I'm polling my fellow Internal Auditors regarding annual audit schedules......how many conducts the same audits on a frequency basis (e.g., every 12 or 18 mos.) vs. risk-based audits (whereby some areas would not deemed to be audited on a frequent basis)?
Is the latter more common these days? Are examiners concerned whether the audits are performed based on risk assessments or scheduled routine audits?

I think that the approach you take depends on the staff size you have. I think many of us here have already pointed out that we are understaffed and I would daresay that Internal Audit is an "understaffed" profession in general. That being said, I personally try to take somewhat of a more risk-based approach. The reason is simply that you only have a certain number of hours, especially if you are a one person shop, so you want those hours to be spent as wisely as possible. I think the risk-based approach allows you to do that.

I think that the risk-based approach is probably more common nowadays, but I honestly haven't been at this that long. I think that actually performing the risk assessment gives you documentation (so you can show the examiners how wonderful you are ), but it also helps you to get thinking about your particular institution and it's quirks.

I have a 12-month audit calendar in which all areas of the bank are covered. Based on risk assessments, some areas are covered more frequently, i.e., quarterly, etc. If problems are found in an annual audit, that area may be looked at again in 3 - 6 months (depending on the level and type of risk) rather than waiting another year.
Overall, it is a risk-based system, but all areas are guaranteed an audit at least once a year.
Our examiners seem to like this approach.

I use to perform a risk analysis annually to develop the upcoming annual audit plan. While we always had a goal of auditing every area every 12-18 months, that was just one risk factor in the analysis - length since last audit. Then we just let the chips fall where they may......

We use 12 months for high risk areas and 24 months for medium/low risk. If no findings in high risk areas for two audits, then area is bumped to 24 month cycle. However, loans, securities, and wire transfers will always be high risk due to high $$ amounts and potential for losses.

As one of our insurance requirements, all areas has to be audited at least once a year. Therefore, a 12 months audit schudle is prepared. I strongly agree with risk based auditing. In a big orgainzation the audit department would be unable to cover all areas in one year. Sometimes process auditing is being used as an alternative.

OCC told me that they like to see risk-based scheduling. Needless to say, that is now what I do.

Scheduling based upon a risk assessment is the only way to go. The examiners like to see that all functions are assigned a risk weighting and audits frequency based upon assigned risk.

For instance, BSA and wire trfs is audited quarterly whereas, signage is lumped in with other functions with low risk score.