Common use of Internal Audit Clause in Contracts

Internal Audit. (1) Within ninety (90) days of the date of this Agreement, the Bank shall submit to the ADC for review and prior written determination of no supervisory objection an acceptable, comprehensive, written independent internal audit program that adequately assesses controls and operations to allow the Board and management to understand the sufficiency of the Bank’s internal controls system (“Internal Audit Program”). (2) Management shall ensure the Internal Audit Program complies with the standards for internal audit systems set forth in Section II.B of the Interagency Guidelines Establishing Standards for Safety and Soundness, Appendix A to 12 C.F.R. Part 30. Refer to the “Internal and External Audits” booklet of the Comptroller’s Handbook for related safe and sound principles. The Internal Audit Program shall incorporate standards of safety and soundness that are commensurate with the Bank’s size, complexity, scope of activities, and risk profile and shall, at a minimum: (a) Provide an objective, independent review and evaluation of bank activities, internal controls, and management information systems; (b) require the development of an annual risk assessment of the Bank’s auditable areas, with annual documented Board approval of the risk assessment; (c) require the development of an internal audit plan that is risk-based and provides adequate audit scope, coverage, and frequency for all areas of the Bank, with annual documented Board approval of the internal audit plan and Board notification of any material variances from the plan; (d) address the use of third-parties to complete any internal audit activities, including documented Board approval of selection and termination of third-parties; refer to OCC Bulletin 2023-17, “Third-Party Relationships: Interagency Guidance on Risk Management,” for related safe and sound principles; (e) evaluate the reliability, adequacy, and effectiveness of the Bank’s internal control system, whether owned by the Bank or a third party; (f) evaluate whether the Bank’s internal controls system results in prompt and accurate recording of transactions and proper safeguarding of assets; (g) determine whether the Bank complies with laws and regulations and adheres to its established policies, procedures, and processes; (h) require all internal audits to be supported through adequate transaction testing, which includes documenting the transaction testing methodology, sample size, the accounts and names selected for testing, the documents reviewed as part of the testing, and the results of transaction testing; (i) require management to take appropriate and timely steps to address control deficiencies and audit report recommendations and report its validated progress to the Board on at least a quarterly basis and require the Board to make a documented determination of whether the actions taken by management are satisfactory; (j) require all internal audit reports to be in writing and distributed directly, not through any intervening party, to the Board in a timely manner after audit completion; and (k) require audit work papers and documentation that provides a meaningful audit trail and validation for audit findings, conclusions, and recommendations. (3) The Board shall provide effective oversight of the Internal Audit Program, including: (a) verifying that management has adequately staffed the internal audit function, using internal resources and/or third parties, with respect to both the number of auditors required and their knowledge, skills, and experience; (b) verifying the internal audit function is independent and objective. The person responsible for implementing the Internal Audit Program shall functionally report directly to the Board, which shall direct his or her activities, set compensation, and evaluate performance; (c) verifying management’s actions to address material weaknesses in a timely manner and, where appropriate, directing management to take additional action; and (d) verifying management satisfies all statutory, regulatory, and supervisory requirements. (4) The internal audit staff shall have access to any records necessary for the proper conduct of its activities. The OCC shall have access to all reports and work papers of the internal audit staff and any third parties providing internal audit services. (5) Upon receipt of the ADC’s written determination of no supervisory objection to the Internal Audit Program or to any subsequent amendment to the Internal Audit Program, the Board shall adopt and Bank management, subject to Board review and ongoing monitoring, shall immediately implement and thereafter ensure adherence to the Internal Audit Program. The Board shall review the effectiveness of the Internal Audit Program at least annually, and more frequently if necessary or if required by the OCC in writing, and amend the Internal Audit Program as needed or directed by the OCC. Any amendment to the Internal Audit Program must be submitted to the ADC for review and prior written determination of no supervisory objection.

