CMS Case Study
Risk Assessment and Risk Based Auditing
The Bank’s Information Technology Audit Program is a risk-based system that:
1. Identifies the Bank’s data, application and operating systems, technology, facilities, and personnel.
2. Identifies the business activities and processes within each of those categories.
3. Includes profiles of significant business units, departments and product lines, or systems, and their associated business risks and control features, resulting in a document describing the structure of risk and controls throughout the Bank.
4. Uses a measurement or scoring system that ranks and evaluates business and control risks for significant business units, departments, and products.
5. Includes Audit Committee approval of risk assessments and annual risk-based audit plans that establish audit schedules, audit cycles, work program scope, and resource allocation for each area audited.
6. Implements the audit plan through planning, execution, reporting and follow-up.
7. Includes a process that regularly monitors the risk assessment and updates it at least annually for all significant business units, departments and products or systems.
The Bank uses an effective scoring system that is easily understandable, considers all relevant risk factors, and to the extent possible, avoids subjectivity by including the:
1. Adequacy of internal controls.
2. Nature of transactions (for example, the number, dollar volume and complexity of transactions).
3. Age of the system or application.
4. Nature of the operating environment (for example, changes in volume, degree of system and reporting centralization, sensitivity of resident or processed data, the impact on critical business processes, potential financial impact, planned conversions, and economic and regulatory environment).
5. Physical and logical security of information, equipment, and premises.
6. Adequacy of the Technology Committee, oversight, and monitoring.
7. Previous regulatory and audit results and management’s responsiveness in addressing issues.
8. Human Resources Department, including the experience of management and staff, turnover, technical competence, management’s succession plan, and the degree of delegation; and
Reviewed by Board of Directors on 5.27.21