Common use of Internal Audit Clause in Contracts

Internal Audit. (1) Within ninety (90) days of the date of this Agreement, the Bank shall develop and the Board shall adopt an acceptable, independent, comprehensive, written internal audit program that adequately assesses controls and operations to allow the Board and management to understand the sufficiency of the Bank’s internal controls system (“Internal Audit Program”). (2) Management shall ensure the Internal Audit Program complies with the standards for internal audit systems set forth in Section II.B of the Interagency Guidelines Establishing Standards for Safety and Soundness, Appendix A to 12 C.F.R. Part 30. Refer to the “Internal and External Audits” booklet of the Comptroller’s Handbook for related safe and sound principles. The Internal Audit Program shall incorporate standards of safety and soundness that are commensurate with the Bank’s size, complexity, scope of activities, and risk profile and shall, at a minimum: (a) provide an objective, independent review and evaluation of the Bank’s activities, internal controls, and management information systems; (b) require the development of an annual risk assessment of the Bank’s auditable areas, with annual documented Audit Committee approval of the risk assessment; (c) require the development of an internal audit plan that is risk-based and provides adequate audit scope, coverage, and frequency for all areas of the Bank, with annual documented Audit Committee approval of the internal audit plan and Audit Committee notification of any material variance from the plan. Audit scope must cover: (i) compliance risk management functions, including management structure and effectiveness, board reporting, and the effectiveness of internal controls to mitigate violations of law and regulations. (ii) allowance for credit losses (ACL) risk management, policy, and methodology; and (iii) insider activities, including identification and documentation of related interests, fees paid to insiders, and insider-related recordkeeping. (d) address the use of third-parties to complete any internal audit activities, including documented Audit Committee approval of selection and termination of third-parties; refer to OCC Bulletin 2023-17, “Third-Party Relationships: Interagency Guidance on Risk Management,” for related safe and sound principles; (e) evaluate the reliability, adequacy, and effectiveness of the Bank’s internal controls system, whether operated by the Bank or a third-party, and identify the root cause of identified deficiencies; (f) evaluate whether the Bank’s internal controls system results in prompt and accurate recording of transactions and proper safeguarding of assets; (g) determine whether the Bank complies with laws and regulations and adheres to its established policies, procedures, and processes; (h) require all internal audits to be supported through adequate transaction testing, which includes documenting the transaction testing methodology, sample size, the accounts and names selected for testing, the documents reviewed as part of the testing, and the results of transaction testing; (i) require management to take appropriate and timely steps to address control deficiencies and audit report recommendations and report its validated progress to the Audit Committee on at least a monthly/quarterly basis and require the Audit Committee to make a documented determination of whether the actions taken by management are satisfactory; (j) require all internal audit reports to be in writing and distributed directly, not through any intervening party, to the Audit Committee in a timely manner after audit completion; and (k) require audit work papers and documentation that provides a meaningful audit trail and validation for audit findings, conclusions, and recommendations. (3) The Board shall provide effective oversight of the Internal Audit Program, including: (a) verifying that management has adequately staffed the internal audit function, using internal resources and/or third-parties, with respect to both the number of auditors required and their knowledge, skills, and experience; (b) verifying the internal audit function is independent and objective. The person responsible for implementing the Internal Audit Program shall functionally report directly to the Audit Committee, which shall direct his or her activities, set compensation, and evaluate performance; (c) verifying management’s actions to address material weaknesses in a timely manner and, where appropriate, directing management to take additional action; and (d) verifying management satisfies all statutory, regulatory, and supervisory requirements. (4) The internal audit staff shall have access to any records necessary for the proper conduct of its activities. The OCC shall have access to all reports and work papers of the internal audit staff and any third parties providing internal audit service. (5) Upon adoption of the Internal Audit Program, Bank management, subject to Board review and ongoing monitoring, shall immediately implement and thereafter ensure adherence to the Internal Audit Program and any amendments thereto. The Board shall review the effectiveness of the Internal Audit Program at least annually, and more frequently if necessary or if required by the OCC in writing, and amend the Internal Audit Program as needed or directed by the OCC.

