I believe the SAFE Act is another one that is specifically required to be audited annually, regardless of risk assessment.
There's "required" and then "strongly expected." We were written up last year in our (FDIC) compliance examination for not auditing flood and fair lending annually even though our risk assessments were moderate (due to zero audit and examiner findings the last 3 years and because our compliance officer reviews a large sample quarterly, etc.). Our Safety and Soundness examiners will write us up if we don't audit Reg O annually. The examiners specifically said, regardless of risk assessment, when civil monetary penalties are involved, you must audit annually. Or maybe better stated, your risk assessments are expected to be high for these areas so that you will audit them annually.
Last edited by DerrickAuditor; 06/22/11 05:48 PM.