I would agree but take it a little bit further. All areas of the bank should be included in your risk assessment including areas you don't audit. These areas may not be audited due to the fact that you consider it such a low risk but you should be able to define that through your risk assessment for the examiner purpose. Also, you would want to include in your risk assessment any areas that are audited by outside firms. Also I perform a separate I/T Risk assessment that is principally built around the FFIEC Examination booklets.
_________________________
Praise God from whom all blessings flow!