Internal Audit. (1) Within ninety sixty (9060) days of the date of this Agreement, the Bank shall develop develop, and the Board shall adopt an acceptableadopt, independent, a comprehensive, written internal audit program that adequately assesses controls and operations to allow the Board and management to understand the sufficiency of the Bank’s internal controls control system (“Internal Audit Program”). Upon adoption, Bank management subject to Board review and ongoing monitoring, shall immediately implement and adhere to the Internal Audit Program and any amendments or revisions thereto. (2) Management shall ensure the Internal Audit Program complies Program’s compliance with the standards for internal audit systems set forth in Section II.B of the Interagency Guidelines Establishing Standards for Safety and Soundness, Appendix A to 12 C.F.R. Part 30. Refer to the “Internal and External Audits” booklet of the Comptroller’s Comptroller Handbook for related safe and sound principlesguidance. The Internal Audit Program shall incorporate standards of safety and soundness standards that are commensurate with the Bank’s size, complexity, scope of activities, and risk profile and shall, at a minimum: (a) provide an objective, independent review and evaluation of the Bank’s activities, internal controls, and management information systems; (b) require the development of an annual risk assessment of the Bank’s auditable areas, with annual documented Audit Committee approval of the risk assessment; (c) require the development of an internal audit plan that is a risk-based and provides adequate audit scope, coverage, and frequency for all areas of the Bank, with annual documented Audit Committee Board approval of the internal audit plan and Audit Committee Board notification of any material variance from the plan. Audit scope must cover:; (i) compliance risk management functions, including management structure and effectiveness, board reporting, and the effectiveness of internal controls to mitigate violations of law and regulations. (ii) allowance for credit losses (ACL) risk management, policy, and methodology; and (iii) insider activities, including identification and documentation of related interests, fees paid to insiders, and insider-related recordkeeping. (db) address the use of third-parties to complete any internal audit activities, including documented Audit Committee Board approval of selection and termination of third-parties; refer to OCC Bulletin 20232013-1729, “Third-Party Relationships: Interagency Guidance on Risk Management,” for related safe and sound principles; (ec) evaluate the reliability, adequacy, and effectiveness of the Bank’s internal controls system, whether operated by the Bank or a third-party, and identify the root cause of identified deficiencies; (fd) evaluate whether the Bank’s internal controls system results in prompt and accurate recording of transactions and proper safeguarding of assets; (ge) determine whether the Bank complies with laws and regulations and adheres to its established policies, procedures, and processes; (hf) require all internal audits to be supported through adequate transaction testing, which includes documenting the transaction testing methodology, sample size, the accounts and names selected for testing, the documents reviewed as part of the testing, and the results of transaction testing; (i) require determine whether management to take is taking appropriate and timely steps to address control deficiencies and audit report recommendations recommendations, that the progress of such steps is adequately validated, documented, and report its validated tracked, and that such progress is reported to the Audit Committee Board on at least a monthly/quarterly basis and require the Audit Committee to make a documented determination of whether the actions taken by management are satisfactorybasis; (jg) require all internal audit reports to be in writing and distributed directly, not through any intervening party, to the Audit Committee Board in a timely manner after audit completion; and (kh) require audit work papers and documentation that provides a meaningful audit trail and validation for audit findings, conclusions, and recommendations. (3) The Board shall provide effective oversight of the Internal Audit Program, including: (a) verifying that management has adequately staffed the internal audit function, using internal resources and/or third-parties, with respect to both the number of auditors required and their knowledge, skills, and experience; (b) verifying the internal audit function is independent and objective. The person responsible for implementing the Internal Audit Program shall functionally report directly to the Audit CommitteeBoard, which shall direct his or her activities, set compensation, and evaluate performance; (c) verifying management’s actions to address material weaknesses in a timely manner and, where appropriate, directing management to take additional action; and (d) verifying management satisfies all statutory, regulatory, and supervisory requirements. (4) The internal audit staff shall have access to any records necessary for the proper conduct of its activities. The OCC shall have access to all reports and work papers of the internal audit staff and any third parties providing internal audit serviceservices. (5) Upon adoption Within thirty (30) days following receipt of the ADC’s written determination of no supervisory objection to the Internal Audit Program or to any subsequent amendment to the Internal Audit Program, the Board shall adopt and Bank management, subject to Board review and ongoing monitoring, shall immediately implement and thereafter ensure adherence to the Internal Audit Program and any amendments theretoProgram. The Board shall review the effectiveness of the Internal Audit Program at least annually, and more frequently if necessary or if required by the OCC in writing, and amend the Internal Audit Program as needed or directed by the OCC. Any amendment to the Internal Audit Program must be submitted to the ADC for review and prior written determination of no supervisory objection.

Internal Audit. (1) Within ninety (90) days of the date of this Agreement, the Bank shall develop submit to the ADC for review and the Board shall adopt prior written determination of no supervisory objection an acceptable, independent, comprehensive, written independent internal audit program that adequately assesses controls and operations to allow the Board and management to understand the sufficiency of the Bank’s internal controls system (“Internal Audit Program”). (2) Management shall ensure the Internal Audit Program complies with the standards for internal audit systems set forth in Section II.B of the Interagency Guidelines Establishing Standards for Safety and Soundness, Appendix A to 12 C.F.R. Part 30. Refer to the “Internal and External Audits” booklet of the Comptroller’s Handbook for related safe and sound principles. The Internal Audit Program shall incorporate standards of safety and soundness that are commensurate with the Bank’s size, complexity, scope of activities, and risk profile and shall, at a minimum: (a) provide Provide an objective, independent review and evaluation of the Bank’s bank activities, internal controls, and management information systems; (b) require the development of an annual risk assessment of the Bank’s auditable areas, with annual documented Audit Committee Board approval of the risk assessment; (c) require the development of an internal audit plan that is risk-based and provides adequate audit scope, coverage, and frequency for all areas of the Bank, with annual documented Audit Committee Board approval of the internal audit plan and Audit Committee Board notification of any material variance variances from the plan. Audit scope