CAAT

Since management is responsible for all aspects of the company’s systems and controls, the client would certainly have to give permission for any software installation. ACCA’s article https://www.accaglobal.com/uk/en/student/exam-support-resources/fundamentals-exams-study-resources/f8/technical-articles/auditing-computer-environment.html doesn’t say one way or the other – so in practice it may be either – under the guidance/supervision of the other. There are research articles which raise a potential independence issues if the external auditor were to do it themselves – but this is not ruled out. There are articles out there (way above AAA interest) which suggest that if a business is worth “continuous auditing” (which is what is achieved with an embedded audit module – EAM), it should have an internal audit function as a monitoring control – and the internal auditor would be better placed to use EAMs. The external auditor would then place (potentially greater) reliance on the work if internal auditor (and not need to deploy their own EAMs).