I've been working in IT Auditing for close to 5 years, primarily with SAP clients, but a few non-SAP clients as well, as an independent contractor (sub to E&Y and a perm gig with KPMG). What I find most enjoyable is being on the internal side, sinmply because I get to interact with the control owners and am able to obtain the best evidence available to show the effectiveness of said control. I've also been able while in this capacity to provide some consulting in the event SOD's are discovered, helping the client develop mitigating controls. Now I've also been able to maintain my own audot independence with regards to documenting tests and results as well, so I really like this side of the coin. External audits usually require reliance on someone else's work, and sometimes reperformance can get a little sketchy with what you have in terms of evidence, which provides a challenge. You have zero interaction with the client, which can complicate things as well, so those would be my negatives on the matter.
I also enjoy getting familiar with the client's IT setup, business vertical, and whatever controls they have around multiple systems. That can pose a challenge, but one I often look forward to engaging. Like the other poster mentioned, it does force me as an auditor to keep abreast of new technologies and how they're managed in terms of SOX and other IT Audit compliance regulations.
I hope this has helped answer your question. Feel free to reach out to me @firstname.lastname@example.org if you wish to discuss further.
John C. Fielder