must cover: (i) compliance risk management functions, including management structure and effectiveness, board reporting, and the effectiveness of internal controls to mitigate violations of law and regulations. (ii) allowance for credit losses (ACL) risk management, policy, and methodology; and (iii) insider activities, including identification and documentation of related interests, fees paid to insiders, and insider-related recordkeeping.; (d) address the use of third-parties to complete any internal audit activities, including documented Audit Committee Board approval of selection and termination of third-parties; refer to OCC Bulletin 2023-17, “Third-Party Relationships: Interagency Guidance on Risk Management,” for related safe and sound principles; (e) evaluate the reliability, adequacy, and effectiveness of the Bank’s internal controls control system, whether operated owned by the Bank or a third-third party, and identify the root cause of identified deficiencies; (f) evaluate whether the Bank’s internal controls system results in prompt and accurate recording of transactions and proper safeguarding of assets; (g) determine whether the Bank complies with laws and regulations and adheres to its established policies, procedures, and processes; (h) require all internal audits to be supported through adequate transaction testing, which includes documenting the transaction testing methodology, sample size, the accounts and names selected for testing, the documents reviewed as part of the testing, and the results of transaction testing; (i) require management to take appropriate and timely steps to address control deficiencies and audit report recommendations and report its validated progress to the Audit Committee Board on at least a monthly/quarterly basis and require the Audit Committee Board to make a documented determination of whether the actions taken by management are satisfactory; (j) require all internal audit reports to be in writing and distributed directly, not through any intervening party, to the Audit Committee Board in a timely manner after audit completion; and (k) require audit work papers and documentation that provides a meaningful audit trail and validation for audit findings, conclusions, and recommendations. (3) The Board shall provide effective oversight of the Internal Audit Program, including: (a) verifying that management has adequately staffed the internal audit function, using internal resources and/or third-third parties, with respect to both the number of auditors required and their knowledge, skills, and experience; (b) verifying the internal audit function is independent and objective. The person responsible for implementing the Internal Audit Program shall functionally report directly to the Audit CommitteeBoard, which shall direct his or her activities, set compensation, and evaluate performance; (c) verifying management’s actions to address material weaknesses in a timely manner and, where appropriate, directing management to take additional action; and (d) verifying management satisfies all statutory, regulatory, and supervisory requirements. (4) The internal audit staff shall have access to any records necessary for the proper conduct of its activities. The OCC shall have access to all reports and work papers of the internal audit staff and any third parties providing internal audit serviceservices. (5) Upon adoption receipt of the ADC’s written determination of no supervisory objection to the Internal Audit Program or to any subsequent amendment to the Internal Audit Program, the Board shall adopt and Bank management, subject to Board review and ongoing monitoring, shall immediately implement and thereafter ensure adherence to the Internal Audit Program and any amendments theretoProgram. The Board shall review the effectiveness of the Internal Audit Program at least annually, and more frequently if necessary or if required by the OCC in writing, and amend the Internal Audit Program as needed or directed by the OCC. Any amendment to the Internal Audit Program must be submitted to the ADC for review and prior written determination of no supervisory objection.

Internal Audit. (1) Within ninety (90) days of the date of this AgreementBy December 31, 2018, the Bank shall develop revise and after adoption by the Board shall adopt Board, implement an acceptable, independent, comprehensive, written internal audit program that adequately assesses controls is consistent with safe and operations sound standards for internal audit. Refer to allow the Board and management to understand the sufficiency of the Bank’s internal controls system (“Internal Audit Program”). (2i) Management shall ensure the Internal Audit Program complies with the standards for internal audit systems Internal Audit Systems set forth in Section II.B 11.B of the Interagency Guidelines Establishing Standards for Safety and Soundness, Appendix A to 12 C.F.R. Part 30. Refer to ; (ii) the guidance set forth in the “Interagency Policy Statement on the Internal Audit Function and Its Outsourcing” (OCC Bulletin 2003-12); and (iii) Internal and External Audits” booklet Audits booklet, M-AUD, of the Comptroller’s Handbook for related safe and sound principles. The Internal Audit Program shall incorporate standards of safety and soundness that are commensurate with the Bank’s size, complexity, scope of activities, and risk profile and shall, at a minimum:(December 2016). (a2) provide an objective, independent review and evaluation As part of the Bank’s activitiesaudit program, internal controlsthe Board, and or a committee thereof, shall ensure management information systems; (b) require the development of an develops a comprehensive annual risk assessment of the Bank’s all auditable areas, with annual documented Audit Committee approval areas of the risk assessment; (c) require Bank to ensure the development of an internal audit plan that is risk-based and provides adequate audit scope, coverage, and frequency for of audits are risk-based according to the Bank’s product lines, services, and operations and that audits provide sufficient oversight over the controls of the institution’s activities. The audit scope must be expanded to include all areas in which deficiencies were identified in the 2018 Report of Examination. Risk ratings shall be appropriately supported with consideration given to inherent risk and compensating internal controls. The Bank shall incorporate the annual risk assessment into its audit schedule. (3) The Board, or a committee thereof, shall review and approve the audit scope and schedule at least annually. At least quarterly, the Audit Committee, shall review the status of the Bankaudit schedule to ensure all audits have been completed in a timely manner and that any deviation is documented and approved. (4) As part of this audit program, with annual documented Audit Committee approval the Board shall evaluate the audit reports and shall assess the impact on the Bank of any audit deficiencies cited in such reports. (5) The Board shall ensure that the audit program is independent. The persons responsible for implementing the internal audit plan and Audit Committee notification of any material variance from program described above shall report directly to the planBoard, or a committee thereof, which shall have the sole power to direct their activities. Audit scope must cover: (i) compliance risk management functions, including management structure and effectiveness, board reporting, and the effectiveness of internal controls to mitigate violations of law and regulations. (ii) allowance for credit losses (ACL) risk management, policy, and methodology; and (iii) insider activities, including identification and documentation of related interests, fees paid to insiders, and insider-related recordkeeping. (d) address the use of third-parties