Maria, another idea that I use is the self-assessment.
I have a self-assessment schedule for the year and have responsible area managers review areas for compliance either quarterly or semi-annually or annually depending on the reg and our internal exposure. I then use the self-assessments to help me tweak my audit program.
From a compliance perspective, I can't get to everything every year. When I do audit an area, I pull their self-assessment and retest some of that work to help limit the scope of the review. If I can rely on management to do competent self-assessments, then I get more compliance audit coverage, because I spend less time in the areas but get more areas done.
The audit schedule is risk ranked based on various items, including self-assessment results.
My bank uses the carrot and stick approach: if management's upfront with an issue in the self-assessment and is working on getting it fixed, it probably won't end up as a significant audit finding (some regs excepted) when audit comes in to audit. However, if management is not upfront and the audit identifies areas that the self-assessment should have uncovered, the findings become significant because management wasn't addressing the issues.
The self-assessment process is part of my Compliance Program that the Audit Committee approves.
The audit schedule gets risk ranked over a 24 month period. We outsource our internal audit work, so I prepare a budget with the total number of hours that I want to audit that year. We contract to get those audits done during the year, and I hold the vendor's feet to the fire to make sure that I get the scheduled audits completed.