Form 18**SDI.

2, Loans Overview

Risk of Material Misstatement Worksheet — Overview

GENERAL INSTRUCTIONS
This template has been developed to provide illustrative examples to assist engagement teams in addressing the Risks of Material Misstatement (ROMM) for material classes of transactions and
account balances. The pre-populated risks of material misstatement (i.e., "what could go wrong") and relevant control activities included within this template are derived from the "Core Risks and
Controls" section of Form 1830SDI-2, Risk and Controls Guide — Banking and Finance — Loans, for the specified account. The substantive procedures responsive to the risks identified are derived
from Form 1840SDI-2, Substantive Procedures Guide — Banking and Finance — Loans.

Terminology
Within this template, the term class of transactions refers to Income Statement accounts and account balance refers to Balance Sheet accounts. The term transaction type is used to
describe an activity or series of activities that results in one or more classes of transactions, account balances, and disclosures. [Derived from U.S. AAM 13200.8a.]

Transaction Types, Relevant Assertions, or Risks of Material Misstatement Referenced to Other Audit Area Documentation
To the extent that a relevant assertion or a transaction type is appropriately addressed and documented within documentation of another class of transactions, account balance, or disclosure ROMM
template, redundant documentation is not necessary — although specific referencing is appropriate. Consider referencing, as appropriate, to other audit sections that document the risks of
material misstatement, relevant control activities, and planned procedures to test the operating effectiveness of the control activities and substantive procedures.

ROMM Overview Tab

This worksheet within the template is intended to be a “dashboard” presenting a summary of the audit plan for the account including the (1) relevant control activities and substantive procedures
that address each risk of material misstatement and (2) related control design, implementation, and operating effectiveness conclusions. The dashboard provides internal linking between the
summarized description and the more extensive description of the control activities and/or substantive procedures on subsequent worksheets within the template. Note: It is recommended that
the control description under the column labeled “Control That Addresses Risk of Material Misstatement — Control Name” be less than 100 characters due to requirements
within the forthcoming Engagement Management System of the Deloitte Audit platform. For information on how to create links for additional controls (e.g., an entity-specific control),
engagement teams may look to the following topics within the Excel Help function: “creating a hyperlink to a specific location in a workbook” and “preventing invalid data entry in a worksheet (text
length).”

Related Process-Flow Diagrams

See the Guide to Developing Process Flow Diagrams for related process flow diagrams that illustrate the applicable risks and controls from this ROMM.

Risks of Material Misstatement Related to Presentation and Disclosure

This template does not include common risks of material misstatement related to presentation and disclosure. Engagement teams may document risks of material misstatement and the planned
audit response related to material disclosures within each of the ROMM templates by account. Alternatively, engagement teams may use Form 18**S.20, Presentation and Disclosure, to document
risks of material misstatement and the planned audit response for all material presentation and disclosure risks.

CUSTOMIZATION OF RISKS OF MATERIAL MISSTATEMENT, CONTROL ACTIVITIES, AND RELATED PROCEDURES

This template is designed to assist audit engagement teams in the evaluation of the risks of material misstatement (i.e., "what could go wrong") and responsive procedures. The risks of material
misstatement, relevant control activities, and substantive procedures provided in this template may or may not be applicable to or at the level of specificity for your engagement. Engagement
teams will need to consider their specific facts and circumstances, including the risk assessment performed, to determine whether modification of this pre-populated ROMM
template may be needed. Other items excluded from this template may need to be added based on the specifics of the engagement.
Form 18**SDI.2, Loans ROMM Overview
Loans: Audit Plan by Material Account Balance (Balance Sheet)/Class of Transaction (Income Statement)/Disclosure — ROMM Overview
Assertion Name
Identification of Risk of
— Relevant Assertion
Material Misstatement
("What Could Go Wrong") {a}

Presentation &
Completeness
Valuation and
Risk Control

obligations
Associated Control Implementation

Rights and

Disclosure
allocation
Existence
Account Balance/ Classification of Risk of with the Design Conclusion Control OE
Class of Significant Inherent Risk Material Control Conclusion (Implemented, Conclusion
Transaction/ Findings or (Normal, Misstatement (Not Higher, Control That Addresses Risk of Material Misstatement (Effective, Not (Effective,
ID Disclosure Risk Description Issues? Significant) due to Fraud? Higher) — Control Name Ineffective) Implemented) Ineffective) Substantive Procedures Planned
Note 1 Note 2 Note 3 Note 4 Note 5 Note 6 Note 7 Note 8 Note 9 Note 10
Loans — Originations x x Recorded loan originations and Profile the loan population
and Purchases purchases do not represent
loans originated or purchased by
the entity. Review and approval of loan originations and purchases prior to recording of the note.
Confirm loans serviced by the entity

All authorized source documents supporting loan originations and purchases and changes to the loan master file are compared to the loan master file to ensure they were input properly.
Rollforward test for loans tested prior to year end (as applicable)

Management reconciles detailed records of daily loan activity to the subsidiary ledger and the general ledger on a timely basis, with reconciling items investigated and cleared timely. There is existence and use of segregation o
The lending system generates a daily report which captures and lists new and renewal loan activity and certain specific information that is evaluated by knowledgeable client personnel (e.g., relationship assistants, loan servicin

The institution has a credit administration department which reviews the origination files to ensure underwriting policies and procedures were followed to ensure that loans recorded represent loans originated or purchased by t

Loans — Originations x x Loan originations and purchases Profile the loan population
and Purchases are not recorded at the proper
amount.
All authorized source documents supporting loan originations and purchases and changes to the loan master file are compared to the loan master file to ensure they were input properly.
Confirm loans serviced by the entity

Management reconciles detailed records of daily loan activity to the subsidiary ledger and the general ledger on a timely basis, with reconciling items investigated and cleared timely. There is existence and use of segregation o
The lending system generates a daily report which captures and lists new and renewal loan activity and certain specific information that is evaluated by knowledgeable client personnel (e.g., relationship assistants, loan servicin

The institution has a credit administration department which reviews the origination files to ensure underwriting policies and procedures were followed to ensure that loans recorded represent loans originated or purchased by t
Form 18**SDI.2, Loans ROMM Overview
Assertion Name
Identification of Risk of
— Relevant Assertion
Material Misstatement
("What Could Go Wrong") {a}

Presentation &
Completeness
Valuation and
Risk Control

obligations
Associated Control Implementation

Rights and

Disclosure
allocation
Existence
Account Balance/ Classification of Risk of with the Design Conclusion Control OE
Class of Significant Inherent Risk Material Control Conclusion (Implemented, Conclusion
Transaction/ Findings or (Normal, Misstatement (Not Higher, Control That Addresses Risk of Material Misstatement (Effective, Not (Effective,
ID Disclosure Risk Description Issues? Significant) due to Fraud? Higher) — Control Name Ineffective) Implemented) Ineffective) Substantive Procedures Planned
Note 1 Note 2 Note 3 Note 4 Note 5 Note 6 Note 7 Note 8 Note 9 Note 10
Loans — Originations x x Loan originations and purchases Confirm loans serviced by the entity
and Purchases are not recorded to the proper
account type (e.g., commercial
loan recorded inappropriately as
All authorized source documents supporting loan originations and purchases and changes to the loan master file are compared to the loan master file to ensure they were input properly.
consumer loan). Such
misclassification could result in Management reconciles detailed records of daily loan activity to the subsidiary ledger and the general ledger on a timely basis, with reconciling items investigated and cleared timely. There is existence and use of segregation o
an inappropriate application of
allowance percentages to notes
issued (e.g., consumer valuation
percentages could be applied to
commercial loans).

The lending system generates a daily report which captures and lists new and renewal loan activity and certain specific information that is evaluated by knowledgeable client personnel (e.g. relationship assistants, loan servicing

The institution has a credit administration department which reviews the origination files to ensure underwriting policies and procedures were followed to ensure that loans recorded represent loans originated or purchased by t

Loans — Originations x Loans originated or purchased Perform detail testing of loan sales
and Purchases for sale are not specifically
identified as held for sale and
could result in a valuation error
due to improper accounting
treatment being applied. Management approves the loan as HFS based on specific criteria established by the asset and liability committee, and identifies loans as HFS while in the Pipeline. Upon management approval, loans are designated as HFS in
Perform detail testing of the designation of loan type (held for sale v. held for investment)

Asset Liabilities Management committee reviews and approves asset classifications.

Loans — Originations x The entity does not have the The entity's intent and ability to hold securities designated as H2M is assessed at inception and on an ongoing basis throughout the yearEvaluate
to ensureand
thetest
designation
loans held
continues
for sale to be appropriate.
and Purchases intent and ability to hold held-to-
maturity loans to maturity.
Without the intent and ability to
hold loans designated as held-
to-maturity, the loans may not be
properly valued in the financial
statements (historical cost vs.
fair value).

Loans — Originations x AFS loans are not recorded at The company has an established process to value the HFS loan portfolio. The fair value adjustment is supported by documentation and reviewed
Evaluate and
by management.
test loans held for sale
and Purchases fair value.

Loans — Originations x x Loan originations or purchases Review unsettled transactions and other transactions several days before and after the te
and Purchases are not recorded in the
appropriate period.
All authorized source documents supporting loan originations and purchases and changes to the loan master file are compared to the loan master file to ensure they were input properly and in the appropriate period.
Form 18**SDI.2, Loans ROMM Overview
Assertion Name
Identification of Risk of
— Relevant Assertion
Material Misstatement
("What Could Go Wrong") {a}

Presentation &
Completeness
Valuation and
Risk Control

obligations
Associated Control Implementation

Rights and

Disclosure
allocation
Existence
Account Balance/ Classification of Risk of with the Design Conclusion Control OE
Loans — Originations
Class of x x Loan originations or purchases Significant Inherent Risk Material Control Conclusion (Implemented, Conclusion Review unsettled transactions and other transactions several days before and after the te
and Transaction/
Purchases are not recorded in the Findings or (Normal, Misstatement (Not Higher, Control That Addresses Risk of Material Misstatement (Effective, Not (Effective,
ID Disclosure appropriate
Riskperiod.
Description Issues? Significant) due to Fraud? Higher) — Control Name Ineffective) Implemented) Ineffective) Substantive Procedures Planned
Note 1 Note 2 Note 3 Note 4 Note 5 Note 6 Note 7 Note 8 Note 9 Note 10

Management reconciles detailed records of loans and related accounts on a timely basis.
The lending system generates a daily report which captures and lists new and renewal loan activity and certain specific information that is evaluated by knowledgeable client personnel (e.g., relationship assistants, loan servicin

The institution has a credit administration department which reviews the origination files to ensure underwriting policies and procedures were followed to ensure that loans recorded represent loans originated or purchased by t

Loans — Originations x All loans originated with related Policies and procedures relating to loan underwriting and boarding are documented and are reviewed and regularly updated. Such policies
Perform
include
detail
lending
testing
to related
of loans
parties
to related
and affiliates.
parties.
and Purchases parties (or related party loans
purchased) are not appropriately
identified, resulting in a
misstatement of the related party
disclosures. The institution has a credit administration department which reviews the origination files to ensure underwriting policies and procedures were followed to ensure that loans recorded represent loans originated or purchased by t

Loan Originations and x All loan originations and The lending system generates a daily report which captures and lists new and renewal loan activity and certain specific information that isReview
evaluated
unsettled
by knowledgeable
transactions client
and other
personnel
transactions
(e.g., relationship
several daysassistants,
before andloan
after
servicin
the te
Purchases purchases are not recorded.