to complete any internal audit activities, including documented Audit Committee approval of selection and termination of third-parties; refer to OCC Bulletin 2023-17, “Third-Party Relationships: Interagency Guidance on Risk Management,” for related safe and sound principles; (e) evaluate the reliability, adequacy, and effectiveness of the Bank’s internal controls system, whether operated All reports prepared by the Bank audit staff shall be filed directly with the Board, or a third-party, and identify the root cause of identified deficiencies; (f) evaluate whether the Bank’s internal controls system results in prompt and accurate recording of transactions and proper safeguarding of assets; (g) determine whether the Bank complies with laws and regulations and adheres to its established policies, procedures, and processes; (h) require all internal audits to be supported through adequate transaction testing, which includes documenting the transaction testing methodology, sample size, the accounts and names selected for testing, the documents reviewed as part of the testing, and the results of transaction testing; (i) require management to take appropriate and timely steps to address control deficiencies and audit report recommendations and report its validated progress to the Audit Committee on at least a monthly/quarterly basis and require the Audit Committee to make a documented determination of whether the actions taken by management are satisfactory; (j) require all internal audit reports to be in writing and distributed directlycommittee thereof, not through any intervening party, to the Audit Committee in a timely manner after audit completion; and (k) require audit work papers and documentation that provides a meaningful audit trail and validation for audit findings, conclusions, and recommendations. (36) All audit reports shall be in writing. The Board shall provide effective oversight of the Internal Audit Program, including: (a) verifying ensure that management has adequately staffed the internal prompt actions are undertaken to remedy deficiencies cited in audit function, using internal resources and/or third-parties, with respect to both the number of auditors required and their knowledge, skillsreports, and experience; (b) verifying the internal audit function is independent and objective. The person responsible for implementing the Internal Audit Program shall functionally report directly to the Audit Committee, which shall direct his or her activities, set compensation, and evaluate performance; (c) verifying management’s actions to address material weaknesses in that auditors maintain a timely manner and, where appropriate, directing management to take additional action; and (d) verifying management satisfies all statutory, regulatory, and supervisory requirementswritten record describing those actions. (47) The internal audit staff shall have access to any records necessary for the proper conduct of its activities. The OCC National bank examiners shall have access to all reports and work papers of the internal audit staff and any third other parties providing internal audit serviceworking on its behalf. (5) 8) Upon adoption adoption, a copy of the Internal Audit Program, Bank management, subject to Board review and ongoing monitoring, internal audit program shall immediately implement and thereafter ensure adherence be promptly submitted to the Internal Audit Program and any amendments thereto. The Board shall review the effectiveness of the Internal Audit Program at least annually, and more frequently if necessary or if required by the OCC in writing, and amend the Internal Audit Program as needed or directed by the OCCAssistant Deputy Comptroller.

Internal Audit. (1) Within ninety (90) days of the effective date of this Agreement, the Bank shall develop submit to the Assistant Deputy Comptroller for review and the Board shall adopt prior written determination of no supervisory objection an acceptable, independent, comprehensive, written internal audit program that adequately assesses controls and operations to allow the Board and management to understand the sufficiency of the Bank’s internal controls system (“Internal Audit Program”). (2) Management shall ensure the Internal Audit Program complies Program’s compliance with the standards for internal audit systems set forth in Section II.B of the Interagency Guidelines Establishing Standards for Safety and Soundness, Appendix A to 12 C.F.R. Part 30. Refer to , and consistency with the safety and soundness principles articulated in the “Internal and External Audits” booklet of the Comptroller’s Handbook for related safe and sound principlesHandbook. The Internal Audit Program shall incorporate standards of safety and soundness that are commensurate with the Bank’s size, complexity, scope of activities, and risk profile and shall, at a minimum: (a) provide an objective, independent review and evaluation of the Bank’s activities, internal controls, and management information systems; (b) require the development of an annual risk assessment of the Bank’s auditable areas, with annual documented Audit Committee approval of the risk assessment; (c) require the development of an internal audit plan that is risk-based and provides adequate audit scope, coverage, and frequency for all areas of the Bank, with annual documented Audit Committee Board approval of the internal audit plan and Audit Committee Board notification of any material variance from the plan. Audit scope must cover:; (i) compliance risk management functions, including management structure and effectiveness, board reporting, and the effectiveness of internal controls to mitigate violations of law and regulations. (ii) allowance for credit losses (ACL) risk management, policy, and methodology; and (iii) insider activities, including identification and documentation of related interests, fees paid to insiders, and insider-related recordkeeping. (db) address the use of third-third parties to complete any internal audit activities, including documented Audit Committee Board approval of selection and termination of third-third parties; refer to , consistent with the safety and soundness principles articulated in OCC Bulletin 2023-17, “Third-Party Relationships: Interagency Guidance on Risk Management,” for related safe and sound principles;” (ec) evaluate the reliability, adequacy, and effectiveness of the Bank’s internal controls system, whether operated by the Bank or a third-third party, and identify the root cause of identified deficiencies; (fd) evaluate whether the Bank’s internal controls system results in prompt and accurate recording of transactions and proper safeguarding of assets; (ge) determine whether the Bank complies with laws and regulations and adheres to its established policies, procedures, and processes; (hf) require all internal audits to be supported through adequate transaction testing, which includes documenting the transaction testing methodology, sample size, the accounts and names selected for testing, the documents reviewed as part of the testing, and the results of transaction testing; (i) require determine whether management to take is taking appropriate and timely steps to address control deficiencies and audit report recommendations recommendations, that the progress of such steps is adequately validated, documented, and report its validated tracked, and that such progress is reported to the Audit Committee Board on at least a monthly/quarterly basis and require the Audit Committee to make a documented determination of whether the actions taken by management are satisfactorybasis; (jg) require all internal audit reports to be in writing and distributed directly, not through any intervening party, to the Audit Committee Board in a timely manner after audit completion; and (kh) require audit