Common use of Effectiveness of Controls Clause in Contracts

Effectiveness of Controls. (a) The parties acknowledge that: (i) each party’s management and independent auditors are now and/or in the future may be required under the Xxxxxxxx-Xxxxx Act of 2002 and related regulations and the Federal Deposit Insurance Corporation Improvement Act of 1991 and related regulations (collectively, the “Relevant Laws”) to, among other things, assess the effectiveness of its internal controls over financial reporting and state in its report whether such internal controls are effective; and (ii) because each party has entered into a significant transaction with the other as described in this Agreement, the controls used by the parties (including controls that restrict unauthorized access to Systems, data and programs) are relevant to each party’s evaluation of its internal controls. Having acknowledged the foregoing, and subject to the terms of Section 4.14 and Section 4.16, each party hereby agrees to cooperate with the other party and its independent auditor as reasonably necessary to facilitate such party’s ability to comply with its obligations under the Relevant Laws. (b) Company will: (i) maintain an internal controls structure pertaining to the Program in such manner and at such times as is consistent with the practices of well-managed operations performing services substantially similar to Company’s obligations set forth in this Agreement, and (ii) cause to be conducted by a nationally recognized external auditor, as * 41 requested by Bank but no more frequently than annually in the case of each item referred to in clauses (A) and (B), (A) SSAE 16 (Type II) SOC 1 audits covering financial controls over not less than a twelve (12) month period ending not earlier than August 1 and not later than August 31 (or another mutually agreed upon timeline), and (B) SOC 2 (Type II) audits covering trust service principles over not less than a twelve (12) month period ending not earlier than August 1 and not later than August 31 in respect of each of its data centers and facilities from which Program services (including back-up or disaster recovery services) are provided, covering IT application and data security controls, including controls related to Payment Card Industry Data Security Standards applicable to the Program. Prior to conducting audits pursuant to subsection (ii), the parties will mutually agree on the Person that will perform such audits and the controls to be assessed, the in-scope business and technical processes, and the reports to be produced, which, in any event, will include the description and results of such assessments. Bank may request Company to add to or modify the scope of any assessments and reports if required to fulfill Bank’s control obligations in connection with its annual audit or as required to comply with Applicable Law, and Company will not unreasonably withhold consent to such requests. Company will deliver the report of each such audit to Bank not later than September 30 of each year (or pursuant to a mutually agreed-upon timeline). At Bank’s request, any reports, tests or other summaries prepared by such independent audit or testing firm shall be addressed to Bank and Company. The parties’ agreement regarding the cost allocation in connection with the foregoing audits and testing and certain other matters is set forth in Schedule 4.16. (c) [RESERVED] (d) If Bank assumes any servicing obligations in connection with the Program, the parties shall mutually agree, each acting in good faith, regarding internal controls auditing and testing requirements may become applicable to Bank in light of Bank’s activities under this Agreement. In addition, Bank shall agree to undergo and share with Company such internal controls auditing and testing procedures that are required to comply with Applicable Law. (e) The parties agree that following the Effective Date an assessment of Company’s Systems related to the issuing and servicing of the Credit Cards of the Program shall be performed and completed prior to the Closing Date. Bank and Company shall mutually agree, each acting reasonably, on (i) the controls to be assessed, the in-scope Systems, and the report to be produced, which will include the description and results of the assessment, and (ii) the independent third party who will perform the assessment. Company shall provide Bank with the executive summary of the report and, if the report contains a deficiency, then prior to the Closing Date, Company shall deliver to Bank for review and approval a remediation plan that addresses any error, deficiency or other gap identified in the assessment. Company will execute such remediation plan in accordance with its terms and at its own expense. Bank shall pay all costs of the third party in completing the assessment and producing the report.