General ledger balances are formally reconciled to lending system reports on a regular basis.

Clearing and suspense accounts are reviewed, and unposted and suspense items are cleared in a timely manner by appropriate personnel.

Loans — Servicing x Payments made by the borrower All loan payments (whether through lockbox, teller, EFT, automatic debit, or otherwise) are recorded and total receipts are reconciled to funds
Confirm
posted
loanstoserviced
the loanby
account
the entity
on a daily basis, with lock box deposits transferred to th
are not applied to the loan
balance.

All cash accounts are reconciled on a daily basis, with discrepancies investigated timely, and subject to manager review.

Loan statements are mailed periodically to borrowers. Any discrepancies reported by the borrowers are investigated.

General ledger balances are reconciled to lending system reports on a regular basis.

Loans — Servicing x Payments not made by the All loan payments (whether through lockbox, teller, EFT, automatic debit, or otherwise) are recorded and total receipts are reconciled to funds
Confirm
posted
loanstoserviced
the loanby
account
the entity
on a daily basis, with lock box deposits transferred to th
borrower are applied to the loan
balance.
Form 18**SDI.2, Loans ROMM Overview
Assertion Name
Identification of Risk of
— Relevant Assertion
Material Misstatement
("What Could Go Wrong") {a}

Presentation &
Completeness
Valuation and
Risk Control

obligations
Associated Control Implementation

Rights and
Loans — Servicing x Payments not made by the Confirm loans serviced by the entity

Disclosure
allocation
Existence
Account Balance/ borrower are applied to the loan Classification of Risk of with the Design Conclusion Control OE
Class of balance. Significant Inherent Risk Material Control Conclusion (Implemented, Conclusion
Transaction/ Findings or (Normal, Misstatement (Not Higher, Control That Addresses Risk of Material Misstatement (Effective, Not (Effective,
ID Disclosure Risk Description Issues? Significant) due to Fraud? Higher) — Control Name Ineffective) Implemented) Ineffective) Substantive Procedures Planned
Note 1 Note 2 Note 3 Note 4 Note 5 Note 6 Note 7 Note 8 Note 9 Note 10
All cash accounts are reconciled on a daily basis, with discrepancies investigated timely, and subject to manager review.

Loan statements are mailed periodically to borrowers. Any discrepancies reported by the borrowers are investigated.

General ledger balances are reconciled to lending system reports on a regular basis.

Loans — Servicing x All loan payments received are All loan payments (whether through lockbox, teller, EFT, automatic debit, or otherwise) are recorded and total receipts are reconciled to funds
Confirm
posted
loanstoserviced
the loanby
account
the entity
on a daily basis, with lock box deposits transferred to th
not processed.

All cash accounts are reconciled on a daily basis, with discrepancies investigated timely, and subject to manager review.

Loans — Servicing x x Payments made by the borrower All loan payments (whether through lockbox, teller, EFT, automatic debit, or otherwise) are recorded and total receipts are reconciled to funds
Confirm
posted
loanstoserviced
the loanby
account
the entity
on a daily basis, with lock box deposits transferred to th
on the loans are not applied in
the correct period.

All cash accounts are reconciled on a daily basis, with discrepancies investigated timely, and subject to manager review.

Loan statements are mailed periodically to borrowers. Any discrepancies reported by the borrowers are investigated.

Loans — Servicing x x Payments made by the borrower All loan payments (whether through lockbox, teller, EFT, automatic debit, or otherwise) are recorded and total receipts are reconciled to funds
Confirm
posted
loanstoserviced
the loanby
account
the entity
on a daily basis, with lock box deposits transferred to th
on the loans are not applied
accurately (e.g., applied to
wrong loan).

All cash accounts are reconciled on a daily basis, with discrepancies investigated timely, and subject to manager review.

Loan statements are mailed periodically to borrowers. Any discrepancies reported by the borrowers are investigated.

Loans — Servicing x Payments recorded do not All loan payments (whether through lockbox, teller, EFT, automatic debit, or otherwise) are recorded and total receipts are reconciled to funds
Confirm
posted
loanstoserviced
the loanby
account
the entity
on a daily basis, with lock box deposits transferred to th
actually represent loan
payments received.

All cash accounts are reconciled on a daily basis, with discrepancies investigated timely, and subject to manager review.

Loans — Deferred x Direct origination costs captured Performance of a standard cost analysis is completed on a regular basis to capture accurate deferred loan costs and fees realized over the
Evaluate
life of the
the loan.
entity's methodology and perform detail testing of deferred loan costs.
Loan Costs in the analysis used to develop
the fees and costs contain
inappropriate costs for
capitalization and deferral. Deferred fees are identified and loan costs are validated in accordance with the institution’s policies and procedures. The institution's policies limit those costs to be deferred to the direct costs associated with the underlying loa
Form 18**SDI.2, Loans ROMM Overview
Assertion Name
Identification of Risk of
— Relevant Assertion
Material Misstatement
("What Could Go Wrong") {a}

Presentation &
Completeness
Valuation and
Risk Control

obligations
Associated Control Implementation

Rights and

Disclosure
allocation
Existence
Account Balance/ Classification of Risk of with the Design Conclusion Control OE
Class of Significant Inherent Risk Material Control Conclusion (Implemented, Conclusion
Transaction/ Findings or (Normal, Misstatement (Not Higher, Control That Addresses Risk of Material Misstatement (Effective, Not (Effective,
ID Disclosure Risk Description Issues? Significant) due to Fraud? Higher) — Control Name Ineffective) Implemented) Ineffective) Substantive Procedures Planned
Note 1 Note 2 Note 3 Note 4 Note 5 Note 6 Note 7 Note 8 Note 9 Note 10
Loans — Deferred x x Deferred loan fees/costs are not Evaluate the entity's methodology and perform detail testing of deferred loan costs and fe
Loan Costs properly identified and
recognized for deferral under
ASC 310-20 for each loan.
All authorized source documents supporting loan originations and purchases and changes to the loan master file are compared to the loan master file to ensure they were input properly.
The institution has a credit administration department which reviews the origination files to ensure underwriting policies and procedures were followed to ensure that loans recorded represent loans originated or purchased by th

All loan modifications, including extensions, are approved by a specified committee.

Deferred fees are identified and loan costs are validated in accordance with the institution’s policies and procedures. The institution's policies limit those costs to be deferred to the direct costs associated with the underlying loa

Loans — Deferred x x Deferred loan fees/costs are not Evaluate the entity's methodology and perform detail testing of deferred loan costs.
Loan Costs recorded in the proper period.

All authorized source documents supporting loan originations and purchases and changes to the loan master file are compared to the loan master file to ensure they were input properly.

The institution has a credit administration department which reviews the origination files to ensure underwriting policies and procedures were followed to ensure that loans recorded represent loans originated or purchased by t
Deferred fees are identified and loan costs are validated in accordance with the institution’s policies and procedures. The institution's policies limit those costs to be deferred to the direct costs associated with the underlying loa

Loans — x Loan modifications/extensions All loan modifications (which includes extensions) are approved by a specified Committee Obtain a detail of all loans modified during the current year. Detail test the population to
Modifications and are performed without approval
extensions and consideration to legal and
accounting ramifications.

Loans — x x x x Loan modifications/extensions All loan modifications (which includes extensions) are approved by a specified Committee Obtain a detail of all loans modified during the current year. Detail test the population to
Modifications and that represent concessions not
extensions in the normal course of business
are not identified as troubled
debt restructurings.

Note: See considerations of TDRs within Form 18**SDI.3, Allowance for Loan and Lease Losses.
Form 18**SDI.2, Loans ROMM Overview
Assertion Name
Identification of Risk of
— Relevant Assertion
Material Misstatement
("What Could Go Wrong") {a}

Presentation &
Completeness
Valuation and
Risk Control

obligations
Associated Control Implementation

Rights and

Disclosure
allocation
Existence
Account Balance/ Classification of Risk of with the Design Conclusion Control OE
Class of Significant Inherent Risk Material Control Conclusion (Implemented, Conclusion
Transaction/ Findings or (Normal, Misstatement (Not Higher, Control That Addresses Risk of Material Misstatement (Effective, Not (Effective,
ID Disclosure Risk Description Issues? Significant) due to Fraud? Higher) — Control Name Ineffective) Implemented) Ineffective) Substantive Procedures Planned
Note 1 Note 2 Note 3 Note 4 Note 5 Note 6 Note 7 Note 8 Note 9 Note 10
Loans — Loan Sales x x x x Loan sales are not recorded at Perform detail testing of loan sales
the proper amount.

All authorized source documents supporting loan sales and changes to the loan master file are compared to the loan master file to ensure they were input properly.

Loans sold are reconciled to loan sheet generated by lending system.

Loans — Loan Sales x Loan sales are not recorded to Perform detail testing of loan sales
the proper account.

All authorized source documents supporting loan sales and changes to the loan master file.

Loans sold are reconciled to loan sheet generated by lending system.

Loans — Loan Sales x Recorded loan sales do not Perform detail testing of loan sales
represent sales of loans
originated or purchased by the
institution.
All authorized source documents supporting loan sales and changes to the loan master file are compared to the loan master file to ensure they were input properly.

Loans sold are reconciled to loan sheet generated by lending system.

Loans — Loan Sales x x Loan sales are not recorded or Review unsettled transactions and other transactions several days before and after the te
are not recorded in the Loans sold are reconciled to a daily loans sold summary generated by lending system.
appropriate period.

All authorized source documents supporting loan sales and changes to the loan master file are compared to the loan master file to ensure that the loan sale was properly approved and input into the system in the appropriate p

Loan Commitments x Outstanding commitments to Perform detail testing of loan commitments

originate loans are not identified
or recorded.
Review and approval of loan originations and purchases

All authorized source documents supporting loan originations and purchases and changes to the loan master file are compared to the loan master file to ensure they were input properly.

Management reconciles detailed records of loans and related accounts on a timely basis.
Loan Commitments x Loan commitments are recorded Perform detail testing of loan commitments
for which there is no actual
commitment.
All authorized source documents supporting loan originations and purchases and changes to the loan master file are compared to the loan master file to ensure they were input properly.

Management reconciles detailed records of loans and related accounts on a timely basis.
Loan Commitments x Loan commitments are not Perform detail testing of loan commitments
properly designated (e.g., held
for sale vs. held for investment).

All authorized source documents supporting loan originations and purchases and changes to the loan master file are compared to the loan master file to ensure they were input properly.
Perform detail testing of the designation of loan type (held for sale v. held for investment)

Management reconciles detailed records of loans and related accounts on a timely basis.

The institution has a credit administration department which reviews the origination files to ensure underwriting policies and procedures were followed to ensure that loans recorded represent loans originated or purchased by th
Form 18**SDI.2, Loans ROMM Overview
Assertion Name
Identification of Risk of
— Relevant Assertion
Material Misstatement
("What Could Go Wrong") {a}

Presentation &
Completeness
Valuation and
Risk Control

obligations
Associated Control Implementation

Rights and

Disclosure
allocation
Existence
Account Balance/ Classification of Risk of with the Design Conclusion Control OE
Class of Significant Inherent Risk Material Control Conclusion (Implemented, Conclusion
Transaction/ Findings or (Normal, Misstatement (Not Higher, Control That Addresses Risk of Material Misstatement (Effective, Not (Effective,
ID Disclosure Risk Description Issues? Significant) due to Fraud? Higher) — Control Name Ineffective) Implemented) Ineffective) Substantive Procedures Planned
Note 1 Note 2 Note 3 Note 4 Note 5 Note 6 Note 7 Note 8 Note 9 Note 10
Loan Commitments x x x Loan commitments are not Perform detail testing of loan commitments
recorded at the correct amount.

