Deficiency Aggregation Report


Reference | Description | Concluded severity | Deficiency type
CD2 | Management review of Inves | CD | Control activity
CD1 | Review of Actuarial Assumpt | CD | Control activity


Anti-fraud control | Component | IT layer | RAFIT
No | No component has been sel | N/A | N/A
No | No component has been sel | N/A | N/A


Account/disclosure and assertion

Debt securities measured at FVOCI (AV), Equity or debt securities designated as at FVTPL (AV), Revaluation Reserve (AV)

Employee Benefits (AV)


Severity evaluation

The potential magnitude of misstatement is considered to be low, given that what is driving the
control deficiency is the lack of review of the assumptions and inputs into the calculation.
However, the assumptions and inputs into the calculation are used by other banks in the industry;
therefore, management would not deem it required to perform much analysis of the assumptions
and inputs. Due to this, the severity evaluation was deemed not significant.
Due to the above facts, it is considered unlikely that a misstatement would occur as a result of
the control deficiency identified.

The potential magnitude of misstatement is considered to be low, given that what is driving the
control deficiency is the assumptions and given the nature of the deficiency specific to T&T; the
environment in T&T is considered stable, and the assumptions utilized are in line with those
used by other banks in the industry; therefore, management would not deem it required to perform
much analysis of the assumptions. Due to this, the severity evaluation was deemed not significant.
Due to the above facts, it is considered unlikely that a misstatement would occur as a result of
the control deficiency identified.

RAFITs
Access to programs and data
RAFIT 1.1 APD - Identification and authentication mechanisms are not implemented to restrict logical access to IT systems an
RAFIT 1.2 APD - Logical access permissions are granted to users and accounts (including shared or generic accounts) that are
commensurate with job responsibilities.
RAFIT 1.3 APD - Logical access permissions are not revoked in a timely manner.
RAFIT 1.4 APD - Logical access to users and accounts (including shared or generic accounts) that can perform privileged tasks
IT systems is unauthorized or not commensurate with job responsibilities.
RAFIT 1.5 APD - Physical access to facilities housing IT systems and/or electronic media is unauthorized or not commensurate
responsibilities.
Program changes
RAFIT 2.1 PC - Unapproved changes to IT system programs are implemented into the production environment.
RAFIT 2.2 PC - Changes to IT system programs do not function as intended.
RAFIT 2.3 PC - Unapproved changes to IT system configurations are implemented into the production environment.
RAFIT 2.4 PC - Changes to IT system configurations do not function as intended.
RAFIT 2.5 PC - Logical access to implement changes to IT system program or configurations into the production environment
not commensurate with job responsibilities.
Program acquisition and development
RAFIT 3.1 PD - Acquired or newly developed IT systems or major enhancements to existing IT systems are not authorized.
RAFIT 3.2 PD - Acquired or newly developed IT systems or major enhancements to existing IT systems are introduced into th
environment prior to their approval.
RAFIT 3.3 PD - Acquired or newly developed IT systems do not function as intended.
RAFIT 3.4 PD - Major enhancements to existing IT systems do not function as intended.
RAFIT 3.5 PD - Incomplete and/or inaccurate data is migrated to the production environment of acquired or newly develope
RAFIT 3.6 PD - Logical access rights are established and implemented for acquired or newly developed IT systems that are un
commensurate with job responsibilities.
Computer operations
RAFIT 4.1 CO - System jobs, processes, and/or programs do not function as intended or support the complete, accurate, and
data.
RAFIT 4.2 CO - Logical access to make changes to system jobs, processes, and/or programs is unauthorized or not commensu
responsibilities.
RAFIT 4.3 CO - Backups of programs and data are incomplete.
RAFIT 4.4 CO - Backups of programs and data are not able to be restored as needed.
RAFIT 4.5 CO - IT system incidents cause IT systems or data to become unavailable or inaccessible.
RAFIT 4.6 CO - IT system incidents cause IT systems to process transactions in an untimely manner.
