Internal audit plans should be based on risk assessments. For us, high risk areas are audited annually, moderate risk areas are audited every 2 years and low risk areas are audited every 3 years.
However, there are certain areas that examiners, external auditors, or your Board/Audit Committee may expect to be performed annually, regardless of your risk assessments.
Areas we audit annually, regardless of risk assessments, to make our examiners (FDIC) happy include: ACH (for NACHA compliance), BSA, Flood, Reg O, Fair Lending, SAFE Act, GLBA & Reg P, Trust and Reg R.
To keep our external auditors happy (different external auditors have different expectations): 401(k), year-end balance sheet audit, investments, loan & deposit confirmations.
To keep our audit committee happy (varies by bank): allowance for loan losses, employee accounts, expense reports, payroll & benefits.
To my knowledge, the only areas that MUST be audited annually are ACH (by December 1st) and SAFE Act.