Effectiveness of Controls. (a) The parties acknowledge that: (i) each party’s management and independent auditors are now and/or in the future may be required under the Xxxxxxxx-Xxxxx Act of 2002 and related regulations and the Federal Deposit Insurance Corporation Improvement Act of 1991 and related regulations (collectively, the “Relevant Laws”) to, among other things, assess the effectiveness of its internal controls over financial reporting and state in its report whether such internal controls are effective; and (ii) because each party has entered into a significant transaction with the other as described in this Agreement, the controls used by the parties (including controls that restrict unauthorized access to Systemssystems, data and programs) are relevant to each party’s evaluation of its internal controls. Having acknowledged the foregoing, and subject to the terms of this Section 4.14 and Section 4.164.17, each party hereby agrees to cooperate with the other party and its independent auditor as reasonably necessary to facilitate such party’s ability to comply with its obligations under the Relevant Laws. (b) Company will: (i) maintain an internal controls structure pertaining to the Program in such manner and at such times as is consistent with the practices of well-managed operations performing services substantially similar to Company’s obligations set forth in this Agreement, and (ii) cause to be conducted by a nationally recognized external auditor, as * 41 requested by Bank but no more frequently than annually in the case of each item referred to in clauses (A) and (B), (A) SSAE 16 (Type II) SOC 1 audits covering financial controls over not less than a twelve (12) month period ending not earlier than August 1 and not later than August 31 (or another mutually agreed upon timeline), and (B) SOC 2 (Type II) audits covering trust service principles over not less than a twelve (12) month period ending not earlier than August 1 and not later than August 31 in respect of each of its data centers and facilities from which Program services (including back-up or disaster recovery services) are provided, covering IT application and data security controls, including controls related to Payment Card Industry Data Security Standards applicable to the Program. Prior to conducting audits pursuant to subsection (ii), the parties will mutually agree on the Person that will perform such audits and the controls to be assessed, the in-scope business and technical processes, and the reports to be produced, which, in any event, will include the description and results of such assessments. Bank may request Company to add to or modify the scope of any assessments and reports if required to fulfill Bank’s control obligations in connection with its annual audit or as required to comply with Applicable Law, and Company will not unreasonably withhold consent to such requests. Company will deliver the report of each such audit to Bank not later than September 30 of each year (or pursuant to a mutually agreed-upon timeline). At Bank’s request, any reports, tests or other summaries prepared by such independent audit or testing firm shall be addressed to Bank and Company. The parties’ agreement regarding the cost allocation in connection with the foregoing audits and testing and certain other matters is set forth in Schedule 4.16. (c) [RESERVED] (d) If Bank assumes any servicing obligations in connection with the Program, the parties shall mutually agree, each acting in good faith, regarding internal controls auditing and testing requirements may become applicable to Bank in light of Bank’s activities under this Agreement. In addition, Bank shall agree to undergo and share with Company such internal controls auditing and testing procedures that are required to comply with Applicable Law. (e) The parties agree that following the Effective Date an assessment of Company’s Systems related to the issuing and servicing of the Credit Cards of the Program shall be performed and completed prior to the Closing Date. Bank and Company shall mutually agree, each acting reasonably, on (i) the controls to be assessed, the in-scope Systems, and the report to be produced, which will include the description and results of the assessment, and (ii) the independent third party who will perform the assessment. Company shall provide Bank with the executive summary of the report and, if the report contains a deficiency, then prior to the Closing Date, Company shall deliver to Bank for review and approval a remediation plan that addresses any error, deficiency or other gap identified in the assessment. Company will execute such remediation plan in accordance with its terms and at its own expense. Bank shall pay all costs of the third party in completing the assessment and producing the report.

