Common use of Internal Audit Clause in Contracts

Internal Audit. (1) Within sixty (60) days of the date of this Agreement, the Board shall adopt, and the Bank, subject to Board review and monitoring, shall implement and thereafter adhere to an independent, internal audit program to correct the internal audit deficiencies described in the most recent ▇▇▇. The independent, internal audit program shall comply with OCC Bulletin 2003-12, Interagency Policy Statement on Internal Audit and Internal Audit Outsourcing, (March 17, 2003) and shall include an annual written audit plan using a risk based approach sufficient to achieve the objectives outlined in this Article, including requirements for written reports to the Board Audit Committee at least quarterly. The program shall, at a minimum, include standards for the depth and scope of audits, sampling and transaction testing, investigation of root causes, follow-up on exceptions, elevation of findings to the Board Audit Committee, validation of corrective actions, and an assessment of internal audit effectiveness, staff levels, and staff performance. The independent, internal audit program shall be sufficient, at a minimum, to: (a) detect and identify the root causes of irregularities and weak practices in and other exceptions to the Bank's operations; (b) determine the Bank's level of compliance with all applicable laws, rules, regulations and regulatory guidance, including consumer protection laws, regulations, and regulatory guidance; (c) assess and report on the effectiveness of policies, procedures, controls, risk management practices, and management information systems; (d) evaluate the Bank's adherence to established policies and procedures; (e) adequately and timely evaluate the efficiency and effectiveness of the Bank’s corporate governance, internal controls, and risk management functions; (f) ensure timely and appropriate follow-up on identified deficiencies, weak practices and other exceptions to ensure timely implementation, verification and documentation of corrective action; and (g) review and evaluate the Bank’s actions taken to comply with this Agreement. (2) As part of this audit program, the Board shall evaluate the audit reports of any party providing services to the Bank, and shall assess the impact on the Bank of any audit deficiencies cited in such reports. (3) The Board shall ensure the audit function is supported by an adequately staffed department or outside firm, including with respect to qualifications, experience level and number of individuals employed. (4) The Board shall ensure that the audit program is independent. The persons responsible for implementing the internal audit program described in this Article shall be independent, qualified and report directly to the Board Audit Committee, which shall have the sole power to direct their activities. All reports prepared by the audit staff shall be filed in writing directly with the Board Audit Committee and not through any intervening party. (5) All audit reports shall be in writing. The Board shall ensure immediate actions are undertaken to correct deficiencies cited in audit reports and shall maintain a written record describing the deficiency, the projected corrective action, and the status of the corrective action. The Board shall ensure that internal audit management provides detailed written explanation in those circumstances, if any, where the deficiencies cannot be remedied, and that the audit staff maintain a written record describing those actions. The Board shall provide for a timely, independent, written follow-up for any uncorrected deficiencies. (6) The audit staff shall have access to any records necessary for the proper conduct of its activities. OCC examiners shall have access to all reports and work papers of the audit staff and any other parties working on its behalf. (7) Upon adoption, a copy of the internal audit program shall be promptly submitted to the Assistant Deputy Comptroller.

Internal Audit. (1) Within sixty thirty (6030) days of the date of this Agreementdays, the Board shall adopt, review and revise the Bank, subject to Board review ’s internal audit program and monitoring, shall implement ensure implementation of and thereafter adhere Bank adherence to an independent, internal audit program to correct that adequately identifies the internal Bank’s audit deficiencies described universe and includes a risk-based evaluation of all financial and non-financial areas of the Bank for inclusion in the most recent ▇▇▇Bank’s audit plan. The independentprogram’s scope, internal audit program shall comply with OCC Bulletin 2003-12, Interagency Policy Statement on Internal Audit and Internal Audit Outsourcing, (March 17, 2003) and shall include an annual written audit plan using a risk based approach sufficient to achieve the objectives outlined in this Article, including requirements for written reports to the Board Audit Committee at least quarterly. The program shall, at a minimum, include standards for the depth and scope of audits, sampling and transaction testing, investigation of root causes, follow-up on exceptions, elevation of findings to the Board Audit Committee, validation of corrective actions, and an assessment of internal audit effectiveness, staff levels, and staff performance. The independent, internal audit program documentation shall be sufficient, at a minimum, sufficient to: (a) ensure the development and maintenance of a risk-based audit plan, covering both financial and non-financial areas of the Bank, that includes risk assessments to support the frequency and scope of reviews for all areas covered by the plan; (b) ensure that the risk-based audit plan is annually approved by the Board or its designated committee; (c) ensure that any deviation of sixty (60) days or more from the Board approved audit plan requires, and only occurs with, the prior written approval of the Board or its designated committee; (d) ensure that the Board or its designated committee maintains a process to track adherence to the approved audit plan; (e) detect and identify the root causes of irregularities and weak practices in and other exceptions to the Bank's operations; (bf) determine the Bank's level of compliance with all applicable laws, rules, regulations rules and regulatory guidanceregulations, including consumer protection laws, compliance and BSA/AML related laws and regulations, and regulatory guidance; (cg) assess and report on the effectiveness of policies, procedures, controls, risk management practices, and management information systemsoversight relating to each area covered by the audit plan; (dh) evaluate the Bank's ’s adherence to established policies policies, procedures and procedures; (e) adequately and timely evaluate the efficiency and effectiveness of programs, including the Bank’s corporate governanceadherence to the consumer compliance, internal controls, BSA/AML and risk third party management functions; (f) ensure timely and appropriate follow-up on identified deficiencies, weak practices and other exceptions programs required to ensure timely implementation, verification and documentation be developed under the terms of corrective actionthis Agreement; and (gi) review and evaluate ensure an appropriate level of testing to support the audit findings in all areas, including in the BSA/AML area, testing that covers the adequacy of the Bank’s actions taken to comply ’s: (i) customer risk identification practices; (ii) systems for monitoring transactions and accounts for suspicious activity; and (iii) identification of suspicious activity and compliance with this Agreementsuspicious activity reporting requirements. (2) As part of this audit program, the Board shall evaluate the audit reports of any party providing services to the Bank, and shall assess the impact on the Bank of any audit deficiencies cited in such reports. If the Board’s designated committee is charged with responsibility for reviewing the audit reports, the committee shall report its findings to the full Board. (3) The Board shall ensure that the audit function is supported by an adequately staffed department or outside firmBank has processes, including personnel (with respect to qualifications, both the experience level and number of individuals employed), and control systems to ensure implementation of and adherence to the audit program developed pursuant to this Article. (4) The Board shall ensure that the audit program is independent. The persons responsible for implementing the internal audit program described in this Article shall be independent, qualified and report directly to the Board Audit Committee, which shall have the sole power to direct their activities. All reports prepared by the audit staff shall be filed in writing directly with the Board Audit Committee and not through any intervening party. (5) All audit reports shall be in writing. The Board shall ensure immediate actions are undertaken taken to correct remedy deficiencies cited in audit reports reports, and shall that auditors maintain a written record describing the deficiency, the projected corrective action, and the status of the corrective action. The Board shall ensure that internal audit management provides detailed written explanation in those circumstances, if any, where the deficiencies cannot be remedied, and that the audit staff maintain a written record describing those such actions. The Board shall provide for a timely, independent, written follow-up for any uncorrected deficiencies. (6) The audit staff shall have access to any records necessary for the proper conduct of its activities. OCC examiners shall have access to all reports and work papers of the audit staff and any other parties working on its behalf. (75) Upon adoption, a copy of the internal audit program shall be promptly submitted to the Assistant Deputy Comptroller.

Internal Audit. (1) Within sixty ninety (6090) days of after the effective date of this Agreement, the Board shall adopt, and review the Bank, subject to Board review and monitoring, shall implement and thereafter adhere to an independent, ’s internal audit program to correct the internal audit deficiencies described in the most recent ▇▇▇. The independent, internal audit program shall comply with OCC Bulletin 2003-12, Interagency Policy Statement on Internal Audit and Internal Audit Outsourcing, (March 17, 2003) and shall include an annual written audit plan using a ensure sufficient risk based approach sufficient audit coverage by an adequately staffed department or outside firm, with respect to achieve the objectives outlined in this Article, including requirements for written reports to the Board Audit Committee at least quarterly. The program shall, at a minimum, include standards for the depth both experience level and scope number of audits, sampling and transaction testing, investigation of root causes, follow-up on exceptions, elevation of findings to the Board Audit Committee, validation of corrective actionsindividuals employed, and an assessment of internal to ensure that audit effectivenessscheduling, staff levels, scope and staff performance. The independent, internal audit program shall be sufficient, at a minimum, testing are sufficient to: (a) detect and identify the root causes of irregularities and weak practices in and other exceptions to the Bank's operations; (b) determine the Bank's level of compliance with all applicable laws, rules, rules and regulations and regulatory guidance, including consumer protection laws, regulations, and regulatory OCC guidance; (c) assess and report on the effectiveness of policies, procedures, controls, risk management practices, and management information systems; (d) evaluate the Bank's adherence to established policies and procedures, including the Bank's adherence to its loan policies related to underwriting standards and problem loan identification and classification; (d) ensure adequate audit coverage in all areas; and (e) adequately and timely evaluate the efficiency and effectiveness adequacy of the Bank’s corporate governance, 's internal controls, and risk management functions; (f) ensure timely and appropriate follow-up on identified deficiencies, weak practices and other exceptions to ensure timely implementation, verification and documentation of corrective action; and (g) review and evaluate the Bank’s actions taken to comply with this Agreementcontrol systems. (2) As part Within ninety (90) days after the effective date of this audit programAgreement, the Board shall evaluate establish, implement and thereafter ensure adherence to a process to: (a) track the auditor’s progress in completing the annual audit schedule developed to meet the objectives in paragraph (1); and (b) ensure the auditor maintains an appropriate audit trail, which documents the procedures performed and supports the conclusions contained in the audit reports of any party providing services to the Bank, and shall assess the impact on the Bank of any audit deficiencies cited in such reports. (3) The Board shall ensure the audit function is supported by an adequately staffed department or outside firm, including with respect to qualifications, experience level and number of individuals employed. (4) The Board shall ensure that the audit program is independent. The persons independent by requiring that the person(s) responsible for implementing the internal audit program described in this Article above shall not be independent, qualified responsible for any operational area and report that such person(s) reports directly to the Board Audit CommitteeBoard, which or a designated committee thereof, that shall have the sole power to direct their activities. All reports prepared by the audit staff shall be filed in writing directly with the Board Audit Committee or such designated committee and not through any intervening party. (54) All audit The Board shall ensure that the auditor provides written reports shall be in writingdetailing any exceptions, deficiencies or recommendations noted as a result of its review. The Board shall also ensure that immediate actions are undertaken to correct remedy deficiencies cited or to address other audit recommendations in audit reports and shall maintain a written record describing the deficiency, the projected corrective action, and the status of the corrective action. The Board shall ensure that internal audit management provides detailed written explanation in those circumstances, if any, where the deficiencies cannot be remediedthese reports, and that the audit staff maintain independent auditor maintains a written record describing those actions. The Board Board, or a designated committee thereof, shall provide for a timely, independent, written meet at least quarterly to review the auditor's reports and to verify timely follow-up for any uncorrected deficiencieson cited deficiencies and recommendations. (6) The audit staff shall have access to any records necessary for the proper conduct of its activities. OCC examiners shall have access to all reports and work papers of the audit staff and any other parties working on its behalf. (75) Upon adoption, a copy of the internal audit program shall be promptly submitted to the Assistant Deputy Comptroller. (6) The Board shall ensure that the Bank has processes, personnel, and control systems to ensure implementation of and adherence to the program developed pursuant to this Article.