Internal Audit. (1) Within ninety (90) days of the date of this AgreementBy June 30, 2024, the Bank shall submit to the ADC Assistant Deputy Comptroller for review and prior written determination of no supervisory objection an acceptable, independent, comprehensive, revised written independent internal audit program that adequately assesses controls and operations to allow the Board and management to understand the sufficiency of the Bank’s internal controls system (“Internal Audit Program”). (2) Management shall ensure the Internal Audit Program complies with the standards for internal audit systems set forth in Section II.B of the Interagency Guidelines Establishing Standards for Safety and Soundness, Appendix A to 12 C.F.R. Part 30. Refer to the “Internal and External Audits” booklet of the Comptroller’s Handbook for related safe and sound principles. The Internal Audit Program shall incorporate standards of safety and soundness that are commensurate with the Bank’s size, complexity, scope of activities, and risk profile and shall, at a minimum: (a) Provide provide an objective, independent review and evaluation of bank the Bank’s activities, internal controls, and management information systems; (b) require the development of an annual risk assessment of the Bank’s auditable areas, with annual documented Board Audit Committee approval of the risk assessment; (c) require the development of an internal audit plan that is risk-based and provides adequate audit scope, coverage, and frequency for all areas of the Bank, with annual documented Board Audit Committee approval of the internal audit plan and Board Audit Committee notification of any material variances variance from the plan; (d) address the use of third-third parties to complete any internal audit activities, including documented Board Audit Committee approval of selection and termination of third-third parties; refer to OCC Bulletin 2023-17, “Third-Party Relationships: Interagency Guidance on Risk Management,” for related safe and sound principles; (e) evaluate the reliability, adequacy, and effectiveness of the Bank’s internal control controls system, whether owned operated by the Bank or a third party, and identify the root cause of identified deficiencies; (f) evaluate whether the Bank’s internal controls system results in prompt and accurate recording of transactions and proper safeguarding of assets; (g) determine whether the Bank complies with laws and regulations and adheres to its established policies, procedures, and processes; (h) require all internal audits to be supported through adequate transaction testingtesting of Bank specific transactions, which includes documenting the transaction testing methodology, sample size, the accounts and names selected for testing, the documents reviewed as part of the testing, and the results of transaction testing; (i) require management to take appropriate and timely steps to address control deficiencies and audit report recommendations and report its validated progress to the Board Audit Committee on at least a quarterly basis and require the Board Audit Committee to make a documented determination of whether the actions taken by management are satisfactory; (j) require all internal audit reports to be in writing writing, limited to audit findings specific to the Bank, and distributed directly, not through any intervening party, to the Board Audit Committee in a timely manner after audit completion; and (k) require audit work papers and documentation that provides a meaningful audit trail and validation for audit findings, conclusions, and recommendations. (3) The Board shall provide effective oversight of the Internal Audit Program, including: (a) verifying that management has adequately staffed the internal audit function, using internal resources and/or third parties, with respect to both the number of auditors required and their knowledge, skills, and experience; (b) verifying the internal audit function is independent and objective. The person responsible for implementing the Internal Audit Program shall functionally report directly to the Board, which shall direct his or her activities, set compensation, and evaluate performance; (c) verifying management’s actions to address material weaknesses in a timely manner and, where appropriate, directing management to take additional action; and (dc) verifying management satisfies all statutory, regulatory, and supervisory requirements. (4) The internal audit staff shall have access to any records necessary for the proper conduct of its activities. The OCC shall have access to all reports and work papers of the internal audit staff and any third parties providing internal audit services. Within thirty (530) Upon days following receipt of the ADCAssistant Deputy Comptroller’s written determination of no supervisory objection to the Internal Audit Program or to any subsequent amendment to the Internal Audit Programprogram, the Board shall adopt and Bank management, subject to Board review and ongoing monitoring, shall immediately implement and thereafter ensure adherence to the Internal Audit Programprogram. The Board shall engage a qualified independent third party to validate the changes to the program to ensure they are effective. The Board shall review the effectiveness of the Internal Audit Program at least annually, and more frequently if necessary or if required by the OCC in writing, and amend the Internal Audit Program program as needed or directed by the OCC. Any amendment to the Internal Audit Program program must be submitted to the ADC Assistant Deputy Comptroller for review and prior written determination of no supervisory objection.

