The FFIEC IT booklet series, which succeeded the older 1996 IS Handbook, provides a great foundation for you to create your own ICQs and audit scope, objectives, and plan. The examiners still follow the 4-pronged approach of management, audit, operations, and application systems (formerly "systems development"), and they have the added focus of business continuity and information security.
Conducting a technology risk assessment or IT audit will be different for everyone, depending upon the size of your institution, whether you have a managed security service or do these things internally, and depending upon whether you're examined by standalone IT examiners or as part of your safety and soundness examination.
Only you know your enterprise and what would constitute a true "audit" of technology risk issues specific to your enterprise. A one-size-fits-all questionnaire and audit format from other BOL posters may not even be relevant to your risks and applications, and the examiners will quickly spot this. You can't go wrong with the FFIEC booklets, and I would use them as the foundation for your review.