All authorized source documents supporting loan originations and purchases and changes to the loan master file are compared to the loan master file to ensure they were input properly.

Management reconciles detailed records of loans and related accounts on a timely basis.
Loan Commitments x Loan commitments to originate Perform detail testing of loan commitments
mortgage loans that are
designated as held-for-sale are
not properly accounted for and
fair valued as a derivative
instrument.

Management approves the loan as HFS based on specific criteria established by the asset and liability committee, and identifies loans as HFS while in the Pipeline. Management further reviews the designation of the HFS loan

The company has an established process to value the held for sale loan portfolio. The fair value adjustment is supported by documentation and reviewed by management.

Management reviews the fair value calculation and supporting documentation for loan commitments accounted for as derivatives prior to being recorded into the general ledger.

Refer to Form 18**SDI.3 for What Could Go Wrong examples specific to loan valuation.

Loans — Reporting x Loan balances are not broken Test report disclosures for adequacy and appropriateness by independently completing t
out at appropriate classification
levels.
Corporate accounting completes a GAAP checklist each quarter prior to issuance of the Form 10Q/10K to verify that all required disclosures are met.

The Company holds Disclosure Committee meetings prior to sending a draft to the Audit Committee.
Loans — Reporting x All loan activity requiring Test report disclosures for adequacy and appropriateness by independently completing t
disclosure under ASC 310,
Receivables, is not presented.
Corporate accounting completes a GAAP checklist each quarter prior to issuance of the Form 10Q/10K to verify that all required disclosures are met.

The Company holds Disclosure Committee meetings prior to sending a draft to the Audit Committee.
Loans — Reporting x Loan disclosures may not be Test report disclosures for adequacy and appropriateness by independently completing t
adequate in accordance with
U.S. GAAP (ASC 310) or are not
properly included in the financial Corporate accounting completes a GAAP checklist each quarter prior to issuance of the Form 10Q/10K to verify that all required disclosures are met.
statements.

The Company holds Disclosure Committee meetings prior to sending a draft to the Audit Committee.
Loans — Reporting x Failure to disclose significant Test report disclosures for adequacy and appropriateness by independently completing t
accounting policies on loans,
such as basis of accounting for
loans and lease financings, Corporate accounting completes a GAAP checklist each quarter prior to issuance of the Form 10Q/10K to verify that all required disclosures are met.
including those classified as
HFS, the policy for placing loans
(and trade receivables if
applicable), on nonaccrual status
(or discontinuing accrual of
interest), etc.
Form 18**SDI.2, Loans ROMM Overview
Assertion Name
Identification of Risk of
— Relevant Assertion
Material Misstatement
("What Could Go Wrong") {a}

Presentation &
Completeness
Valuation and
Risk Control

obligations
Associated Control Implementation

Rights and

Disclosure
allocation
Existence
Account Balance/ Classification of Risk of with the Design Conclusion Control OE
Class of Significant Inherent Risk Material Control Conclusion (Implemented, Conclusion
Loans — Reporting
Transaction/ x Failure to disclose significant Findings or (Normal, Misstatement (Not Higher, Control That Addresses Risk of Material Misstatement (Effective, Not (Effective,
ID Disclosure accounting
Riskpolicies on loans,
Description Issues? Significant) due to Fraud? Higher) — Control Name Ineffective) Implemented) Ineffective) Substantive Procedures Planned
such as basis of accounting for
Note 1 Note 2 loans and lease Note 3
financings, Note 4 Note 5 Note 6 Note 7 Note 8 Note 9 Note 10
including those classified as
HFS, the policy for placing loans
(and trade receivables if
applicable), on nonaccrual status
(or discontinuing accrual of
interest), etc.

The Company holds Disclosure Committee meetings prior to sending a draft to the Audit Committee.
Loans — Reporting x Failure to disclose information Test report disclosures for adequacy and appropriateness by independently completing t
on loans that has been
restructured in a TDR.
Corporate accounting completes a GAAP checklist each quarter prior to issuance of the Form 10Q/10K to verify that all required disclosures are met.

The Company holds Disclosure Committee meetings prior to sending a draft to the Audit Committee.
Form 18**SDI.2, Loans Plan Control Testing
Loans: Audit Plan by Material Account Balance (Balance Sheet)/Class of Transaction (Income Statement)/Disclosure — Control Testing

Application
Control Operating System Findings and Observations
Effectiveness Testing Operating (if control is (None Noted, Change to Plan,
Strategy Frequency Is IPE Used automated Deficiency, Identified or
(Test in Current Period, (Annually, Quarterly, in Testing or and/or we are Testing Suspected Fraud, Management
Using Prior Period Monthly, Weekly, Performing a testing IPE Testing Reference — Reference to Letter Comment, Material
Control That Addresses Risk of Material Misstatement Evidence, OE Testing Not Control Year Daily, Many Times per Control Relevant List IPE through tests of Reference — General IT Evaluation of Planned Nature, Timing, and Extent of Procedures to Evaluate Testing Weakness, Significant
Control ID — Description Required) Last Tested Day, As Needed) Automated? Control? controls) IPE Controls D&I Operating Effectiveness (OE) of Controls Reference — OE Deficiency)
Note 8 Note 11 Note 12 Note 13 Note 14 Note 15 Note 16 Note 17 Note 18 Note 19 Note 20 Note 21
Loans originated or purchased are reviewed and approved by knowledgeable
personnel prior to funding and recording of the note (a loan committee or senior
loan officer), with consideration given to the reputation of the lending institution, its
underwriting standards, and its servicing portfolio (for loans purchased).

All authorized source documents supporting loan originations and purchases and
changes to the loan master file are compared to the loan master file to ensure
they were input properly. This comparison is performed by an individual
independent of the booking process.

Management reconciles detailed records of daily loan activity to the subsidiary

ledger and the general ledger on a timely basis, with reconciling items
investigated and cleared timely. There is existence and use of segregation of
duties for reconciliation procedures, including appropriate reviews and clearing of
reconciling items timely.

The institution has a credit administration department which reviews the

origination files to ensure underwriting policies and procedures were followed to
ensure that loans recorded represent true loans originated or purchased by the
entity, are recorded in the appropriate period, and are appropriately identified as
related party (as applicable). The department also reviews the details of the loan,
including the terms, rates, deferred costs, and verifies such data agrees to
information in the entity's lending system.

Management approves the loan as AFS based on specific criteria established by

the asset and liability committee, and identifies loans as AFS while in the Pipeline.
Upon management approval, loans are designated as AFS in the receivables
subledger.

Asset Liabilities Management committee meets monthly to discuss the

appropriateness of the classification of assets. Any transfers of loans between
categories is discussed and documented within the minutes.

Management reviews the fair value calculation and supporting documentation for
loan commitments accounted for as derivatives prior to being recorded into the
general ledger.

The entity's intent and ability to hold securities designated as H2M is assessed
on an ongoing basis throughout the year to ensure the designation continues to
be appropriate. Such assessment is based on a retrospective review (to identify
H2M designations sold) and a review of the current H2M portfolio to ensure the
designation remains appropriate.

The company has an established process to value the HFS loan portfolio, based
on quotes from purchasers or analysis of comparable actively traded markets.
The fair value adjustment is supported by documentation and reviewed by
management.

Policies and procedures relating to loan underwriting and boarding are

documented and are reviewed and regularly updated. Such policies include
lending to related parties and affiliates.

The lending system generates a daily report which captures and lists new and
renewal loan activity and certain specific information that is evaluated by
knowledgeable client personnel (e.g., relationship assistants, loan servicing
personnel) to ensure that newly funded or purchased loans are recorded. This
report is reviewed by lending management.

All loan payments (whether through lockbox, teller, EFT, automatic debit, or
otherwise) are recorded and total receipts are reconciled to funds posted to the
loan account on a daily basis, with lock box deposits transferred to the appropriate
custodial account daily.
Form 18**SDI.2, Loans Plan Control Testing

Application
Control Operating System Findings and Observations
Effectiveness Testing Operating (if control is (None Noted, Change to Plan,
Strategy Frequency Is IPE Used automated Deficiency, Identified or
(Test in Current Period, (Annually, Quarterly, in Testing or and/or we are Testing Suspected Fraud, Management
Using Prior Period Monthly, Weekly, Performing a testing IPE Testing Reference — Reference to Letter Comment, Material
Control That Addresses Risk of Material Misstatement Evidence, OE Testing Not Control Year Daily, Many Times per Control Relevant List IPE through tests of Reference — General IT Evaluation of Planned Nature, Timing, and Extent of Procedures to Evaluate Testing Weakness, Significant
Control ID — Description Required) Last Tested Day, As Needed) Automated? Control? controls) IPE Controls D&I Operating Effectiveness (OE) of Controls Reference — OE Deficiency)
Note 8 Note 11 Note 12 Note 13 Note 14 Note 15 Note 16 Note 17 Note 18 Note 19 Note 20 Note 21
All cash accounts are reconciled on a daily basis, with discrepancies investigated
timely, and subject to manager review.

Loan statements are mailed periodically to borrowers. Any discrepancies

reported by the borrowers are investigated.

General ledger balances are reconciled to lending system reports on a regular

basis. Reconciliations are reviewed and approved by management.

Clearing and suspense accounts are reviewed, and unposted and suspense items
are cleared in a timely manner by appropriate personnel.

Performance of a standard cost analysis is completed on a regular basis to

capture accurate deferred loan costs and fees realized over the life of the loan.

Deferred fees are identified and loan costs are validated in accordance with the
institution’s policies and procedures. The institution's policies limit those costs to
be deferred to the direct costs associated with the underlying loans.

All loan modifications, including extensions, are approved by a specified

committee, which includes the Controller or equivalent who would have sufficient
knowledge of the accounting ramifications of restructurings (e.g., TDR, deferred
fee implications).

Loans sold are reconciled to a daily loans sold summary generated by lending
system which details loans sold for the period under review.

All authorized source documents supporting loan sales and changes to the loan
master file are compared to the loan master file to ensure that the loan sale was
properly approved and input into the system in the appropriate period.

Corporate accounting completes a GAAP checklist each quarter prior to issuance

of the Form 10Q/10K to verify that all required disclosures are met, which includes
compliance with ASC 310, Receivables.