Internal Audit. (1) Within sixty The Internal Audit Executive (60the “Auditor”) days shall report directly to the Audit/Risk Committee of the date Board, be evaluated by that group, although s/he may report administratively to the Chairman of this Agreementthe Board, President and Chief Executive Officer, and shall participate as an ex-officio member of the Disclosure Control Committee. (2) Within ninety (90) days, the Audit/Risk Committee of the Board shall adopt, and the Bank, subject to Board review and monitoring, shall implement and thereafter adhere take the necessary steps to ensure the Bank has an independent, internal audit program to correct the internal audit deficiencies described in the most recent ▇▇▇. The independentof sufficient scope, internal audit program shall comply with OCC Bulletin 2003-12, Interagency Policy Statement on Internal Audit and Internal Audit Outsourcing, (March 17, 2003) and shall include an annual written audit plan using a risk based approach sufficient to achieve the objectives outlined in this Article, including requirements for written reports to the Board Audit Committee at least quarterly. The program shall, at a minimum, include standards for the depth and scope of audits, sampling and transaction testing, investigation of root causes, follow-up on exceptions, elevation of findings to the Board Audit Committee, validation of corrective actions, and an assessment of internal audit effectiveness, staff levelsfrequency, and staff performance. The independent, internal audit program shall be sufficient, at a minimum, to: (a) detect irregularities, weak practices, violations of law and identify the root causes regulation, breaches of irregularities fiduciary duty, and weak practices in unsafe and other exceptions to the Bank's operationsunsound banking practices; (b) determine assess and report the Bank's level effectiveness of compliance with all applicable lawspolicy, rulesprocedure, regulations and regulatory guidance, including consumer protection laws, regulationscontrols, and regulatory guidancemanagement relating to accounting and financial reporting; (c) assess ensure that the Bank establishes and report on the effectiveness of policies, procedures, controls, risk management practices, and management information systemsmaintains adequate “internal controls over financial reporting;” (d) evaluate the Bank's adherence to established policies ensure that accounting policy and procedures;procedures are functioning effectively and that necessary documentation and communication are occurring; and (e) adequately and timely evaluate the efficiency and effectiveness of the Bank’s corporate governance, internal controls, and risk management functions; (f) ensure timely and appropriate follow-up on identified deficiencies, weak practices and other exceptions to ensure timely implementation, verification and documentation of corrective action; and (g) review and evaluate provide an opinion regarding whether regulatory reports beginning with the Bank’s actions taken to comply with this Agreement. quarter ending March 31, 2005 contain “material misstatements” within thirty (230) As part days of this audit program, the Board shall evaluate the audit reports of any party providing services to the Bank, and shall assess the impact on the Bank of any audit deficiencies cited in such reportseach filing. (3) The If the Audit/Risk Committee of the Board becomes aware of one or more “material weaknesses” in the “internal control structure and procedures for financial reporting,” and if the weaknesses are not corrected within the quarter identified, the Audit/Risk Committee of the Board shall ensure notify management of Huntington Bancshares, Inc. of the audit function is supported by an adequately staffed department or outside firm, including with respect to qualifications, experience level and number existence of individuals employedthe “material weaknesses.” (4) The Upon completion of its annual audit of the Huntington Bancshares, Inc. financial statements, the Audit/Risk Committee of the Board shall ensure that obtain from the audit program is independent. The persons responsible for implementing the internal audit program described in this Article shall be independent, qualified and report directly external auditor a list of all proposed adjustments to the Board Audit CommitteeBank’s books and records, which shall have whether or not deemed material, along with an explanation of how the sole power to direct their activities. All reports prepared by the audit staff shall be filed in writing directly with the Board Audit Committee and not through any intervening partyproposed adjustment was resolved. (5) All audit reports shall be For purposes of this Agreement, “internal control structure and procedures for financial reporting” has the same meaning as that term is used in writing. The Board shall ensure immediate actions are undertaken to correct deficiencies cited in audit reports and shall maintain a written record describing the deficiency, the projected corrective action, and the status Section 404 of the corrective action▇▇▇▇▇▇▇▇- ▇▇▇▇▇ Act of 2002; “material weaknesses” has the same meaning as that term is used in Statement on Auditing Standards (“SAS”) No. The Board shall ensure that internal audit management provides detailed written explanation 60 (AU 325.15); and “material misstatements has the same meaning as the term is used in those circumstances, if any, where the deficiencies cannot be remedied, and that the audit staff maintain a written record describing those actionsSEC’s Staff Accounting Bulletin No. The Board shall provide for a timely, independent, written follow-up for any uncorrected deficiencies99 on Materiality (“SAB 99”). (6) The audit staff shall have access to any records necessary for the proper conduct of its activities. OCC examiners shall have access to all reports and work papers of the audit staff and any other parties working on its behalf. (7) Upon adoption, a copy of the internal audit program shall be promptly submitted to the Assistant Deputy Comptroller.

Internal Audit. (1) Within sixty The Internal Audit Executive (60the “Auditor”) days shall report directly to the Audit/Risk Committee of the date Board, be evaluated by that group, although s/he may report administratively to the Chairman of this Agreementthe Board, President and Chief Executive Officer, and shall participate as an ex-officio member of the Disclosure Control Committee. (2) Within ninety (90) days, the Audit/Risk Committee of the Board shall adopt, and the Bank, subject to Board review and monitoring, shall implement and thereafter adhere take the necessary steps to ensure the Bank has an independent, internal audit program to correct the internal audit deficiencies described in the most recent ▇▇▇. The independentof sufficient scope, internal audit program shall comply with OCC Bulletin 2003-12, Interagency Policy Statement on Internal Audit and Internal Audit Outsourcing, (March 17, 2003) and shall include an annual written audit plan using a risk based approach sufficient to achieve the objectives outlined in this Article, including requirements for written reports to the Board Audit Committee at least quarterly. The program shall, at a minimum, include standards for the depth and scope of audits, sampling and transaction testing, investigation of root causes, follow-up on exceptions, elevation of findings to the Board Audit Committee, validation of corrective actions, and an assessment of internal audit effectiveness, staff levelsfrequency, and staff performance. The independent, internal audit program shall be sufficient, at a minimum, to: (a) detect irregularities, weak practices, violations of law and identify the root causes regulation, breaches of irregularities fiduciary duty, and weak practices in unsafe and other exceptions to the Bank's operationsunsound banking practices; (b) determine assess and report the Bank's level effectiveness of compliance with all applicable lawspolicy, rulesprocedure, regulations and regulatory guidance, including consumer protection laws, regulationscontrols, and regulatory guidancemanagement relating to accounting and financial reporting; (c) assess ensure that the Bank establishes and report on the effectiveness of policies, procedures, controls, risk management practices, and management information systemsmaintains adequate “internal controls over financial reporting;” (d) evaluate the Bank's adherence to established policies ensure that accounting policy and procedures;procedures are functioning effectively and that necessary documentation and communication are occurring; and (e) adequately and timely evaluate the efficiency and effectiveness of the Bank’s corporate governance, internal controls, and risk management functions; (f) ensure timely and appropriate follow-up on identified deficiencies, weak practices and other exceptions to ensure timely implementation, verification and documentation of corrective action; and (g) review and evaluate provide an opinion regarding whether regulatory reports beginning with the Bank’s actions taken to comply with this Agreement. quarter ending March 31, 2005 contain “material misstatements” within thirty (230) As part days of this audit program, the Board shall evaluate the audit reports of any party providing services to the Bank, and shall assess the impact on the Bank of any audit deficiencies cited in such reportseach filing. (3) The If the Audit/Risk Committee of the Board becomes aware of one or more “material weaknesses” in the “internal control structure and procedures for financial reporting,” and if the weaknesses are not corrected within the quarter identified, the Audit/Risk Committee of the Board shall ensure notify management of Huntington Bancshares, Inc. of the audit function is supported by an adequately staffed department or outside firm, including with respect to qualifications, experience level and number existence of individuals employedthe “material weaknesses.” (4) The Upon completion of its annual audit of the Huntington Bancshares, Inc. financial statements, the Audit/Risk Committee of the Board shall ensure that obtain from the audit program is independent. The persons responsible for implementing the internal audit program described in this Article shall be independent, qualified and report directly external auditor a list of all proposed adjustments to the Board Audit CommitteeBank’s books and records, which shall have whether or not deemed material, along with an explanation of how the sole power to direct their activities. All reports prepared by the audit staff shall be filed in writing directly with the Board Audit Committee and not through any intervening partyproposed adjustment was resolved. (5) All audit reports shall be For purposes of this Agreement, “internal control structure and procedures for financial reporting” has the same meaning as that term is used in writing. The Board shall ensure immediate actions are undertaken to correct deficiencies cited in audit reports and shall maintain a written record describing the deficiency, the projected corrective action, and the status Section 404 of the corrective actionS▇▇▇▇▇▇▇-▇▇▇▇▇ Act of 2002; “material weaknesses” has the same meaning as that term is used in Statement on Auditing Standards (“SAS”) No. The Board shall ensure that internal audit management provides detailed written explanation 60 (AU 325.15); and “material misstatements has the same meaning as the term is used in those circumstances, if any, where the deficiencies cannot be remedied, and that the audit staff maintain a written record describing those actionsSEC’s Staff Accounting Bulletin No. The Board shall provide for a timely, independent, written follow-up for any uncorrected deficiencies99 on Materiality (“SAB 99”). (6) The audit staff shall have access to any records necessary for the proper conduct of its activities. OCC examiners shall have access to all reports and work papers of the audit staff and any other parties working on its behalf. (7) Upon adoption, a copy of the internal audit program shall be promptly submitted to the Assistant Deputy Comptroller.

Internal Audit. (1) Within sixty ninety (6090) days of the date of this Agreement, the Board Bank shall adopt, and submit to the Bank, subject to Board Assistant Deputy Comptroller for review and monitoringprior written determination of no supervisory objection an acceptable, shall implement and thereafter adhere to an independent, comprehensive, written internal audit program that adequately assesses controls and operations to correct allow the Board and management to understand the sufficiency of the Bank’s internal controls system (“Internal Audit Program”). (2) Management shall ensure the Internal Audit Program complies with the standards for internal audit deficiencies described systems set forth in Section II.B of the most recent ▇▇▇Interagency Guidelines Establishing Standards for Safety and Soundness, Appendix A to 12 C.F.R. Part 30. Refer to the “Internal and External Audits” booklet of the Comptroller’s Handbook for related safe and sound principles. The independent, internal audit program shall comply with OCC Bulletin 2003-12, Interagency Policy Statement on Internal Audit Program shall incorporate standards of safety and Internal Audit Outsourcingsoundness that are commensurate with the Bank’s size, (March 17complexity, 2003) scope of activities, and shall include an annual written audit plan using a risk based approach sufficient to achieve the objectives outlined in this Article, including requirements for written reports to the Board Audit Committee at least quarterly. The program profile and shall, at a minimum, include standards for the depth and scope of audits, sampling and transaction testing, investigation of root causes, follow-up on exceptions, elevation of findings to the Board Audit Committee, validation of corrective actions, and an assessment of internal audit effectiveness, staff levels, and staff performance. The independent, internal audit program shall be sufficient, at a minimum, to: (a) detect provide an objective, independent review and identify the root causes evaluation of irregularities and weak practices in and other exceptions to the Bank's operations; (b) determine the Bank's level of compliance with all applicable laws’s activities, rules, regulations and regulatory guidance, including consumer protection laws, regulations, and regulatory guidance; (c) assess and report on the effectiveness of policies, procedures, internal controls, risk management practices, and management information systems; (b) require the development of an annual risk assessment of the Bank’s auditable areas, with annual documented Audit Committee approval of the risk assessment; (c) require the development of an internal audit plan that is risk-based and provides adequate audit scope, coverage, and frequency for all areas of the Bank, with annual documented Audit Committee approval of the internal audit plan and Audit Committee notification of any material variance from the plan; (d) evaluate address the Bank's adherence use of third-parties to established policies complete any internal audit activities, including documented Audit Committee approval of selection and procedurestermination of third-parties; refer to OCC Bulletin 2023-17, “Third-Party Relationships: Interagency Guidance on Risk Management,” for related safe and sound principles; (e) adequately and timely evaluate the efficiency reliability, adequacy, and effectiveness of the Bank’s corporate governanceinternal controls system, internal controlswhether operated by the Bank or a third-party, and risk management functionsidentify the root cause of identified deficiencies; (f) ensure evaluate whether the Bank’s internal controls system results in prompt and accurate recording of transactions and proper safeguarding of assets; (g) determine whether the Bank complies with laws and regulations and adheres to its established policies, procedures, and processes; (h) require all internal audits to be supported through adequate transaction testing, which includes documenting the transaction testing methodology, sample size, the accounts and names selected for testing, the documents reviewed as part of the testing, and the results of transaction testing; (i) require management to take appropriate and timely steps to address control deficiencies and appropriate follow-up audit report recommendations and report its validated progress to the Audit Committee on identified deficienciesat least a quarterly basis and require the Audit Committee to make a documented determination of whether the actions taken by management are satisfactory; (j) require all internal audit reports to be in writing and distributed directly, weak practices and other exceptions not through any intervening party, to ensure the Audit Committee in a timely implementation, verification and documentation of corrective actionmanner after audit completion; and (gk) review require audit work papers and evaluate the Bank’s actions taken to comply with this Agreement. (2) As part of this documentation that provides a meaningful audit programtrail and validation for audit findings, the Board shall evaluate the audit reports of any party providing services to the Bankconclusions, and shall assess the impact on the Bank of any audit deficiencies cited in such reportsrecommendations. (3) The Board shall ensure provide effective oversight of the Internal Audit Program, including: (a) verifying that management has adequately staffed the internal audit function, using internal resources and/or third-parties, with respect to both the number of auditors required and their knowledge, skills, and experience; (b) verifying the internal audit function is supported by an adequately staffed department independent and objective. The person responsible for implementing the Internal Audit Program shall functionally report directly to the Audit Committee, which shall direct his or outside firmher activities, including with respect set compensation, and evaluate performance; (c) verifying management’s actions to qualificationsaddress material weaknesses in a timely manner and, experience level where appropriate, directing management to take additional action; (d) requiring the Audit Committee to perform adequate and number documented review of individuals employedaudit workpapers to ensure quality and reasonableness of internal audit’s work, findings, and recommendations; and (e) verifying management satisfies all statutory, regulatory, and supervisory requirements. (4) The Board shall ensure that the audit program is independent. The persons responsible for implementing the internal audit program described in this Article shall be independent, qualified and report directly to the Board Audit Committee, which shall have the sole power to direct their activities. All reports prepared by the audit staff shall be filed in writing directly with the Board Audit Committee and not through any intervening party. (5) All audit reports shall be in writing. The Board shall ensure immediate actions are undertaken to correct deficiencies cited in audit reports and shall maintain a written record describing the deficiency, the projected corrective action, and the status of the corrective action. The Board shall ensure that internal audit management provides detailed written explanation in those circumstances, if any, where the deficiencies cannot be remedied, and that the audit staff maintain a written record describing those actions. The Board shall provide for a timely, independent, written follow-up for any uncorrected deficiencies. (6) The audit staff shall have access to any records necessary for the proper conduct of its activities. The OCC examiners shall have access to all reports and work papers of the internal audit staff and any other third parties working on its behalfproviding internal audit services. (75) Upon adoption, a copy Within thirty (30) days following receipt of the internal audit program Assistant Deputy Comptroller’s written determination of no supervisory objection to the Internal Audit Program or to any subsequent amendment to the Internal Audit Program, the Board shall adopt and Bank management, subject to Board review and ongoing monitoring, shall immediately implement and thereafter ensure adherence to the Internal Audit Program. The Board shall review the effectiveness of the Internal Audit Program at least annually, and more frequently if necessary or if required by the OCC in writing, and amend the Internal Audit Program as needed or directed by the OCC. Any amendment to the Internal Audit Program must be promptly submitted to the Assistant Deputy ComptrollerComptroller for review and prior written determination of no supervisory objection.