Effectiveness of Controls. (a) The parties acknowledge that: (i) each party’s management and independent auditors are now and/or in the future may be required under the Xxxxxxxx-Xxxxx Act of 2002 and related regulations and the Federal Deposit Insurance Corporation Improvement Act of 1991 and related regulations (collectively, the “Relevant Laws”) to, among other things, assess the effectiveness of its internal controls over financial reporting and state in its report whether such internal controls are effective; and (ii) because each party has entered into a significant transaction with the other as described in this Agreement, the controls used by the parties (including controls that restrict unauthorized access to Systems, data and programs) are relevant to each party’s evaluation of its internal controls. Having acknowledged the foregoing, and subject to the terms of Section 4.14 and Section 4.16, each party hereby agrees to cooperate with the other party and its independent auditor as reasonably necessary to facilitate such party’s ability to comply with its obligations under the Relevant Laws. (b) Company will: (i) maintain an internal controls structure pertaining to the Program in such manner and at such times as is consistent with the practices of well-managed operations performing services substantially similar to Company’s obligations set forth in this Agreement, and (ii) cause to be conducted by a nationally recognized external auditor, as * 41 requested by Bank but no more frequently than annually in the case of each item referred to in clauses (A) and (B), (A) SSAE 16 (Type II) SOC 1 audits covering financial controls over not less than a twelve (12) month period ending not earlier than August 1 and not later than August 31 (or another mutually agreed upon timeline), and (B) SOC 2 (Type II) audits covering trust service principles over not less than a twelve (12) month period ending not earlier than August 1 and not later than August 31 in respect of each of its data centers and facilities from which Program services (including back-up or disaster recovery services) are provided, covering IT application and data security controls, including controls related to Payment Card Industry Data Security Standards applicable to the Program. Prior to conducting audits pursuant to subsection (ii), the parties will mutually agree on the Person that will perform such audits and the controls to be assessed, the in-scope business and technical processes, and the reports to be produced, which, in any event, will include the description and results of such assessments. Bank may request Company to add to or modify the scope of any assessments and reports if required to fulfill Bank’s control obligations in connection with its annual audit or as required to comply with Applicable Law, and Company will not unreasonably withhold consent to such requests. Company will deliver the report of each such audit to Bank not later than September 30 of each year (or pursuant to a mutually agreed-upon timeline). At Bank’s request, any reports, tests or other summaries prepared by such independent audit or testing firm shall be addressed to Bank and Company. The parties’ agreement regarding the cost allocation in connection with the foregoing audits and testing and certain other matters is set forth in Schedule 4.16. (c) [RESERVED] (d) If Bank assumes any servicing obligations in connection with the Program, the parties shall mutually agree, each acting in good faith, regarding internal controls auditing and testing requirements may become applicable to Bank in light of Bank’s activities under this Agreement. In addition, Bank shall agree to undergo and share with Company such internal controls auditing and testing procedures that are required to comply with Applicable Law. (e) The parties agree that following the Effective Date an assessment of Company’s Systems related to the issuing and servicing of the Credit Cards of the Program shall be performed and completed prior to the Closing Date. Bank and Company shall mutually agree, each acting reasonably, on (i) the controls to be assessed, the in-scope Systems, and the report to be produced, which will include the description and results of the assessment, and (ii) the independent third party who will perform the assessment. Company shall provide Bank with the executive summary of the report and, if the report contains a deficiency, then prior to the Closing Date, Company shall deliver to Bank for review and approval a remediation plan that addresses any error, deficiency or other gap identified in the assessment. Company will execute such remediation plan in accordance with its terms and at its own expense. Bank shall pay all costs of the third party in completing the assessment and producing the report.

Effectiveness of Controls. (a) The parties acknowledge that: (i) each party’s management and independent auditors are now and/or in the future may be required under the Xxxxxxxx-Xxxxx Act of 2002 and related regulations and the Federal Deposit Insurance Corporation Improvement Act of 1991 and related regulations (collectively, the “Relevant Laws”) to, among other things, assess the effectiveness of its internal controls over financial reporting and state in its report whether such internal controls are effective; and (ii) because each party has entered into a significant transaction with the other as described in this Agreement, the controls used by the parties (including controls that restrict unauthorized access to Systemssystems, data and programs) are relevant to each party’s evaluation of its internal controls. Having acknowledged the foregoing, and subject to the terms of this Section 4.14 and Section 4.164.17, each party hereby agrees to cooperate with the other party and its independent auditor as reasonably necessary to facilitate such party’s ability to comply with its obligations