BOL Conferences
#303013 - 01/12/05 11:19 PM Where does it say that a risk assessment is required?
Jayda's Mom Offline
100 Club
Joined: Jul 2002
Posts: 220
North
Where does it say that a risk assessment is required for the audit function? I know that it was recommended by examiners during the last review, and I have completed mine, but now that I want to take it for approval, my boss is wondering why I did this in the first place, and where does it say that it is required.

I thought it might be mentioned in an FIL but I can't seem to find it. Help please.

Stop the insanity.

Audit
#303014 - 01/13/05 12:59 AM Re: Where does it say that a risk assessment is required?
Kathleen O. Blanchard Offline

10K Club
Kathleen O. Blanchard
Joined: Dec 2000
Posts: 21,293
I don't know your regulator but the OCC discusses risk assessments as a foundation for a risk based audit program in their booklet on Internal and External Audits. Check page 14. Other regulators would have some similar guidance.

The idea being how can an audit program be risk based if no risk assessment was done?
_________________________
Kathleen O. Blanchard, CRCM "Kaybee"
HMDA/CRA Training/Consulting/Mapping
The HMDA Academy
www.kaybeescomplianceinsights.com

#303015 - 01/13/05 03:45 AM Re: Where does it say that a risk assessment is required?
Sisyphus Offline
100 Club
Sisyphus
Joined: Jun 2004
Posts: 214
Connecticut
Exams are risk-based by the FDIC, too. Specifically regarding compliance audits, I coordinate with the Chief Auditor each year as he sets his audit plan. He determines how much time his department will spend on each compliance audit based on the risk level of the regulation or the risk level of the department (determined by the Compliance Risk program). The Revised FDIC Compliance Exam procedures discuss risk-based exams. FDIC Compliance Exams
_________________________
Michele A. Johnson, Compliance Manager Integrated Compliance Solutions, LLC

#303016 - 01/13/05 03:28 PM Re: Where does it say that a risk assessment is required?
EdOils Offline
Platinum Poster
EdOils
Joined: Jan 2004
Posts: 555
Louisiana
From the INTERAGENCY POLICY STATEMENT ON THE INTERNAL AUDIT FUNCTION AND ITS OUTSOURCING:

Management, staffing, and audit quality. In managing the internal audit function, the manager of internal audit is responsible for control risk assessments, audit plans, audit programs, and audit reports.

> A control risk assessment (or risk assessment methodology) documents the internal auditor's understanding of the institution's significant business activities and their associated risks. These assessments typically analyze the risks inherent in a given business line, the mitigating control processes, and the resulting residual risk exposure of the institution. They should be updated regularly to reflect changes to the system of internal control or work processes, and to incorporate new lines of business.


> An internal audit plan is based on the control risk assessment and typically includes a summary of key internal controls within each significant business activity, the timing and frequency of planned internal audit work, and a resource budget.


> An internal audit program describes the objectives of the audit work and lists the procedures that will be performed during each internal audit review.


> An audit report generally presents the purpose, scope, and results of the audit, including findings, conclusions, and recommendations. Workpapers that document the work performed and support the audit report should be maintained.
_________________________
You gain education by reading the fine print. You gain experience by not.


Moderator:  Andy_Z