The Company holds Disclosure Committee meetings prior to sending a draft to

the Audit Committee. The Disclosure Committee reviews the 10Q and 10K and
documents results of review. The committee is composed of members
throughout senior management in various aspects of the organization, including
the Manager responsible for loan accounting.
Form 18**SDI.2, Loans Plan Substantive Testing
Loans: Audit Plan by Material Account Balance (Balance Sheet)/Class of Transaction (Income Statement)/Disclosure — Substantive Testing Testing Information Produced by the Entity
[Risk (Not Significant) and Relying (IPE)
on Controls — Low Extent of Testing
Risk (Not Significant) and Relying on
Controls — Normal Extent of Testing Findings and
Significant Risk and Relying on Observations
Controls Application (None Noted, Change to
Risk (Not Significant) and Not Is IPE used in System Plan, Identified or
Relying on Controls Performing (if testing IPE Testing Suspected Fraud,
Significant Risk and Not Relying on Substantive List IPE through tests of Reference — Testing Reference — Management Letter
ID Substantive Procedures Planned Controls] Testing? controls) IPE Substantive Procedures Comment, Misstatement)
Note 10 Note 22 Note 14 Note 15 Note 16 Note 20 Note 21

LSP 1 Profile the loan population

A. Test reconciliation of the detailed population from the source subledger to the subledger totals.
1. Obtain a reconciliation of the detailed records to the associated general ledger accounts.
2. Identify and test reconciling items based on sampling guidance and compare to reconciling items identified by entity.
3. Compare the account balances from the reconciliations to the amounts recorded in the subledger.
B. Identify items that exhibit characteristics of audit interest.
1. Perform an analysis of relevant monetary characteristics. Monetary characteristics may include (per U.S. AAM 23002-1B, The Profiling
Approach)
A. Mean, median, and maximum amounts
B. The dollar and item count stratification of the items in the population (e.g., 2,000 items between $0 and $10,000, 3,000 items between
$10,001 and $50,000)
C. Negative amounts
D. Benford Analysis.

2. Perform an analysis of relevant nonmonetary characteristics. Nonmonetary information associated with each item in a population, such
as descriptions, names, and certain flags, can often exhibit strong indicators of the existence of a possible misstatement.
3. Determine the characteristics of audit interest to be used to segregate the population into subpopulations that are more likely to contain
misstatements. See further discussion of nonmonetary characteristics within U.S. AAM 23002-1B.
C. Define subpopulations of items that exhibit characteristics of audit interest.
1. Use file interrogation techniques to produce reports that identify items that exhibit characteristics of audit interest.
2. Define the subpopulations as follows:
a. Define individual subpopulations that each contains items exhibiting different characteristics of audit interest.
b. Define one remainder population that contains items that do not exhibit characteristics of audit interest.
D. Determine appropriate sample sizes and make a selection of items for detail testing.
1. The appropriate sample size for each subpopulation of items exhibiting characteristics of audit interest
2. The appropriate sample size for the remainder population should be the lesser of 10 items or should be determined by taking the total
remainder population and determining the sample based on U.S. AAM 23002-4, Tests of Details.
E. Perform tests of details (follow detail testing procedures below).
F. Evaluate the results of profiling approach procedures.
1. If a misstatement is detected in one of the subpopulations of items exhibiting characteristics of audit interest or the remainder population,
perform additional procedures based on procedures noted within the profiling approach in U.S. AAM 23002-1B.
G. Document the following related to the use of a profiling approach:
1. The audit Engagement Partner's conclusion that the use of a profiling approach is appropriate, including indication of account balances
and potential errors that are tested using the profiling approach.
2. Characteristics of audit interest for purposes of applying the profiling approach, as well as a list or summary of items deemed to exhibit
characteristics of audit interest, by subpopulation
3. The specific items selected, reasons for selecting such items (or the subpopulation from which items were selected), as well as the
results of audit procedures performed and inquiries made related to such items
H. Year-end Update
1. For Profiling procedures performed at an interim date, re-profile the data at year-end based on the characteristics in B., C., and D. above
to validate the appropriateness of the individual samples for each subpopulation. If subpopulations increased in size indicating additional
sample procedures warranted, make additional selections and perform procedures.
2. Perform procedures over reconciliations as noted in A. above to validate the account balances.

LSP 2 Confirm loans serviced by the entity

A. Test reconciliation from the loans subledgers to the general ledger.
1. Obtain a reconciliation of the detailed records to the associated general ledger accounts.
2. Identify and test reconciling items based on sampling guidance and compare to reconciling items identified by entity.
3. Compare the account balances from the subledgers to the amounts recorded in the general ledger.
B. Make a selection of loans for confirmation - based on Step 1.
1. Prepare positive confirmation requests confirming outstanding principal balances for the sample selected. Mail the confirmation requests
under our control, determine that the requests are properly addressed (i.e., obtain audit evidence about the accuracy and completeness of
addresses provided by the entity), and request that all replies be sent directly to our office.
Form 18**SDI.2, Loans Plan Substantive Testing
Testing Information Produced by the Entity
[Risk (Not Significant) and Relying (IPE)
LSP 2 on Controls — Low Extent of Testing
Risk (Not Significant) and Relying on
Controls — Normal Extent of Testing Findings and
Significant Risk and Relying on Observations
Controls Application (None Noted, Change to
Risk (Not Significant) and Not Is IPE used in System Plan, Identified or
Relying on Controls Performing (if testing IPE Testing Suspected Fraud,
Significant Risk and Not Relying on Substantive List IPE through tests of Reference — Testing Reference — Management Letter
ID Substantive Procedures Planned Controls] Testing? controls) IPE Substantive Procedures Comment, Misstatement)
Note 10 Note 22 Note 14 Note 15 Note 16 Note 20 Note 21
a. For confirmations sent, perform procedures to ensure that the address on the confirmation request was addressed to the account holder
selected for testing.
b. Agree control totals to subsidiary ledgers.
2. Send second requests for non-replies.
3. Compare replies to requests. Reconcile or have entity reconcile exceptions. Investigate any differences.
4. Perform alternative procedures, such as review of loan file documentation and subsequent payments, for positive confirmation non-
replies and no-mail confirmations that were not sent and investigate significant or unusual items noted. For actual differences, extrapolate
the error and post error to summary of passed adjustments.
5. For confirmations not received via mail (i.e., fax or email), perform the following: (1) verify the telephone, fax, or email information using
telephone books, business directories, or other outside sources such as the official third party websites, yellowpages.com, yahoo directory
service, etc., (2) contact the confirming party and request that the actual physical confirmation be sent to us via mail, (3) two of our
personnel (of appropriate levels of management) should contact the confirming party to verify the confirmed information, and request a
written follow-up or, for a telecopy, fax, or email, the actual document transmitted and for each such confirmation we should confirm the key
terms of each confirmation to assure that the electronic confirmation was, indeed, originated by the confirming party, and (4) if we are
unable to obtain a written follow-up or, for a telecopy, fax, or email, the actual document transmitted, write a memorandum covering the
procedures used and the results of the telephone, telecopy, fax, or email inquiry. This memorandum should be signed by both our
personnel involved in contacting the confirming party and approved by the audit Engagement Partner.

6. Prepare a summary of confirmation results. Consider whether additional procedures are warranted.

LSP 3 Evaluate and test loans held for sale

A. Review an aging of mortgage loans held for sale to determine if any loans appear to be misclassified (i.e., not readily marketable).
Determine if any stale loans noted have defects or if they are not salable at normal market prices.
B. Based on loan sale activity, aging of loans held for sale, normal delivery periods, inquiries of management, comments and criticisms by
regulators, and other appropriate information, evaluate whether there is evidence that certain loans or pools of loans currently classified as
held for sale, should be classified and evaluated as loans held for investment or vice versa.
C. Review the entity's policies for determining cost and market value of loans held for sale.
D. Perform detail tests of management's estimate of the fair value of loans held for sale.
1. Make a selection of the loans held for sale.
2. Agree the fair value of the loan to supporting market quotes for the loan, based on its characteristics. Consider the following:
Mortgage:
-Fair value for mortgage loans covered by investor commitments shall be based on committed values.
-Fair value for uncommitted loans shall be based on the market in which the mortgage banking enterprise normally operates. That
determination would include consideration of the following:
--Market prices and yields sought by the mortgage banking enterprise's normal market outlets
--Quoted Government National Mortgage Association (GNMA) security prices or other public market quotations for long-term
mortgage loan rates
-- Federal Home Loan Mortgage Corporation (FHLMC) and Federal National Mortgage Association (FNMA) current delivery prices

Commercial:
--Quoted (binding) bids from third parties
--Appraised values of the associated collateral
-Include appraisal checklists and appraisal excerpts in the working papers
-Valuations by third parties
3. Agree the cost components of the recorded loan balance (net of points, fees, etc.) to supporting documentation and recalculate the net
recorded cost
4. Test the mathematical accuracy of the total cost and fair value, respectively, for loans held for sale schedules.
5. If cost exceeds fair value, determine that the excess amount has been accounted for as a valuation allowance, and has been included
in the determination of net income.
6. Determine that the method used in ascertaining the lower of cost or fair value of loans (that is, aggregate or individual loan basis) has
been disclosed.
7. Evaluate results of tests.
8. Subsequent Events - Make a representative sample of commercial loans sold, utilizing the year-end recorded balances as the base for
the random sample, and compare to market values recorded by the institution to determine the reasonableness of the recorded values
Form 18**SDI.2, Loans Plan Substantive Testing
Testing Information Produced by the Entity
[Risk (Not Significant) and Relying (IPE)
on Controls — Low Extent of Testing
Risk (Not Significant) and Relying on
Controls — Normal Extent of Testing Findings and
Significant Risk and Relying on Observations
Controls Application (None Noted, Change to
Risk (Not Significant) and Not Is IPE used in System Plan, Identified or
Relying on Controls Performing (if testing IPE Testing Suspected Fraud,
Significant Risk and Not Relying on Substantive List IPE through tests of Reference — Testing Reference — Management Letter
ID Substantive Procedures Planned Controls] Testing? controls) IPE Substantive Procedures Comment, Misstatement)
Note 10 Note 22 Note 14 Note 15 Note 16 Note 20 Note 21
9. For those loans selected in step 8, review the supporting documentation to understand management's intentions related to the loan.
Conclude whether or not management properly transferred the loan to held for sale during the appropriate period.

LSP 4 Obtain a report detailing unsettled transactions (in process loans or loan sales). Review unsettled transactions and other
transactions several days before and after the testing date and determine that they were recorded in the proper period.

LSP 5 Perform detail testing of loans to related parties.

A. Obtain a schedule of loans to related parties (e.g., officers, directors, stockholders, and related entities) and determine that such loans
are in accordance with the institution’s lending policies, were properly approved, and are within applicable regulatory limitations. Test the
schedule as considered necessary. Evaluate for disclosure in the financial statements.
B. Obtain information regarding loans pledged as collateral to secure public deposits or other purposes. Determine that such information
has been included in the management representation letter.
C. Test report disclosures and determine that disclosures are adequate.
D. Utilizing the population of loans subject to confirmation search for officer, director, and other known related parties names in the
population. Ensure that these items have been appropriately identified in the related party detail.

LSP 6 Evaluate the entity's methodology and perform detail testing of deferred loan costs and fees. - Detail Testing
A. Review the institution's methodology for deferring and amortizing loan origination fees and costs.
B. Review the institution's methodology for establishing the standard origination cost per loan and consider whether the frequency of the
institution's review of standard costs is adequate.
C. Obtain a schedule of deferred loan origination fees and costs showing beginning and ending balances, additions, amortization and
reductions related to loan sales. Test the summarization of the schedule. Agree ending balances to subsidiary records and to the general
ledger. Test reconciling items between the subsidiary records and the general ledger as appropriate.
D. Make a sample of loans originated during the current period and test loan origination fees and costs deferred and agree to recording in
the general ledger.
1.1 Obtain supporting documentation, including fee analysis
1.2 Recalculate amortization of loan origination fees and costs deferred.
1.3 Agree the origination fees and costs deferred to the general ledger
E. Make a sample of loans outstanding during the period and perform the following:
1.1 Obtain supporting documentation, including fee analysis
1.2 Agree the current period amortization of net deferred loan origination fees or costs to the general ledger.
1.3 For each selection recalculate the amortization for a selected month during the period (selections should be allocated to selected
months during the period so that the entire period under audit is adequately tested) and agree to recording in the general ledger. Investigate
differences.
F. Evaluate results of testing.