work papers and documentation that provides a meaningful audit trail and validation for audit findings, conclusions, and recommendations. (3) The Board shall provide effective oversight of the Internal Audit Program, including: (a) verifying that management has adequately staffed the internal audit function, using internal resources and/or third-third parties, with respect to both the number of auditors required and their knowledge, skills, and experience; (b) verifying the internal audit function is independent and objective. The person responsible for implementing the Internal Audit Program shall functionally report directly to the Audit CommitteeBoard, which shall direct his or her activities, set compensation, and evaluate performance; (c) verifying management’s actions to address material weaknesses in a timely manner and, where appropriate, directing management to take additional action; and (d) verifying management satisfies all statutory, regulatory, and supervisory requirements. (4) The internal audit staff and third-party vendor providing internal audit services shall have access to any records necessary for the proper conduct of its activities. The OCC shall have access to all reports and work papers of the internal audit staff and any third parties providing internal audit serviceservices. (5) Upon adoption Within (30) days following receipt of the Assistant Deputy Comptroller’s written determination of no supervisory objection to the Internal Audit Program or to any subsequent amendment to the Internal Audit Program, the Board shall adopt and Bank management, subject to Board review and ongoing monitoring, shall immediately implement and thereafter ensure adherence to the Internal Audit Program and any amendments theretoProgram. The Board shall review the effectiveness of the Internal Audit Program at least annually, and more frequently if necessary or if required by the OCC in writing, and amend the Internal Audit Program as needed or directed by the OCC. Any amendment to the Internal Audit Program must be submitted to the Assistant Deputy Comptroller for review and prior written determination of no supervisory objection.

Internal Audit. (1) Within ninety thirty (9030) days of from the effective date of this Agreement, the Bank shall develop submit to the Assistant Deputy Comptroller for review and the Board shall adopt an acceptable, independent, prior written determination of no supervisory objection a comprehensive, written internal audit program that adequately assesses controls and operations to allow the Board and management to understand the sufficiency of the Bank’s internal controls system (“Internal Audit Program”). (2) Management shall ensure the Internal Audit Program complies Program’s compliance with the standards for internal audit systems set forth in Section II.B of the Interagency Guidelines Establishing Standards for Safety and Soundness, Appendix A to 12 C.F.R. Part 30. Refer to the “Internal and External Audits” booklet of the Comptroller’s Handbook for related safe and sound principlesfurther guidance. The Internal Audit Program shall incorporate standards of safety and soundness that are commensurate with the Bank’s size, complexity, scope of activities, and risk profile and shall, at a minimum: (a) provide an objective, independent review and evaluation of the Bank’s activities, internal controls, and management information systems; (b) require the development of an annual risk assessment of the Bank’s auditable areas, with annual documented Audit Committee approval of the risk assessment; (c) require the development of an internal audit plan that is risk-based and provides adequate audit scope, coverage, and frequency for all areas of the Bank, with annual documented Audit Committee approval of the internal audit plan and Audit Committee notification of any material variance from the plan. Audit scope must cover:; (i) compliance risk management functions, including management structure and effectiveness, board reporting, and the effectiveness of internal controls to mitigate violations of law and regulations. (ii) allowance for credit losses (ACL) risk management, policy, and methodology; and (iii) insider activities, including identification and documentation of related interests, fees paid to insiders, and insider-related recordkeeping. (db) address the use of third-parties to complete any internal audit activities, including documented Audit Committee approval of selection and termination of third-parties; refer to OCC Bulletin 20232013-1729, “Third-Party Relationships: Interagency Guidance on Risk Management,” for related safe and sound principlesguidance; (ec) evaluate the reliability, adequacy, and effectiveness of the Bank’s internal controls system, whether operated by the Bank or a third-party, and identify the root cause of identified deficiencies; (fd) evaluate whether the Bank’s internal controls system results in prompt and accurate recording of transactions and proper safeguarding of assets; (ge) determine whether the Bank complies with laws and regulations and adheres to its established policies, procedures, and processes; (hf) require all internal audits to be supported through adequate transaction testing, which includes documenting the transaction testing methodology, sample size, the accounts and names selected for testing, the documents reviewed as part of the testing, and the results of transaction testing; (i) require determine whether management to take is taking appropriate and timely steps to address control deficiencies and audit report recommendations recommendations, that the progress of such steps is adequately validated, documented, and report its validated tracked, and that such progress is reported to the Audit Committee on at least a monthly/quarterly basis and require the Audit Committee to make a documented determination of whether the actions taken by management are satisfactorymonthly basis; (jg) require all internal audit reports to be in writing and distributed directly, not through any intervening party, to the Audit Committee in a timely manner after audit completion; and (kh) require audit work papers and documentation that provides a meaningful audit trail and validation for audit findings, conclusions, and recommendations. (3) The Board shall provide effective oversight of the Internal Audit Program, including: (a) verifying that management has adequately staffed the internal audit function, using internal resources and/or third-parties, with respect to both the number of auditors required and their knowledge, skills, and experience; (b) verifying the internal audit function is independent and objective. The person responsible for implementing the Internal Audit Program shall functionally report directly to the Audit Committee, which shall direct his or her activities, set compensation, and evaluate performance; (c) verifying management’s actions to address material weaknesses in a timely manner and, where appropriate, directing management to take additional action; and (d) verifying management satisfies all statutory, regulatory, and supervisory requirements. (4) The internal audit staff shall have access to any records necessary for the proper conduct of its activities. The OCC shall have access to all reports and work papers of the internal audit staff and any third parties providing internal audit service. (5) Upon adoption of the Internal Audit Program, Bank management, subject to Board review and ongoing monitoring, shall immediately implement and thereafter ensure adherence to the Internal Audit Program and any amendments thereto. The Board shall review the effectiveness of the Internal Audit Program at least annually, and more frequently if necessary or if required by the OCC in writing, and amend the Internal Audit Program as needed or directed by the OCC.

