● Information Technology Audit
● Network Vulnerability Assessment
● The Interest Rate Risk Review
● Liquidity and Fund Management Review

The Internal Audit Firm shall act as a consultant and have no Bank staff employees. It does not have the authority to initiate or approve accounting transactions of any nature, nor does the Internal Audit Firm administer or supervise any bank operational functions. The Internal Audit Firm will operate in complete independence from the rest of the bank. It is responsible to the Audit & Compliance Committee for conducting an effective audit program. The Internal Auditors will maintain adequate training and proficiency in their areas of audit responsibility and in generally accepted auditing standards. They will maintain the confidentiality of information acquired through audits and examinations. They will not

Reviewed by Board of Directors on 5.27.21
