External auditor outsourcing contracts and engagement letters

Status: Live

The organization will maintain copies of all outsourced auditing contracts, engagement letters, audit reports, and policies and procedures. [UCF ID 01188]

Supporting and supported controls

This control directly supports:

External auditors [UCF Control ID 00683]

This control has the following supporting controls:

Review of external auditor outsourcing contracts and engagement letters [UCF Control ID 01189]

Review of external auditor outsourcing scope and work to be performed [UCF Control ID 01190]

Authority documents complied with:

FFIEC IT Examination Handbook – Audit, August 2003, Pg 7, Pg 22, Exam Tier I Obj 11.1; Securities Exchange Act of 1934, § 78j-1(l); German Corporate Governance Code ("The Code"), June 6, 2008, ¶ 7.2.2; The Dutch corporate governance code, Principles of good corporate governance and best practice provisions, 9 December 2003, ¶ V.1.2

Banking and Finance Guidance

An engagement letter should be written for external auditors that defines the expectations and responsibilities of both parties; the scope, frequency, and cost of the audit work to be conducted; the timeframe for the work; the resource requirements; the required reports; and the protocols for changing the contract; that states organizational information must be kept confidential; that audit reports are the property of the organization; and the location of where audit reports and work papers are being stored; and that provides the process for resolving problems. [Pg 7, Pg 22, Exam Tier I Obj 11.1, FFIEC IT Examination Handbook – Audit, August 2003]

NASD NYSE Guidance

It is unlawful for an organization to hire a public accounting firm to conduct an audit if the organization's chief executive officer, chief financial officer, controller, chief accounting officer, or other individual holding an equivalent position in the organization was employed by the public accounting firm or participated in an audit of the organization within the past year. [§ 78j-1(l), Securities Exchange Act of 1934]

Other European and African Guidance

The Supervisory Board is responsible for hiring the auditor and setting the fees paid to the auditor. [¶ 7.2.2, German Corporate Governance Code ("The Code"), June 6, 2008]

The audit committee must determine to what degree the external auditor will be involved in the publication and content of the financial reports. [¶ V.1.2, The Dutch corporate governance code, Principles of good corporate governance and best practice provisions, 9 December 2003]