RL:
I think you will find that all of our audit programs and scopes are different. My scope even varies year-to-year.
We could send them to you, but I think you would be overwhelmed by the variances.
My suggestion (and this is just the turtle talkin') is to start with listing all of the functions of your bank....commercial lending, consumer lending, account opening....all of them! Figure out who is in charge of each process. Usually the VP that manages the work is better than the SVP in charge of the entire area. Some people will be on the list a number of times. Risk rate the whole process. Look at where you have risk, what controls (think policies, segregation, reports to managers, forms, signatures) you have in place to mitigate that risk and how well they work. Consider change in the staff performing the duties, training, new procedures or software and how material the function is the overall success of the bank. Rank your functional areas from riskiest and least risky and start auditing!
The first year I started at my current bank, I couldn't believe what our riskiest area turned out to be. Our external auditors (who review our risk assessment) thought the process was flawed, too. But not, so.... we really did have some risk in that area. Like I said at the start.... I think it really is bank-dependent. And even then, each risk assessment is a snapshot of risk at that moment.
Setting the scope basically works the same way. I get management participation, too. They do the risk assessment and, trust me, they know what keeps them up at night.
Resources? I'm an IIA member and I belong to the financial services group of that association. They have books, webinars, local meetings, national conferences, certifications, etc.
Hope at least some of this very long post is helpful.
Oh...and I almost forgot to welcome you to BOL!!! Welcome!