Internal Audit. (1) Within sixty The Internal Audit Executive (60the “Auditor”) days shall report directly to the Audit/Risk Committee of the date Board, be evaluated by that group, although s/he may report administratively to the Chairman of this Agreementthe Board, President and Chief Executive Officer, and shall participate as an ex-officio member of the Disclosure Control Committee. (2) Within ninety (90) days, the Audit/Risk Committee of the Board shall adopt, and the Bank, subject to Board review and monitoring, shall implement and thereafter adhere take the necessary steps to ensure the Bank has an independent, internal audit program to correct the internal audit deficiencies described in the most recent ▇▇▇. The independentof sufficient scope, internal audit program shall comply with OCC Bulletin 2003-12, Interagency Policy Statement on Internal Audit and Internal Audit Outsourcing, (March 17, 2003) and shall include an annual written audit plan using a risk based approach sufficient to achieve the objectives outlined in this Article, including requirements for written reports to the Board Audit Committee at least quarterly. The program shall, at a minimum, include standards for the depth and scope of audits, sampling and transaction testing, investigation of root causes, follow-up on exceptions, elevation of findings to the Board Audit Committee, validation of corrective actions, and an assessment of internal audit effectiveness, staff levelsfrequency, and staff performance. The independent, internal audit program shall be sufficient, at a minimum, to: (a) detect irregularities, weak practices, violations of law and identify the root causes regulation, breaches of irregularities fiduciary duty, and weak practices in unsafe and other exceptions to the Bank's operationsunsound banking practices; (b) determine assess and report the Bank's level effectiveness of compliance with all applicable lawspolicy, rulesprocedure, regulations and regulatory guidance, including consumer protection laws, regulationscontrols, and regulatory guidancemanagement relating to accounting and financial reporting; (c) assess ensure that the Bank establishes and report on the effectiveness of policies, procedures, controls, risk management practices, and management information systemsmaintains adequate “internal controls over financial reporting;” (d) evaluate the Bank's adherence to established policies ensure that accounting policy and procedures;procedures are functioning effectively and that necessary documentation and communication are occurring; and (e) adequately and timely evaluate the efficiency and effectiveness of the Bank’s corporate governance, internal controls, and risk management functions; (f) ensure timely and appropriate follow-up on identified deficiencies, weak practices and other exceptions to ensure timely implementation, verification and documentation of corrective action; and (g) review and evaluate provide an opinion regarding whether regulatory reports beginning with the Bank’s actions taken to comply with this Agreement. quarter ending March 31, 2005 contain “material misstatements” within thirty (230) As part days of this audit program, the Board shall evaluate the audit reports of any party providing services to the Bank, and shall assess the impact on the Bank of any audit deficiencies cited in such reportseach filing. (3) The If the Audit/Risk Committee of the Board becomes aware of one or more “material weaknesses” in the “internal control structure and procedures for financial reporting,” and if the weaknesses are not corrected within the quarter identified, the Audit/Risk Committee of the Board shall ensure notify management of Huntington Bancshares, Inc. of the audit function is supported by an adequately staffed department or outside firm, including with respect to qualifications, experience level and number existence of individuals employedthe “material weaknesses.” (4) The Upon completion of its annual audit of the Huntington Bancshares, Inc. financial statements, the Audit/Risk Committee of the Board shall ensure that obtain from the audit program is independent. The persons responsible for implementing the internal audit program described in this Article shall be independent, qualified and report directly external auditor a list of all proposed adjustments to the Board Audit CommitteeBank’s books and records, which shall have whether or not deemed material, along with an explanation of how the sole power to direct their activities. All reports prepared by the audit staff shall be filed in writing directly with the Board Audit Committee and not through any intervening partyproposed adjustment was resolved. (5) All audit reports shall be For purposes of this Agreement, “internal control structure and procedures for financial reporting” has the same meaning as that term is used in writing. The Board shall ensure immediate actions are undertaken to correct deficiencies cited in audit reports and shall maintain a written record describing the deficiency, the projected corrective action, and the status Section 404 of the corrective action▇▇▇▇▇▇▇▇-▇▇▇▇▇ Act of 2002; “material weaknesses” has the same meaning as that term is used in Statement on Auditing Standards (“SAS”) No. The Board shall ensure that internal audit management provides detailed written explanation 60 (AU 325.15); and “material misstatements has the same meaning as the term is used in those circumstances, if any, where the deficiencies cannot be remedied, and that the audit staff maintain a written record describing those actionsSEC’s Staff Accounting Bulletin No. The Board shall provide for a timely, independent, written follow-up for any uncorrected deficiencies99 on Materiality (“SAB 99”). (6) The audit staff shall have access to any records necessary for the proper conduct of its activities. OCC examiners shall have access to all reports and work papers of the audit staff and any other parties working on its behalf. (7) Upon adoption, a copy of the internal audit program shall be promptly submitted to the Assistant Deputy Comptroller.

Internal Audit. (1) Within sixty (60) days of the date of this Agreement, the Board shall designate a committee of at least three (3) directors with relevant banking experience, to review and monitor the Bank’s implementation and adherence to the independent, internal audit program required by paragraph two (2) of this Article. A majority of the members of this committee shall not be an employee or controlling shareholder of the Bank or any of its affiliates (as the term “affiliate” is defined in 12 U.S.C. § 371c(b)(1)), or a family member of any such person. The composition of this committee shall not be identical to the composition of the Compliance Committee required by Article II of this Agreement. In the event of a change of the membership, the name of any new member shall be immediately submitted in writing to the Assistant Deputy Comptroller. (2) Within ninety (90) days of the date of this Agreement, the Board shall adopt, and the Bank, Bank (subject to Board review and monitoring, ongoing monitoring by the committee established pursuant to paragraph one (1) of this Article) shall implement and thereafter adhere ensure adherence to an independent, internal audit program to correct the internal audit deficiencies described in the most recent ▇▇▇. The independent, internal audit program shall comply with OCC Bulletin 2003-12, Interagency Policy Statement on Internal Audit and Internal Audit Outsourcing, (March 17, 2003) and shall include an annual written audit plan using a risk based approach sufficient to achieve the objectives outlined in this Article, including requirements for written reports to the Board Audit Committee at least quarterly. The program shall, at a minimum, include standards for the depth and scope of audits, sampling and transaction testing, investigation of root causes, follow-up on exceptions, elevation of findings to the Board Audit Committee, validation of corrective actions, and an assessment of internal audit effectiveness, staff levels, and staff performance. The independent, internal audit program shall be sufficient, at a minimum, to: (a) detect and identify the root causes of irregularities and weak practices in and other exceptions to the Bank's operations; (b) determine the Bank's level of compliance with all applicable laws, rules, regulations rules and regulatory guidance, including consumer protection laws, regulations, and regulatory guidance; (c) determine the Bank’s level of compliance with the requirements of this Agreement; (d) assess and report on the effectiveness of policies, procedures, controls, risk management practices, and management information systemsoversight relating to accounting and financial reporting; (de) evaluate the Bank's adherence to established policies and procedures; (e) adequately and timely evaluate the efficiency and effectiveness of , with particular emphasis directed to the Bank’s corporate governance, internal controls, 's adherence to its loan policies concerning underwriting standards and risk management functionsproblem loan identification and classification; (f) ensure timely review and appropriate follow-up provide an opinion regarding whether regulatory reports beginning with the quarter ending March 31, 2015, contain “material misstatements” within thirty (30) days of filing; for purposes of this Article, “material misstatements” has the same meaning as the term is used in the SEC’s Staff Accounting Bulletin No. 99 on identified deficiencies, weak practices and other exceptions to ensure timely implementation, verification and documentation of corrective actionMateriality (“SAB 99”); (g) adequately cover all areas; and (gh) review and evaluate the Bank’s actions taken establish an annual audit plan using a risk based approach (with a written risk assessment) sufficient to comply with this Agreementachieve these objectives. (23) As part of this audit program, the Board or the committee established pursuant to paragraph one (1) of this Article, shall evaluate the audit reports of any party providing services to the Bank, and shall assess the impact on the Bank of any audit deficiencies cited in such reports. (34) The Board shall ensure that the audit function is supported by an adequately staffed department or outside firm, including with respect to qualifications, both the experience level and number of the individuals employed. (45) The Board shall ensure that the audit program is independent. The persons responsible for implementing the internal audit program described in required by this Article shall be independent, qualified and report directly to the Board Audit CommitteeBoard, which shall have the sole power to direct their activities. All reports prepared by the audit staff shall be filed in writing directly with the Board Audit Committee and not through any intervening party. (56) All audit reports shall be in writing. The Board shall ensure that immediate actions are undertaken to correct remedy deficiencies cited in audit reports and shall maintain a written record describing the deficiency, the projected corrective action, and the status of the corrective action. The Board shall ensure that internal audit management provides detailed written explanation in those circumstances, if any, where the deficiencies cannot be remediedreports, and that the audit staff auditors maintain a written record describing those actions. The Board shall provide for a timelyalso ensure that actions undertaken to remedy deficiencies cited in any audit report are subject to independent verification, independent, written follow-up for any uncorrected deficiencieswhich shall be documented in the Bank’s records. (67) The audit staff shall have access to any records necessary for the proper conduct of its activities. OCC The examiners shall have access to all reports and work papers of the audit staff and any other parties working on its behalf. (7) . Upon adoption, a copy of the internal audit program shall be promptly submitted to the Assistant Deputy Comptroller.

Internal Audit. (1) Within sixty (60) days of the date of this Agreementdays, the Board shall adopt, and the Bankimplement, subject to Board review and monitoring, shall implement and thereafter adhere ensure Bank adherence to an independent, internal audit program to correct that includes the internal audit deficiencies described in the most recent ▇▇▇. The independent, internal audit program shall comply with OCC Bulletin 2003-12, Interagency Policy Statement on Internal Audit and Internal Audit Outsourcing, (March 17, 2003) and shall include an annual written audit plan using a risk based approach sufficient to achieve the objectives outlined in this Article, including requirements for written reports to the Board Audit Committee at least quarterly. The program shall, at a minimum, include standards for the depth and scope of audits, sampling and transaction testing, investigation of root causes, follow-up on exceptions, elevation of findings to the Board Audit Committee, validation of corrective actions, and an assessment of internal audit effectiveness, staff levels, and staff performance. The independent, internal audit program shall be sufficient, at a minimum, tofollowing: (a) detect Revise policies and identify the root causes procedures to improve effectiveness of irregularities Board Audit Committee oversight to ensure an adequate internal audit program, qualified and weak practices in sufficient internal audit staff, timely correction of identified deficiencies, and other exceptions to the Bank's operations;an effectively administered audit program. (b) Strengthen the internal audit program by performing the following: (i) Engage an independent firm to review the recently completed self-assessments of Audit Committee members to determine the Bank's level adequacy of compliance with all applicable laws, rules, regulations their qualifications and regulatory guidance, including consumer protection laws, regulations, and regulatory guidancetheir independence; (cii) assess Engage an independent firm to evaluate qualifications of the internal audit manager and report on internal audit staff as well as the effectiveness of policies, procedures, controls, risk management practices, and management information systemsaudit manager’s administrative capabilities; (diii) evaluate Revise the Bank's adherence internal audit risk assessment and resulting schedule to established policies ensure they are risk based and proceduresinclude all significant areas of bank operations and important processes; (eiv) adequately Review and timely evaluate the efficiency and effectiveness of the Bank’s corporate governance, internal controls, and risk revise procedures to ensure they are sufficient to properly enforce management functionsaccountability for correcting identified deficiencies; (fv) ensure timely and appropriate follow-up on identified deficiencies, weak practices and other exceptions Improve the quality of internal audit reports to ensure timely implementationthe scope and coverage is clear and reasonable, verification provide useful and documentation of corrective action; and (g) review specific recommendations, and evaluate the Bank’s actions taken to comply detail individual loans or other matters with this Agreementdeficiencies. (2) As part of this audit program, the Board shall evaluate the audit reports of any third party providing services to the Bank, and shall assess the impact on the Bank of any audit deficiencies cited in such reports. (3) The Board shall ensure that the audit function is supported by an adequately staffed department or outside firm, including with respect to qualifications, both the experience level and number of the individuals employed. (4) The Board shall ensure that the audit program is independent. The persons responsible for implementing the internal audit program described in this Article above shall be independent, qualified and report directly to the Board Audit CommitteeCommittee of the Board, which shall have the sole power to direct their activities. All reports prepared by the audit staff shall be filed in writing directly with the Board Audit Committee and not through any intervening party. (5) All audit reports shall be If the Board becomes aware of one or more “material weaknesses” in writing. The Board shall ensure immediate actions the “internal control structure and procedures for financial reporting,” and if the weaknesses are undertaken to correct deficiencies cited in audit reports and shall maintain a written record describing not corrected within the deficiencyquarter identified, the projected corrective action, and Board must notify the status management of the corrective actionYardville National Bancorp of the existence of the “material weaknesses.” For purposes of this Article, “material weaknesses” and “internal control structure and procedures for financial reporting,” have the same meaning as the terms are used in Section 404 of the S▇▇▇▇▇▇▇-▇▇▇▇▇ Act of 2002 and Statement on Auditing Standards No. The Board shall ensure that internal audit management provides detailed written explanation in those circumstances60 (“SAS 60”), if any, where the deficiencies cannot be remedied, and that the audit staff maintain a written record describing those actions. The Board shall provide for a timely, independent, written follow-up for any uncorrected deficienciesrespectively. (6) The audit staff shall have access to any records necessary for the proper conduct of its activities. OCC examiners shall have access to all reports and work papers of the audit staff and any other parties working on its behalf. (7) Upon adoption, a copy of the internal audit program shall be promptly submitted to the Assistant Deputy Comptroller.

