I own a CPA firm that specializes in IT auditing, so I naturally think all banks should have annual IT audits.
I am not aware of a regulatory requirement that mandates a frequency for IT audits. But, many insurance companies now require annual IT audits--so check your policy. If your policy has such a requirement, and if your bank suffers an IT-related embezzlement and no audit has been done, you'll likely find your coverage has been abrogated.
Also check to see if the IT audit has to be done by a CPA firm. A few insurance companies have added this stipulation to the "annual audit" requirement. I know of two cases where insurance companies refused to indemnify banks for embezzlement losses, because the IT audits were done by individuals the insurance companies deemed unqualified. (In both instances, the Auditors were retired Regulatory Examiners that did ". . . IT audits on the side.")
Regards,
Wayne Barnett, CPA
800-680-8692
www.barnettcpa.com
wbarnett@barnettcpa.com
Wayne Barnett, President
Wayne Barnett Software
A Texas Corporation
877-945-4344
www.barnettsoftware.com
wbarnett@barnettsoftware.com