under the Relevant Laws. (b) Company will: (i) maintain an internal controls structure pertaining to the Program in such manner and at such times as is consistent with the practices of well-managed operations performing services substantially similar to Company’s obligations set forth in this Agreement, and (ii) cause to be conducted by a nationally recognized external auditor, as * 41 requested by Bank but no more frequently than annually in the case of each item referred to in clauses (A) and (B), (A) SSAE 16 (Type II) SOC 1 audits covering financial controls over not less than a twelve (12) month [*] period ending not earlier than August 1 and not later than August 31 (or another mutually agreed upon timeline), and (B) SOC 2 (Type II) audits covering trust service principles over not less than a twelve (12) month period ending not earlier than August 1 and not later than August 31 Agreed Upon Procedures in respect of each of its data centers and facilities from which Program services (including back-up or disaster recovery services) are provided, covering IT application and data security controls, including controls related to Payment Card Industry Data Security Standards applicable to the Program. Prior to conducting audits pursuant to subsection (ii), the parties Company will mutually agree on the Person that will perform such audits and provide to Bank a description of the controls to be assessed, the in-scope business and technical processes, and the reports to be produced, which, in any event, will include the description and results of such assessments. Bank may request Company to add to or modify the scope of any such assessments and reports if required to fulfill Bank’s control obligations in connection with its annual audit or as required to comply with Applicable Lawobligations, and Company will not unreasonably withhold consent to comply with such requests. If a report is anticipated to contain any material deficiency, Company will give Bank notice of such deficiency as soon as reasonably practicable. Company will deliver the report of each such audit to Bank not later than September 30 of each year (or pursuant to a mutually agreed-upon timeline). At Bank’s request, any reports, tests or other summaries prepared by such independent audit or testing firm shall be addressed to Bank and Company. The parties’ agreement regarding the cost allocation (in connection with the foregoing audits and testing and certain other matters is set forth in Schedule 4.16. (c) [RESERVED] (d) If Bank assumes any servicing obligations in connection with the Program, the parties shall mutually agree, each acting in good faith, regarding internal controls auditing and testing requirements may become applicable to Bank in light of Bank’s activities under this Agreement. In addition, Bank shall agree to undergo and share with Company such internal controls auditing and testing procedures that are required to comply with Applicable Law. (e) The parties agree that following the Effective Date an assessment of Company’s Systems related addition to the issuing and servicing of the Credit Cards of the Program shall be performed and completed prior Company). [*] If a report pursuant to the Closing Date. Bank and Company shall mutually agree, each acting reasonably, on (i) the controls to be assessed, the in-scope Systems, and the report to be produced, which will include the description and results of the assessment, and (ii) the independent third party who will perform the assessment. Company shall provide Bank with the executive summary of the report and, if the report this Section contains a deficiency, then prior to Company will no later than [*] following the Closing Datereport date, Company shall deliver to Bank for review and approval a remediation corrective action plan that addresses any that, if followed, will correct the error, deficiency or other gap identified in the assessmentfailure to perform. Company will execute the plan [*] in accordance with its terms, and conduct such remediation additional follow-up [*]. If a deficiency is deemed significant by Bank in its reasonable judgment, then at Bank’s request additional audit procedures will be conducted [*]. Company will notify Bank in writing promptly upon completion of the remediation. (c) Company will deliver to Bank, not later than November 15 of each year during the term of the Agreement, a certificate (or discussion with management of Company, Bank and Bank’s independent auditors) of the designated officer of Company dated as of November 1 certifying that Company is not aware of any event or condition which evidences a control, security or other deficiency relating to the subject matter addressed in the latest audit report delivered to Bank pursuant to this Section 4.17. If a report pursuant to this Section contains such a control, security or other deficiency, Company will promptly deliver to Bank a corrective action plan and will immediately and [*] execute the plan in accordance with its terms terms, and at its own expense. Bank shall pay all costs of will conduct [*] such additional follow-up audits as may be requested by Bank, acting reasonably, to confirm that the third party in completing the assessment and producing the reportdeficiency has been corrected.