Internal Audit. (1) Within sixty (60) days of the date of this Agreement, the The Board shall adopt, and the Bank, subject to Board review and monitoring, shall implement and thereafter adhere ensure continued Bank adherence to an independent, internal audit program to correct the internal audit deficiencies described in the most recent ▇▇▇. The independent, internal audit program shall comply with OCC Bulletin 2003-12, Interagency Policy Statement on Internal Audit and Internal Audit Outsourcing, (March 17, 2003) and shall include an annual written audit plan using a risk based approach sufficient to achieve the objectives outlined in this Article, including requirements for written reports to the Board Audit Committee at least quarterly. The program shall, at a minimum, include standards for the depth and scope of audits, sampling and transaction testing, investigation of root causes, follow-up on exceptions, elevation of findings to the Board Audit Committee, validation of corrective actions, and an assessment of internal audit effectiveness, staff levels, and staff performance. The independent, internal audit program shall be sufficient, at a minimum, to: (a) detect and identify the root causes of irregularities and weak practices in and other exceptions to the Bank's operations; (b) determine the Bank's level of compliance with all applicable laws, rules, regulations rules and regulatory guidance, including consumer protection laws, regulations, and regulatory guidance; (c) assess and report on the effectiveness of policies, procedures, controls, risk management practices, and management information systemsoversight relating to accounting and financial reporting; (d) evaluate the Bank's adherence to established policies and procedures, with particular emphasis directed to the Bank's adherence to its loan policies concerning underwriting standards and problem loan identification and classification; (e) adequately and timely evaluate the efficiency and effectiveness of the Bank’s corporate governance, internal controls, and risk management functions;cover all areas; and (f) ensure timely and appropriate follow-up on identified deficiencies, weak practices and other exceptions establish an annual audit plan using a risk based approach sufficient to ensure timely implementation, verification and documentation of corrective action; and (g) review and evaluate the Bank’s actions taken to comply with this Agreementachieve these objectives. (2) As part of this audit program, the Board shall evaluate the audit reports of any party providing services to the Bank, and shall assess the impact on the Bank of any audit deficiencies cited in such reports. (3) The Board shall ensure that the Bank has processes, personnel, and control systems to ensure implementation of and adherence to the program developed pursuant to this Article. (4) The Board shall ensure that the audit function is supported by an adequately staffed department or outside firm, including with respect to qualifications, both the experience level and number of the individuals employed. (45) The Board shall ensure that the audit program is independent. The persons responsible for implementing the internal audit program described in this Article above shall be independent, qualified and report directly to the Board Audit CommitteeBoard, which shall have the sole power to direct their activities. All reports prepared by the audit staff shall be filed in writing directly with the Board Audit Committee and not through any intervening party. (56) All audit reports shall be in writing. The Board shall ensure that immediate actions are undertaken to correct remedy deficiencies cited in audit reports and shall maintain a written record describing the deficiency, the projected corrective action, and the status of the corrective action. The Board shall ensure that internal audit management provides detailed written explanation in those circumstances, if any, where the deficiencies cannot be remediedreports, and that the audit staff auditors maintain a written record describing those actions. The Board shall provide for a timely, independent, written follow-up for any uncorrected deficiencies. (67) The audit staff shall have access to any records necessary for the proper conduct of its activities. OCC National bank examiners shall have access to all reports and work papers of the audit staff and any other parties working on its behalf. (7) Upon adoption8) By April 30, a copy 2008 and quarterly thereafter, copies of the internal all completed audit program reports shall be promptly submitted to the Assistant Deputy Comptroller.

Internal Audit. (1) Within sixty one-hundred and twenty (60120) days days, the Board, or a designated committee of the date of this AgreementBoard, the Board shall adopt, and the Bankimplement, subject to Board review and monitoring, shall implement and thereafter adhere ensure Bank adherence to an independent, independent internal audit program to correct the internal audit deficiencies described in the most recent ▇▇▇. The independentprogram, internal audit program shall comply with OCC Bulletin 2003-12addressing its scope, Interagency Policy Statement on Internal Audit and Internal Audit Outsourcing, (March 17, 2003) and shall include an annual written audit plan using a risk based approach sufficient to achieve the objectives outlined in this Article, including requirements for written reports to the Board Audit Committee at least quarterly. The program shall, at a minimum, include standards for the depth and scope of audits, sampling and transaction testing, investigation of root causes, follow-up on exceptions, elevation of findings to the Board Audit Committee, validation of corrective actions, and an assessment of internal audit effectiveness, staff levels, and staff performance. The independent, internal audit program shall be sufficient, at a minimum, documentation requirements sufficient to: (a) detect and identify the root causes of irregularities and weak practices in and other exceptions to the Bank's operations; (b) determine the Bank's level of compliance with all applicable laws, rules, regulations rules and regulatory guidance, including consumer protection laws, regulations, and regulatory guidance; (c) assess and report on the effectiveness of policies, procedures, controls, risk management practices, and management information systemsoversight relating to accounting and financial reporting; (d) evaluate the Bank's adherence to established revised policies and procedures, with particular emphasis directed to the Bank's adherence to its loan, credit administration, BSA, consumer compliance, and information technology policies; (e) adequately and timely evaluate the efficiency and effectiveness of the Bank’s corporate governancecover all areas including but not limited to: information technology, internal controlsBSA, consumer regulations, financial reporting, and risk management functions;banking operations; and (f) ensure timely and appropriate follow-up on identified deficienciesestablish an annual audit plan using a risk based approach sufficient to achieve these objectives, weak practices and other exceptions to ensure timely implementation, verification and documentation of corrective action; and (g) review and evaluate from which deviations in the Bank’s actions taken to comply internal audits of more than 45 days will occur only with this AgreementBoard approval. (2) As part of this audit program, the Board shall evaluate the audit reports of any party providing services to the Bank, and shall assess the impact on the Bank of any audit deficiencies cited in such reports. (3) The Board shall ensure an appropriate level of testing to support the audit findings. (4) The Board shall ensure that the audit function is supported by an adequately staffed department or outside firm, including with respect to qualifications, both the experience level and number of the individuals employed. (45) The Board shall ensure that the audit program is independent. The persons responsible for implementing the internal audit program described in this Article above shall be independent, qualified and report directly to the Board Audit CommitteeBoard, which shall have the sole power to direct their activities. All reports prepared by the audit staff shall be filed in writing directly with the Board Audit Committee and not through any intervening party, including any individual who is a director. (56) All audit reports shall be in writing. The Board shall ensure immediate actions are undertaken to correct deficiencies cited in audit reports writing and shall maintain a written record describing the deficiency, the projected corrective action, and the status of the corrective actionsupported by adequate work papers. The Board shall ensure that internal immediate actions are undertaken to remedy deficiencies cited in audit management provides detailed written explanation in those circumstances, if any, where the deficiencies cannot be remediedreports, and that the audit staff maintain auditors verify that appropriate actions have been taken and a written record describing those actions. The Board shall provide for a timely, independent, written follow-up for any uncorrected deficienciesactions is maintained. (67) The Board must establish a formal audit tracking report that identifies exceptions and deficiencies in all areas of the Bank, management’s response and follow-up, and time periods for correction for all exceptions identified by any Bank auditor or the Comptroller. (8) The audit staff shall have access to any records necessary for the proper conduct of its activities. OCC National bank examiners shall have access to all reports and work papers of the audit staff and any other parties working on its behalf. (7) Upon adoption, a copy of the internal audit program shall be promptly submitted to the Assistant Deputy Comptroller.

Internal Audit. (1) Within sixty ninety (6090) days of the date of this Agreementdays, the Board shall adopt, and the Bankimplement, subject to Board review and monitoring, shall implement and thereafter adhere ensure Bank adherence to an independent, internal audit program covering all areas of the Bank including but not limited to correct the internal audit deficiencies described consumer compliance and mortgage banking, sufficient to: (a) detect irregularities and weak practices in the most recent ▇▇▇. The independentBank’s operations; (b) determine the Bank’s level of compliance with all applicable laws, internal audit program shall comply with OCC Bulletin 2003-12rules and regulations; (c) assess and report the effectiveness of policies, Interagency Policy Statement on Internal Audit procedures, controls, and Internal Audit Outsourcing, management oversight relating to accounting and financial reporting; (March 17, 2003d) evaluate the Bank’s adherence to established policies and shall include procedures; and (e) establish an annual written audit plan using a risk based approach sufficient to achieve the objectives outlined in this Article, including requirements for written reports to the Board Audit Committee at least quarterly. The program shall, at a minimum, include standards for the depth and scope of audits, sampling and transaction testing, investigation of root causes, follow-up on exceptions, elevation of findings to the Board Audit Committee, validation of corrective actions, and an assessment of internal audit effectiveness, staff levels, and staff performance. The independent, internal audit program shall be sufficient, at a minimum, to: (a) detect and identify the root causes of irregularities and weak practices in and other exceptions to the Bank's operations; (b) determine the Bank's level of compliance with all applicable laws, rules, regulations and regulatory guidance, including consumer protection laws, regulations, and regulatory guidance; (c) assess and report on the effectiveness of policies, procedures, controls, risk management practices, and management information systems; (d) evaluate the Bank's adherence to established policies and procedures; (e) adequately and timely evaluate the efficiency and effectiveness of the Bank’s corporate governance, internal controls, and risk management functions; (f) ensure timely and appropriate follow-up on identified deficiencies, weak practices and other exceptions to ensure timely implementation, verification and documentation of corrective action; and (g) review and evaluate the Bank’s actions taken to comply with this Agreementthese objectives. (2) As part of this audit program, the Board shall shall: (a) develop and implement an effective risk assessment system; (b) ensure that the written audit plan and audit frequency correlate to the risk assessment; (c) review and approve the audit schedule to ensure an appropriate risk-based scope for internal audit activities; (d) ensure that management responses address all deficiencies identified by the audit and include a commitment to measurable corrective action; (e) ensure that all significant deficiencies are corrected and that management is held accountable for failure to correct audit deficiencies; (f) ensure that all audit reports are provided directly to the Board; (g) ensure that all audits are completed as scheduled; (h) ensure that internal audits include an audit program that clearly documents the audit scope (controls to be tested and sampling methodology) and provides an audit trail of work completed including supporting workpapers; and (i) evaluate the audit reports of any party providing services to the Bank, and shall assess the impact on the Bank of any audit deficiencies cited in such reports. (3) The Board shall ensure that the audit function is supported by an adequately staffed department or outside firm, including with respect to qualifications, both the experience level and number of the individuals employed. (4) The Board shall ensure that the audit program is independent. The persons responsible for implementing the internal audit program described in this Article above shall be independent, qualified and report directly to the Board Audit CommitteeBoard, which shall have the sole power to direct their activities. All reports prepared by the audit staff shall be filed in writing directly with the Board Audit Committee and not through any intervening party. (5) All audit reports shall be in writing. The Board shall ensure that immediate actions are undertaken to correct remedy deficiencies cited in audit reports reports, and shall maintain a written record describing the deficiency, the projected corrective action, and the status of the corrective action. The Board shall ensure that internal audit management provides detailed written explanation in those circumstances, if any, where the deficiencies cannot be remedied, and that the audit staff maintain a written record describing those shall evaluate in writing the effectiveness of the corrective action and recommend additional corrective actions. The Board shall provide for a timely, independent, written follow-up for any uncorrected deficienciesas necessary. (6) The audit staff shall have access to any records necessary for the proper conduct of its activities. The OCC examiners shall have access to all reports and work papers of the audit staff and any other parties working on its behalf. (7) Upon adoption, a copy of the internal audit program shall be promptly submitted to the Assistant Deputy Comptroller for review and determination of no supervisory objection. Upon receiving a determination of no supervisory objection from the Assistant Deputy Comptroller, the Board shall promptly implement and thereafter ensure Bank adherence to the internal audit program.