Evaluate the entity's methodology and perform detail testing of deferred loan costs. - Substantive Testing
A. Review the institution’s methodology for deferring and amortizing loan origination fees and costs. Determine whether the methodology is
consistent with SFAS 91 (ASC 310-20).

B. Review the institution's methodology for establishing the standard origination cost per loan. Determine whether the methodology is
consistent with SFAS 91 (ASC 310-20), and consider whether the frequency of the institution's review of standard costs is adequate.
C. Obtain a schedule of deferred loan origination fees and costs showing beginning and ending balances, additions, amortization, and
reductions related to loan sales. Test the summarization of the schedule. Agree ending balances to subsidiary records and to the general
ledger. Test reconciling items between the subsidiary records and the general ledger as appropriate.
D. Perform substantive analytical procedures to test loan origination fees and loan origination costs deferred during the period.
1.1. Use ACL (or another method if more efficient) to disaggregate both the data used to build the expectations and the various recorded
loan origination fee and cost amounts at a level of detail sufficient to enable us to obtain the desired level of assurance based on a
comparison of amounts. Consider the following means of disaggregation: by period (e.g., quarterly, monthly, or weekly); by account,
location, or division or by nature of expense.
1.2 Determine that the data used to develop our expectation is independent and reliable, and if we are using information produced by the
entity, that it is accurate and complete. Consider using the following data when we develop our expectation, as applicable:
Form 18**SDI.2, Loans Plan Substantive Testing
Testing Information Produced by the Entity
[Risk (Not Significant) and Relying (IPE)
on Controls — Low Extent of Testing
Risk (Not Significant) and Relying on
Controls — Normal Extent of Testing Findings and
Significant Risk and Relying on Observations
Controls Application (None Noted, Change to
Risk (Not Significant) and Not Is IPE used in System Plan, Identified or
Relying on Controls Performing (if testing IPE Testing Suspected Fraud,
Significant Risk and Not Relying on Substantive List IPE through tests of Reference — Testing Reference — Management Letter
ID Substantive Procedures Planned Controls] Testing? controls) IPE Substantive Procedures Comment, Misstatement)
Note 10 Note 22 Note 14 Note 15 Note 16 Note 20 Note 21

a. The average loan fees charged, per loan, as a percentage of principal during the period
b. The number of loans for which loan origination fees were charged and loan origination costs were incurred during the period
c. The standard origination cost per loan
d. Prior-period amounts or fee and cost ratios, adjusted for known factors during the current period.
E. Evaluate results of tests.
LSP 7 Obtain a detail of all loans modified during the current year. Detail test the population to determine that the loan was appropriately
identified/not identified as a TDR.

A. Review the institution’s methodology for loan modifications and TDR.

1. Obtain a detail listing of all loans modified during the current year.
2. Make a sample of the modified loans.
3. Perform the following:
a. For each selection, evaluate the nature of the modification and the revision to the note to ensure that it was recorded appropriately.
b. Evaluate the modification for TDR implications.
4. Evaluate TDRs for impairment pursuant to the steps identified in Form 18**SDI.3, Allowance for Loan and Lease Losses.

B. Utilize ACL to evaluate the completeness of loans identified as TDRs. Utilizing ACL query the population to identify:
1. Changes in interest rates
2. Extension of maturity date or nonaccrual periods
3. Modification of payment terms
4. Evaluate whether items identified via the ACL query are appropriately included/excluded from the TDR listing.
LSP 8 Perform detail testing of loan sales
A. Obtain a schedule of loan sales and make a selection of loan sales during the audit period for detail testing.
1. Make a selection of loan sales from the schedule. If the entity has a large volume of loan sales, consider use of the profiling approach.

2. Agree terms of the sale to an agreement with the purchaser and trace cash receipt to supporting documentation.
3. Test the allocation of the total cost basis of the loan to the servicing assets and the loans (without the servicing assets) based on relative
fair value at the date of sale. Test the fair values based on cash sales proceeds for the loan and valuation model for the contractually
specified servicing fees as appropriate. Trace the recording of the servicing assets to proper recording in the general ledger.

4. Review the contractually specified servicing fee contained in the agreement.

5. Recalculate the components of the gain or loss on the sale of the loan and trace to proper recording in the general ledger.
a. Determine that loan origination fees and direct loan origination costs deferred in accordance with SFAS 91 (ASC 310-20) are
appropriately included in determination of gains/losses from sales of loans.

LSP 9 Perform detail testing of the designation of loan type (held for sale v. held for investment).
Review the entity's overall policy and strategies for loans.
Determine the criterion by which management designates loans as held for investment vs. held for sale.
Review the population of held for sale loans to ensure they are appropriately designated in compliance with the entity's policy.
Obtain a schedule of loans sold during the year and evaluate the original designation of notes sold.

LSP 10 Perform detail testing of loan commitments

A. Obtain a schedule of all loan commitments and related fees as of the testing date and perform the following procedures:
1. Make a sample of loans funded during an appropriate period subsequent to year-end.
2. Obtain supporting documentation.
3. Assess whether such loans should be included in the schedule of commitments outstanding at the end of the current period.
4. Based on our determination in step A3 agree such loans to the proper inclusion or exclusion of the schedule of loan commitments.

B. Verify loan commitment fees is tested in conjunction with noninterest income.

C. Determine that valuation of significant commitments is tested in the audit area for the allowance for loan and lease losses.
D. Determine that valuation of loan commitments accounted for as derivatives (held for sale) is tested in the audit area of derivatives.

E. Evaluate results of tests.

Form 18**SDI.2, Loans Plan Substantive Testing
Testing Information Produced by the Entity
[Risk (Not Significant) and Relying (IPE)
on Controls — Low Extent of Testing
Risk (Not Significant) and Relying on
Controls — Normal Extent of Testing Findings and
Significant Risk and Relying on Observations
Controls Application (None Noted, Change to
Risk (Not Significant) and Not Is IPE used in System Plan, Identified or
Relying on Controls Performing (if testing IPE Testing Suspected Fraud,
Significant Risk and Not Relying on Substantive List IPE through tests of Reference — Testing Reference — Management Letter
ID Substantive Procedures Planned Controls] Testing? controls) IPE Substantive Procedures Comment, Misstatement)
Note 10 Note 22 Note 14 Note 15 Note 16 Note 20 Note 21
LSP 11 Test report disclosures for adequacy and appropriateness by independently completing the appropriate disclosure checklists.

LSP 12 Rollforward test for loans tested prior to year-end (as applicable)
A. Review reconciliations of subsidiary records of loans, loans purchased and participations purchased together
with the related escrow, loans-in-process, deferred loan origination fees or costs, and accrued interest receivable
balances to the general ledger at year-end. Test reconciling items as appropriate.
B. Evaluate significant accounting entries between the interim test date and year-end for the following:
1. Nonroutine, nonsystematic adjustments to the final recorded account balance in the general ledger
2. Unusual items used in reconciling the subsidiary ledgers to the general ledger.
C. Perform substantive analytical procedures by developing expectations of the loan balances at year-end:
1. Use ACL (or another method if more efficient) to disaggregate the data used to build the expectations at a level of detail sufficient to
enable us to obtain the desired level of assurance based on a comparison of amounts.
D. Review sales of loans subsequent to year-end to determine if classification as of year-end was in accordance with entity's stated intent
and ability.
E. Update procedures performed in Procedure LSP 11 through the balance sheet date.
F. For those loans categories that will not be tested using substantive analytical procedures, obtain a schedule of loan activity between the
interim testing date and year-end. Agree originations, payoffs, and payments to supporting activity summaries.
1. Make a sample of originations, payoffs, and payments.
2. Agree to supporting documentation.
3. Agree to recording in the general ledger.
4. Consider confirming selected new loans as of year-end. Refer to Section LSP 2 for confirmation procedures.
G. Review sales of loans subsequent to year-end to determine if classification as of year-end was in accordance
with entity's stated intent and ability.
Form 18**SDI.2, Loans Notes

NOTES

Note 1 Account Balance/Class of Transactions/Disclosure

Within this template, the term class of transactions refers to Income Statement accounts and account balance refers to Balance Sheet accounts. The term
transaction type is used to describe an activity or series of activities that results in one or more classes of transactions, account balances, and disclosures. [Derived from
U.S. AAM 13200.8a.]

Note 2 Relevant AssertionsThe assertions are considered at the class of transactions, account balance, and disclosure level. See the "Assertions" tab of this template for a description and exampl

NOTE: For a class of transactions (Income Statement account), account balance (Balance Sheet account), or disclosure, if an assertion is not considered relevant, include
documentation in the working papers explaining why the assertion is not relevant for that class of transactions, account balance, or disclosure.

The determination of whether an assertion is relevant is based on inherent risk, without regard to the effect of internal controls. [U.S. AAM and PCAOB AAM Glossary]

Note 3 Risk of Material Misstatement

For the material classes of transactions, account balances, and disclosures [significant accounts and disclosures] identified, we are required to identify risks of material
misstatement at the relevant assertion level to provide a basis for designing and performing further audit procedures. [U.S. AAM 13200.3/PCAOB AAM 13200.2]

Consideration of transaction types may be relevant to our identification and assessment of risks of material misstatement at the relevant assertion level for classes of
transactions, account balances, and disclosures. [Derived from U.S. AAM 13200.8a.]

NOTE: For integrated and nonintegrated audits performed in accordance with the standards of the PCAOB or for integrated audits performed in accordance with the
standards of the AICPA, we are required to document our understanding of the flows of transactions using process flow diagrams to supplement narratives or other
documentation related to:
• Accounts or disclosures for which we have identified a significant risk
• Revenue accounts identified as material to the financial statements [Derived from U.S. AAM 23001-I.56/PCAOB AAM 12200.73.]

For nonintegrated audits performed in accordance with the standards of the AICPA, if we intend to rely on the operating effectiveness of controls in determining the nature,
timing, and extent of substantive procedures to address risks of material misstatement that are (1) significant risks or (2) related to revenue accounts identified as
material to the financial statements, we are required to document our understanding of the applicable flows of transactions related to the accounts or disclosures using
process flow diagrams to supplement narratives or other documentation. [Derived from U.S. AAM 12200.98a.]

The consideration of what can go wrong for the classes of transactions, account balances, and disclosures may assist us in identifying the risks of material misstatement,
relating these risks to the relevant assertions, and in designing more effective and efficient procedures to respond to those risks. This means that we think about those
things that could go wrong of sufficient likelihood to lead to material misstatement and does not mean that we have to contemplate all possible things that could go wrong
regardless of their likelihood. [U.S. AAM 13150.5/PCAOB AAM 13150.5, emphasis added.]

A risk of material misstatement is a risk that the financial statements are materially misstated prior to audit. This consists of two components, described as follows at the
assertion level:
- Inherent risk: The susceptibility of an assertion about a class of transaction, account balance, or disclosure to a misstatement that could be material, either individually or
when aggregated with other misstatements, before consideration of any related controls.
- Control risk: The risk that a misstatement could occur in an assertion about a class of transaction, account balance, or disclosure that could be material, either
individually or when aggregated with other misstatements, will not be prevented, or detected and corrected, on a timely basis by the entity's internal control. [U.S. AAM
and PCAOB AAM Glossary]

A risk of material misstatement may relate to one or more relevant assertions. Further, one or more risks of material misstatement may exist for a relevant assertion.