Internal Audit. (1) Within ninety (90) days of the effective date of this Agreement, the Bank shall submit to the ADC Assistant Deputy Comptroller for review and prior written determination of no supervisory objection an acceptable, comprehensive, written independent internal audit program that adequately assesses controls and operations to allow the Board and management to understand the sufficiency of the Bank’s internal controls system (“Internal Audit Program”). (2) Management shall ensure the Internal Audit Program complies Program’s compliance with the standards for internal audit systems set forth in Section II.B of the Interagency Guidelines Establishing Standards for Safety and Soundness, Appendix A to 12 C.F.R. Part 30. Refer to , and consistency with the safety and soundness principles articulated in the “Internal and External Audits” booklet of the Comptroller’s Handbook for related safe and sound principlesHandbook. The Internal Audit Program shall incorporate standards of safety and soundness that are commensurate with the Bank’s size, complexity, scope of activities, and risk profile and shall, at a minimum: (a) Provide an objective, independent review and evaluation of bank activities, internal controls, and management information systems; (b) require the development of an annual risk assessment of the Bank’s auditable areas, with annual documented Board approval of the risk assessment; (c) require the development of an internal audit plan that is risk-based and provides adequate audit scope, coverage, and frequency for all areas of the Bank, with annual documented Board approval of the internal audit plan and Board notification of any material variances variance from the plan; (db) address the use of third-third parties to complete any internal audit activities, including documented Board approval of selection and termination of third-third parties; refer to , consistent with the safety and soundness principles articulated in OCC Bulletin 2023-17, “Third-Party Relationships: Interagency Guidance on Risk Management,” for related safe and sound principles;” (ec) evaluate the reliability, adequacy, and effectiveness of the Bank’s internal control controls system, whether owned operated by the Bank or a third party; (fd) evaluate whether the Bank’s internal controls system results in prompt and accurate recording of transactions and proper safeguarding of assets; (ge) determine whether the Bank complies with laws and regulations and adheres to its established policies, procedures, and processes; (hf) require all internal audits to be supported through adequate transaction testing, which includes documenting the transaction testing methodology, sample size, the accounts and names selected for testing, the documents reviewed as part of the testing, and the results of transaction testing; (i) require determine whether management to take is taking appropriate and timely steps to address control deficiencies and audit report recommendations recommendations, that the progress of such steps is adequately validated, documented, and report its validated tracked, and that such progress is reported to the Board on at least a quarterly basis and require the Board to make a documented determination of whether the actions taken by management are satisfactorybasis; (jg) require all internal audit reports to be in writing and distributed directly, not through any intervening party, to the Board in a timely manner after audit completion; and (kh) require audit work papers and documentation that provides a meaningful audit trail and validation for audit findings, conclusions, and recommendations. (3) The Board shall provide effective oversight of the Internal Audit Program, including: (a) verifying that management has adequately staffed the internal audit function, using internal resources and/or third parties, with respect to both the number of auditors required and their knowledge, skills, and experience; (b) verifying the internal audit function is independent and objective. The person responsible for implementing the Internal Audit Program shall functionally report directly to the Board, which shall direct his or her activities, set compensation, and evaluate performance; (c) verifying management’s actions to address material weaknesses in a timely manner and, where appropriate, directing management to take additional action; and (d) verifying management satisfies all statutory, regulatory, and supervisory requirements. (4) The internal audit staff and third-party vendor providing internal audit services shall have access to any records necessary for the proper conduct of its activities. The OCC shall have access to all reports and work papers of the internal audit staff and any third parties providing internal audit services. (5) Upon Within (30) days following receipt of the ADCAssistant Deputy Comptroller’s written determination of no supervisory objection to the Internal Audit Program or to any subsequent amendment to the Internal Audit Program, the Board shall adopt and Bank management, subject to Board review and ongoing monitoring, shall immediately implement and thereafter ensure adherence to the Internal Audit Program. The Board shall review the effectiveness of the Internal Audit Program at least annually, and more frequently if necessary or if required by the OCC in writing, and amend the Internal Audit Program as needed or directed by the OCC. Any amendment to the Internal Audit Program must be submitted to the ADC Assistant Deputy Comptroller for review and prior written determination of no supervisory objection.