Internal Audit. (1) Within sixty (60one hundred and fifty y(150) days of the date of this Agreementdays, the Board shall adopt, and the Bankimplement, subject to Board review and monitoring, shall implement and thereafter adhere ensure Bank adherence to an independent, internal audit program to correct the internal audit deficiencies described in the most recent ▇▇▇. The independent, internal audit program shall comply with OCC Bulletin 2003-12, Interagency Policy Statement on Internal Audit and Internal Audit Outsourcing, (March 17, 2003) and shall include an annual written audit plan using a risk based approach sufficient to achieve the objectives outlined in this Article, including requirements for written reports to the Board Audit Committee at least quarterly. The program shall, at a minimum, include standards for the depth and scope of audits, sampling and transaction testing, investigation of root causes, follow-up on exceptions, elevation of findings to the Board Audit Committee, validation of corrective actions, and an assessment of internal audit effectiveness, staff levels, and staff performance. The independent, internal audit program shall be sufficient, at a minimum, to: (a) detect and identify the root causes of irregularities and weak practices in and other exceptions to the Bank's operations; (b) determine the Bank's level of compliance with all applicable laws, rules, regulations rules and regulatory guidance, including consumer protection laws, regulations, and regulatory guidance; (c) assess and report on the effectiveness of policies, procedures, controls, risk management practices, and management information systemsoversight relating to accounting and financial reporting; (d) evaluate the Bank's adherence to established policies and procedures, with particular emphasis directed to the Bank's adherence to its loan policies concerning underwriting standards and problem loan identification and classification; (e) adequately and timely evaluate the efficiency and effectiveness of the Bank’s corporate governance, internal controls, and risk management functions;cover all areas; and (f) ensure timely and appropriate follow-up on identified deficiencies, weak practices and other exceptions establish an annual audit plan using a risk based approach sufficient to ensure timely implementation, verification and documentation of corrective action; and (g) review and evaluate the Bank’s actions taken to comply with this Agreementachieve these objectives. (2) As part of this audit program, the Board shall evaluate the audit reports of any party providing services to the Bank, and shall assess the impact on the Bank of any audit deficiencies cited in such reports. (3) Within thirty (30) days, as part of this audit program, the Board shall define the role and responsibility of the Director of Internal Audit to be employed by the Bank, including the level of independence and authority being vested for the purpose of possessing authority to make meaningful changes to the audit process, and hire a full-time Director of Internal Audit to manage the relationship with any outside firm used and to ensure that workpapers and audit procedures are adequate. The Board shall ensure provide that the Director of Internal Audit will report directly to the audit function is supported by an adequately staffed department or outside firm, including with respect to qualifications, experience level and number committee of individuals employed. (4) the Bank. The Board shall ensure that the audit program is independent. The persons responsible for implementing independent and that the internal audit program described in this Article shall be independentBank has processes, qualified personnel, and report directly control systems to ensure implementation of and adherence to the Board Audit Committee, which shall have the sole power program developed pursuant to direct their activities. All reports prepared by the audit staff shall be filed in writing directly with the Board Audit Committee and not through any intervening partythis Article. (54) All audit reports shall be in writing. The Board shall ensure that immediate actions are undertaken to correct remedy deficiencies cited in audit reports and shall maintain a written record describing the deficiency, the projected corrective action, and the status of the corrective action. The Board shall ensure that internal audit management provides detailed written explanation in those circumstances, if any, where the deficiencies cannot be remediedreports, and that the audit staff auditors maintain a written record describing those actions. The Board shall provide for a timely, independent, written follow-up for any uncorrected deficiencies. (65) The audit staff shall have access to any records necessary for the proper conduct of its activities. OCC National bank examiners shall have access to all reports and work papers of the audit staff and any other parties working on its behalf. (6) If the Board becomes aware of one or more “material weaknesses” in the “internal control structure and procedures for financial reporting,” and if the weaknesses are not corrected within the quarter identified, the Board must notify the management of the holding company of the Bank of the existence of the “material weaknesses.” For purposes of this Article, “material weaknesses” and “internal control structure and procedures for financial reporting,” have the same meaning as the terms are used in Section 404 of the ▇▇▇▇▇▇▇▇-▇▇▇▇▇ Act of 2002 and Statement on Auditing Standards No. 60 (“SAS 60”), respectively. (7) Upon adoption, a copy of the internal audit program shall be promptly submitted to the Assistant Deputy Comptroller.

Internal Audit. (1) Within sixty (60) days of the date of this Agreementdays, the Board shall adopt, and the Bank, subject to Board review and monitoring, shall implement and thereafter adhere ensure Bank adherence to an independent, internal audit program to correct the internal audit deficiencies described in the most recent ▇▇▇. The independent, internal audit program shall comply with OCC Bulletin 2003-12, Interagency Policy Statement on Internal Audit and Internal Audit Outsourcing, (March 17, 2003) and shall include an annual written audit plan using a risk based approach sufficient to achieve the objectives outlined in this Article, including requirements for written reports to the Board Audit Committee at least quarterly. The program shall, at a minimum, include standards for the depth and scope of audits, sampling and transaction testing, investigation of root causes, follow-up on exceptions, elevation of findings to the Board Audit Committee, validation of corrective actions, and an assessment of internal audit effectiveness, staff levels, and staff performance. The independent, internal audit program shall be sufficient, at a minimum, to: (a) establish a written audit schedule that provides for audits on a regular basis; (b) detect and identify the root causes of irregularities and weak practices in and other exceptions to the Bank's operations; ; (bc) ensure adequate coverage in all areas, consistent with the degree of risk; (d) determine the Bank's level of compliance with all applicable laws, rules, regulations and regulatory guidanceregulations; (e) in conjunction with the Bank's independent outside auditor, including consumer protection laws, regulations, and regulatory guidance; (c) assess and report on determine the effectiveness Bank's level of compliance with standard accounting policies, proceduresincluding, controlsbut not limited to, risk management practices, GAAP and management information systems; FASB accounting standards; (df) evaluate the Bank's adherence to established policies and procedures; (e) adequately and timely evaluate the efficiency and effectiveness of , with particular emphasis directed to the Bank’s corporate governance, internal controls, and 's adherence to its credit risk management functions; (f) ensure timely and appropriate follow-up on identified deficiencies, weak practices and other exceptions to ensure timely implementation, verification and documentation of corrective actionpolicies; and (g) review and ensure that all high-risk areas are fully audited on a regular basis, including transaction testing for adequacy of internal controls; (h) evaluate the Bank’s actions taken to comply with this Agreement. (2) As part of this audit program, the Board shall evaluate the available audit reports of any party providing services to the Bank, Bank and shall assess the impact on the Bank of any audit deficiencies cited in such reports; and (i) establish an annual audit plan using risk based approach sufficient to achieve these objectives. (2) Upon adoption, a copy of the internal audit program shall be promptly submitted to the Director. (3) The Board shall ensure that the audit function is supported by an adequately staffed department or outside firm, including with respect to qualifications, both the experience level and number of individuals employed. (4) The Board shall ensure that the audit program is independent. The persons responsible for implementing the internal audit program described in this Article required by paragraph (1) shall be independent, qualified and report directly to the Board Audit CommitteeBoard, or a committee thereof, which shall have the sole power to direct their activities. All reports prepared by the audit staff shall be reviewed and responded to by appropriate Bank management and, thereafter, filed in writing directly with and approved by the Board Audit Committee and not through any intervening partyBoard, or a committee thereof. (5) All audit reports shall be in writing. The Board shall ensure that immediate actions are undertaken to correct remedy deficiencies cited in audit reports and shall maintain a written record describing the deficiency, the projected corrective action, and the status of the corrective action. The Board shall ensure that internal audit management provides detailed written explanation in those circumstances, if any, where the deficiencies cannot be remediedreports, and that the audit staff auditors maintain a written record describing those actions and the result of those actions. The Board audit reports and written record, as well as all supporting work papers of the audit staff, shall provide for a timely, independent, written follow-up for any uncorrected deficienciesbe readily available to OCC personnel upon request. (6) The audit staff Board shall have access ensure that the Bank has processes, personnel, and control systems to any records necessary for the proper conduct ensure implementation of its activities. OCC examiners shall have access and adherence to all reports and work papers of the audit staff and any other parties working on its behalf. (7) Upon adoption, a copy of the internal audit program shall be promptly submitted to the Assistant Deputy Comptrollerprogram.

Internal Audit. (1) Within sixty (60) days of the date of this Agreementdays, the Board shall adopt, and the Bankimplement, subject to Board review and monitoring, shall implement and thereafter adhere ensure Bank adherence to an independent, internal audit program to correct the internal audit deficiencies described in the most recent ▇▇▇. The independent, internal audit program shall comply with OCC Bulletin 2003-12, Interagency Policy Statement on Internal Audit and Internal Audit Outsourcing, (March 17, 2003) and shall include an annual written audit plan using a risk based approach sufficient to achieve the objectives outlined in this Article, including requirements for written reports to the Board Audit Committee at least quarterly. The program shall, at a minimum, include standards for the depth and scope of audits, sampling and transaction testing, investigation of root causes, follow-up on exceptions, elevation of findings to the Board Audit Committee, validation of corrective actions, and an assessment of internal audit effectiveness, staff levels, and staff performance. The independent, internal audit program shall be sufficient, at a minimum, to: (a) test and audit internal controls to ensure ongoing compliance with sound risk management systems and control processes; (b) detect and identify the root causes of irregularities and weak practices in and other exceptions to the Bank's operations; (bc) determine the Bank's level of compliance with all applicable laws, rules, regulations rules and regulatory guidance, including consumer protection laws, regulations, and regulatory guidance; (c) assess and report on the effectiveness of policies, procedures, controls, risk management practices, and management information systems; (d) evaluate the Bank's adherence to established policies and procedures, with particular emphasis directed to the Bank's adherence to its loan policies concerning underwriting standards and problem loan identification and classification; (e) adequately and timely evaluate the efficiency and effectiveness of the Bank’s corporate governance, internal controls, and risk management functions;ensure adequate audit coverage in all areas; and (f) ensure timely and appropriate follow-up on identified deficiencies, weak practices and other exceptions establish an annual audit plan using a risk based approach sufficient to ensure timely implementation, verification and documentation of corrective action; and (g) review and evaluate the Bank’s actions taken to comply with this Agreementachieve these objectives. (2) As part of this audit program, the Board shall evaluate the audit reports of any party providing services to the Bank, and shall assess the impact on the Bank of any audit deficiencies cited in such reports. (3) The Board shall ensure that the Bank has processes, personnel, and control systems to ensure implementation of and adherence to the program developed pursuant to this Article. (4) The Board shall ensure that the audit function is supported by an adequately staffed department or outside firm, including with respect to qualifications, both the experience level and number of the individuals employed. (45) The Board shall ensure that the audit program is independent. The persons responsible for implementing the internal audit program described in this Article above shall be independent, qualified and report directly to the Board Audit CommitteeBoard, which shall have the sole power to direct their activities. All reports prepared by the audit staff shall be filed in writing directly with the Board Audit Committee and not through any intervening party. (56) All audit reports shall be in writing. The Board shall ensure that immediate actions are undertaken to correct remedy deficiencies cited in audit reports and shall maintain a written record describing the deficiency, the projected corrective action, and the status of the corrective action. The Board shall ensure that internal audit management provides detailed written explanation in those circumstances, if any, where the deficiencies cannot be remediedreports, and that the audit staff auditors maintain a written record describing those actions. The Board shall provide for a timely, independent, written follow-up for any uncorrected deficiencies. (67) The audit staff shall have access to any records necessary for the proper conduct of its activities. OCC National bank examiners shall have access to all reports and work papers of the audit staff and any other parties working on its behalf. (7) 8) Upon adoption, a copy of the internal audit program shall be promptly submitted to the Assistant Deputy ComptrollerComptroller for review and approval.

Internal Audit. (1) Within sixty ninety (6090) days of the date of this Agreementdays, the Board shall adopt, and the Bankimplement, subject to Board review and monitoring, shall implement and thereafter adhere ensure Association adherence to an independent, internal audit program to correct the internal audit deficiencies described sufficient to: (a) detect irregularities and weak practices in the most recent ▇▇▇. The independentAssociation's operations; (b) determine the Association's level of compliance with all applicable laws, internal audit program shall comply rules and regulations; (c) assess and report the effectiveness of policies, procedures, controls, and management oversight relating to accounting and financial reporting; (d) evaluate the Association's adherence to established policies and procedures, with particular emphasis directed to the Association's adherence to its loan policies concerning underwriting standards, problem loan identification and classification, transactions with affiliates, conflicts of interests, Troubled Debt Restructuring, and adherence to OCC Bulletin 20032006-1246, Interagency Policy Statement Guidance on Internal Audit and Internal Audit Outsourcing, Commercial Real Estate (March 17, 2003CRE) and shall include Concentration Management Practices; (e) adequately cover all areas; and (f) establish an annual written audit plan using a risk based approach sufficient to achieve the objectives outlined in this Article, including requirements for written reports to the Board Audit Committee at least quarterly. The program shall, at a minimum, include standards for the depth and scope of audits, sampling and transaction testing, investigation of root causes, follow-up on exceptions, elevation of findings to the Board Audit Committee, validation of corrective actions, and an assessment of internal audit effectiveness, staff levels, and staff performance. The independent, internal audit program shall be sufficient, at a minimum, to: (a) detect and identify the root causes of irregularities and weak practices in and other exceptions to the Bank's operations; (b) determine the Bank's level of compliance with all applicable laws, rules, regulations and regulatory guidance, including consumer protection laws, regulations, and regulatory guidance; (c) assess and report on the effectiveness of policies, procedures, controls, risk management practices, and management information systems; (d) evaluate the Bank's adherence to established policies and procedures; (e) adequately and timely evaluate the efficiency and effectiveness of the Bank’s corporate governance, internal controls, and risk management functions; (f) ensure timely and appropriate follow-up on identified deficiencies, weak practices and other exceptions to ensure timely implementation, verification and documentation of corrective action; and (g) review and evaluate the Bank’s actions taken to comply with this Agreementthese objectives. (2) As part of this audit program, the Board shall evaluate the audit reports of any party providing services to the BankAssociation, and shall assess the impact on the Bank Association of any audit deficiencies cited in such reports. (3) The Board shall ensure that the Association has processes, personnel, and control systems to ensure implementation of and adherence to the program developed pursuant to this Article. (4) The Board shall ensure that the audit function is supported by an adequately staffed department or outside firm, including with respect to qualifications, both the experience level and number of the individuals employed. (45) The Board shall ensure that the audit program is independent. The persons responsible for implementing the internal audit program described in this Article above shall be independent, qualified and report directly to the Board Audit CommitteeBoard, which shall have the sole power to direct their activities. All reports prepared by the audit staff shall be filed in writing directly with the Board Audit Committee and not through any intervening party. (56) All audit reports shall be in writing. The Board Board, through its Audit Committee, shall ensure that immediate actions are undertaken to correct remedy deficiencies cited in audit reports reports, and shall maintain a written record describing the deficiency, the projected corrective action, and the status of the corrective action. The Board shall ensure that internal audit management provides detailed written explanation in those circumstances, if any, where the deficiencies cannot be remedied, and that the audit staff maintain a written record describing those actions. The Board shall provide for a timely, independent, written follow-up for any uncorrected deficiencies. (67) The audit staff shall evaluate in writing the effectiveness of the corrective action and recommend additional corrective actions, as necessary. (8) The audit staff shall have access to any records necessary for the proper conduct of its activities. OCC The OCC's examiners shall have access to all reports and work papers of the audit staff and any other parties working on its behalf. (79) Upon adoption, a copy of the internal audit program shall be promptly submitted to the Assistant Deputy Comptroller.

