External auditors

Status: Live

The organization will ensure that the role of the external IT auditor is well defined and documented, and that the person or persons holding that title are properly trained for their assigned duties. [UCF ID 00683]

Supporting and supported controls

This control directly supports:

    Clearly define the roles and responsibilities of all involved in the auditing process [UCF Control ID 00678]

This control has the following supporting controls:

    External auditor outsourcing contracts and engagement letters [UCF Control ID 01188]
    External auditors must be present at the annual meeting to answer questions about how audits were conducted and what is contained in their reports [UCF Control ID 04587]

Authority documents complied with:

COSO Enterprise Risk Management (ERM) Integrated Framework (2004), Pg 98, Pg 99; PCAOB Auditing Standard No. 5, ¶ 4; SAS 109, Understanding the Entity and Its Environment and Assessing the Risks of Material Misstatement, § 314.14 thru § 314.21; AICPA SAS No. 94, The Effect of Information Technology on the Auditor's Consideration of Internal Controls, ¶ 2; Bank Secrecy Act (aka The Currency and Foreign Transaction Reporting Act), September 2000, Pg 31; FFIEC IT Examination Handbook – Audit, August 2003, Pg 7; FFIEC IT Examination Handbook – Outsourcing Technology Services, June 2004, Pg 22; FFIEC IT Examination Handbook – Supervision of Technology Service Providers, March 2003, App A.1; Securities Exchange Act of 1934, § 78j-1(g), § 78j-1(h); Federal Information Security Management Act of 2002 (FISMA), § 3545(b); ISO/IEC 15408-1:2005 Common Criteria for Information Technology Security Evaluation Part 1, § 6.1.2; EU 8th Directive (European SOX), Art 22, Art 23.3, Art 38, Art 42; OECD Principles of Corporate Governance, 2004, § V.D; German Corporate Governance Code ("The Code"), June 6, 2008, ¶ 7.2.1, ¶ 7.2.4; The Dutch corporate governance code, Principles of good corporate governance and best practice provisions, 9 December 2003, ¶ III.5.5, ¶ V.2.1; Corporate Law Economic Reform Program (Audit Reform and Corporate Disclosure) Act 2004, Sched 1 ¶ 93, Sched 1 ¶ 95, Sched 1 ¶ 96; CODE OF CORPORATE GOVERNANCE 2005, ¶ 11.5; PCAOB Auditing Standard No. 2, ¶ 30 thru ¶ 36; The King Committee on Corporate Governance, Executive Summary of the King Report 2002, March 2002, ¶ 6.1.1; Archer Control Table, ATCS-007

Sarbanes Oxley Guidance

External auditors provide a unique, independent, and objective view of the organization's financial objectives. They should report on any deficiencies they have identified, along with recommendations for addressing them. [Pg 98, Pg 99, COSO Enterprise Risk Management (ERM) Integrated Framework (2004)]

The auditor should have proficiency, technical training, and independence and should exercise "due professional care." [¶ 4, PCAOB Auditing Standard No. 5]

The audit team should meet to discuss the likelihood of material misstatements in the organization's financial statements. The lead auditor should decide who needs to be involved in the discussion; not all members of the team need to take part. The objective is for the team to understand how their procedures may affect other parts of the audit and to gain a better understanding of the potential for material misstatements in their areas. The team should also discuss areas of significant audit risk, unusual accounting procedures, control systems, and areas where management has overridden controls. Multiple discussions may be needed for the audit team to share information. The auditor should obtain an understanding of how the organization interacts with its industry and other external factors and how it deals with regulations; how the organization operates; what the organization's objectives and strategies are, and any related business risks; how the organization measures and reviews financial performance; and how the organization has implemented internal controls. [§ 314.14 thru § 314.21, SAS 109, Understanding the Entity and Its Environment and Assessing the Risks of Material Misstatement]

[¶ 2, AICPA SAS No. 94, The Effect of Information Technology on the Auditor's Consideration of Internal Controls]

Auditors should have technical training, be proficient and independent, and exercise due professional care, including professional skepticism. To be independent, an auditor should not act as management or an employee of the client, audit his or her own work, or have conflicting or mutual interests with the client. Further, the auditor must not serve as an advocate for his or her client. [¶ 30 thru ¶ 36, PCAOB Auditing Standard No. 2]

Banking and Finance Guidance

If the host country prohibits onsite examinations, the U.S. bank should hire external auditors to conduct the examination. [Pg 31, Bank Secrecy Act (aka The Currency and Foreign Transaction Reporting Act), September 2000]

