We are a bank with a two employee audit department for a bank of $800 million in assets. The bank runs "lean and mean" regarding the staffing of other departments, thus our annual risk assessments produced by the Audit Department, comes out with a large number of high risk areas / functions that we need to review. We were just examined and the use of "limited resources" came up a couple of times in reference to the Audit Department. The department is staffed with a manager who performs audits about 30% - 40% of the time with the remainder of time toward administration and supervision. The other staff member audits about 90% of the time with the rest of the time devoted to miscellaneous duties. Without increasing the staff or outsourcing, how does one achieve the goal of meeting annual audit schedules under this scenerio? Does one limit the procedures performed in each area so that only the "super high" risks are reviewed in an area, perform audit reviews from a higher level (no substantive testing, just ICQ and leave it at that), or does one limit the sample size of items reviewed, or all of the above? Over the last couple of years the Audit Department has enhanced the comprehensiveness of its procedures and approach to come up with material findings; however, to reduce the number of audit procedures and sample size goes against logic since they have produced material results in the past and are standard procedures employed by any well run audit department. I have seen audit programs used by other financial institutions that would examine two or three major topics in an areas, while a complete audit program would require 6 or more; is this the only approach available that would in essence create a further "drilled down" ranking of all the "high" risk rated topics within an area / department/ function?
Any thoughts, any audit programs, or processes one might have that have been developed under this same scenerio would be most beneficial if can be shared.
Thank you most sincerely in advanced.