External auditors typically review IT control procedures as part of their overall evaluation of internal controls when providing an opinion on the adequacy of an institution's financial statements. As a rule, external auditors review the general and application controls affecting the recording and safeguarding of assets and the integrity of controls over financial statement preparation and reporting. General controls include the plan of organization and operation, documentation procedures, access to equipment and data files, and other controls affecting overall information systems operations. Application controls relate to specific information systems tasks and provide reasonable assurance that the recording, processing, and reporting of data are properly performed.
External auditors may also review the IT control procedures as part of an outsourcing arrangement in which they are engaged to perform all or part of the duties of the internal audit staff. Such arrangements are discussed in more detail in the "Outsourcing Internal IT Audit" section of this booklet.
The extent of external audit work, including work related to information systems, should be clearly defined in an engagement letter. Such letters should discuss the scope of the audit, the objectives, resource requirements, audit timeframe, and resulting reports. Examiners will typically review the engagement letter, reports, and audit work papers to determine the extent to which they can rely on external audit coverage and reduce their examination scope accordingly.
Independence and Staffing of Internal IT Audit