Internal Audit. (1) Within sixty ninety (6090) days of the date of this Agreement, the Board shall adopt, and the Bank, subject to Board review and monitoring, shall implement and thereafter adhere to an develop a written independent, internal audit program to correct that: (i) comports with the internal audit deficiencies described standards for Internal Audit Systems set forth in Section II.B of 12 C.F.R. Part 30, Appendix A, Interagency Guidelines Establishing Standards for Safety and Soundness; (ii) is consistent with the most recent ▇▇▇. The independent, internal audit program shall comply with guidance set forth in OCC Bulletin 2003-12, Interagency Policy Statement on the Internal Audit Function and Internal Audit Outsourcing, Its Outsourcing (March 17, 2003) and shall include an annual written audit plan using a risk based approach sufficient to achieve the objectives outlined in this Article, including requirements for written reports to the Board Audit Committee at least quarterly. The program shall, at a minimum, include standards for the depth and scope of audits, sampling and transaction testing, investigation of root causes, follow-up on exceptions, elevation of findings to the Board Audit Committee, validation of corrective actions), and an assessment of internal audit effectiveness, staff levels, and staff performance. The independent, internal audit program shall be sufficient, at a minimum, (iii) is sufficient to: (a) detect and identify the root causes of irregularities and weak practices in and other exceptions to the Bank's ’s operations; (b) determine the Bank's level of compliance with all applicable laws, rules, regulations and regulatory guidance, including consumer protection laws, regulations, and regulatory guidance; (c) assess and report on the effectiveness of policies, procedures, controls, risk management practices, and management information systemsoversight relating to accounting and financial reporting; (d) evaluate the Bank's adherence to established policies and proceduresadequately cover all areas; (e) adequately establish a risk assessment process to accurately identify the scope and timely evaluate frequency of internal audits to ensure the efficiency and effectiveness of program is appropriate for the Bank’s corporate governancesize, internal controlscomplexity of activities, scope of operations, and risk management functions;profile; and (f) ensure timely and appropriate follow-up on identified deficiencies, weak practices and other exceptions establish an annual audit plan using a risk based approach sufficient to ensure timely implementation, verification and documentation of corrective action; and (g) review and evaluate the Bank’s actions taken to comply with this Agreementachieve these objectives. (2) As part of this audit program, the Board shall evaluate the audit reports of any party providing services to the Bank, Bank and shall assess the impact on the Bank of any audit deficiencies cited in such reports. Within ninety (90) days of the date of this Agreement, the Board shall ensure that the Bank maintains an audit tracking log that includes, at minimum, all outstanding audit findings, the proposed corrective action dates, the management member responsible for corrective actions, and the steps taken to address each corrective action. The description of the steps taken to address each corrective action must be updated no less than quarterly for each corrective action. No less than quarterly the Board, or a Committee thereof, must review this audit tracking log to ensure that proper corrective actions are completed in a timely manner. Within ten (10) days of the review of the audit tracking log by Board, or a Committee thereof, a copy of the audit tracking log must be forwarded to the Assistant Deputy Comptroller. (3) The Board shall ensure that the audit function is supported by an adequately staffed department or outside firm, including with respect to qualifications, both the experience level and number of the individuals employed. Any internal auditors who are employees of the Bank must receive annual training on internal audit standards and practices. (4) The Board shall ensure that the audit program is independent. The persons responsible for implementing the internal audit program described in this Article above shall be independent, qualified and report directly to the Board Audit CommitteeBoard, or a Committee thereof, which shall have the sole power to direct their activities. All reports prepared by the audit staff shall be filed in writing directly with the Chair of the Board Audit Committee of Directors, or another Director designated to receive such reports, and not through any intervening party. The Board, or a committee thereof, must meet at least quarterly with internal auditors to discuss findings and include discussion of the Board’s review of internal audit reports within meeting minutes. (5) The Board, or a Committee thereof, shall review and approve the audit scope and schedule at least annually. At least quarterly, the Board, or a Committee thereof, shall review the status of the audit schedule to ensure all audits have been completed in a timely manner. (6) All audit reports shall be in writing. The Board Board, or a Committee thereof, shall ensure that immediate actions are undertaken to correct remedy deficiencies cited in audit reports and shall maintain a written record describing the deficiency, the projected corrective actionreports, and the status of the corrective action. The Board Board, or a Committee thereof, shall ensure that internal audit management provides detailed written explanation in those circumstances, if any, where the deficiencies cannot be remedied, and that the audit staff maintain a written record describing those actions. The Board shall provide must also require that internal audit reports clearly state an overall conclusion, include a conclusion on the adequacy of internal controls in each review area, and clearly communicate corrective actions for a timely, independent, written follow-up for any uncorrected deficiencieseach deficiency identified. (67) The audit staff shall have access to any records necessary for the proper conduct of its activities. The OCC examiners shall have access to all reports and work papers of the audit staff and any other parties working on its behalf. (7) 8) Upon adoption, a copy development of the internal audit program required by paragraphs (1) through (7) of this Article, a copy shall be promptly submitted to the Assistant Deputy Comptroller for a prior written determination of no supervisory objection. At the next Board meeting following receipt of the Assistant Deputy Comptroller’s written determination of no supervisory objection to the internal audit program, the Board shall adopt and the Bank, subject to Board review and ongoing monitoring, shall implement and thereafter ensure adherence to the audit program.

Internal Audit. (1) Within sixty (60) days of the date of this Agreementdays, the Board shall adopt, and the Bank, subject to Board review and monitoring, shall implement and thereafter adhere ensure Bank adherence to an independent, internal audit program to correct the internal audit deficiencies described in the most recent ▇▇▇. The independent, internal audit program shall comply with OCC Bulletin 2003-12, Interagency Policy Statement on Internal Audit and Internal Audit Outsourcing, (March 17, 2003) and shall include an annual written audit plan using a risk based approach sufficient to achieve the objectives outlined in this Article, including requirements for written reports to the Board Audit Committee at least quarterly. The program shall, at a minimum, include standards for the depth and scope of audits, sampling and transaction testing, investigation of root causes, follow-up on exceptions, elevation of findings to the Board Audit Committee, validation of corrective actions, and an assessment of internal audit effectiveness, staff levels, and staff performance. The independent, internal audit program shall be sufficient, at a minimum, to: (a) establish a written audit schedule that provides for audits on a regular basis; (b) detect and identify the root causes of irregularities and weak practices in and other exceptions to the Bank's operations; (bc) ensure adequate coverage in all areas, consistent with the degree of risk; (d) determine the Bank's level of compliance with all applicable laws, rules, regulations and regulatory guidance, including consumer protection laws, regulations, and regulatory guidance; (ce) assess and report on in conjunction with the effectiveness Bank’s independent outside auditor, determine the Bank's level of compliance with standard accounting policies, proceduresincluding, controlsbut not limited to, risk management practices, GAAP and management information systemsFASB accounting standards; (df) evaluate the Bank's adherence to established policies and procedures; (e) adequately and timely evaluate the efficiency and effectiveness of , with particular emphasis directed to the Bank’s corporate governance, internal controls, and 's adherence to its credit risk management functionspolicies; (f) ensure timely and appropriate follow-up on identified deficiencies, weak practices and other exceptions to ensure timely implementation, verification and documentation of corrective action; and (g) review and evaluate the Bank’s actions taken to comply with this Agreement.ensure that all high-risk areas are fully audited on a regular basis, including transaction testing for adequacy of internal controls; (2h) As part of this audit program, the Board shall evaluate the available audit reports of any party providing services to the Bank, Bank and shall assess the impact on the Bank of any audit deficiencies cited in such reports; and (i) establish an annual audit plan using risk based approach sufficient to achieve these objectives. (2) Upon adoption, a copy of the internal audit program shall be promptly submitted to the Director. (3) The Board shall ensure that the audit function is supported by an adequately staffed department or outside firm, including with respect to qualifications, both the experience level and number of individuals employed. (4) The Board shall ensure that the audit program is independent. The persons responsible for implementing the internal audit program described in this Article required by paragraph (1) shall be independent, qualified and report directly to the Board Audit CommitteeBoard, or a committee thereof, which shall have the sole power to direct their activities. All reports prepared by the audit staff shall be reviewed and responded to by appropriate Bank management and, thereafter, filed in writing directly with and approved by the Board Audit Committee and not through any intervening partyBoard, or a committee thereof. (5) All audit reports shall be in writing. The Board shall ensure that immediate actions are undertaken to correct remedy deficiencies cited in audit reports and shall maintain a written record describing the deficiency, the projected corrective action, and the status of the corrective action. The Board shall ensure that internal audit management provides detailed written explanation in those circumstances, if any, where the deficiencies cannot be remediedreports, and that the audit staff auditors maintain a written record describing those actions and the result of those actions. The Board audit reports and written record, as well as all supporting work papers of the audit staff, shall provide for a timely, independent, written follow-up for any uncorrected deficienciesbe readily available to OCC personnel upon request. (6) The audit staff Board shall have access ensure that the Bank has processes, personnel, and control systems to any records necessary for the proper conduct ensure implementation of its activities. OCC examiners shall have access and adherence to all reports and work papers of the audit staff and any other parties working on its behalf. (7) Upon adoption, a copy of the internal audit program shall be promptly submitted to the Assistant Deputy Comptrollerprogram.