Effectiveness of Controls. (a) The parties acknowledge that: (i) each party’s management and independent auditors are now and/or in the future may be required under the Xxxxxxxx-Xxxxx Act of 2002 and related regulations and the Federal Deposit Insurance Corporation Improvement Act of 1991 and related regulations (collectively, the “Relevant Laws”) to, among other things, assess the effectiveness of its internal controls over financial reporting and state in its report whether such internal controls are effective; and (ii) because each party has entered into a significant transaction with the other as described in this Agreement, the controls used by the parties (including controls that restrict unauthorized access to Systemssystems, data and programs) are relevant to each party’s evaluation of its internal controls. Having acknowledged the foregoing, and subject to the terms of this Section 4.14 and Section 4.164.17, each party hereby agrees to cooperate with the other party and its independent auditor as reasonably necessary to facilitate such party’s ability to comply with its obligations under the Relevant Laws. (b) Company will: (i) maintain an internal controls structure pertaining to the Program in such manner and at such times as is consistent with the practices of well-managed operations performing services substantially similar to Company’s obligations set forth in this Agreement, and (ii) cause to be conducted by a nationally recognized external auditor, as * 41 requested by Bank but no more frequently than annually in the case of each item referred to in clauses (A) and (B), (A) SSAE 16 (Type II) SOC 1 audits covering financial controls over not less than a twelve (12) month [*] period ending not earlier than August 1 and not later than August 31 (or another mutually agreed upon timeline), and (B) SOC 2 (Type II) audits covering trust service principles over not less than a twelve (12) month period ending not earlier than August 1 and not later than August 31 Agreed Upon Procedures in respect of each of its data centers and facilities from which Program services (including back-up or disaster recovery services) are provided, covering IT application and data security controls, including controls related to Payment Card Industry Data Security Standards applicable to the Program. Prior to conducting audits pursuant [*] Indicates confidential portions omitted pursuant to a request for confidential treatment filed separately with the Commission. to subsection (ii), the parties Company will mutually agree on the Person that will perform such audits and provide to Bank a description of the controls to be assessed, the in-scope business and technical processes, and the reports to be produced, which, in any event, will include the description and results of such assessments. Bank may request Company to add to or modify the scope of any such assessments and reports if required to fulfill Bank’s control obligations in connection with its annual audit or as required to comply with Applicable Lawobligations, and Company will not unreasonably withhold consent to comply with such requests. If a report is anticipated to contain any material deficiency, Company will give Bank notice of such deficiency as soon as reasonably practicable. Company will deliver the report of each such audit to Bank not later than September 30 of each year (or pursuant to a mutually agreed-upon timeline). At Bank’s request, any reports, tests or other summaries prepared by such independent audit or testing firm shall be addressed to Bank and Company. The parties’ agreement regarding the cost allocation (in connection with the foregoing audits and testing and certain other matters is set forth in Schedule 4.16. (c) [RESERVED] (d) If Bank assumes any servicing obligations in connection with the Program, the parties shall mutually agree, each acting in good faith, regarding internal controls auditing and testing requirements may become applicable to Bank in light of Bank’s activities under this Agreement. In addition, Bank shall agree to undergo and share with Company such internal controls auditing and testing procedures that are required to comply with Applicable Law. (e) The parties agree that following the Effective Date an assessment of Company’s Systems related addition to the issuing and servicing of the Credit Cards of the Program shall be performed and completed prior Company). [*] If a report pursuant to the Closing Date. Bank and Company shall mutually agree, each acting reasonably, on (i) the controls to be assessed, the in-scope Systems, and the report to be produced, which will include the description and results of the assessment, and (ii) the independent third party who will perform the assessment. Company shall provide Bank with the executive summary of the report and, if the report this Section contains a deficiency, then prior to Company will no later than [*] following the Closing Datereport date, Company shall deliver to Bank for review and approval a remediation corrective action plan that addresses any that, if followed, will correct the error, deficiency or other gap identified in the assessmentfailure to perform. Company will execute the plan [*] in accordance with its terms, and conduct such remediation additional follow-up [*]. If a deficiency is deemed significant by Bank in its reasonable judgment, then at Bank’s request additional audit procedures will be conducted [*]. Company will notify Bank in writing promptly upon completion of the remediation. (c) Company will deliver to Bank, not later than November 15 of each year during the term of the Agreement, a certificate (or discussion with management of Company, Bank and Bank’s independent auditors) of the designated officer of Company dated as of November 1 certifying that Company is not aware of any event or condition which evidences a control, security or other deficiency relating to the subject matter addressed in the latest audit report delivered to Bank pursuant to this Section 4.17. If a report pursuant to this Section contains such a control, security or other deficiency, Company will promptly deliver to Bank a corrective action plan and will immediately and [*] execute the plan in accordance with its terms terms, and at its own expense. Bank shall pay all costs of will conduct [*] such additional follow-up audits as may be requested by Bank, acting reasonably, to confirm that the third party in completing the assessment and producing the reportdeficiency has been corrected.

