TraceRiskUncategorizedAudit Scope and Frequency

Audit Scope and Frequency

Audit Scope and Frequency

Typically, the schedule of audit is cyclical. In reviewing the annual plan, the auditor should determine the appropriateness of the institution’s audit cycle. Audit planning and scheduling is also based upon the outcomes of risk assessments performed at least once annually on the listed Subjects. Generally, when residual risk is equal to or exceeds the institution’s stated risk appetite for a given Subject, best practices suggest that the Subject be audited no less than once annually and more often as deemed necessary. Subjects rated Low Risk should be audited at least once every 18 months; Subjects rated Moderate Risk should be audited at least once annually; and, Subjects rated High Risk should be audited once every 6 months until the residual risk rating is less than 5 for at least six months. As a general rule, any Subject assigned a Risk Appetite of Moderate or High should be audited at least once annually regardless of its residual risk rating. Also, the scope, timing and frequency of audits may also be influenced by the existence of a regulatory order, i.e., MRA, MOU or Consent Order.