Internal Audit. (1) Within sixty (60) days of By March 31, 2022, the date of this Agreement, Bank shall develop and the Board shall adoptadopt a comprehensive, and the Bank, subject to Board review and monitoring, shall implement and thereafter adhere to an independent, written internal audit program that adequately assesses controls and operations to correct allow the Board and management to understand the sufficiency of the Bank’s internal controls system (“Internal Audit Program”). (2) Management shall ensure the Internal Audit Program’s compliance with the standards for internal audit deficiencies described systems set forth in Section II.B of the most recent ▇▇▇Interagency Guidelines Establishing Standards for Safety and Soundness, Appendix A to 12 C.F.R. Part 30. Refer to the “Internal and External Audits” booklet of the Comptroller’s Handbook for related safe and sound principles. The independent, internal audit program shall comply with OCC Bulletin 2003-12, Interagency Policy Statement on Internal Audit Program shall incorporate standards of safety and Internal Audit Outsourcingsoundness that are commensurate with the Bank’s size, (March 17complexity, 2003) scope of activities, and shall include an annual written audit plan using a risk based approach sufficient to achieve the objectives outlined in this Article, including requirements for written reports to the Board Audit Committee at least quarterly. The program profile and shall, at a minimum, include standards for the depth and scope of audits, sampling and transaction testing, investigation of root causes, follow-up on exceptions, elevation of findings to the Board Audit Committee, validation of corrective actions, and an assessment of internal audit effectiveness, staff levels, and staff performance. The independent, internal audit program shall be sufficient, at a minimum, to: (a) detect and identify require the root causes development of irregularities and weak practices in and other exceptions to an annual risk assessment of the Bank's operations’s auditable areas, with annual documented Audit Committee approval of the risk assessment; (b) determine require the development of an internal audit plan that is risk-based and provides adequate audit scope, coverage, and frequency for all areas of the Bank's level , with annual documented Audit Committee approval of compliance with all applicable laws, rules, regulations the internal audit plan and regulatory guidance, including consumer protection laws, regulations, and regulatory guidanceAudit Committee notification of any material variance from the plan; (c) assess address the use of third-parties to complete any internal audit activities, including documented Audit Committee approval of selection and report on the effectiveness termination of policiesthird-parties; refer to OCC Bulletin 2013-29, procedures, controls, risk management practices, “Third-Party Relationships” for related safe and management information systemssound principles; (d) evaluate the Bank's adherence to established policies and procedures; (e) adequately and timely evaluate the efficiency reliability, adequacy, and effectiveness of the Bank’s corporate governanceinternal controls system, whether operated by the Bank or a third-party; (e) evaluate whether the Bank’s internal controls, controls system results in prompt and risk management functionsaccurate recording of transactions and proper safeguarding of assets; (f) ensure determine whether the Bank complies with laws and regulations and adheres to its established policies, procedures, and processes; (g) require (i) management to take appropriate and timely steps to address control deficiencies and appropriate follow-up audit report recommendations, (ii) the progress of such steps to be adequately validated, documented, and tracked, (iii) the progress to be reported to the Audit Committee on identified deficienciesat least a monthly basis, weak practices and other exceptions (iv) the Audit Committee to ensure determine whether the actions taken by management are satisfactory; (h) require all internal audit reports to be in writing and distributed directly, not through any intervening party, to the Audit Committee in a timely implementationmanner after audit completion; (i) require all internal audits to be supported through adequate transaction testing, verification which includes documenting the transaction testing methodology, sample size, the accounts and documentation names selected for testing, the documents reviewed as part of corrective actionthe testing, and the results of transaction testing; and (gj) review require audit work papers and evaluate the Bank’s actions taken to comply with this Agreement. (2) As part of this documentation that provides a meaningful audit programtrail and validation for audit findings, the Board shall evaluate the audit reports of any party providing services to the Bankconclusions, and shall assess the impact on the Bank of any audit deficiencies cited in such reportsrecommendations. (3) The Board shall ensure provide effective oversight of the Internal Audit Program, including: (a) verifying that management has adequately staffed the internal audit function, using internal resources and/or third-parties, with respect to both the number of auditors required and their knowledge, skills, and experience; (b) verifying the internal audit function is supported by an adequately staffed department independent and objective. The person responsible for implementing the Internal Audit Program shall functionally report directly to the Audit Committee, which shall direct his or outside firmher activities, including with respect set compensation, and evaluate performance; (c) verifying management’s actions to qualificationsaddress material weaknesses in a timely manner and, experience level where appropriate, directing management to take additional action; and (d) verifying management satisfies all statutory, regulatory, and number of individuals employedsupervisory requirements. (4) The Board shall ensure that the audit program is independent. The persons responsible for implementing the internal audit program described in this Article shall be independent, qualified and report directly to the Board Audit Committee, which shall have the sole power to direct their activities. All reports prepared by the audit staff shall be filed in writing directly with the Board Audit Committee and not through any intervening party. (5) All audit reports shall be in writing. The Board shall ensure immediate actions are undertaken to correct deficiencies cited in audit reports and shall maintain a written record describing the deficiency, the projected corrective action, and the status of the corrective action. The Board shall ensure that internal audit management provides detailed written explanation in those circumstances, if any, where the deficiencies cannot be remedied, and that the audit staff maintain a written record describing those actions. The Board shall provide for a timely, independent, written follow-up for any uncorrected deficiencies. (6) The audit staff shall have access to any records necessary for the proper conduct of its activities. The OCC examiners shall have access to all reports and work papers of the internal audit staff and any other third parties working on its behalfproviding internal audit services. (75) Upon adoptionadoption of the Internal Audit Program, Bank management, subject to Board review and ongoing monitoring, shall immediately implement and thereafter ensure adherence to the Internal Audit Program and any amendments thereto. The Board shall review the effectiveness of the Internal Audit Program at least annually, no later than January 31 of each year, and more frequently if necessary or if required by the OCC in writing, and amend the Internal Audit Program as needed or directed by the OCC. The Board shall forward a copy of the internal audit program shall be promptly submitted adopted Internal Audit Program, and any subsequent amendments thereto, to the Assistant Deputy ComptrollerDirector within ten (10) days of adoption.

Internal Audit. (1) Within sixty (60) days of the date of this Agreementdays, the Board shall adopt, and the Bankimplement, subject to Board review and monitoring, shall implement and thereafter adhere ensure Bank adherence to an independent, internal audit program to correct that includes the internal audit deficiencies described in the most recent ▇▇▇. The independent, internal audit program shall comply with OCC Bulletin 2003-12, Interagency Policy Statement on Internal Audit and Internal Audit Outsourcing, (March 17, 2003) and shall include an annual written audit plan using a risk based approach sufficient to achieve the objectives outlined in this Article, including requirements for written reports to the Board Audit Committee at least quarterly. The program shall, at a minimum, include standards for the depth and scope of audits, sampling and transaction testing, investigation of root causes, follow-up on exceptions, elevation of findings to the Board Audit Committee, validation of corrective actions, and an assessment of internal audit effectiveness, staff levels, and staff performance. The independent, internal audit program shall be sufficient, at a minimum, tofollowing: (a) detect Revise policies and identify the root causes procedures to improve effectiveness of irregularities Board Audit Committee oversight to ensure an adequate internal audit program, qualified and weak practices in sufficient internal audit staff, timely correction of identified deficiencies, and other exceptions to the Bank's operations;an effectively administered audit program. (b) Strengthen the internal audit program by performing the following: (i) Engage an independent firm to review the recently completed self- assessments of Audit Committee members to determine the Bank's level adequacy of compliance with all applicable laws, rules, regulations their qualifications and regulatory guidance, including consumer protection laws, regulations, and regulatory guidancetheir independence; (cii) assess Engage an independent firm to evaluate qualifications of the internal audit manager and report on internal audit staff as well as the effectiveness of policies, procedures, controls, risk management practices, and management information systemsaudit manager’s administrative capabilities; (diii) evaluate Revise the Bank's adherence internal audit risk assessment and resulting schedule to established policies ensure they are risk based and proceduresinclude all significant areas of bank operations and important processes; (eiv) adequately Review and timely evaluate the efficiency and effectiveness of the Bank’s corporate governance, internal controls, and risk revise procedures to ensure they are sufficient to properly enforce management functionsaccountability for correcting identified deficiencies; (fv) ensure timely and appropriate follow-up on identified deficiencies, weak practices and other exceptions Improve the quality of internal audit reports to ensure timely implementationthe scope and coverage is clear and reasonable, verification provide useful and documentation of corrective action; and (g) review specific recommendations, and evaluate the Bank’s actions taken to comply detail individual loans or other matters with this Agreementdeficiencies. (2) As part of this audit program, the Board shall evaluate the audit reports of any third party providing services to the Bank, and shall assess the impact on the Bank of any audit deficiencies cited in such reports. (3) The Board shall ensure that the audit function is supported by an adequately staffed department or outside firm, including with respect to qualifications, both the experience level and number of the individuals employed. (4) The Board shall ensure that the audit program is independent. The persons responsible for implementing the internal audit program described in this Article above shall be independent, qualified and report directly to the Board Audit CommitteeCommittee of the Board, which shall have the sole power to direct their activities. All reports prepared by the audit staff shall be filed in writing directly with the Board Audit Committee and not through any intervening party. (5) All audit reports shall be If the Board becomes aware of one or more “material weaknesses” in writing. The Board shall ensure immediate actions the “internal control structure and procedures for financial reporting,” and if the weaknesses are undertaken to correct deficiencies cited in audit reports and shall maintain a written record describing not corrected within the deficiencyquarter identified, the projected corrective action, and Board must notify the status management of the corrective actionYardville National Bancorp of the existence of the “material weaknesses.” For purposes of this Article, “material weaknesses” and “internal control structure and procedures for financial reporting,” have the same meaning as the terms are used in Section 404 of the ▇▇▇▇▇▇▇▇-▇▇▇▇▇ Act of 2002 and Statement on Auditing Standards No. The Board shall ensure that internal audit management provides detailed written explanation in those circumstances60 (“SAS 60”), if any, where the deficiencies cannot be remedied, and that the audit staff maintain a written record describing those actions. The Board shall provide for a timely, independent, written follow-up for any uncorrected deficienciesrespectively. (6) The audit staff shall have access to any records necessary for the proper conduct of its activities. OCC examiners shall have access to all reports and work papers of the audit staff and any other parties working on its behalf. (7) Upon adoption, a copy of the internal audit program shall be promptly submitted to the Assistant Deputy Comptroller.

Internal Audit. (1) Within sixty (60) days of this Agreement, the date Board shall establish an audit committee that complies with the requirements of 12 C.F.R. § 363.5. The audit committee shall meet at least quarterly. (2) The Board shall ensure that the audit function is supported by an adequately staffed department or outside firm, with respect to both the experience level and number of the individuals employed. (3) Within thirty (30) days of this Agreement, the Board shall determine whether any changes are needed regarding the Bank’s Internal Auditor, including the responsibilities, authority, structure, independence or skills of the Bank’s Internal Auditor. In particular, the Board shall ensure that the Internal Auditor operates independent of management and has sufficient training, authority, and skill to perform the assigned responsibilities. (4) Within thirty (30) days of this Agreement, the Board shall determine whether any changes are needed regarding the Internal Auditor’s supporting staff, including the responsibilities, authority, structure, independence, competencies, or capabilities of the Internal Auditor’s supporting staff. (5) Within sixty (60) days of this Agreement, the Board shall adopt, and the Bankimplement, subject to Board review and monitoring, shall implement and thereafter adhere ensure Bank adherence to an independent, independent and comprehensive internal audit program to correct the internal audit deficiencies described in the most recent ▇▇▇. The independent, internal audit program shall comply with OCC Bulletin 2003-12, Interagency Policy Statement on Internal Audit and Internal Audit Outsourcing, (March 17, 2003) and shall include an annual written audit plan using a risk based approach sufficient to achieve the objectives outlined in this Article, including requirements for written reports to the Board Audit Committee at least quarterly. The program shall, at a minimum, include standards for the depth and scope of audits, sampling and transaction testing, investigation of root causes, follow-up on exceptions, elevation of findings to the Board Audit Committee, validation of corrective actions, and an assessment of internal audit effectiveness, staff levels, and staff performance. The independent, internal audit program shall be sufficient, at a minimum, tothat: (a) detect and identify the root causes of includes procedures to assist in completing internal operations audits; (b) detects irregularities and weak practices in and other exceptions to the Bank's ’s operations; (bc) determine determines the Bank's ’s level of compliance with all applicable laws, rules, regulations and regulatory guidance, including consumer protection laws, regulations, and regulatory guidance; (cd) assess assesses and report on reports the effectiveness of policies, procedures, controls, risk management practices, and management information systemsoversight relating to accounting and financial reporting; (de) evaluate evaluates the Bank's ’s adherence to established policies and procedures; (ef) adequately and timely evaluate establishes a line of communication for audit reporting issues between the efficiency and effectiveness of the Bank’s corporate governanceinternal auditor, internal controlsaudit committee, and risk management functionsboard of directors; (fg) ensure timely and appropriate follow-up on identified deficiencies, weak practices and other exceptions to ensure timely implementation, verification ensures audit work papers and documentation of conclusions provide a meaningful audit trail and validation for findings and recommendations; (h) ensures timely management responses and corrective actionactions on identified weaknesses; and (gi) review and evaluate the Bank’s actions taken establishes an annual audit plan using a risk-based approach sufficient to comply with this Agreementachieve these objectives. (26) As part of this audit program, the Board shall evaluate the audit reports of any party providing services to the Bank, and shall assess the impact on the Bank of any audit deficiencies cited in such reports. (3) The Board shall ensure the audit function is supported by an adequately staffed department or outside firm, including with respect to qualifications, experience level and number of individuals employed. (47) The Board shall ensure that the audit program is independent. The persons responsible for implementing the internal audit program described in this Article above shall be independent, qualified and report directly to the Board or the Board Audit Committee, which shall have the sole power to direct their activities. All reports prepared by the audit staff shall be filed in writing directly with the Board and/or Board Audit Committee (comprised of at least two (2) external directors) and not through any intervening party. (5) All audit reports shall be in writing. The Board shall ensure immediate actions are undertaken to correct deficiencies cited in audit reports and shall maintain a written record describing the deficiency, the projected corrective action, and the status of the corrective action. The Board shall ensure that internal audit management provides detailed written explanation in those circumstances, if any, where the deficiencies cannot be remedied, and that the audit staff maintain a written record describing those actions. The Board shall provide for a timely, independent, written follow-up for any uncorrected deficiencies. (6) The audit staff shall have access to any records necessary for the proper conduct of its activities. OCC examiners shall have access to all reports and work papers of the audit staff and any other parties working on its behalf. (7) 8) Upon adoption, a copy of the internal audit program shall be promptly submitted to the Assistant Deputy Comptroller.