Internal Audit. (1) Within ninety (90) days of the date of this Agreement, the Bank shall submit to the ADC Assistant Deputy Comptroller for review and prior written determination of no supervisory objection an acceptable, independent, comprehensive, written independent internal audit program that adequately assesses controls and operations to allow the Board and management to understand the sufficiency of the Bank’s internal controls system (“Internal Audit Program”). (2) Management shall ensure the Internal Audit Program complies with the standards for internal audit systems set forth in Section II.B of the Interagency Guidelines Establishing Standards for Safety and Soundness, Appendix A to 12 C.F.R. Part 30. Refer to the “Internal and External Audits” booklet of the Comptroller’s Handbook for related safe and sound principles. The Internal Audit Program shall incorporate standards of safety and soundness that are commensurate with the Bank’s size, complexity, scope of activities, and risk profile and shall, at a minimum: (a) Provide provide an objective, independent review and evaluation of bank the Bank’s activities, internal controls, and management information systems; (b) require the development of an annual risk assessment of the Bank’s auditable areas, with annual documented Board Audit Committee approval of the risk assessment; (c) require the development of an internal audit plan that is risk-based and provides adequate audit scope, coverage, and frequency for all areas of the Bank, with annual documented Board Audit Committee approval of the internal audit plan and Board Audit Committee notification of any material variances variance from the plan; (d) address the use of third-parties to complete any internal audit activities, including documented Board Audit Committee approval of selection and termination of third-parties; refer to OCC Bulletin 2023-17, “Third-Party Relationships: Interagency Guidance on Risk Management,” for related safe and sound principles; (e) evaluate the reliability, adequacy, and effectiveness of the Bank’s internal control controls system, whether owned operated by the Bank or a third third-party, and identify the root cause of identified deficiencies; (f) evaluate whether the Bank’s internal controls system results in prompt and accurate recording of transactions and proper safeguarding of assets; (g) determine whether the Bank complies with laws and regulations and adheres to its established policies, procedures, and processes; (h) require all internal audits to be supported through adequate transaction testing, which includes documenting the transaction testing methodology, sample size, the accounts and names selected for testing, the documents reviewed as part of the testing, and the results of transaction testing; (i) require management to take appropriate and timely steps to address control deficiencies and audit report recommendations and report its validated progress to the Board Audit Committee on at least a quarterly basis and require the Board Audit Committee to make a documented determination of whether the actions taken by management are satisfactory; (j) require all internal audit reports to be in writing and distributed directly, not through any intervening party, to the Board Audit Committee in a timely manner after audit completion; and (k) require audit work papers and documentation that provides a meaningful audit trail and validation for audit findings, conclusions, and recommendations. (3) The Board shall provide effective oversight of the Internal Audit Program, including: (a) verifying that management has adequately staffed the internal audit function, using internal resources and/or third third-parties, with respect to both the number of auditors required and their knowledge, skills, and experience; (b) verifying the internal audit function is independent and objective. The person responsible for implementing the Internal Audit Program shall functionally report directly to the BoardAudit Committee, which shall direct his or her activities, set compensation, and evaluate performance; (c) verifying management’s actions to address material weaknesses in a timely manner and, where appropriate, directing management to take additional action; (d) requiring the Audit Committee to perform adequate and documented review of audit workpapers to ensure quality and reasonableness of internal audit’s work, findings, and recommendations; and (de) verifying management satisfies all statutory, regulatory, and supervisory requirements. (4) The internal audit staff shall have access to any records necessary for the proper conduct of its activities. The OCC shall have access to all reports and work papers of the internal audit staff and any third parties providing internal audit services. (5) Upon Within thirty (30) days following receipt of the ADCAssistant Deputy Comptroller’s written determination of no supervisory objection to the Internal Audit Program or to any subsequent amendment to the Internal Audit Program, the Board shall adopt and Bank management, subject to Board review and ongoing monitoring, shall immediately implement and thereafter ensure adherence to the Internal Audit Program. The Board shall review the effectiveness of the Internal Audit Program at least annually, and more frequently if necessary or if required by the OCC in writing, and amend the Internal Audit Program as needed or directed by the OCC. Any amendment to the Internal Audit Program must be submitted to the ADC Assistant Deputy Comptroller for review and prior written determination of no supervisory objection.

