We are a bank with a two employee audit department for a bank of $800 million in assets. The bank runs "lean and mean" regarding the staffing of other departments, thus our annual risk assessments produced by the Audit Department, comes out with a large number of high risk areas / functions that we need to review. We were just examined and the use of "limited resources" came up a couple of times in reference to the Audit Department. The department is staffed with a manager who performs audits about 30% - 40% of the time with the remainder of time toward administration and supervision. The other staff member audits about 90% of the time with the rest of the time devoted to miscellaneous duties. Without increasing the staff or outsourcing, how does one achieve the goal of meeting annual audit schedules under this scenerio? Does one limit the procedures performed in each area so that only the "super high" risks are reviewed in an area, perform audit reviews from a higher level (no substantive testing, just ICQ and leave it at that), or does one limit the sample size of items reviewed, or all of the above? Over the last couple of years the Audit Department has enhanced the comprehensiveness of its procedures and approach to come up with material findings; however, to reduce the number of audit procedures and sample size goes against logic since they have produced material results in the past and are standard procedures employed by any well run audit department. I have seen audit programs used by other financial institutions that would examine two or three major topics in an areas, while a complete audit program would require 6 or more; is this the only approach available that would in essence create a further "drilled down" ranking of all the "high" risk rated topics within an area / department/ function?

Any thoughts, any audit programs, or processes one might have that have been developed under this same scenerio would be most beneficial if can be shared.

Thank you most sincerely in advanced.

Are there serious shortcomings in other departments being audited? Normally the highest risk get the most frequent in depth audits, and it stretches out and becomes less intense from there. "Limited resources" is usually code for "increase staff".

What always drives me crazy about regulators criticizing audit while the other departments are having issues is that you can audit until the cows come home but if the issues are not being fixed, the real issue is not being addressed. Increasing staff in audit won't fix the problems in the bank. If audits are weak and missing issues, that is one thing. But if the problems are not being addressed, that is another conversation entirely.