Effectiveness of Controls. (a) The parties acknowledge that: (i) each party’s management and independent auditors are now and/or in the future may be required under the Xxxxxxxx-Xxxxx Act of 2002 and related regulations and the Federal Deposit Insurance Corporation Improvement Act of 1991 and related regulations (collectively, the “Relevant Laws”) to, among other things, assess the effectiveness of its internal controls over financial reporting and state in its report whether such internal controls are effective; and (ii) because each party has entered into a significant transaction with the other as described in this Agreement, the controls used by the parties (including controls that restrict unauthorized access to Systemssystems, data and programs) are relevant to each party’s evaluation of its internal controls. Having acknowledged the foregoing, and subject to the terms of this Section 4.14 and Section 4.164.17, each party hereby agrees to cooperate with the other party and its independent auditor as reasonably necessary to facilitate such party’s ability to comply with its obligations under the Relevant Laws. (b) Company will: (i) maintain an internal controls structure pertaining to the Program in such manner and at such times as is consistent with the practices of well-managed operations performing services substantially similar to Company’s obligations set forth in this Agreement, and (ii) cause to be conducted by a nationally recognized external auditor, as * 41 requested by Bank but no more frequently than annually in the case of each item referred to in clauses (A) and (B), (A) SSAE 16 (Type II) SOC 1 audits covering financial controls over not less than a twelve (12) month period ending not earlier than August 1 and not later than August 31 (or another mutually agreed upon timeline), and (B) SOC 2 (Type II) audits covering trust service principles over not less than a twelve (12) month period ending not earlier than August 1 and not later than August 31 Agreed Upon Procedures in respect of each of its data centers and facilities from which Program services (including back-up or disaster recovery services) are provided, covering IT application and data security controls, including controls related to Payment Card Industry Data Security Standards applicable to the Program. Prior to conducting audits pursuant to subsection (ii), the parties Company will mutually agree on the Person that will perform such audits and provide to Bank a description of the controls to be assessed, the in-scope business and technical processes, and the reports to be produced, which, in any event, will include the description and results of such assessments. Bank may request Company to add to or modify the scope of any such assessments and reports if required to fulfill Bank’s control obligations in connection with its annual audit or as required to comply with Applicable Lawobligations, and Company will not unreasonably withhold consent to comply with such requests. If a report is anticipated to contain any material deficiency, Company will give Bank notice of such deficiency as soon as reasonably practicable. Company will deliver the report of each such audit to Bank not later than September 30 of each year (or pursuant to a mutually agreed-upon timeline). At Bank’s request, any reports, tests or other summaries prepared by such independent audit or testing firm shall be addressed to Bank and (in addition to the Company). The parties’ agreement regarding the cost allocation Company shall bear its own costs in connection with the foregoing audits and testing; provided that 50% of the costs of such independent audit or testing and certain other matters is set forth in Schedule 4.16. (c) [RESERVED] (d) If Bank assumes any servicing obligations firm in connection with the Program, the parties shall mutually agree, each acting in good faith, regarding internal controls auditing foregoing audits and testing requirements may become applicable to Bank in light of Bank’s activities under this Agreement. In addition, Bank shall agree to undergo and share with Company such internal controls auditing and testing procedures that are required to comply with Applicable Law. (e) The parties agree that following the Effective Date an assessment of Company’s Systems related to the issuing and servicing of the Credit Cards of the Program tests shall be performed and completed prior reimbursed to the Closing DateCompany by Bank. Bank and Company shall mutually agree, each acting reasonably, on (i) the controls If a report pursuant to be assessed, the in-scope Systems, and the report to be produced, which will include the description and results of the assessment, and (ii) the independent third party who will perform the assessment. Company shall provide Bank with the executive summary of the report and, if the report this Section contains a deficiency, then prior to Company will no later than thirty (30) days following the Closing Datereport date, Company shall deliver to Bank for review and approval a remediation corrective action plan that addresses any that, if followed, will correct the error, deficiency or other gap identified in the assessmentfailure to perform. Company will execute the plan at Company’s expense in accordance with its terms, and conduct such remediation additional follow-up audits at Company’s expense as may be requested by Bank, acting reasonably. If a deficiency is deemed significant by Bank in its reasonable judgment, then at Bank’s request additional audit procedures will be conducted at Company’s expense. Company will notify Bank in writing promptly upon completion of the remediation. (c) Company will deliver to Bank, not later than November 15 of each year during the term of the Agreement, a certificate (or discussion with management of Company, Bank and Bank’s independent auditors) of the designated officer of Company dated as of November 1 certifying that Company is not aware of any event or condition which evidences a control, security or other deficiency relating to the subject matter addressed in the latest audit report delivered to Bank pursuant to this Section 4.17. If a report pursuant to this Section contains such a control, security or other deficiency, Company will promptly deliver to Bank a corrective action plan and will immediately and at its cost execute the plan in accordance with its terms terms, and will conduct at its own expense. Bank shall pay all costs of cost such additional follow-up audits as may be requested by Bank, acting reasonably, to confirm that the third party in completing the assessment and producing the reportdeficiency has been corrected.