Internal Audit. (1) Within ninety sixty (9060) days of the date of this Agreement, the Bank shall submit to the ADC Assistant Deputy Comptroller for review and prior written determination of no supervisory objection an acceptable, independent, comprehensive, written independent internal audit program that adequately assesses controls and operations to allow the Board and management to understand the sufficiency of the Bank’s internal controls system (“Internal Audit Program”). (2) Management shall ensure the Internal Audit Program complies with the standards for internal audit systems set forth in Section II.B of the Interagency Guidelines Establishing Standards for Safety and Soundness, Appendix A to 12 C.F.R. Part 30. Refer to the “Internal and External Audits” booklet of the Comptroller’s Handbook for related safe and sound principles. The Internal Audit Program shall incorporate standards of safety and soundness that are commensurate with the Bank’s size, complexity, scope of activities, and risk profile and shall, at a minimum: (a) Provide provide an objective, independent review and evaluation of bank the Bank’s activities, internal controls, and management information systems; (b) require the development of an annual a risk assessment that captures all of the Bank’s 's auditable areasareas and utilizes a well-supported methodology to develop a risk-based schedule of internal audits, with annual documented Board Audit Committee approval of the risk assessment; (c) require the development of an internal audit plan that is risk-based and provides adequate audit scope, coverage, and frequency for all areas of the Bank, with annual documented Board Audit Committee approval of the internal audit plan and Board Audit Committee notification of any material variances variance from the plan; (d) address the use of third-third parties to complete any internal audit activities, including documented Board Audit Committee approval of selection and termination of third-parties; refer to OCC Bulletin 2023-17, “Third-Party Relationships: Interagency Guidance on Risk Management,” for related safe and sound principles; (e) evaluate the reliability, adequacy, and effectiveness of the Bank’s internal control controls system, whether owned operated by the Bank or a third third-party, and identify the root cause of identified deficiencies; (f) evaluate whether the Bank’s internal controls system results in prompt and accurate recording of transactions and proper safeguarding of assets; (g) determine whether the Bank complies with laws and regulations and adheres to its established policies, procedures, and processes; (h) require all internal audits to be supported through adequate transaction testing, which includes documenting the transaction testing methodology, sample size, the accounts and names selected for testing, the documents reviewed as part of the testing, and the results of transaction testing; (i) require management to take appropriate and timely steps to address control deficiencies and audit report recommendations and report its validated progress to the Board Audit Committee on at least a quarterly monthly basis and require the Board Audit Committee to make a documented determination of whether the actions taken by management are satisfactory; (j) require all internal audit reports to be in writing and distributed directly, not through any intervening party, to the Board Audit Committee in a timely manner after audit completion; and; (k) require audit work papers and documentation that provides provide a meaningful audit trail and validation for audit findings, conclusions, and recommendations; and (l) require the development of an audit finding log that allows management to track findings through remediation and validation, to assess the quality and sustainability of management’s corrective actions. (3) The Board shall provide effective oversight of the Internal Audit Program, including: (a) verifying that management has adequately staffed the internal audit function, using internal resources and/or third parties, with respect to both the number of auditors required and their knowledge, skills, and experience; (b) verifying the internal audit function is independent and objective. The person responsible for implementing the Internal Audit Program shall functionally report directly to the BoardAudit Committee, which shall direct his or her activities, set compensation, and evaluate performance; (c) verifying management’s actions to address material weaknesses in a timely manner and, where appropriate, directing management to take additional action; and (d) verifying management satisfies all statutory, regulatory, and supervisory requirements. (4) The internal audit staff shall have access to any records necessary for the proper conduct of its activities. The OCC shall have access to all reports and work papers of the internal audit staff and any third parties providing internal audit services. (5) Upon Within thirty (30) days following receipt of the ADCAssistant Deputy Comptroller’s written determination of no supervisory objection to the Internal Audit Program or to any subsequent amendment to the Internal Audit Program, the Board shall adopt and Bank management, subject to Board review and ongoing monitoring, shall immediately implement and thereafter ensure adherence to the Internal Audit Program. The Board shall review the effectiveness of the Internal Audit Program at least annually, and more frequently if necessary or if required by the OCC in writing, and amend the Internal Audit Program as needed or directed by the OCC. Any amendment to the Internal Audit Program must be submitted to the ADC Assistant Deputy Comptroller for review and prior written determination of no supervisory objection.