Internal Audit. (1) Within ninety (90) days of the date of this AgreementBy December 31, 2018, the Bank shall develop revise and after adoption by the Board shall adopt Board, implement an acceptable, independent, comprehensive, written internal audit program that adequately assesses controls is consistent with safe and operations sound standards for internal audit. Refer to allow the Board and management to understand the sufficiency of the Bank’s internal controls system (“Internal Audit Program”). (2i) Management shall ensure the Internal Audit Program complies with the standards for internal audit systems Internal Audit Systems set forth in Section II.B of the Interagency Guidelines Establishing Standards for Safety and Soundness, Appendix A to 12 C.F.R. Part 30. Refer to ; (ii) the guidance set forth in the “Interagency Policy Statement on the Internal Audit Function and Its Outsourcing” (OCC Bulletin 2003-12); and (iii) Internal and External Audits” booklet Audits booklet, M-AUD, of the Comptroller’s Handbook for related safe and sound principles. The Internal Audit Program shall incorporate standards of safety and soundness that are commensurate with the Bank’s size, complexity, scope of activities, and risk profile and shall, at a minimum:(December 2016). (a2) provide an objective, independent review and evaluation As part of the Bank’s activitiesaudit program, internal controlsthe Board, and or a committee thereof, shall ensure management information systems; (b) require the development of an develops a comprehensive annual risk assessment of the Bank’s all auditable areas, with annual documented Audit Committee approval areas of the risk assessment; (c) require Bank to ensure the development of an internal audit plan that is risk-based and provides adequate audit scope, coverage, and frequency for of audits are risk-based according to the Bank’s product lines, services, and operations and that audits provide sufficient oversight over the controls of the institution’s activities. The audit scope must be expanded to include all areas in which deficiencies were identified in the 2018 Report of Examination. Risk ratings shall be appropriately supported with consideration given to inherent risk and compensating internal controls. The Bank shall incorporate the annual risk assessment into its audit schedule. (3) The Board, or a committee thereof, shall review and approve the audit scope and schedule at least annually. At least quarterly, the Audit Committee, shall review the status of the Bankaudit schedule to ensure all audits have been completed in a timely manner and that any deviation is documented and approved. (4) As part of this audit program, with annual documented Audit Committee approval the Board shall evaluate the audit reports and shall assess the impact on the Bank of any audit deficiencies cited in such reports. (5) The Board shall ensure that the audit program is independent. The persons responsible for implementing the internal audit plan and Audit Committee notification of any material variance from program described above shall report directly to the planBoard, or a committee thereof, which shall have the sole power to direct their activities. Audit scope must cover: (i) compliance risk management functions, including management structure and effectiveness, board reporting, and the effectiveness of internal controls to mitigate violations of law and regulations. (ii) allowance for credit losses (ACL) risk management, policy, and methodology; and (iii) insider activities, including identification and documentation of related interests, fees paid to insiders, and insider-related recordkeeping. (d) address the use of third-parties to complete any internal audit activities, including documented Audit Committee approval of selection and termination of third-parties; refer to OCC Bulletin 2023-17, “Third-Party Relationships: Interagency Guidance on Risk Management,” for related safe and sound principles; (e) evaluate the reliability, adequacy, and effectiveness of the Bank’s internal controls system, whether operated All reports prepared by the Bank audit staff shall be filed directly with the Board, or a third-party, and identify the root cause of identified deficiencies; (f) evaluate whether the Bank’s internal controls system results in prompt and accurate recording of transactions and proper safeguarding of assets; (g) determine whether the Bank complies with laws and regulations and adheres to its established policies, procedures, and processes; (h) require all internal audits to be supported through adequate transaction testing, which includes documenting the transaction testing methodology, sample size, the accounts and names selected for testing, the documents reviewed as part of the testing, and the results of transaction testing; (i) require management to take appropriate and timely steps to address control deficiencies and audit report recommendations and report its validated progress to the Audit Committee on at least a monthly/quarterly basis and require the Audit Committee to make a documented determination of whether the actions taken by management are satisfactory; (j) require all internal audit reports to be in writing and distributed directlycommittee thereof, not through any intervening party, to the Audit Committee in a timely manner after audit completion; and (k) require audit work papers and documentation that provides a meaningful audit trail and validation for audit findings, conclusions, and recommendations. (36) All audit reports shall be in writing. The Board shall provide effective oversight of the Internal Audit Program, including: (a) verifying ensure that management has adequately staffed the internal prompt actions are undertaken to remedy deficiencies cited in audit function, using internal resources and/or third-parties, with respect to both the number of auditors required and their knowledge, skillsreports, and experience; (b) verifying the internal audit function is independent and objective. The person responsible for implementing the Internal Audit Program shall functionally report directly to the Audit Committee, which shall direct his or her activities, set compensation, and evaluate performance; (c) verifying management’s actions to address material weaknesses in that auditors maintain a timely manner and, where appropriate, directing management to take additional action; and (d) verifying management satisfies all statutory, regulatory, and supervisory requirementswritten record describing those actions. (47) The internal audit staff shall have access to any records necessary for the proper conduct of its activities. The OCC National bank examiners shall have access to all reports and work papers of the internal audit staff and any third other parties providing internal audit serviceworking on its behalf. (5) 8) Upon adoption adoption, a copy of the Internal Audit Program, Bank management, subject to Board review and ongoing monitoring, internal audit program shall immediately implement and thereafter ensure adherence be promptly submitted to the Internal Audit Program and any amendments thereto. The Board shall review the effectiveness of the Internal Audit Program at least annually, and more frequently if necessary or if required by the OCC in writing, and amend the Internal Audit Program as needed or directed by the OCCAssistant Deputy Comptroller.

