We are a national bank. What areas require an annual audit?

I believe banks are expected to take a risk based approach to this and base their audit schedule on their overall compliance risk assessment. However I was wondering if there are specific areas that are required to be reviewed at least annually?

As mentioned, your internal audit plan should be based on risk assessments. For us, high risk areas are audited annually, moderate risk areas are audited every 2 years and low risk areas are audited every 3 years.

However, there are certain areas that examiners, external auditors, or your Board/Audit Committee may expect to be performed annually, regardless of your risk assessments.

Areas we audit annually regardless or risk assessment to make our examiners (FDIC) happy include: ACH (for NACHA compliance), BSA, Flood, Reg O, Fair Lending, SAFE Act, GLBA & Reg P, Trust.

To keep our external auditors happy (different external auditors have different expectations): 401(k), key accounting areas, investments, loan & deposit confirmations.

To keep my audit committee happy (varies by bank): Allowance for loan losses, employee accounts, expense reports, payroll & benefits.

To my knowledge, the only areas that MUST be audited annually is ACH (by December 1st) and SAFE Act.

BSA must be audited every 12-18 months (depending on you Bank's Risk Assessment & prior Audit and Exam findings).