Internal Audit. (1) Within ninety sixty (9060) days of the date of this Agreement, the Bank shall submit to develop, and the ADC for review and prior written determination of no supervisory objection an acceptableBoard shall adopt, a comprehensive, written independent internal audit program that adequately assesses controls and operations to allow the Board and management to understand the sufficiency of the Bank’s internal controls control system (“Internal Audit Program”). Upon adoption, Bank management subject to Board review and ongoing monitoring, shall immediately implement and adhere to the Internal Audit Program and any amendments or revisions thereto. (2) Management shall ensure the Internal Audit Program complies Program’s compliance with the standards for internal audit systems set forth in Section II.B of the Interagency Guidelines Establishing Standards for Safety and Soundness, Appendix A to 12 C.F.R. Part 30. Refer to the “Internal and External Audits” booklet of the Comptroller’s Comptroller Handbook for related safe and sound principlesguidance. The Internal Audit Program shall incorporate standards of safety and soundness standards that are commensurate with the Bank’s size, complexity, scope of activities, and risk profile and shall, at a minimum: (a) Provide an objective, independent review and evaluation of bank activities, internal controls, and management information systems; (b) require the development of an annual risk assessment of the Bank’s auditable areas, with annual documented Board approval of the risk assessment; (c) require the development of an internal audit plan that is a risk-based and provides adequate audit scope, coverage, and frequency for all areas of the Bank, with annual documented Board approval of the internal audit plan and Board notification of any material variances variance from the plan; (db) address the use of third-parties to complete any internal audit activities, including documented Board approval of selection and termination of third-parties; refer to OCC Bulletin 20232013-1729, “Third-Party Relationships: Interagency Guidance on Risk Management,” for related safe and sound principles; (ec) evaluate the reliability, adequacy, and effectiveness of the Bank’s internal control controls system, whether owned operated by the Bank or a third third-party; (fd) evaluate whether the Bank’s internal controls system results in prompt and accurate recording of transactions and proper safeguarding of assets; (ge) determine whether the Bank complies with laws and regulations and adheres to its established policies, procedures, and processes; (hf) require all internal audits to be supported through adequate transaction testing, which includes documenting the transaction testing methodology, sample size, the accounts and names selected for testing, the documents reviewed as part of the testing, and the results of transaction testing; (i) require determine whether management to take is taking appropriate and timely steps to address control deficiencies and audit report recommendations recommendations, that the progress of such steps is adequately validated, documented, and report its validated tracked, and that such progress is reported to the Board on at least a quarterly basis and require the Board to make a documented determination of whether the actions taken by management are satisfactorybasis; (jg) require all internal audit reports to be in writing and distributed directly, not through any intervening party, to the Board in a timely manner after audit completion; and (kh) require audit work papers and documentation that provides a meaningful audit trail and validation for audit findings, conclusions, and recommendations. (3) The Board shall provide effective oversight of the Internal Audit Program, including: (a) verifying that management has adequately staffed the internal audit function, using internal resources and/or third third-parties, with respect to both the number of auditors required and their knowledge, skills, and experience; (b) verifying the internal audit function is independent and objective. The person responsible for implementing the Internal Audit Program shall functionally report directly to the Board, which shall direct his or her activities, set compensation, and evaluate performance; (c) verifying management’s actions to address material weaknesses in a timely manner and, where appropriate, directing management to take additional action; and (d) verifying management satisfies all statutory, regulatory, and supervisory requirements. (4) The internal audit staff shall have access to any records necessary for the proper conduct of its activities. The OCC shall have access to all reports and work papers of the internal audit staff and any third parties providing internal audit services. (5) Upon Within thirty (30) days following receipt of the ADC’s written determination of no supervisory objection to the Internal Audit Program or to any subsequent amendment to the Internal Audit Program, the Board shall adopt and Bank management, subject to Board review and ongoing monitoring, shall immediately implement and thereafter ensure adherence to the Internal Audit Program. The Board shall review the effectiveness of the Internal Audit Program at least annually, and more frequently if necessary or if required by the OCC in writing, and amend the Internal Audit Program as needed or directed by the OCC. Any amendment to the Internal Audit Program must be submitted to the ADC for review and prior written determination of no supervisory objection.