Refer to U.S. AAM 13150 and 12200 or PCAOB AAM 13150 and 12200 for further guidance.
Form 18**SDI.2, Loans Notes
Note 4 Significant Findings or Issues
Significant findings or issues represent matters of importance to the engagement partner or Engagement Quality Control (EQC) Reviewer in planning, supervising, and
reviewing our audit. We categorize these items as significant findings or issues to draw the attention of engagement leaders to them and to designate them as matters for
which the engagement partner is required to perform a primary review in addition to that of the manager. While a significant risk gives rise to an audit response that is
incremental to that required for a normal risk, a significant finding or issue may not result in changes to the nature, timing, or extent of audit testing. However, we
separately identify significant findings or issues in our audit documentation (including our planning and summary memoranda) and subject our related work to more
detailed review by the engagement partner and EQC Reviewer.

Risks of material misstatement related to significant findings or issues, identified during planning and which affect the audit procedures performed, may result in
customization of one or all of the related risks of material misstatement, control activities, and/or the related substantive procedures described in this template.

Significant findings or issues for planning purposes include, but are not limited to, the following:

- Risks of material misstatement that are determined to be significant risks and the results of the auditing procedures performed in response to those risks
- Matters that are significant involving the selection, application, and consistency of accounting principles, including related disclosures (e.g., new accounting
pronouncements)
- Accounting for complex or unusual transactions
- Accounting estimates highly dependent upon judgment
- Significant uncertainties
- Matters that led to the classification of engagement risk as greater than normal or much greater than normal
- Circumstances that cause us significant difficulty in applying necessary audit procedures. [Derived from U.S. AAM 00200.16-16a/PCAOB AAM 00200.23-23a.]

Refer to U.S AAM 00200.16-16a/PCAOB AAM 00200.23-23a for additional guidance.

Note 5
Classification of Inherent Risk
As part of the risk assessment, we are required to determine whether any of the risks identified are, in our judgment, a significant risk. In exercising this judgment, we
are required to exclude the effects of identified controls related to the risk. [U.S. AAM 13150.52/PCAOB AAM 13150.3 and 27]

A significant risk is an identified and assessed risk of material misstatement that, in the auditor's judgment, requires special auditor consideration. [U.S. AAM and PCAOB
AAM Glossary]

Risks of material misstatement related to significant risks may result in customization of one or all of the related risks of material misstatement, control activities, and/or
related substantive procedures described in this template.

In exercising judgment as to which risks are significant risks, we are required to consider at least the following:
- Whether the risk is a risk of fraud
- Whether the risk is related to recent significant economic, accounting, or other developments and, therefore, requires special attention
- The complexity of transactions
- Whether the risk involves significant transactions with related parties
- The degree of subjectivity in the measurement of financial information related to the risk, especially those measurements involving a wide range of measurement
uncertainty
- Whether the risk involves significant transactions that are outside the normal course of business for the entity, or that otherwise appear to be unusual. [U.S. AAM
13150.53/PCAOB AAM 13150.28]

Presumed Significant Risks — Revenue Recognition and Management Override of Controls

When identifying and assessing the risks of material misstatement due to fraud, we are required to, based on a presumption that there are risks of fraud in revenue
recognition, evaluate which types of revenue, revenue transactions, or assertions give rise to such risks. [Excerpted from U.S. AAM 13150.46/PCAOB AAM
13150.18.]

Due to the unpredictable way in which management override of controls could occur, it is a risk of material misstatement due to fraud and thus a significant risk.
[Excerpted from U.S. AAM 13350.4/PCAOB AAM 13350.2.]

Refer to U.S. AAM 13150 and 13350 or PCAOB AAM 13150 and 13350 for further guidance.
Form 18**SDI.2, Loans Notes
Note 6 Risk of Material Misstatement Due to Fraud?
We use professional judgment to determine whether a fraud risk factor is present and whether it is to be considered in assessing the risks of material misstatement of the
financial statements due to fraud. [Derived from U.S. AAM 13150.37/PCAOB AAM 13150.14.]

We are required to treat those assessed risks of material misstatement due to fraud as significant risks and accordingly, to the extent not already done so, we are required
to obtain an understanding of the entity’s related controls, including control activities, relevant to such risks, and evaluate whether such controls have been suitably
designed and implemented to mitigate such fraud risks. [U.S. AAM 13150.42/PCAOB AAM 13150.33]

Identifying potential fraud schemes may facilitate the evaluation of the design of relevant controls and the development of effective audit procedures. [U.S. AAM
13300.49a/PCAOB AAM 13300.70b]

Refer to U.S. AAM 13150 and 13300 or PCAOB AAM 13150 and 13300 for further guidance.

Note 7
Risk Associated with the Control – For Audits Performed in Accordance with the Standards of the PCAOB and for Integrated Audits Performed in
Accordance with the Standards of the AICPA

The risk associated with a control consists of the risk that the control might not be effective and, if not effective, the risk that a material weakness would result.
[Excerpted from U.S. AAM 23001-I.71/PCAOB AAM 23001.20.]

The risk associated with a control may be assessed as either “higher” or “not higher,” based on the factors in PCAOB AS 5.47 and PCAOB AS 5.48 (PCAOB AS 13.31). See
Deloitte Guidance (Q&A) 3-1, Risk Associated with the Control — Relationship to Inherent Risk, for additional information.

It is not necessary to separately document our consideration of each factor in PCAOB AS 5.47 and PCAOB AS 5.48 (PCAOB AS 13.31); it may be possible to document our
considerations on a collective basis (e.g., for groups of controls with similar characteristics where the risk associated with the control is similar).

If the risk of material misstatement associated with the related account(s) or assertions(s) is a significant risk, the risk associated with the control is higher. [Excerpt
from U.S. AAM 23001-I.73/PCAOB AAM 23001.21a.]

Note 8 Identification and Documentation of Relevant Control Activities

Integrated Audits
If we are performing an integrated audit, control activities that are relevant to the audit include those that address the assessed risks of material misstatement for each
relevant assertion. [U.S. PCAOB AAM 12200.85]

Nonintegrated Audits
We are required to obtain an understanding of control activities relevant to the audit, being those we judge it necessary to understand in order to assess the risks of
material misstatement at the assertion level and design further audit procedures responsive to assessed risks. [Excerpt from U.S. AAM 12200.99/PCAOB AAM
12200.78.]

We are required to obtain an understanding of the process for reconciling detailed records to the general ledger for material classes of transactions and account balances.
[U.S. AAM 12200.99a/PCAOB AAM 12200.79a]

Control activities that are relevant to the audit are:

- Those that are required to be treated as such, being control activities that relate to significant risks and those that relate to risks for which substantive procedures alone
do not provide sufficient appropriate audit evidence; or
- Those that are in our judgment considered to be relevant. [U.S. AAM 12200.100/PCAOB AAM 12200.81]

Relevant controls include:

- Controls that address significant risks
- Controls that address risks for which substantive procedures alone are not sufficient
- Controls we plan to rely upon to reduce substantive testing
- Controls over journal entries
- Controls we believe it is necessary to understand in order to plan substantive procedures as part of our further audit procedures to obtain sufficient appropriate audit
evidence
- Reconciliations of detailed records to the general ledger for material classes of transactions and account balances.

When obtaining an understanding of controls that are relevant to the audit, we are required to evaluate the design of those controls and determine whether they have
been implemented, by performing procedures in addition to inquiry of the entity’s personnel. [U.S. AAM 12200.30/PCAOB AAM 12200.35]

Refer to U.S. AAM 12200/PCAOB AAM 12200 for further guidance.

Form 18**SDI.2, Loans Notes

Note 9 Conclusion — Design, Implementation, Operating Effectiveness of Controls

Was a deviation or exception identified? Does a deficiency exist? If yes, evaluate the deficiency individually and in combination with other deficiencies. Determine if the
deficiency is a deficiency, a significant deficiency, or a material weakness. Communicate the deficiency, as appropriate.

Determine whether we have a basis for relying on those controls and whether we are able to perform our planned extent of substantive procedures. If an integrated audit,
evaluate the effect on the ICFR opinion.

Refer to U.S. AAM 23001/PCAOB AAM 23001 for further guidance. Consider using Form 2342S, Evaluation of Deficiencies in Internal Control, and Form 2343S, Evaluation
of an Individual Deficiency in Internal Control, to assist in the evaluation.

Note 10 Substantive Procedures Planned

Irrespective of the assessed risks of material misstatement, we are required to design and perform substantive procedures for each relevant assertion related to each
material class of transactions, account balance, and disclosure [significant account and disclosure]. [U.S. AAM 13300.22/PCAOB AAM 13300.48]

The nature, timing, and extent of planned procedures may vary in response to the assessed risk of material misstatement at the assertion level.

A substantive procedure may address more than one risk. We may consider the audit procedures and risks which they address when planning and performing substantive
procedures so that the substantive procedures performed are effective and efficient. [U.S. AAM 23002-1.34]

Nature and Extent of Substantive Procedures

Depending on the circumstances, we may determine that:
- Performing only substantive analytical procedures will be sufficient to reduce audit risk to an acceptably low level (e.g., where our assessment of risk is supported by
audit evidence from tests of controls)
- Only tests of details are appropriate
- A combination of substantive analytical procedures and tests of details are most responsive to the assessed risks [U.S. AAM 23002-1.5/PCAOB AAM 23002-1.11]

NOTE: For audits performed in accordance with the standards of the PCAOB, for significant risks, we are required to perform substantive procedures, including tests of
details, that are specifically responsive to the assessed risks. Therefore, for audits performed in accordance with the standards of the PCAOB, regardless of whether we are
relying on controls, our substantive procedures responsive to a significant risk will either comprise tests of details alone or tests of details performed in combination with
substantive analytical procedures. [U.S. PCAOB AAM 13300.65]

Because the assessment of the risk of material misstatement takes account of internal control, the extent of substantive procedures may need to be increased when the
results from tests of controls are unsatisfactory. However, increasing the extent of an audit procedure is appropriate only if the audit procedure itself is relevant to the
specific risk. [U.S. AAM 23002-1.8/PCAOB AAM 23002-1.13]
Corollary Testing
In designing tests of details, the extent of testing is ordinarily thought of in terms of the sample size. However, other matters are also relevant, including whether it is
Depending on the classes of transactions, account balances, and disclosures being audited and the audit procedures performed, corollary testing may provide audit
more effective to use other selective means of testing. [U.S. AAM 23002-1.9/PCAOB AAM 23002-1.15]
evidence related to the risks of material misstatement identified.
Form 18**SDI.2, Loans Notes
Note 11

Control Operating Effectiveness Testing Strategy

If we are performing a nonintegrated audit and we plan to rely on controls over a risk that we have determined to be a significant risk, we are required to test those
controls in the current period. [U.S. AAM 23001.17/PCAOB AAM 31100.53, emphasis added.]