Internal Audit. (1) Within ninety (90) days of the date of this AgreementBy June 30, 2024, the Bank shall develop submit to the Assistant Deputy Comptroller for review and the Board shall adopt prior written determination of no supervisory objection an acceptable, independent, comprehensive, revised written internal audit program that adequately assesses controls and operations to allow the Board and management to understand the sufficiency of the Bank’s internal controls system (“Internal Audit Program”). (2) Management shall ensure the Internal Audit Program complies with the standards for internal audit systems set forth in Section II.B of the Interagency Guidelines Establishing Standards for Safety and Soundness, Appendix A to 12 C.F.R. Part 30. Refer to the “Internal and External Audits” booklet of the Comptroller’s Handbook for related safe and sound principles. The Internal Audit Program shall incorporate standards of safety and soundness that are commensurate with the Bank’s size, complexity, scope of activities, and risk profile and shall, at a minimum: (a) provide an objective, independent review and evaluation of the Bank’s activities, internal controls, and management information systems; (b) require the development of an annual risk assessment of the Bank’s auditable areas, with annual documented Audit Committee approval of the risk assessment; (c) require the development of an internal audit plan that is risk-based and provides adequate audit scope, coverage, and frequency for all areas of the Bank, with annual documented Audit Committee approval of the internal audit plan and Audit Committee notification of any material variance from the plan. Audit scope must cover: (i) compliance risk management functions, including management structure and effectiveness, board reporting, and the effectiveness of internal controls to mitigate violations of law and regulations. (ii) allowance for credit losses (ACL) risk management, policy, and methodology; and (iii) insider activities, including identification and documentation of related interests, fees paid to insiders, and insider-related recordkeeping.; (d) address the use of third-third parties to complete any internal audit activities, including documented Audit Committee approval of selection and termination of third-third parties; refer to OCC Bulletin 2023-17, “Third-Party Relationships: Interagency Guidance on Risk Management,” for related safe and sound principles; (e) evaluate the reliability, adequacy, and effectiveness of the Bank’s internal controls system, whether operated by the Bank or a third-third party, and identify the root cause of identified deficiencies; (f) evaluate whether the Bank’s internal controls system results in prompt and accurate recording of transactions and proper safeguarding of assets; (g) determine whether the Bank complies with laws and regulations and adheres to its established policies, procedures, and processes; (h) require all internal audits to be supported through adequate transaction testingtesting of Bank specific transactions, which includes documenting the transaction testing methodology, sample size, the accounts and names selected for testing, the documents reviewed as part of the testing, and the results of transaction testing; (i) require management to take appropriate and timely steps to address control deficiencies and audit report recommendations and report its validated progress to the Audit Committee on at least a monthly/quarterly basis and require the Audit Committee to make a documented determination of whether the actions taken by management are satisfactory; (j) require all internal audit reports to be in writing writing, limited to audit findings specific to the Bank, and distributed directly, not through any intervening party, to the Audit Committee in a timely manner after audit completion; and (k) require audit work papers and documentation that provides a meaningful audit trail and validation for audit findings, conclusions, and recommendations. (3) The Board shall provide effective oversight of the Internal Audit Program, including: (a) verifying that management has adequately staffed the internal audit function, using internal resources and/or third-third parties, with respect to both the number of auditors required and their knowledge, skills, and experience; (b) verifying the internal audit function is independent and objective. The person responsible for implementing the Internal Audit Program shall functionally report directly to the Audit Committee, which shall direct his or her activities, set compensation, and evaluate performance; (c) verifying management’s actions to address material weaknesses in a timely manner and, where appropriate, directing management to take additional action; and (dc) verifying management satisfies all statutory, regulatory, and supervisory requirements. (4) The internal audit staff shall have access to any records necessary for the proper conduct of its activities. The OCC shall have access to all reports and work papers Within thirty (30) days following receipt of the internal audit staff and any third parties providing internal audit service. (5) Upon adoption Assistant Deputy Comptroller’s written determination of no supervisory objection to the Internal Audit ProgramProgram or to any subsequent amendment to the program, the Board shall adopt and Bank management, subject to Board review and ongoing monitoring, shall immediately implement and thereafter ensure adherence to the Internal Audit Program and any amendments theretoprogram. The Board shall engage a qualified independent third party to validate the changes to the program to ensure they are effective. The Board shall review the effectiveness of the Internal Audit Program at least annually, and more frequently if necessary or if required by the OCC in writing, and amend the Internal Audit Program program as needed or directed by the OCC. Any amendment to the program must be submitted to the Assistant Deputy Comptroller for review and prior written determination of no supervisory objection.

