Audit Plan

Posted By: Banker

Audit Plan - 01/27/10 08:32 PM

I am completing my risk assessment and audit plan for 2010. I know that there are certain items that are required to be audited internally every year no matter what the risk assessment states. I want to make sure that I am not missing anything as far as REQUIRED audits to be performed EVERY year. The following is what I think must be audited:
-Investments/IRR
-CRE
-Ebanking
-BSA
-Wire Transfers
-ACH
-GLBA
Am I missing anything?

Posted By: Doug Thompson

Re: Audit Plan - 02/06/10 12:07 AM

We audit the following annually regardless of the risk assessment results.

• Loans (all areas including the allowance for loan losses)
• BSA/CIP/Patriot Act
• Compliance (Deposits, Lending, Operations)
• Interest Rate Risk
• Accounting and Reporting (including investments, capital, accounting and correspondent bank accounts)
• Information Technology/Security/GLBA
• Information Technology Vulnerability Assessment
• Branch Operations
• Wires

Posted By: Banker

Re: Audit Plan - 02/11/10 02:55 PM

Does anyone know which ones are REQUIRED to be audited annually? We are trying to keep costs down this year in these tough economic times. In our discussions of the audit plan with the audit committee this year, we will be weighing risk and cost. Can anyone help me with the ones that we MUST have audited no matter what the risk? For example, I have been told that Regulation W must be audited annually; is this a true statement? Help!
Posted By: Ready to Retire

Re: Audit Plan - 02/11/10 03:06 PM

BSA and ACH are two that are required annually. There are probably more.

Posted By: DerrickAuditor

Re: Audit Plan - 02/18/10 06:47 PM

To the best of my knowledge, only the following MUST be audited (internally or externally) annually regardless of your risk assessments:

BSA (per regulation)
ACH (required by NACHA)
GLBA (expectation of our FDIC examiners)
Flood (per our FDIC examiner because of civil monetary penalties)
IRR
Trust (if Trust assets under management are significant - ours are)
Transfer Agent (required by SEC if you are publicly traded)
HIPAA (if your health insurance plan is self-insured/funded)

Not required, but you might be questioned for not annually auditing:
Allowance for loan losses / Loan Review function
IT areas
Reg O
HMDA

Also, if your external auditors rely on your audit work, they may increase your external audit fees if you stop performing certain audits, as they will have to increase their workload. Which audits they "require" is between you and them.

Finally, you need to consider expectations of the Board's Audit Committee. As an example, ours expects me to audit HR/Payroll and expense reports annually regardless of risk assessments.

Posted By: Kathleen O. Blanchard

Re: Audit Plan - 02/18/10 06:50 PM

Actually, BSA is not required to be audited annually. The time period is based upon the risk assessment, although annual tends to be the norm (I know one high risk entity that audits twice a year). From the FFIEC manual:

Independent Testing

Independent testing (audit) should be conducted by the internal audit department, outside auditors, consultants, or other qualified independent parties. While the frequency of audit is not specifically defined in any statute, a sound practice is for the bank to conduct independent testing generally every 12 to 18 months, commensurate with the BSA/AML risk profile of the bank.