If we are performing an integrated audit, we are required to test those controls that are important to our conclusion about whether the company’s controls sufficiently
address the assessed risk of misstatement to each relevant assertion. We must test those entity-level controls that are important to our conclusion about whether the
company has effective internal control over financial reporting. [U.S. AAM 23001-I.36 and 62/PCAOB AAM 13300.34 and 38]

For audits performed in accordance with the standards of the PCAOB, or for integrated audits performed in accordance with the standards of the AICPA, we should only use
the low extent of testing set forth in U.S. AAM Figure 23001-I.1 or U.S. PCAOB AAM Figure 23001.1 for those controls where we have assessed the risk associated with
the control as lower than in the initial year (or the year when we last tested the control using at least the normal extent of testing set forth in U.S. AAM Figure 23001-I.1
or U.S. PCAOB AAM Figure 23001.1). Use of the low extent of testing set forth in U.S. AAM Figure 23001-I.1 or U.S. PCAOB AAM Figure 23001.1 is never required. [U.S.
AAM 23001-I.94/PCAOB AAM 23001.56]

If we are using the low extent of testing set forth in U.S. AAM Figure 23001-I.1 or U.S. PCAOB AAM Figure 23001.1 to test a relevant control, we are required to have (1)
assessed the risk associated with the control as "not higher"; (2) tested the operating effectiveness of the control in one of the prior two audits, using at least the sample
sizes in U.S. AAM Figure 23001-I.1 or U.S. PCAOB AAM Figure 23001.1 for a normal extent of testing, and have concluded that the control was effective; (3) confirmed
that there have been no changes in the control or the process in which it operates since the prior audit; and (4) based on consideration of (1), (2), and (3), have
concluded that the risk associated with the control is lower than in the initial year (or the year when we last tested the control using at least the normal extent of testing
set forth in U.S. AAM Figure 23001-I.1 or U.S. PCAOB AAM Figure 23001.1), such that the use of the low extent of testing set forth in U.S. AAM Figure 23001-I.1 or U.S.
PCAOB AAM Figure 23001.1 is considered appropriate. [U.S. AAM 23001-I.95/PCAOB AAM 23001.57]

If we are performing a nonintegrated audit in accordance with the standards of the PCAOB, we should obtain evidence during the current year about the design and
operating effectiveness of controls upon which we rely. [Excerpt from U.S. PCAOB AAM 23001.19]

Refer to U.S. AAM 23001 and 23001-I or PCAOB AAM 13300 and 23001 for further guidance. In addition, refer to Chapter 3, "Testing Operating Effectiveness," within the
Internal Control Guide.

NOTE: For nonintegrated audits performed in accordance with the standards of the AICPA, refer to
the guidance at U.S. AAM 23001.7-11.

Note 12 Control Year Last Tested — For Audits Performed in Accordance with the Standards of the PCAOB and for Integrated Audits Performed in Accordance with
the Standards of the AICPA

The "Control Year Last Tested" represents the last year the relevant control was tested using a normal extent of testing.

Note 13 Operating Frequency

For audits performed in accordance with the standards of the PCAOB or for integrated audits performed in accordance with the standards of the AICPA, refer to U.S. AAM
Figure 23001-I.1 or PCAOB AAM Figure 23001.1 for suggested sample sizes for inspection of documentation to support our inquiries for the purpose of testing the
operating effectiveness of controls.

Depending on the circumstances, we may use professional judgment to determine that larger sample sizes may be appropriate, for example, when we are performing tests
of controls that address one or more significant risks. [U.S. AAM 23001.40/PCAOB AAM 23001.51]

When testing the operating effectiveness of a control that operates less frequently than many times per day, depending on the nature of the control, the risk associated
with the control, and the number of times that it is applied when it operates, we may make additional selections to test its operating effectiveness. [Excerpted from U.S.
AAM 23001.40a/PCAOB AAM 23001.54.]

Refer to U.S. AAM 23001.28-42 or 23001-I.82-99/PCAOB AAM 23001.44-64 for additional guidance regarding determination of the sample size. Also, see Deloitte
Guidance Q&A IC 3-9, Determining the Frequency of a Control, for additional information.

Note 14 Information Produced by the Entity (IPE)

Form 18**SDI.2, Loans Notes
Types of IPE may include, but are not limited to:

- Standard "out of the box" reports as shipped with the system that have not been modified and do not allow for customization of inputs/outputs
- Parameter-driven reports generated by the entity's application system that allow for user selection of inputs (fields/parameters) to generate the report output
- Custom-developed reports that are not standard to the application and are defined and generated by user-operated tools such as scripts, report writers, programming
language, and query tools
- Spreadsheets that include relevant information (e.g., data (1) obtained from an outside source, (2) manually entered into a spreadsheet, (3) summarized or analyzed
using spreadsheet formulas or data exported from ledger system into an MS Access Database, and (4) then manipulated and summarized)
- Client-prepared analyses and schedules that are manually prepared by entity personnel either from information generated from the entity's system or from other internal
or external sources.

Internal Controls IPE in the Context of Internal Controls

IPE in the context of internal controls may include the following:

- Information that we rely upon to test a relevant control

- Information that entity personnel rely upon to perform a relevant control

Substantive Procedures
IPE in the Context of Substantive Audit Procedures
IPE in the context of substantive audit procedures includes information that we rely upon when performing our substantive audit procedures. If the information is the
starting point or subject of our substantive audit procedures, our planned substantive audit procedures will typically address the accuracy and completeness of the
information, and no additional procedures may therefore be necessary. In other cases, our substantive audit procedures may rely on a report that is not the subject of our
substantive audit procedures and/or tests of relevant controls, and it may be necessary to perform additional procedures to address the completeness and accuracy of the
report.

NOTE: The requirement to obtain audit evidence about the accuracy and completeness of IPE also applies when we are using the work of others. If IPE has not been
appropriately tested by those whose work we are using, we may either request that they perform the necessary procedures or we may perform the procedures ourselves.

Refer to U.S. AAM 22500-1/PCAOB AAM 22500-1 and the Information Produced by the Entity Guide for further guidance.

Note 15 Application System

Document the names of relevant application systems.

Identifying the relevant application system within this template allows us to establish the linkage between the risks of material misstatement to which the relevant
application systems and IT infrastructure relate, the relevant IT risks related to these application systems and IT infrastructure, and the general IT controls that address
such risks.

General IT controls may be relevant to the audit if:

- The entity relies on an application system or data warehouse to process or maintain data (e.g., transactions or other relevant data) related to (i) significant accounts and
disclosures or (ii) reports used in the operation of a relevant control.
- The entity relies upon the application system to perform certain automated functions that we determine are relevant to the audit, such as:
- Automated Input, Processing, and Output Controls: This includes the automation of controls related to financial reporting (e.g. a three-way match of the purchase
order, receiver, and invoice prior to payment); the automated approval of payment following an approved delegation of authority; or the automation of the interface
between two systems.
- Automated Calculations: This includes the automation of financial calculations underlying amounts that support or are related to account balances, classes of
transaction, or disclosures in the financial statements (e.g., the extension of sales price times quantity to generate sales invoices, the calculation of outstanding balance on
a loan portfolio, or the calculation of depreciation expense).
- Automated Application Access: This includes the automation of access to financial reporting transactions, including logical segregation of duties (e.g., access
restrictions to updates to inventory quantities or the systematic segregation of duties between front-office and back-office transactions for derivatives processing).
- The entity relies upon an application, data warehouse query, or report writer to generate a report that is used in the operation of relevant controls. The automation of the
report logic (which is viewed as akin to an automated control) includes the extraction criteria and algorithms (e.g., such as those found in an A/R aging report, an
exception report of goods shipped but not invoiced, or monthly financial statements).
- We have judged that it is not possible or practicable for us to obtain sufficient appropriate audit evidence to address certain risks of material misstatement by performing
only substantive procedures and the relevant controls that we have identified over such risks are automated controls or controls that rely on general IT-controls (see
Section 13300 of U.S. AAM and U.S. PCAOB AAM). [U.S. AAM 12200.95a/PCAOB AAM 12200B.11A]

IT risks and general IT controls may be documented in the IT Risk Worksheet — General Information Technology (Form 18**S-GITC) or other supporting working papers.

Note 16 Planned Procedures to Obtain Audit Evidence of Accuracy and Completeness of IPE
Reference to where IPE testing is performed.
Form 18**SDI.2, Loans Notes
NOTE: Procedures to obtain audit evidence about the accuracy and completeness of IPE may be addressed within the documentation of the planned response to test the
control or substantive procedure or aggregated and documented individually in a separate IPE workbook (Form 18**S-IPE).

For nonintegrated audits performed in accordance with the standards of the AICPA, when using information produced by the entity we are required to evaluate whether the
information is sufficiently reliable for our purposes, including as necessary in the circumstances:
• Obtaining audit evidence about the accuracy and completeness of the information
• Evaluating whether the information is sufficiently precise and detailed for our purposes. [U.S. AAM 22500-1.3]

For audits performed in accordance with the standards of the PCAOB (for integrated audits, see also U.S. AAM 22500-1.3), when using information produced by the entity
as audit evidence, we are required to evaluate whether the information is sufficient and appropriate for purposes of the audit by performing procedures to:
• Test the accuracy and completeness of the information, or test the controls over the accuracy and completeness of that information
• Evaluate whether the information is sufficiently precise and detailed for purposes of the audit. [U.S. PCAOB AAM 22500-1.2]

For audits performed in accordance with the standards of the PCAOB, when testing a relevant control that is dependent upon information produced by the entity (and the
effectiveness of the control is therefore dependent upon the accuracy and completeness of such information), we are required to (1) identify controls that address the
accuracy and completeness of such information produced by the entity and (2) test the design and operating effectiveness of such controls (see U.S. PCAOB AAM
13300.22). [U.S. AAM 22500-1.3]

Obtaining audit evidence about the accuracy and completeness of information produced by the entity includes procedures to address:
• The accuracy and completeness of the source data
• The creation and modification of the applicable report logic and parameters. [U.S. AAM 22500-1.5a/PCAOB AAM 22500-1.5a]

Refer to U.S. AAM 22500-1 or PCAOB AAM 22500-1 and the Information Produced by the Entity Guide for further guidance.

Note 17 Testing Reference — General IT Controls

Include tickmark or cross-reference (as specific as possible) to the IT Risk Worksheet — General Information Technology (Form 18**S-GITC) or other supporting working
papers where testing is documented (e.g., See working paper 4410.1, [Testing] tab).

Note 18 Reference to Evaluation of D&I

Include a tickmark or cross-reference to where the evaluation of design and implementation is documented. The evaluation of design and implementation of relevant
control activities may be documented in a separate working paper or within a tab inserted within this template.

Evaluation of Design and Implementation

Evaluating the design of a control involves considering whether the control, individually or in combination with other controls, is capable of effectively preventing, or
detecting and correcting, material misstatements. [U.S. AAM 12200.31/PCAOB AAM 12200.35]

Implementation of a control means that the control exists and that the entity is using it.

Refer to U.S. AAM 12200.30-40/PCAOB AAM 12200.35-38 for additional guidance regarding the evaluation of design and determination of implementation for relevant
controls.

The evaluation of the design of controls documentation may include consideration of the (1) the nature and significance of the risks of material misstatement addressed by
the control, (2) the characteristics or details of the control, and (3) the following factors to determine whether the control is appropriately designed (i.e., the precision of a
control) to address the identified risk.

Factors to Consider When Determining Whether Control Is Appropriately Designed

- Appropriateness of the purpose of the control and its correlation to the risk/assertion
- Appropriateness of the control considering the nature and significance of the risk
- Competence and authority of the person(s) performing the control
- Frequency and consistency with which the control is performed
- Level of aggregation and predictability
- Criteria for investigation and process for follow-up
- Dependency on other controls or information.

For more information regarding these factors, see the Internal Control Guide, Chapter 2, "Understanding Likely Sources of Misstatement and Testing Design Effectiveness
for Controls That Address Risk of Material Misstatement."

