Welcome » IT Booklets » Audit » IT Audit Roles and Responsibilities » External Auditors
External auditors typically review IT control procedures as part
of their overall evaluation of internal controls when providing an
opinion on the adequacy of an institution's financial statements.
As a rule, external auditors review the general and application
controls affecting the recording and safeguarding of assets and the
integrity of controls over financial statement preparation and
reporting. General controls include the plan of organization and
operation, documentation procedures, access to equipment and data
files, and other controls affecting overall information systems
operations. Application controls relate to specific information
systems tasks and provide reasonable assurance that the recording,
processing, and reporting of data are properly performed.
External auditors may also review the IT control procedures as
part of an outsourcing arrangement in which they are engaged to
perform all or part of the duties of the internal audit staff. Such
arrangements are discussed in more detail in the "Outsourcing
Internal IT Audit" section of this booklet.
The extent of external audit work, including work related to
information systems, should be clearly defined in an engagement
letter. Such letters should discuss the scope of the audit, the
objectives, resource requirements, audit timeframe, and resulting
reports. Examiners will typically review the engagement letter,
reports, and audit work papers to determine the extent to which
they can rely on external audit coverage and reduce their
examination scope accordingly.