Internal Audit. (1) Within ninety sixty (9060) days of the date of this Agreement, the Bank shall develop submit to the Assistant Deputy Comptroller for review and the Board shall adopt prior written determination of no supervisory objection an acceptable, independent, comprehensive, written internal audit program that adequately assesses controls and operations to allow the Board and management to understand the sufficiency of the Bank’s internal controls system (“Internal Audit Program”). (2) Management shall ensure the Internal Audit Program complies with the standards for internal audit systems set forth in Section II.B of the Interagency Guidelines Establishing Standards for Safety and Soundness, Appendix A to 12 C.F.R. Part 30. Refer to the “Internal and External Audits” booklet of the Comptroller’s Handbook for related safe and sound principles. The Internal Audit Program shall incorporate standards of safety and soundness that are commensurate with the Bank’s size, complexity, scope of activities, and risk profile and shall, at a minimum: (a) provide an objective, independent review and evaluation of the Bank’s activities, internal controls, and management information systems; (b) require the development of an annual a risk assessment that captures all of the Bank’s 's auditable areasareas and utilizes a well-supported methodology to develop a risk-based schedule of internal audits, with annual documented Audit Committee approval of the risk assessment; (c) require the development of an internal audit plan that is risk-based and provides adequate audit scope, coverage, and frequency for all areas of the Bank, with annual documented Audit Committee approval of the internal audit plan and Audit Committee notification of any material variance from the plan. Audit scope must cover: (i) compliance risk management functions, including management structure and effectiveness, board reporting, and the effectiveness of internal controls to mitigate violations of law and regulations. (ii) allowance for credit losses (ACL) risk management, policy, and methodology; and (iii) insider activities, including identification and documentation of related interests, fees paid to insiders, and insider-related recordkeeping.; (d) address the use of third-third parties to complete any internal audit activities, including documented Audit Committee approval of selection and termination of third-parties; refer to OCC Bulletin 2023-17, “Third-Party Relationships: Interagency Guidance on Risk Management,” for related safe and sound principles; (e) evaluate the reliability, adequacy, and effectiveness of the Bank’s internal controls system, whether operated by the Bank or a third-party, and identify the root cause of identified deficiencies; (f) evaluate whether the Bank’s internal controls system results in prompt and accurate recording of transactions and proper safeguarding of assets; (g) determine whether the Bank complies with laws and regulations and adheres to its established policies, procedures, and processes; (h) require all internal audits to be supported through adequate transaction testing, which includes documenting the transaction testing methodology, sample size, the accounts and names selected for testing, the documents reviewed as part of the testing, and the results of transaction testing; (i) require management to take appropriate and timely steps to address control deficiencies and audit report recommendations and report its validated progress to the Audit Committee on at least a monthly/quarterly monthly basis and require the Audit Committee to make a documented determination of whether the actions taken by management are satisfactory; (j) require all internal audit reports to be in writing and distributed directly, not through any intervening party, to the Audit Committee in a timely manner after audit completion; and; (k) require audit work papers and documentation that provides provide a meaningful audit trail and validation for audit findings, conclusions, and recommendations; and (l) require the development of an audit finding log that allows management to track findings through remediation and validation, to assess the quality and sustainability of management’s corrective actions. (3) The Board shall provide effective oversight of the Internal Audit Program, including: (a) verifying that management has adequately staffed the internal audit function, using internal resources and/or third-third parties, with respect to both the number of auditors required and their knowledge, skills, and experience; (b) verifying the internal audit function is independent and objective. The person responsible for implementing the Internal Audit Program shall functionally report directly to the Audit Committee, which shall direct his or her activities, set compensation, and evaluate performance; (c) verifying management’s actions to address material weaknesses in a timely manner and, where appropriate, directing management to take additional action; and (d) verifying management satisfies all statutory, regulatory, and supervisory requirements. (4) The internal audit staff shall have access to any records necessary for the proper conduct of its activities. The OCC shall have access to all reports and work papers of the internal audit staff and any third parties providing internal audit serviceservices. (5) Upon adoption Within thirty (30) days following receipt of the Assistant Deputy Comptroller’s written determination of no supervisory objection to the Internal Audit Program or to any subsequent amendment to the Internal Audit Program, Bank the Board shall adopt and management, subject to Board review and ongoing monitoring, shall immediately implement and thereafter ensure adherence to the Internal Audit Program and any amendments theretoProgram. The Board shall review the effectiveness of the Internal Audit Program at least annually, and more frequently if necessary or if required by the OCC in writing, and amend the Internal Audit Program as needed or directed by the OCC. Any amendment to the Internal Audit Program must be submitted to the Assistant Deputy Comptroller for review and prior written determination of no supervisory objection.