Internal Audit. (1) Within ninety (90) days of the date of this AgreementBy March 31, 2022, the Bank shall submit to develop and the ADC for review and prior written determination of no supervisory objection an acceptable, Board shall adopt a comprehensive, written independent internal audit program that adequately assesses controls and operations to allow the Board and management to understand the sufficiency of the Bank’s internal controls system (“Internal Audit Program”). (2) Management shall ensure the Internal Audit Program complies Program’s compliance with the standards for internal audit systems set forth in Section II.B of the Interagency Guidelines Establishing Standards for Safety and Soundness, Appendix A to 12 C.F.R. Part 30. Refer to the “Internal and External Audits” booklet of the Comptroller’s Handbook for related safe and sound principles. The Internal Audit Program shall incorporate standards of safety and soundness that are commensurate with the Bank’s size, complexity, scope of activities, and risk profile and shall, at a minimum: (a) Provide an objective, independent review and evaluation of bank activities, internal controls, and management information systems; (b) require the development of an annual risk assessment of the Bank’s auditable areas, with annual documented Board Audit Committee approval of the risk assessment; (cb) require the development of an internal audit plan that is risk-based and provides adequate audit scope, coverage, and frequency for all areas of the Bank, with annual documented Board Audit Committee approval of the internal audit plan and Board Audit Committee notification of any material variances variance from the plan; (dc) address the use of third-parties to complete any internal audit activities, including documented Board Audit Committee approval of selection and termination of third-parties; refer to OCC Bulletin 20232013-1729, “Third-Party Relationships: Interagency Guidance on Risk Management,” for related safe and sound principles; (ed) evaluate the reliability, adequacy, and effectiveness of the Bank’s internal control controls system, whether owned operated by the Bank or a third third-party; (fe) evaluate whether the Bank’s internal controls system results in prompt and accurate recording of transactions and proper safeguarding of assets; (gf) determine whether the Bank complies with laws and regulations and adheres to its established policies, procedures, and processes; (g) require (i) management to take appropriate and timely steps to address control deficiencies and audit report recommendations, (ii) the progress of such steps to be adequately validated, documented, and tracked, (iii) the progress to be reported to the Audit Committee on at least a monthly basis, and (iv) the Audit Committee to determine whether the actions taken by management are satisfactory; (h) require all internal audit reports to be in writing and distributed directly, not through any intervening party, to the Audit Committee in a timely manner after audit completion; (i) require all internal audits to be supported through adequate transaction testing, which includes documenting the transaction testing methodology, sample size, the accounts and names selected for testing, the documents reviewed as part of the testing, and the results of transaction testing; (i) require management to take appropriate and timely steps to address control deficiencies and audit report recommendations and report its validated progress to the Board on at least a quarterly basis and require the Board to make a documented determination of whether the actions taken by management are satisfactory; (j) require all internal audit reports to be in writing and distributed directly, not through any intervening party, to the Board in a timely manner after audit completion; and (kj) require audit work papers and documentation that provides a meaningful audit trail and validation for audit findings, conclusions, and recommendations. (3) The Board shall provide effective oversight of the Internal Audit Program, including: (a) verifying that management has adequately staffed the internal audit function, using internal resources and/or third third-parties, with respect to both the number of auditors required and their knowledge, skills, and experience; (b) verifying the internal audit function is independent and objective. The person responsible for implementing the Internal Audit Program shall functionally report directly to the BoardAudit Committee, which shall direct his or her activities, set compensation, and evaluate performance; (c) verifying management’s actions to address material weaknesses in a timely manner and, where appropriate, directing management to take additional action; and (d) verifying management satisfies all statutory, regulatory, and supervisory requirements. (4) The internal audit staff shall have access to any records necessary for the proper conduct of its activities. The OCC shall have access to all reports and work papers of the internal audit staff and any third parties providing internal audit services. (5) Upon receipt adoption of the ADC’s written determination of no supervisory objection to the Internal Audit Program or to any subsequent amendment to the Internal Audit Program, the Board shall adopt and Bank management, subject to Board review and ongoing monitoring, shall immediately implement and thereafter ensure adherence to the Internal Audit ProgramProgram and any amendments thereto. The Board shall review the effectiveness of the Internal Audit Program at least annually, no later than January 31 of each year, and more frequently if necessary or if required by the OCC in writing, and amend the Internal Audit Program as needed or directed by the OCC. Any amendment The Board shall forward a copy of the adopted Internal Audit Program, and any subsequent amendments thereto, to the Internal Audit Program must be submitted to the ADC for review and prior written determination Director within ten (10) days of no supervisory objectionadoption.