Sorry, doing that from a tablet and got cut off early.
Frequency and risk are something set by the audit/risk management committee based on resources and other controls. For example, underwriting is a moderate high risk which can have compensating controls which lower it. Those could be centralized underwriting, no loan officer discretion, second review, etc. That would lower the fair lending risk to a low/moderate. At that time, you would verify the controls are in effect and effective.
Taking a look at the inherent risk and bank circumstances/controls (or lack of) to come out with a residual risk is probably as important as any other step that needs to be done, and would allow the risk officer the greatest return on the time investment. You did ask about frequency - dependant on how much management wants to spend. Sometimes programs are broken up into technical and substantive sections. You do the technical, and if no, or limited exceptions are found, it's finished. If there are errors then the substantive kicks in with the detailed testing or review. The frequency should be based of the risk and the potential for it to happen.
_________________________
Integrity. With it, nothing else matters. Without it, nothing else matters.