External auditors should review the general controls and the application controls used by the organization. General controls include documentation procedures, physical access to equipment and data, and controls that affect the overall information systems operations. Application controls include controls for specific tasks and controls that provide assurance that the recording, processing, and reporting of data are being performed correctly. [Pg 7, FFIEC IT Examination Handbook – Audit, August 2003]

The organization should ensure the external auditor's training and experience are adequate and the auditing techniques of the third party service provider are appropriate. [Pg 22, FFIEC IT Examination Handbook – Outsourcing Technology Services, June 2004]

[App A.1, FFIEC IT Examination Handbook – Supervision of Technology Service Providers, March 2003]

NASD NYSE Guidance

Public accounting firms that perform audits for an organization are prohibited from performing non-audit services such as bookkeeping, actuarial services, internal audit outsourcing, financial information systems design and implementation, and valuation or appraisal services, or from providing investment banking services or legal services unrelated to the audit. The public accounting firm may provide non-audit services not listed above, including tax services, if pre-approval is granted by the audit committee. [§ 78j-1(g), § 78j-1(h), Securities Exchange Act of 1934]

US Federal Security Guidance

[§ 3545(b), Federal Information Security Management Act of 2002 (FISMA)]

ISO Guidance

The IT auditor should determine if the countermeasures adequately protect the data and if they have been implemented correctly. If they have been implemented correctly, the system should be allowed to operate. [§ 6.1.2, ISO/IEC 15408-1:2005 Common Criteria for Information Technology Security Evaluation Part 1]

EU Guidance

To maintain their independence, auditors and audit firms must not be involved in the decision-making process of the organization being audited and must not have a direct or indirect relationship (financial, employment, business, non-audit services, etc.) with the organization. When an auditor or audit firm is replaced by another auditor or audit firm, the incoming auditor or audit firm must be given access to all the information and reports created by the previous auditor or audit firm. Auditors or audit firms may be dismissed only on proper grounds. When an auditor or audit firm is dismissed or resigns, both the organization being audited and the auditor or audit firm must notify the public oversight authorities with an adequate explanation. Auditors and audit firms must annually confirm in writing to the audit committee their independence, disclose annually to the audit committee any additional services provided to the audited organization, and discuss with the audit committee any threats to independence and the safeguards taken to mitigate those threats. The audit partner responsible for the audit must rotate off the audit within a maximum of 7 years and may participate in the audit again only after a period of at least 2 years. The auditor or audit partner cannot be employed in a key management position of the audited organization until at least 2 years have passed since resigning from the audit. [Art 22, Art 23.3, Art 38, Art 42, EU 8th Directive (European SOX)]

External auditors should exercise due professional care when conducting an audit. [§ V.D, OECD Principles of Corporate Governance, 2004]

Other European and African Guidance

The auditor must submit a report to the audit committee stating any relationships between the auditor and the organization. He/she must note the other services he/she performed over the last year and whether any other services are contracted for the next year. The auditor must attend a Supervisory Board meeting to report on the results of the audit. [¶ 7.2.1, ¶ 7.2.4, German Corporate Governance Code ("The Code"), June 6, 2008]

External auditors are required to report any irregularities they discover in the financial reports to the audit committee. The external auditor must attend the annual meeting to answer any questions from shareholders. [¶ III.5.5, ¶ V.2.1, The Dutch corporate governance code, Principles of good corporate governance and best practice provisions, 9 December 2003]

The audit committee should recommend to the Board of Directors the appointment of any external auditors. [¶ 6.1.1, The King Committee on Corporate Governance, Executive Summary of the King Report 2002, March 2002]

Asia and Pacific Rim Guidance

An auditor or audit firm that conducts the audits of financial reports must state to the directors of the organization, in writing, that it has maintained its independence and professional conduct. The declaration must be given to the directors when the audit report is submitted and must be signed by the auditor or audit firm making the declaration. An auditor or audit firm that has played a significant role in the organization's audit for 5 consecutive years is not eligible to conduct an audit for the organization unless it has not performed an audit for the organization for at least 2 successive years. The organization must not appoint an auditor or audit firm unless the auditor or audit firm has consented before the appointment is made. [Sched 1 ¶ 93, Sched 1 ¶ 95, Sched 1 ¶ 96, Corporate Law Economic Reform Program (Audit Reform and Corporate Disclosure) Act 2004]

The audit committee should meet with the external auditors at least annually. [¶ 11.5, CODE OF CORPORATE GOVERNANCE 2005]

Metrics

The metrics associated with this control are as follows:

    Report on the percentage of required internal and external audits completed and reviewed [UCF Control ID 01677]

Copyright 2005-2009 Unified Compliance Framework™. All rights reserved.

Site and content © Copyright 2003-2009 Network Frontiers, LLC. All rights reserved.