As mentioned, your internal audit plan should be based on risk assessments. For us, high risk areas are audited annually, moderate risk areas are audited every 2 years and low risk areas are audited every 3 years.
However, there are certain areas that examiners, external auditors, or your Board/Audit Committee may expect to be performed annually, regardless of your risk assessments.
Areas we audit annually regardless of risk assessment to make our examiners (FDIC) happy include: ACH (for NACHA compliance), BSA, Flood, Reg O, Fair Lending, SAFE Act, GLBA & Reg P, Trust.
To keep our external auditors happy (different external auditors have different expectations): 401(k), key accounting areas, investments, loan & deposit confirmations.
To keep my audit committee happy (varies by bank): Allowance for loan losses, employee accounts, expense reports, payroll & benefits.
To my knowledge, the only areas that MUST be audited annually are ACH (by December 1st) and SAFE Act.