The extent of documentation may vary depending upon the nature of the control and the level of subjectivity involved.
For example: Management reviews and other higher level controls (e.g., direct and precise entity-level controls) would typically require more extensive documentation
than an attribute-based control.
Form 18**SDI.2, Loans Notes

NOTE: In an integrated audit, the purpose of a test of design effectiveness is not to determine whether the control has been implemented. We do not need to separately
test implementation if we are also testing operating effectiveness. However, the procedures performed to test design and to determine implementation may be similar.

Note 19 Planned Nature, Timing, and Extent of Procedures to Evaluate Operating Effectiveness of Controls
Consider nature, timing, and extent of our tests when planning procedures to evaluate operating effectiveness of controls.

Nature of Tests of Controls

Nature of tests of controls includes inspection of documentation supporting our inquiries, reperformance supporting our inquiries, and observation supporting our inquiries.

Extent of Tests of Controls

When more persuasive audit evidence is needed regarding the effectiveness of a control, it may be appropriate to increase the extent of testing of the control. As well as
the degree of reliance on controls, matters we may consider in determining the extent of tests of controls include the following:
- The frequency of the performance of the control by the entity during the period
- The length of time during the audit period that we are relying on the operating effectiveness of the control
- The expected rate of deviation from a control
- The relevance and reliability of the audit evidence to be obtained regarding the operating effectiveness of the control at the assertion level
- The extent to which audit evidence is obtained from tests of other controls related to the assertion. [U.S. AAM 23001.28/PCAOB AAM 23001.42-43]

In addition, for PCAOB audits matters we may also consider in determining the extent of tests of controls include the following:
- The nature of the control, including, in particular, whether it is a manual control or an automated control
- For an automated control, the effectiveness of relevant general IT controls. [Excerpted from U.S. PCAOB AAM 23001.43]

Timing of Tests of Controls

We are required to test controls for the particular time, or throughout the period, for which we intend to rely on those controls, in order to provide an appropriate basis for
our intended reliance. [U.S. AAM 23001.45/PCAOB AAM 13300.19]

Refer to U.S. AAM 23001 and 23001-I or U.S. PCAOB AAM 23001 for further guidance.

NOTE: For audits performed in accordance with the standards of the PCAOB or for integrated audits performed in accordance with the standards of the AICPA, for each
control selected for testing, the evidence necessary to persuade the auditor that the control is effective depends upon the risk associated with the control. The risk
associated with a control consists of the risk that the control might not be effective and, if not effective, the risk that a material weakness would result. As the risk
associated with the control being tested increases, the evidence that the auditor should obtain also increases.
[Derived from U.S. AAM 23001-I.71/PCAOB AAM 23001.20.]

Note 20 Testing Reference

Include tickmark or cross-reference (as specific as possible) to supporting working papers where testing is documented (e.g., See working paper 4311.1, [Testing] tab).
Include reference, if applicable, to use of the work of others, use of specialists, and rollforward procedures if tested at an interim date.

Note 21 Findings and Observations

Include a tickmark or cross-reference to supporting working papers for documentation supporting the finding or observation.

NOTE: When evaluating the operating effectiveness of relevant controls, we are required to evaluate whether misstatements that have been detected by substantive
procedures indicate that controls are not operating effectively. The absence of misstatements detected by substantive procedures, however, does not provide audit
evidence that controls related to the assertion being tested are effective. [U.S. AAM 23001.50/PCAOB AAM 23001.84] The identification by us of a material
misstatement of the financial statements under audit in circumstances that indicate that the misstatement would not have been detected by the entity’s internal control is
an indicator of a material weakness. [U.S. AAM 23001.51/PCAOB AAM 23001.110]

In an audit of internal control over financial reporting, the auditor should evaluate the effect of the findings of the substantive auditing procedures performed in the audit of
financial statements on the effectiveness of internal control over financial reporting. This evaluation should include, at a minimum—
• The auditor’s risk assessments in connection with the selection and application of substantive procedures, especially those related to fraud.
• Findings with respect to illegal acts and related party transactions.
• Indications of management bias in making accounting estimates and in selecting accounting principles.
• Misstatements detected by substantive procedures. The extent of such misstatements might alter the auditor’s judgment about the effectiveness of controls. [U.S. AAM
23001-I.196/PCAOB AAM 23001.117]
Form 18**SDI.2, Loans Notes
Note 22 Planned Extent of Substantive Testing
A substantive procedure may address more than one risk of material misstatement. The planned extent of substantive testing would equate to the most extensive planned
extent of substantive testing for all risks of material misstatement to which the procedure has been linked (e.g., if a substantive procedure is addressing multiple material
misstatements and only one is a significant risk, the substantive procedure would be performed to address the extent of testing necessary to address the significant risk).

Substantive Analytical Procedures

In using our professional judgment to determine thresholds, we may refer to U.S. AAM Figure 23002-1.1 or U.S. PCAOB AAM Figure 23002-1.1.

Tests of Details
If we use audit sampling, our sample sizes may be determined using U.S. AAM Figure 23002-4.1 or U.S. PCAOB AAM Figure 23002-4.1.

Low Extent of Testing

In situations where we have identified a risk of material misstatement that is not significant and we are able to rely on the operating effectiveness of controls related to the
risk of material misstatement being tested, we may set the extent of testing as either normal or low for the purposes of determining the appropriate thresholds or
determining the appropriate sample size using U.S. AAM Figure 23002-1.1 or U.S. PCAOB AAM Figure 23002-1.1 (Determination of Threshold Table) and U.S. AAM Figure
23002-4.1 or U.S. PCAOB AAM Figure 23002-4.1 (Audit Sampling Sample Size Table), based on (1) the nature of the risk, (2) the likelihood of the occurrence of the risk,
and (3) the likely magnitude of any resulting misstatements. [Derived from U.S. AAM 23002-2.42 and 23002-4.31/PCAOB AAM 23002-2.44 and 23002-4.28.]
Form 18**SDI.2, Loans Assertions
Assertions used by us to consider the different types of potential misstatements that may occur (i.e., "what could go wrong") fall into the following three
categories and may take the following forms:
Note: The table below provides the linkage between the current Deloitte Touche Tohmatsu Limited (DTTL) Audit Approach Manual (DTTL AAM) terminology
(which is consistent with the ISAs) and PCAOB assertions.

Assertions about classes of transactions (income The following are examples of potential Misstatements relating to the assertions PCAOB Assertions
statement accounts) and events for the period under below. These examples are neither exhaustive nor always applicable as facts
audit: and circumstance may vary from one entity to the next.

Occurrence Transactions and events that have Potential Misstatements relating to the Assertion occurrence, for income statement Existence or occurrence
been recorded have occurred and account balances, may result from:
pertain to the entity. - Fictitious or unauthorized transactions are entered on source documents or directly into
the application system (input)
- Transactions are duplicated when input
- Invalid input is captured in the subsidiary ledgers.

Completeness All transactions and events that Potential Misstatements relating to the Assertion completeness, for income statement Completeness
should have been recorded have account balances, may result from:
been recorded. - Transactions or events that are not identified and therefore are not entered on a source
document or directly into the application system (input)
- Input is not captured into the subsidiary ledgers
- Input that is rejected is not resubmitted for capture in the subsidiary ledger.

Accuracy Amounts and other data relating to Potential Misstatements relating to the Assertion accuracy, for income statement account Valuation or allocation
recorded transactions and events balances, may result from:
have been recorded appropriately. - Input is inaccurately captured into the subsidiary ledgers
- Input or subsequent processing reflects amounts in excess or less than appropriate
amounts
- Processing of transactions is inaccurate (i.e., summarizing, calculating, and posting)
- Inaccurate adjustments are made to the subsidiary ledgers or general ledger.

Cutoff Transactions and events have been Potential Misstatements relating to the Assertion cutoff, for income statement account Valuation or allocation
recorded in the correct accounting balances, may result from:
period. - Transactions or events that have occurred or will occur are recorded too early (i.e., they
are recorded in a period prior to when they should have been recorded)
- Transactions or events that have occurred are recorded too late (i.e., they are recorded
in a period after the period in which they should have been recorded).

Classification Transactions and events have been Potential Misstatements relating to the Assertion classification, for income statement Valuation or allocation
recorded in the proper accounts. account balances, may result from:
- Input is recorded in the incorrect subsidiary ledger or general ledger account
- Subsequent processing of a transaction results in it being reflected in the incorrect
subsidiary ledger or general ledger account.

Assertions about account balances (balance sheet

accounts) at the period-end:
Existence Assets, liabilities, and equity interests Potential Misstatements relating to the Existence assertion, for balance sheet account Existence or occurrence
exist. balances, may result from:
- A balance sheet account balance that was previously correctly recorded no longer exists
and the sale/adjustment has not been recorded
- Sale of an asset with no recording of the sale
- Theft of an asset with no recording of the loss.

Rights and The entity holds or controls the rights Potential Misstatements relating to the Assertion rights and obligations, for balance sheet Rights and obligations
obligations to assets, and liabilities are the account balances, may result from:
obligations of the entity. - The entity no longer having the right to an asset that was previously correctly recorded
- The entity no longer having an obligation to settle a liability that was previously
correctly recorded.

Completeness All assets, liabilities, and equity Potential Misstatements relating to the Assertion completeness, for balance sheet account Completeness
interests that should have been balances, may result from:
recorded have been recorded. - A liability that should have been recorded has not been recorded (e.g., no accrual at
period-end for certain liabilities).

Valuation and Assets, liabilities, and equity interests Potential Misstatements relating to the Assertion valuation and allocation, for balance Valuation or allocation
allocation are included in the financial sheet account balances, may result from:
statements at appropriate amounts - Impairments of assets that are not identified and properly recorded
and any resulting valuation or - Inaccurate adjustments that are made to a balance sheet account balance that
allocation adjustments are inappropriately adjust the value of that balance sheet account balance
appropriately recorded. - Assets which are amortized over the incorrect period resulting in the remaining asset
balance being incorrectly valued
- Fair value adjustments that are not identified and properly recorded.

Assertions about presentation and disclosure:

Occurrence and Disclosed events, transactions, and Potential Misstatements relating to the presentation and disclosure assertions may result Presentation and disclosure
rights and other matters have occurred and from:
obligations pertain to the entity. - Fictitious or unauthorized disclosures are included in the Financial Statements
- Disclosures of contingent liabilities for which the entity no longer has an obligation for
- Disclosures that are intentionally omitted from the Financial Statements
Completeness All disclosures that should have been
- The captions in the Financial Statements result in amounts being presented in a
included in the financial statements
misleading way
have been included.
- Input is inaccurately captured into the Financial Statements
- Input into the Financial Statements reflects amounts in excess or less than appropriate
Classification and Financial information is appropriately amounts.
understandability presented and described, and
disclosures are clearly expressed.

Accuracy and Financial and other information are

valuation disclosed fairly and at appropriate
amounts.
Form 18**SDI.2, Loans Tickmarks
Tickmarks

{a} For most what could go wrongs listed within the "ROMM Overview" tab, multiple control activities have been
listed to possibly address the related risk. Engagement teams are encouraged to use professional judgment
in assessing which control or controls properly address the specific risk at their financial institution. More
than one control may apply and need to be tested to adequately address the related risk. Additionally, dual-
purpose testing may be appropriate with certain controls and substantive procedures. Therefore,
engagement teams are encouraged to consider both controls and substantive procedures when determining
the audit plan for loans.