
March 7, 2008

Proposal & Engagement Letter

Information Technology Controls Review, Risk Assessment and Audit Services

Sample Financial Institution

The Garland Group 2610 W. FM 544 Wylie, Texas www.thegarlandgroup.net 1


Table of Contents

Firm Summary

Risk-Based Methodology and Scope

GLBA Review Requirements

Staffing

Other Services and Products

Sample Controls Review Reports

Sample Risk Assessment Reports

References and Related Experience

Proposed Fee

Engagement Letter: Agreed and Accepted



Firm Summary

The Garland Group was founded in 1981 (as DCS, Inc.) by Henry E. Garland as a privately owned
company dedicated to software development and consulting services, specializing in the IBM
System/36, System/38 and the IBM AS/400-iSeries. Since then we have expanded our consulting
services to cover Microsoft Windows NT/2000/2003, Citrix MetaFrame/Terminal Services, Windows
desktop operating systems, Novell, LAN/WAN integration, technology audits and Web/Internet
design. Today The Garland Group has broadened and organized its expertise to provide one source for
all of your information management needs: consulting and software.

The Garland Group provides all levels of technology risk, audit and compliance services for financial
institutions and related companies, including risk-based FFIEC technology audits, risk assessments,
contingency planning, vulnerability assessments and management consulting. We use our own
risk-rating software combined with over 20 years of experience in the financial services industry.

Our success comes from years of experience and keeping abreast of the latest technological innovations.
With emerging capabilities such as Client/Server computing, hand-held computing, imaging, electronic
data interchange (EDI), telephony and voice/data retrieval, bar coding, relational databases and open
system connectivity, we are implementing new methods for business to achieve maximum profitability.
For the past 20+ years, our company has provided top quality expertise with proven results to a wide
variety of industries. At The Garland Group, we provide ideas and methodologies that streamline your
day-to-day operations using today’s latest technology. Most importantly, we work with you from
beginning to end making sure your needs and expectations are met on time and within budget.

For the past 20 years we have worked with financial institutions and related companies to provide audits
that comply with all FFIEC and ATM guidelines. Our reviews incorporate the most recent FFIEC guidance
and the CobiT 4.0 framework to provide audit coverage of all the areas covered by regulators, and more.

OUR TRACK RECORD

• Named to INC magazine’s INC 500 List in 1991, 1992, and 1993 as one of the fastest growing
privately-held companies in America.

• Achieved Bronze level recognition in the IBM Mark of Quality program. The Mark of Quality program
is an IBM-sponsored quality competition patterned after the Malcolm Baldrige National Quality Award.

• Participant in the pre-announcement and development of the AS/400 with IBM in Rochester,
Minnesota.

• Former member of the Open Standards Committee with IBM.

• Former member of the National Advisory Council of Business Partners to IBM.

• Microsoft-, Citrix-, CISSP- and CISA-certified professionals



Risk Based Methodology and Scope

Our internal audit engagement will provide consulting services to your Audit Committee of the Board of
Directors and/or designated management representative, assisting them in fulfilling their responsibility
of establishing appropriate levels of internal audit scope and procedures. This assistance will include
working with your management team in identifying risks associated with the Institution’s information
systems.

Internal Controls Review and Risk Assessment

The objective of our engagement is to assess the risk associated with the general controls and the
policies and procedures related to the Institution’s information systems. Our work steps will be based on
the internal control guidelines set forth in the Information Technology Examination Handbook of the
Federal Financial Institutions Examination Council (FFIEC). These are the same control objectives used by
regulatory examiners when examining information systems in financial institutions and independent
service bureaus. Additionally, we have incorporated the CobiT (Control Objectives for Information and
related Technology) framework into our scope of work. CobiT, jointly created by ISACA and ITGI, is a
generally accepted framework of best practices for the management of IT resources. By incorporating
both frameworks, our reviews draw on an established body of information systems concepts and
practices, sound information systems controls, and examination work programs. These control objectives
are used to evaluate potential risk areas within the institution. The review of technology general controls
will follow a systematic pattern of data collection, testing, observation and analysis.

Specifically, we will:
• Interview key data processing personnel.
• Review selected documentation and other documented controls.
• Observe operations activity and the control environment.
• Review security procedures and physical safeguards.
• Define and report overall risk in the Technology area.

Scope of Procedures

Testing will be performed to the extent necessary to confirm our understanding of the risk levels
represented in the controls. In evaluating the MIS general controls as a basis for providing
recommendations, we will consider:

• Setting a baseline risk based on the complexity of the Institution’s information systems.
• The applicability of each MIS general control objective to the environment at the Institution.
• The relative effectiveness of existing controls that support the objectives.
• The presence of compensating internal controls.
• The relative cost/benefit of various control alternatives.

The areas of MIS general controls that will be covered during the engagement are listed on the following
pages. As stated above, each area will be considered with respect to the standards set forth in the
FFIEC Information Technology Examination Handbook and the CobiT framework, specifically under the
guidance of the Community Financial Institutions Information Systems Exam Work Program. Each area
will also be evaluated with a focus on greater efficiency and stronger controls.



Risk Based Methodology and Scope

The Garland Group uses the specific guidelines set forth by the FFIEC and CobiT as a baseline to
evaluate risk. Below are brief descriptions of each of the twelve FFIEC handbook booklets The Garland
Group will cover in your Information Technology Audit. Each section of our final reports will contain
supplements and cross-mappings to the applicable CobiT control objectives. This will show what each
booklet covers and what The Garland Group will do to assess your financial institution’s compliance
with it.

Audit

When performing controls reviews, The Garland Group takes into account the institution’s size,
complexity and overall risk profile. An effective IT audit function should:

• Identify the areas of greatest IT risk exposure to the institution in order to focus audit resources;
• Promote the confidentiality, integrity and availability of information systems;
• Determine the effectiveness of management’s planning and oversight of IT activities;
• Evaluate the adequacy of operating processes and internal controls;
• Determine the adequacy of enterprise-wide compliance efforts related to IT policies and internal
control procedures; and
• Require appropriate corrective action to address deficient internal controls, and follow up to ensure
management promptly and effectively implements the required actions.

In evaluating the IT audit function we consider:

• Independence of the audit function and its reporting relationship to the board of directors or its audit
committee;
• Expertise and size of the audit staff relative to the IT environment;
• Identification of the IT audit universe, risk assessment, scope and frequency of IT audits;
• Processes in place to ensure timely tracking and resolution of reported weaknesses; and
• Documentation of IT audits, including work papers, audit reports and follow-up.

Business Continuity Planning

Effective business continuity planning establishes the basis for financial institutions to maintain and
recover business processes when operations have been disrupted unexpectedly. Reviewing a financial
institution's BCP is an established part of examinations performed by the FFIEC member agencies, as
well as an important metric of CobiT. However, new business practices, changes in technology, and
increased terrorism concerns, have focused even greater attention on the need for effective business
continuity planning and have altered the benchmarks of an effective plan. In most cases, recovery time
objectives are now much shorter than they were even a few years ago, and for some institutions recovery
time objectives are based on hours and even minutes.

Many financial institutions are incorporating business continuity considerations into business process
development to proactively mitigate the risk of service disruptions. In creating an effective BCP, financial
institutions should not assume a reduced demand for services during the disruption. In fact, demand for
some services (e.g., ATMs) may increase.



Risk Based Methodology and Scope

Development and Acquisition

Development and Acquisition is defined as “an organization’s ability to identify, acquire, install, and
maintain appropriate information technology systems.” The process includes the internal development of
software applications or systems; and the purchase of hardware, software, or services from third parties.

Development and Acquisition describes common project management activities and emphasizes the
benefits of using well-structured project management techniques. The Garland Group will use general
project management standards, procedures, and controls and assess various development, acquisition,
and maintenance project risks.

The objectives of reviewing development, acquisition, and maintenance activities are to identify
weaknesses or risks that could negatively impact an organization; to identify entities whose condition or
performance requires special supervisory attention; and to subsequently recommend corrective action.
The Garland Group will conduct risk-focused reviews that assess the overall effectiveness of an
organization’s project management standards, procedures, and controls.

E-Banking

The E-Banking guidelines help identify the risks associated with electronic banking (e-banking) activities.
The review primarily covers e-banking risks from the perspective of the services or products provided to
customers.

The Garland Group will use the examination procedures and document request letter items to review
risks in the electronic delivery of financial products and services. These procedures address services and
products of varied complexity. The procedures could be used independently or in combination with
procedures from other IT Handbook booklets or from agency handbooks covering non-IT areas.

Wires - FedLine - FedLine Advantage or Third-Party Vendors

The FedLine guidelines address the risks, risk management practices and mitigating controls necessary
to establish and maintain an appropriate operating environment for the FedLine Funds Transfer (FT)
application.

FedLine (DOS-based) and FedLine Advantage are the Federal Reserve Banks’ proprietary electronic
delivery channels for financial institution access to Federal Reserve financial services. The guidance
primarily targets operational (transaction) risks related to funds transfers. Management, however, should
also understand the indirect impact this funds transfer system could have on other risk areas within the
institution.

Should the Institution use a third-party provider for funds transfer, The Garland Group will review all
security and user settings for those products.



Risk Based Methodology and Scope

Information Security

Information is one of a financial institution’s most important assets. Protection of information assets is
necessary to establish and maintain trust between the financial institution and its customers. Timely and
reliable information is necessary to process transactions and support financial institution and customer
decisions. A financial institution’s earnings and capital can be adversely affected if information
becomes known to unauthorized parties, is altered, or is not available when it is needed.

Information security is the process by which an organization protects and secures systems, media, and
facilities that process and maintain information vital to its operations. Security programs must have
strong board and senior management level support, integration of security responsibilities and controls
throughout the organization’s business processes, and clear accountability for carrying out security
responsibilities. The Garland Group will apply this guidance in determining the level of security risk to
the organization and evaluating the adequacy of the organization’s risk management.

Management

The examination procedures in the Management guidelines, as well as control objectives outlined in the
CobiT framework, assist The Garland Group in evaluating financial institution risk management processes
to ensure effective information technology (IT) management.

Effective IT management in financial institutions maximizes the benefits from technology and supports
enterprise-wide goals and objectives. The IT department typically leads back-office operations, network
administration, and systems development and acquisition efforts. IT management also provides expertise
in choosing and operating technology solutions for an institution’s lines of business such as commercial
credit and asset management, or enterprise-wide activities such as security and business continuity
planning. This dual role and the increasing use of technology raise the importance of IT management in
effective corporate governance.

Management of IT in financial institutions is critical to the performance and success of an institution.
Sound management of technology involves more than containing costs and controlling operational risks.
An institution capable of aligning its IT infrastructure to support its business strategy adds value to its
organization and positions itself for sustained success. The board of directors and executive
management should understand and take responsibility for IT management as a critical component of
their overall corporate governance efforts.

Operations

The Operations guidelines address IT operations in the context of tactical management and daily
delivery of technology to capture, transmit, process, and store the information assets and support the
business processes of the institution. The procedures contained within the FFIEC and CobiT frameworks
assist The Garland Group in evaluating an institution’s controls and risk management processes relative
to the risks of technology systems and operations that reside in, or are connected to the institution.
Additional consideration is given to ensuring that business processes are sound and that institution staff
are well trained.



Risk Based Methodology and Scope

Retail Payment Systems

Retail Payment Systems procedures provide guidance to examiners, financial institutions, and
technology service providers (TSP) on identifying and controlling information technology (IT)-related
risks associated with retail payment systems and related activities. Financial institutions, either in
consortiums or acting independently, remain the core providers to businesses and consumers for most
retail payment instruments and services.

The Garland Group will use the examination procedures for evaluating the risks and risk management
practices at financial institutions offering retail payment system products and services. These procedures
address services and products of varied complexity, and The Garland Group will adjust the procedures,
as appropriate, for the scope of the examination and the risk profile of the institution.

Outsourcing (if any)

The Outsourcing Technology Services guidelines provide guidance and examination procedures to assist
examiners and Institution management in evaluating a financial institution’s risk management processes
to establish, manage, and monitor IT outsourcing relationships. Financial institutions can outsource many
areas of operations, including all or part of any service, process, or system operation. Examples of
information technology (IT) operations frequently out-sourced by institutions and addressed in this
booklet include: the origination, processing, and settlement of payments and financial transactions;
information processing related to customer account creation and maintenance; as well as other
information and transaction processing activities that support critical functions, such as loan processing,
deposit processing, fiduciary and trading activities; security monitoring and testing; system development
and maintenance; network operations; help desk operations; and call centers. The booklet addresses an
institution’s responsibility to manage the risks associated with these outsourced IT services.

Technology Service Providers (if any)

The Technology Service Providers guidelines primarily govern the supervision of technology service
providers (TSPs) and briefly summarizes the Federal Financial Institutions Examination Council (FFIEC)
member agencies’ (agencies) expectations of financial institutions in the oversight and management of
their TSP relationships. The Garland Group assesses the agencies’ risk-based supervision approach, the
supervisory process, and the examination ratings used for information technology (IT) service providers.

Wholesale Payment Systems (if any)

The Wholesale Payment Systems section provides guidance to examiners and financial institution
management regarding the risks and risk-management practices when originating and transmitting
large-value payments. In addition to describing the information technology risks and controls, the
procedures also describe certain credit and liquidity risks that may be present when conducting
wholesale payment services.

The Garland Group will use the examination procedures for reviewing risks in wholesale payment
systems. These procedures address services and products of varied complexity, and The Garland Group
will adjust the procedures for the scope of the examination and the size and risk profile of the institution.



Risk Based Methodology and Scope

Reporting

Our report will summarize the scope of our work and include our findings and recommendations
concerning the above procedures and results of our assessment of MIS general controls. We will
recommend specific changes for your consideration in order to strengthen any controls, as believed
necessary considering the associated cost and benefit relationships to the extent practical. If desired by
your management, we will also be available to provide additional consulting services to address any
finding or recommendations noted.

The procedures that we will perform are solely to assist you in the review of selected internal control
considerations and completion of certain audit procedures related to your specific internal audit
objectives. Ultimately, as is currently the case, the Board of Directors will be responsible for the scope of
internal audit procedures and the resolution of any audit findings.

Our engagement will not include an examination of all aspects of your system of internal controls or
testing of all areas of its operations, and therefore, we will not express an opinion on your system of
internal controls. Our engagement will not enable us to address legal or regulatory matters or abuses of
management discretion, including fraud or defalcations; such matters should be discussed
by you with legal counsel. Our procedures will not include a detailed examination of all transactions and
cannot be relied on to disclose all errors or irregularities that may exist. Additionally, our engagement is
not for the purpose of discovering security flaws within your MIS applications software or networking
software. However, we will inform your designated management or Board representative of any such
material matters that come to our attention. Because these procedures will not constitute an audit made
in accordance with generally accepted auditing standards, they will not result in an opinion on any of the
items specified in the above audit scope, on the financial statements of Institution taken as a whole, or
on the Institution’s system of internal control. Each of the audited areas will be summarized as part of
the final Recommendations made, and will appear in final reports, once management responses are
received.

Our report will be furnished solely for the information and use of the Board of Directors, the Audit
Committee, management and the Institution’s regulatory agencies. Our procedures will not be planned
or conducted in contemplation of reliance by any other party or with respect to any specific transaction.
Therefore, items of possible interest to an unidentified party may not be specifically addressed or
matters may exist that could be assessed differently by such party. Provisions for Institution personnel
and regulators to access specific workpapers will be communicated and made available upon request.
All audit reports and workpapers will be located at our local office: 2610 West FM 544, Wylie, Texas, and
The Garland Group will maintain all workpapers on file for a period of five (5) years.

In the event we are requested or authorized by the Institution or are required by government regulation,
subpoena, or other legal process to produce our documents or our personnel as witnesses with respect
to our engagements for the Institution, the Institution will, so long as we are not a party to the
proceeding in which the information is sought, reimburse us for our professional time and expenses, as
well as the fees and expenses of our counsel, incurred in responding to such requests.

It is agreed by the Institution and The Garland Group or any other successors in interest that no claim
arising out of services rendered pursuant to this agreement by or on behalf of the Institution shall be
asserted more than two years after the date of the last report issued by The Garland Group. This letter
constitutes the complete and exclusive statement of agreement between The Garland Group and the
Institution, superseding all other communications oral or written with respect to the terms of the
engagement between the parties.



GLBA Review Requirements

Overall Review Objectives

The Garland Group’s Technology Audit and Risk Assessment methodology is designed to cover a review
of all policies and procedures required by the Gramm-Leach-Bliley Act of 1999.

The financial institution is expected to meet the following objectives:

• Ensure the security and confidentiality of customer records and information;
• Protect against any anticipated threats or hazards to the security or integrity of such records; and
• Protect against unauthorized access to or use of such records or information which could result in
substantial harm or inconvenience to any customer.

Specific Regulatory Compliance Steps Reviewed (as applicable):

The Garland Group’s onsite review, verification and testing will determine whether the financial
institution is:

• Placing access controls on customer information systems;
• Placing access restrictions on physical locations containing customer information;
• Encrypting electronic customer information when required;
• Adopting procedures to ensure that system modifications are consistent with the institution’s
information security program;
• Adopting dual control procedures, background checks and segregation of duties for personnel
with access to customer information;
• Installing monitoring systems and procedures to detect attacks and intrusions into customer
information systems;
• Adopting response programs that specify the actions to be taken in the event of an actual or
suspected intrusion, including reporting to regulators and law enforcement; and
• Protecting customer information from destruction or loss due to physical and environmental
hazards such as fire, water damage or technical failure.



Staffing

The most critical element in the successful completion of any engagement of this nature is the personnel
assigned to carry out the responsibilities.

The Garland Group is committed to excellence in the performance of the many services we offer. We can
assist you across a wide spectrum of information technology services. To provide state-of-the-art
services to our clients, we have assembled a highly skilled and dedicated team that allows us to perform
technology assessments and audits at every level.

The background of our team is specifically IT oriented, and its members have many years of experience
and expertise working in all phases of information services and supporting information technology
environments. They have been responsible for managing large software installation projects, information
systems reviews, new application system design, programming, and data center reorganization and
restaffing. They have worked in many industries, but most consulting work has been in general
management, manufacturing, distribution and finance/banking.

In recent years, The Garland Group has specialized in managing and performing many risk-based FFIEC
governed internal technical reviews involving a variety of hardware, software and operating
environments. These reviews include all aspects of computer security and business continuity planning.
Reviews cover operations controls, systems development and documentation controls, hardware and
systems controls, access controls, data and procedural controls, physical security, application and
processing controls, compliance testing and off-site storage.

Some of the specific IT review experience includes:

• Review of software techniques
• Midrange and large mainframe systems
• Communications equipment and networks
• Operating systems
• Physical Security
• Access Security
• Systems Development and Maintenance Control
• Organizational Controls
• Various Application Controls
• Data Security
• Business Continuity Planning
• CORE Banking System Solutions



Other Services and Products

SERVICES:

Risk Assessments
We provide a comprehensive and integrated understanding of your processes and your technologies
and how they impact your business operations. We identify ways to increase your effectiveness and
efficiency while reducing your risks.

Comprehensive Security Reviews


Our ‘CSR’ Review includes the following:
• Social Engineering
• Penetration Testing
• Vulnerability Assessments

We conduct rigorous internal and external intrusion tests, analyze the vulnerabilities found, and provide
you with a report of those findings and the remediation needed. Social Engineering is the practice of
deceiving people into revealing sensitive information. We use our experience to examine your
susceptibility to social engineering threats such as pretext calling, dumpster diving, email phishing, U.S.
mail scams and online reconnaissance. The CSR includes all of the tests listed above, but we can also
provide a single specified test or a separate assessment on request.

ATM Audits
ATM networks (PULSE, STAR, NYCE, VISA, etc.) all require compliance with the American National
Standards X9.8 (PIN management and security), X9.24 (retail financial services key management) and
X3.92 (the Data Encryption Algorithm). The TG-3 PIN Security and Key Management Security Review is
governed by these standards. The ATM review, very simply, looks at the encryption of the PIN at its entry
into the system through an ATM or POS terminal. It analyzes how the keys are obtained, stored and used,
and then maps the flow of the encrypted PIN from the terminal to the network. This review is required to
be performed by an accredited auditor who has completed the course in Network Security Compliance
for PIN and Key Management.
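As an added illustration of what the PIN portion of such a review verifies (this is example code written for this page, not The Garland Group's software or audit tooling), the following Go program builds an ANSI X9.8 / ISO 9564-1 format 0 PIN block, encrypts it with triple DES under a PIN encryption key, and performs the host-side recovery and format checks. The PAN, PIN and key are constructed sample values; key loading and derivation under X9.24 are assumed to have already happened inside the PIN pad and are not shown.

```go
package main

import (
	"crypto/cipher"
	"crypto/des"
	"encoding/hex"
	"errors"
	"fmt"
	"strings"
)

// Added example: X9.8 / ISO 9564-1 format 0 PIN block under TDES (X9.52; single
// DES is X3.92). A real EPP never exposes the clear PIN; this runs in software.

// pekCipher accepts a double-length (16-byte, K1|K2) or triple-length (24-byte)
// PIN encryption key; crypto/des wants 24 bytes, so K1|K2 becomes K1|K2|K1.
func pekCipher(pek []byte) (cipher.Block, error) {
	if len(pek) == 16 {
		pek = append(append([]byte{}, pek...), pek[:8]...)
	} else if len(pek) != 24 {
		return nil, errors.New("TDES key must be 16 or 24 bytes")
	}
	return des.NewTripleDESCipher(pek)
}

func allDigits(s string) bool { return s != "" && strings.Trim(s, "0123456789") == "" }

// panField: "0000" + rightmost 12 PAN digits excluding the Luhn check digit.
func panField(pan string) ([]byte, error) {
	if len(pan) < 13 || !allDigits(pan) {
		return nil, errors.New("PAN must be 13+ digits")
	}
	noCheck := pan[:len(pan)-1]
	return hex.DecodeString("0000" + noCheck[len(noCheck)-12:])
}

// clearPinBlock: ('0' | PIN length nibble | PIN digits | 'F' fill) XOR panField.
func clearPinBlock(pin, pan string) ([]byte, error) {
	if len(pin) < 4 || len(pin) > 12 || !allDigits(pin) {
		return nil, errors.New("PIN must be 4..12 digits")
	}
	pf := fmt.Sprintf("0%X%s", len(pin), pin)
	a, _ := hex.DecodeString(pf + strings.Repeat("F", 16-len(pf)))
	b, err := panField(pan)
	if err != nil {
		return nil, err
	}
	for i := range a {
		a[i] ^= b[i]
	}
	return a, nil
}

// encryptPinBlock: one TDES-ECB block, as handed from the PIN pad to the host/switch.
func encryptPinBlock(pek, blk []byte) ([]byte, error) {
	c, err := pekCipher(pek)
	if err != nil {
		return nil, err
	}
	out := make([]byte, 8)
	c.Encrypt(out, blk)
	return out, nil
}

// recoverPin is the host-side inverse; it rejects a block whose format nibble,
// length nibble, digits or fill do not check out (for example a wrong PAN).
func recoverPin(pek, enc []byte, pan string) (string, error) {
	c, err := pekCipher(pek)
	if err != nil {
		return "", err
	}
	blk := make([]byte, 8)
	c.Decrypt(blk, enc)
	b, err := panField(pan)
	if err != nil {
		return "", err
	}
	for i := range blk {
		blk[i] ^= b[i]
	}
	h := strings.ToUpper(hex.EncodeToString(blk))
	n := int(blk[0] & 0x0f)
	if h[0] != '0' || n < 4 || n > 12 {
		return "", errors.New("not a valid format 0 PIN block")
	}
	pin, fill := h[2:2+n], h[2+n:]
	if !allDigits(pin) || strings.Trim(fill, "F") != "" {
		return "", errors.New("bad PIN digits or fill")
	}
	return pin, nil
}

func main() {
	// Constructed sample values: not real card data and not a production key.
	pan, pin := "4321987654321098", "1234"
	pek, _ := hex.DecodeString("0123456789ABCDEFFEDCBA9876543210")
	blk, _ := clearPinBlock(pin, pan)
	enc, _ := encryptPinBlock(pek, blk)
	got, _ := recoverPin(pek, enc, pan)
	fmt.Printf("clear %X  encrypted %X  recovered %s\n", blk, enc, got)
}
```

The XOR with the PAN field is why a PIN block captured on one card cannot simply be replayed against another account, and why a host must check the format and fill nibbles after decryption rather than trust whatever digits come out; an auditor tracing the PIN flow looks for exactly these checks, and for the clear block never existing outside the tamper-resistant PIN pad.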

PROJECT MANAGEMENT TOOLS:

Project Management of Audits and Services


To maximize communication between our staff and clients, The Garland Group uses a project
management tool called “Basecamp” to manage and track all aspects of the audits and services we offer.
This access-controlled, web-based site allows us to post and track all messages, files, reports, emails and
other information needed in the course of an audit. Clients will be given limited access to this tool
through The Garland Group for the duration of the audit. Using “Basecamp” simplifies the process
considerably and greatly enhances communication between staff and clients.

PRODUCTS:

RiskKey
A secure web-based risk management software tool developed by The Garland Group that will help
analyze and assess risk for your financial institution. Subscriptions are available, and more information
can be found at www.riskkey.com

Banktastic
A community helping bankers quickly find relevant, industry specific information and share it with
others. www.banktastic.com



Sample Controls Review Reports

The following section includes samples from the full risk-based FFIEC Controls Review Report that The
Garland Group will provide to your financial institution.

• The first sample page contains a section of the Internal/External Audit report. (This is just one of
thirteen sections defined by the FFIEC guidelines that will be included in the final report; see the list
below. The final report usually totals more than 200 pages.)

• The remaining pages are samples of the Recommendations & Management Comments Recap page
that is included in the final reports once the management responses have been received by The
Garland Group.

The following is a list of all of the sections that will be included in the final reports (as they pertain to
your financial institution):

1. Recommendations
(included in Executive Summary and Controls Review Report)
2. Internal Audit
3. Management
4. Operations
5. Business Continuity Planning
6. Information Security
7. E-Banking
8. Wires/FedLine/FedLine Advantage
9. Retail Payment Systems
10. Development & Acquisition
11. Gramm-Leach-Bliley
12. Outsourcing (if any)
13. Technology Service Providers (if any)
14. Wholesale Payment Systems (if any)



Risk-Based Controls Review Report Sample

This is a page from the Internal Audit section of the workpapers used for the full FFIEC IT Audit. Each
line item is addressed individually by our auditors and documented in spreadsheet format.

This is a screenshot of the first page of just one of the 10 or more reports you will receive in the full
FFIEC Controls Review section of the final reports.

Sample: [screenshot not reproduced]



Sample Risk Assessment Reports

The following pages include samples from the full Risk Assessment Report that The Garland Group
will provide to your financial institution.

This sample section contains sample assessment data produced by our proprietary risk-rating
software, “Risk Key.”

There are a total of eight or more reports produced by Risk Key that are used by our Technology
auditors on site.

You will receive a report on each of the following sections:

1. Recommendations and Responses Report (see previous section for sample)
2. Report by Overall Risk
3. Report by Findings
4. Report by Threat Level
5. Report of Safeguard Level
6. Report by Person Assigned
7. Report by Upcoming Target Dates
8. Report by Past Target Dates



Risk Assessment Report Sample

This is a sample page from the Recommendations section of the final RiskKey report you will receive.
This report includes all findings and recommendations to your financial institution from The Garland
Group, as well as the management responses and a color-coded Overall Risk Rating by our auditors.
This report is also included in the Executive Summary.



Risk Assessment Report Samples



References & Related Experience

Name: Dennis Giesecke (formerly with Inwood National Bank-Dallas)
Job Title: VP, Information Services
Company: Citizens National Bank—Henderson
Business Address: 201 W. Main St.
Henderson, Texas 75655
Business: (903) 657-8521 x350
E-mail: dgiesecke@CNBTexas.com

Name: Jan Webb
Job Title: COO
Company: Independent Bank
Business Address: 3090 Craig
McKinney, Texas 75070
Business: (972) 562-9004
E-mail: jwebb@independent-bank.com

Name: Glenna Lowe
Job Title: SVP, Risk Management & Compliance
Company: LegacyBank Texas
Business Address: 5000 Legacy Dr.
Plano, Texas 75024
Business: (972) 461-7123
E-mail: glennaL@legacytexas.com

Name: Dan Nerada
Job Title: Audit
Company: North Dallas Bank
Business: (972) 716-7150
E-mail: DNerada@ndbt.com

Name: Ross Hood
Company: Formerly with FirstBank Southwest
Mailing Address: 6012 Millie Pl.
Amarillo, Texas 79119
Business: (806) 670-0707
E-mail: kkhood@arn.net

Name: Ernest Kubacak
Job Title: Senior VP
Company: Colonial Savings
Business Address: 2626 C West Freeway
Ft. Worth, Texas 76113-2988
Business: 817-390-2000
E-mail: ernestk@colonialsavings.com



Proposed Fee

THREE-YEAR AGREEMENT
(Beginning in 2008)
for a

Full Risk-Based Technology Controls Review & Risk Assessment

$TBD per year
(includes 1 year free use of RiskKey with one Training session)

In addition to the above fees, travel and other administrative expenses will be billed at the actual amount
incurred. The above fees include the cost of producing one copy of all final reports. Additional copies
will be produced at a charge of $15 per copy. The fees quoted in this proposal will remain valid for 90
days from the date of issuance. An initial billing of 30% of the professional fee is due upon the
acceptance of this proposal, and on each anniversary date of this agreement. Another 40% of the
professional fee is due at the end of fieldwork, and the last 30% of the fee is due upon receipt of our final
report. Invoices are due and payable 15 days after receipt. Should The Garland Group not receive
management responses from the Institution within 30 days of the Institution receiving the request, The
Garland Group reserves the right to bill and collect for the final 30%.

If, during the course of this project, the nature or scope of our work should change, we would discuss
such matters with you and any expected effect on our fee estimate. The estimated fees are based on
anticipated cooperation from your personnel and the assumption that unexpected circumstances will not
be encountered during the engagement. If significant additional time is necessary for any reason, we
will discuss it with you and arrive at a new estimate before we incur additional costs.

This Agreement shall be in effect for a period of three (3) years and shall be automatically renewed for
successive periods of one (1) year on the contract anniversary, if not terminated in writing ninety (90)
days prior to expiration. Should this agreement be renewed automatically, the total monthly cost shall
increase by 15%, and the client will be billed 30% at that time. This Agreement may be terminated
without cause with ninety (90) days’ written notice and payment of the early termination fee. The early
termination fee is calculated as 50% of the total remaining unpaid contract fees left in this
Agreement. Should either party breach this Agreement, it may be terminated upon ninety (90) days’
written notice.

Limitation of Liability
The Garland Group’s maximum liability relating to the services rendered under this proposal (regardless
of form of action, whether in contract, negligence or otherwise) shall be limited to the charges paid to
The Garland Group for the portion of its services or work products giving rise to the liability. In no event
shall The Garland Group be liable for consequential, special, incidental or punitive loss, damage or
expense (including without limitation, lost profits, opportunity costs, etc.) even if it has been advised of
their possible existence. The Garland Group does not make any other express or implied warranties,
including, but not limited to, the implied warranties of merchantability and fitness for a particular
purpose. In no event shall The Garland Group be liable for lost profits or consequential damages even if
The Garland Group has been advised of the possibility of such damages.

Indemnification
Client shall indemnify, defend, and hold The Garland Group, its employees, officers, and agents,
(“Indemnities”) harmless from all expenses, damages, costs, penalties, liability and amounts incurred in
judgments or settlements, including attorneys’ fees suffered by Indemnities, or any of them, as a result of
threatened, pending or completed investigations, enforcement actions, claims, demands or any and all
lawsuits against Indemnities or Client as a result of services performed.


Client Responsibilities:
The Client shall provide complete, timely information and data to meet the requirements of the
engagement. The Client shall furnish the required information and data as expeditiously as is necessary
for the orderly progress of the work. The Garland Group will rely on its accuracy and completeness. The
Garland Group cannot be held responsible in any way for information provided by the Client. The Client
shall designate a representative authorized to make commitments on the Client’s behalf for this
Engagement and Agreement. The Authorized Representative shall render decisions promptly to avoid
delay in the progress of The Garland Group’s services. The Client’s Authorized Representative for this
engagement shall be listed in the Agreement and Acceptance section of the Proposal.

Termination for Failure to Make Payment:
The Garland Group may suspend performance of services under this Agreement if the Client fails to
make payment when due. Before suspending service, The Garland Group will give seven (7) days written
notice to Client. If The Garland Group does not receive payment in full within seven (7) days of the date
of the notice, the suspension shall take effect without further notice. If there is a suspension of services,
The Garland Group shall have no liability to the Client for delay or damage caused the Client because of
such suspension of services.

Confidentiality:
The Garland Group agrees to keep confidential:

• The financial, statistical and personnel data of the Client.
• Information that is clearly designated in writing as confidential by the Client.

The Garland Group will instruct its personnel to keep such information confidential by using the same
discretion that they would use with similar data that The Garland Group designates as confidential. If
requested by the Client, The Garland Group will return all confidential data of the Client upon termination
of this Agreement. However, The Garland Group shall not be required to keep confidential any data
which:

• Is or becomes publicly available.
• Is already in The Garland Group’s possession, excluding information covered by previous
confidentiality agreements.
• Is independently developed by The Garland Group outside the scope of this Agreement.
• Is rightly obtained by/from third parties.

In addition, The Garland Group shall not be required to keep confidential any ideas, concepts, know-how
or techniques related to data processing.

GLBA Compliance
The Garland Group ensures that all information obtained by The Garland Group, whether verbally or by
documentation, will be handled in compliance with Section 501 of GLBA. The Gramm Leach Bliley Act ("GLBA")
Safeguards Rule is a federal law that requires businesses that provide financial products or services to
ensure the security and confidentiality of their customers' personally identifiable, non-public financial
information. This includes electronic and paper records.

Successors and Assigns:
The Client and The Garland Group, respectively, bind themselves, their partners, successors, assigns and
legal representatives to this Agreement. Neither the Client nor The Garland Group shall assign this
Agreement without the written consent of the other.



Engagement Letter: Agreed and Accepted

Full Risk-Based Technology Controls Review & Risk Assessment
FOR A THREE-YEAR AGREEMENT
(Beginning in 2008)

$TBD per year

(includes 1 year free use of RiskKey with one Training session)

This proposal is Agreed and Accepted by:

Financial Institution

_____________________________________
Signature

___________________________________________, 2008
Date

The Garland Group

_____________________________________
Signature

___________________________________________, 2008
Date

Please call (972)429-8200 if you have any questions. We look forward to working with you. If this letter
defines the arrangements, as you understand them, please sign and date the enclosed copy and return it
to us.

The Garland Group
www.thegarlandgroup.net
2610 West FM 544
Wylie, Texas 75098

Office: (972)429-8200
Fax #: (972) 429-8216
