CMS Case Study
• Immediately following the review, the independent auditors shall present the audit report to the Audit & Compliance Committee and the Board of Directors. It is the responsibility of bank management to follow up on recommended corrective actions within 30 days of receipt of the independent audit report.
E. Financial Statements/Internal Controls
• Review annual financial statements with management and the independent accountants to determine that the independent auditors are satisfied with the disclosure and content of the financial statements, including the nature and extent of any significant changes in accounting principles, and approve release of the annual earnings.
• Consider external auditors’ judgments regarding the quality and appropriateness of financial statements.
• Make inquiries of management and external auditors concerning the adequacy of the company’s system of internal controls.
• Advise management and the independent auditor that they are expected to provide a timely analysis of significant current financial reporting issues and practices.
• Advise financial management and the independent auditor to discuss with the Audit Committee their qualitative judgments about the appropriateness, not just the acceptability, of accounting principles and financial disclosure practices used or proposed to be adopted by the Company.
IV. IT Internal Audit Program
The Bank’s Information Technology Audit Program includes risk-based information technology audit procedures based on the Bank’s formal risk assessment methodology to determine the appropriate frequency and extent of work, and includes the following key elements:
1. Performing manual testing processes or utilizing a computer-assisted audit program (CAAT).
2. Ensuring work papers and related documentation are well organized, clearly written, and address all areas in the scope of the audit. In addition, they are to contain sufficient evidence of the tasks performed and support the conclusions reached.
3. Senior Management and the Audit Committee are to receive summarized audit findings that effectively communicate the results of the audit. The Audit Committee is to be provided with a full audit report.
4. Establishing appropriate time frames related to the Bank’s document retention strategies; and
5. Conducting audit activities in accordance with professional auditing standards in conformance with Institute for Internal Auditors (IIA) guidelines, and those issued by the Standards Board of the Information Systems Audit and Control Association (ISACA).
Reviewed by Board of Directors on 5.27.21