Internal Audit. (1) Within sixty one hundred and fifty y (60150) days of the date of this Agreementdays, the Board shall adopt, and the Bankimplement, subject to Board review and monitoring, shall implement and thereafter adhere ensure Bank adherence to an independent, internal audit program to correct the internal audit deficiencies described in the most recent ▇▇▇. The independent, internal audit program shall comply with OCC Bulletin 2003-12, Interagency Policy Statement on Internal Audit and Internal Audit Outsourcing, (March 17, 2003) and shall include an annual written audit plan using a risk based approach sufficient to achieve the objectives outlined in this Article, including requirements for written reports to the Board Audit Committee at least quarterly. The program shall, at a minimum, include standards for the depth and scope of audits, sampling and transaction testing, investigation of root causes, follow-up on exceptions, elevation of findings to the Board Audit Committee, validation of corrective actions, and an assessment of internal audit effectiveness, staff levels, and staff performance. The independent, internal audit program shall be sufficient, at a minimum, to: (a) detect and identify the root causes of irregularities and weak practices in and other exceptions to the Bank's operations; (b) determine the Bank's level of compliance with all applicable laws, rules, regulations rules and regulatory guidance, including consumer protection laws, regulations, and regulatory guidance; (c) assess and report on the effectiveness of policies, procedures, controls, risk management practices, and management information systemsoversight relating to accounting and financial reporting; (d) evaluate the Bank's adherence to established policies and procedures, with particular emphasis directed to the Bank's adherence to its loan policies concerning underwriting standards and problem loan identification and classification; (e) adequately and timely evaluate the efficiency and effectiveness of the Bank’s corporate governance, internal controls, and risk management functions;cover all areas; and (f) ensure timely and appropriate follow-up on identified deficiencies, weak practices and other exceptions establish an annual audit plan using a risk based approach sufficient to ensure timely implementation, verification and documentation of corrective action; and (g) review and evaluate the Bank’s actions taken to comply with this Agreementachieve these objectives. (2) As part of this audit program, the Board shall evaluate the audit reports of any party providing services to the Bank, and shall assess the impact on the Bank of any audit deficiencies cited in such reports. (3) Within thirty (30) days, as part of this audit program, the Board shall define the role and responsibility of the Director of Internal Audit to be employed by the Bank, including the level of independence and authority being vested for the purpose of possessing authority to make meaningful changes to the audit process, and hire a full-time Director of Internal Audit to manage the relationship with any outside firm used and to ensure that workpapers and audit procedures are adequate. The Board shall ensure provide that the Director of Internal Audit will report directly to the audit function is supported by an adequately staffed department or outside firm, including with respect to qualifications, experience level and number committee of individuals employed. (4) the Bank. The Board shall ensure that the audit program is independent. The persons responsible for implementing independent and that the internal audit program described in this Article shall be independentBank has processes, qualified personnel, and report directly control systems to ensure implementation of and adherence to the Board Audit Committee, which shall have the sole power program developed pursuant to direct their activities. All reports prepared by the audit staff shall be filed in writing directly with the Board Audit Committee and not through any intervening partythis Article. (54) All audit reports shall be in writing. The Board shall ensure that immediate actions are undertaken to correct remedy deficiencies cited in audit reports and shall maintain a written record describing the deficiency, the projected corrective action, and the status of the corrective action. The Board shall ensure that internal audit management provides detailed written explanation in those circumstances, if any, where the deficiencies cannot be remediedreports, and that the audit staff auditors maintain a written record describing those actions. The Board shall provide for a timely, independent, written follow-up for any uncorrected deficiencies. (65) The audit staff shall have access to any records necessary for the proper conduct of its activities. OCC National bank examiners shall have access to all reports and work papers of the audit staff and any other parties working on its behalf. (6) If the Board becomes aware of one or more “material weaknesses” in the “internal control structure and procedures for financial reporting,” and if the weaknesses are not corrected within the quarter identified, the Board must notify the management of the holding company of the Bank of the existence of the “material weaknesses.” For purposes of this Article, “material weaknesses” and “internal control structure and procedures for financial reporting,” have the same meaning as the terms are used in Section 404 of the ▇▇▇▇▇▇▇▇-▇▇▇▇▇ Act of 2002 and Statement on Auditing Standards No. 60 (“SAS 60”), respectively. (7) Upon adoption, a copy of the internal audit program shall be promptly submitted to the Assistant Deputy Comptroller.

Internal Audit. (1) Within sixty one hundred twenty (60120) days of the date of this Agreement, the Board shall adopt, and the Bankimplement, subject to Board review and monitoring, shall implement and thereafter adhere ensure Bank adherence to an independent, internal audit program that comports with the standards for Internal Audit Systems set forth in Section II.B of the Interagency Guidelines Establishing Standards for Safety and Soundness, Appendix A to correct the internal audit deficiencies described 12 C.F.R. Part 170 and is sufficient to: (a) detect irregularities and weak practices in the most recent ▇▇▇Bank’s operations; (b) determine the Bank’s level of compliance with all applicable laws, rules and regulations; (c) assess and report the effectiveness of policies, procedures, controls, and management oversight relating to accounting and financial reporting; (d) evaluate the Bank’s adherence to established policies and procedures, with particular emphasis directed to the Bank’s adherence to its loan policies concerning underwriting standards and problem loan identification and classification; (e) review and provide an opinion regarding whether regulatory reports beginning with the quarter following execution of the Agreement contain “material misstatements” within thirty (30) days of filing; for purposes of this Article, “material misstatements” has the same meaning as the term is used in the SEC’s Staff Accounting Bulletin No. The independent, internal audit program shall comply with OCC Bulletin 2003-99 – Materiality (August 12, Interagency Policy Statement on Internal Audit and Internal Audit Outsourcing, 1999); (March 17, 2003f) and shall include adequately cover all areas; and (g) establish an annual written audit plan using a risk based approach sufficient to achieve the objectives outlined in this Article, including requirements for written reports to the Board Audit Committee at least quarterly. The program shall, at a minimum, include standards for the depth and scope of audits, sampling and transaction testing, investigation of root causes, follow-up on exceptions, elevation of findings to the Board Audit Committee, validation of corrective actions, and an assessment of internal audit effectiveness, staff levels, and staff performance. The independent, internal audit program shall be sufficient, at a minimum, to: (a) detect and identify the root causes of irregularities and weak practices in and other exceptions to the Bank's operations; (b) determine the Bank's level of compliance with all applicable laws, rules, regulations and regulatory guidance, including consumer protection laws, regulations, and regulatory guidance; (c) assess and report on the effectiveness of policies, procedures, controls, risk management practices, and management information systems; (d) evaluate the Bank's adherence to established policies and procedures; (e) adequately and timely evaluate the efficiency and effectiveness of the Bank’s corporate governance, internal controls, and risk management functions; (f) ensure timely and appropriate follow-up on identified deficiencies, weak practices and other exceptions to ensure timely implementation, verification and documentation of corrective action; and (g) review and evaluate the Bank’s actions taken to comply with this Agreementthese objectives. (2) The Board must ensure that changes to the audit schedule are based on changes in the risk profile of the department or area and is supported by the conclusions contained in a current, Board-approved risk assessment. (3) As part of this audit program, the Board shall evaluate the audit reports of any party providing services to the Bank, Bank and shall assess the impact on the Bank of any audit deficiencies cited in such reports. (34) The Board shall ensure that the audit function is supported by an adequately staffed department or outside firm, including with respect to qualifications, both the experience level and number of the individuals employed. (45) The Board shall ensure that the audit program is independent. The persons responsible for implementing the internal audit program described in this Article above shall be independent, qualified and report directly to the Board Audit CommitteeBoard, which shall have the sole power to direct their activities. All reports prepared by the audit staff shall be filed in writing directly with the Board Audit Committee and not through any intervening party. (56) The Board shall ensure that services performed by those outside the institution are completed under a current engagement letter, or an equivalent, that details the agreed upon services, scope, timeframes, and costs of the arrangement. This agreement should be reviewed and approved by the Board or a committee thereof and should be updated annually. (7) All audit reports shall be in writing. The Board shall ensure that immediate actions are undertaken to correct remedy deficiencies cited in audit reports and shall maintain a written record describing the deficiency, the projected corrective action, and the status of the corrective action. The Board shall ensure that internal audit management provides detailed written explanation in those circumstances, if any, where the deficiencies cannot be remediedreports, and that the audit staff auditors maintain a written record describing those actions. . (8) The Board shall provide for a timely, independent, written must ensure that audit follow-up for any uncorrected deficienciesincludes a review of the Bank’s actions to implement corrective actions. The internal auditor must verify corrective actions have been completed and test or sample the adequacy of those actions. Audit issues must only be considered closed or corrected once a subsequent internal audit verifies the desired internal controls have been implemented and are effective. (69) The audit staff shall have access to any records necessary for the proper conduct of its activities. OCC examiners Examiners shall have access to all reports and work papers of the audit staff and any other parties working on its behalf. (710) Upon adoption, a copy of the internal audit program shall be promptly submitted to the Assistant Deputy ComptrollerComptroller within ten (10) days of Board approval. (11) The Board shall ensure that the Bank has processes, personnel, and control systems to ensure implementation of and adherence to the program developed pursuant to this Article.

Internal Audit. (1) Within sixty forty-five (6045) days of the date of this Agreementdays, the Board shall adoptreview and update the existing audit policy, incorporating a formal risk assessment of the Bank’s audit needs, and determining an adequate scope and frequency for internal audit based on the risks inherent in the Bank’s operations, subject to Board review and monitoring, including the risks inherent in the Bank’s role as servicer for the Master Trust. The revised audit policy shall implement and thereafter adhere to establish an independent, internal audit program to correct the internal audit deficiencies described that complies with guidelines set forth in the most recent ▇▇▇OCC’s Handbook on Internal and External Audit and related issuances. The independent, internal audit program shall comply with OCC Bulletin 2003-12, Interagency Policy Statement on Internal Audit and Internal Audit Outsourcing, (March 17, 2003) and shall include an annual written audit plan using a risk based approach sufficient to achieve the objectives outlined in this Article, including requirements for written reports to the Board Audit Committee at least quarterly. The program shall, at a minimum, include standards for the depth and scope of audits, sampling and transaction testing, investigation of root causes, follow-up on exceptions, elevation of findings to the Board Audit Committee, validation of corrective actions, and an assessment of internal audit effectiveness, staff levels, and staff performance. The independent, internal audit program shall be sufficient, at a minimum, to: (a) describe the organization and function of the Bank’s audit function, including duties and responsibilities; (b) provide for a formal risk assessment process of the Bank’s significant business activities and inherent risks; (c) ensure adequate audit coverage of all functional areas of Bank operations that are impacted as a result of the Bank’s role as originator of the extensions of credit and servicer for the Master Trust assets, including credit operations, marketing, account management, customer service and underwriting; (d) detail the development of an adequate audit plan and audit cycle; (e) detect and identify the root causes of irregularities and weak practices in and other exceptions to the Bank's operations; (bf) determine the Bank's level of compliance with all applicable laws, rules, regulations rules and regulatory guidance, including consumer protection laws, regulations, and regulatory guidance; (c) assess and report on the effectiveness of policies, procedures, controls, risk management practices, and management information systems; (dg) evaluate the Bank's adherence to established policies policies, procedures, and proceduresinternal controls in all functional areas of the Bank; (eh) adequately provide a formal follow-up process to ensure that deficiencies and recommendations identified by internal audit are corrected and implemented in a timely evaluate the efficiency and effectiveness of the Bank’s corporate governance, internal controlsmanner, and risk management functionsthat the corrective actions are documented; (fi) ensure timely require that the Board receive status reports regarding any outstanding deficiencies and appropriate follow-up on recommendations identified deficiencies, weak practices and other exceptions to ensure timely implementation, verification and documentation of corrective actionby internal audit; and (gj) require that the Board formally review and evaluate update the Bank’s actions taken to comply with this Agreementaudit programs, policies, and procedures, at a minimum, on an annual basis. (2) As part of this audit programWithin sixty (60) days, the Board shall evaluate the audit reports of any party providing services adopt, implement, and thereafter ensure Bank adherence to the Bank, and shall assess the impact on the Bank of any revised audit deficiencies cited in such reportspolicy. (3) In connection with development of the revised audit policy, the Board shall reassess the structure and reconfirm the role of the audit committee. To the extent the audit committee overlaps with the audit committee for the Bank’s parent, the Board shall ensure that the audit committee provides sufficient priority and attention to specific needs of the Bank so that the audit committee effectively functions as an audit committee on behalf of the Bank. (4) The Board shall ensure the engagement of audit staff qualified to assess, and who are experienced in, the risks posed by the Bank’s operations, including the risks in servicing the Master Trust assets, and vendor management. The Board shall ensure that the audit function is supported by an adequately staffed department or outside firm, including with respect to qualifications, both the experience level and number of individuals employed. (45) The Board shall ensure that the audit program is independent. The persons responsible for implementing the internal audit program described in this Article above shall be independent, qualified and report directly to the Board Audit CommitteeBoard, which shall have the sole power to direct their activities. All reports prepared by the audit staff shall be filed in writing directly with the Board Audit Committee and not through any intervening party. (5) All audit reports shall be in writing. The Board shall ensure immediate actions are undertaken to correct deficiencies cited in audit reports and shall maintain a written record describing the deficiency, the projected corrective action, and the status of the corrective action. The Board shall ensure that internal audit management provides detailed written explanation in those circumstances, if any, where the deficiencies cannot be remedied, and that the audit staff maintain a written record describing those actions. The Board shall provide for a timely, independent, written follow-up for any uncorrected deficiencies. (6) The audit staff shall have access to any books and records necessary for the proper conduct of its activities. OCC National bank examiners shall have access to all reports and work papers of the audit staff and any other parties working on its behalf. (7) As part of this audit program, the Bank shall receive audit reports from all affiliated service providers and material nonaffiliated third-party service providers that review the service provider’s internal control environment and compliance program as it relates to the service(s) or product(s) being provided to the Bank. The Board shall evaluate these audit reports and shall assess the impact on the Bank of any audit deficiencies cited in such reports, including which, if any, of the service provider’s operations violate applicable laws and regulations, or are inconsistent with the Bank’s policies and procedures. The Bank’s audit program shall provide a formal follow-up process to ensure the deficiencies identified in the audit reports relating to the service(s) or product(s) provided to the Bank are corrected in a timely manner, and the corrective action is documented. (8) The Bank may rely on audit services provided by ▇▇▇▇▇▇▇’▇, Inc., or any other affiliate, in connection with the Bank’s audit program, only after the Board has determined that those audit services to be provided are adequate to meet the Bank’s audit needs, and comply with the requirements of this Article. The Board’s determination shall be adequately documented in the Bank’s revised audit policy. (9) The Board shall ensure that the Bank has processes, personnel, and control systems to ensure implementation of and adherence to the program developed pursuant to this Article. (10) Upon adoption, a copy of the internal revised audit program policy shall be promptly submitted to the Assistant Deputy Comptroller.