Armanino Blog
Information Produced by the Entity (IPE) Audit & Compliance
by Luke Childress, Jonathan Bayeff
February 11, 2021

Updated February 02, 2022

How much does information produced by the entity (IPE) affect the work you do? Do you ever wish you had greater confidence in the level of documentation you have over key controls? Could you use help improving your documentation procedures?

Here we have laid out a helpful roadmap to the successful identification, evaluation and documentation of IPE in your financial reporting control environment.

When we discuss IPE with controllers and control owners, the initial reaction is usually “What is that?” or “Oh no, more work.” Though there is no sugarcoating the fact that the latter is true, the first question is an important one.

IPE is any information that is produced internally by a company being audited and provided as audit evidence, whether for use in the execution of internal controls or for substantive audit procedures performed by an external auditor. It’s good to ask:

  • What value does IPE consideration add to the documentation of a control?
  • How do we ensure the documentation surrounding IPE is sufficient?

To be able to answer these questions thoroughly, you need to understand what is considered IPE and the different risks associated with using IPE in the execution of internal controls.

Once you have identified whether IPE is being used in the execution of internal controls or as audit evidence, how do you document your consideration of the evidence sufficiently? It is important to note that different auditors may require different kinds of evidence. However, no matter who the auditor is, several key questions must always be considered and answered.

It is the control owner’s responsibility to demonstrate that the information used in the performance of a control is complete and accurate. In many cases, the individual performing the review as part of the control did not originate that data. Therefore, the reviewer must be satisfied that the presented workpaper is complete and accurate.

How to Document IPE

To document IPE properly, the process owner must first be able to answer the following questions:

What is the name and type of the report that was run?

Identifying the report is imperative because the type of report dictates its risk level, which in turn dictates the level of assurance required. For details on the different types of reports and their corresponding risk rankings, see three types of IPE and IPE risks.

What parameters were used?

Important parameters include the date range and the exclusion or inclusion of certain data. Such parameters indicate what data was pulled from the system and are the starting point of the IPE. If the data being pulled is inaccurate, the reporting and execution of the control have been compromised, and incorrect data yields inaccurate results.

How is the data exported?

Data is typically exported as PDF, Excel, CSV (comma-separated values), or text files, each of which has its own characteristics. Although PDF is the least prone to manipulation, it cannot be used easily for further calculations on its own. An Excel file export is the most common format, as it allows for the use of formulas and the performance of various operations on the data.

A CSV file does not allow for operations to be performed on the data. However, because the data in a CSV file is in a tabular format, one can perform Excel-like functions on it.

Text files, which contain no special formatting, are difficult to use. It is hard to guarantee that the data was exported completely and accurately, and this problem only gets more difficult as the volume of data grows.

Is there supporting documentation?

Such documentation might include a screenshot capturing the export details, or a copy of a report that was rerun to ensure the appropriate data has been included. When the preparer performs a control and uses certain data, it is the responsibility of the reviewer to corroborate that the data used in the execution of the control is complete and accurate. When the preparer includes a screenshot, it allows the reviewer to ensure completeness and accuracy in two ways. The preferred way is by agreeing the total dollar amount or hash total per the extract report back to the screenshot. The second way is to agree the line count of the extract report back to the screenshot.

If a screenshot was not or could not be provided due to restrictions of the system, the reviewer would need to rerun the report, which should agree to the original report used by the preparer.

Are you able to verify that the data was exported completely and accurately and has not been manipulated or improperly excluded?

If you were able to successfully agree the data to supporting documentation, then you are finished. You have ensured completeness and accuracy over the data used, and the IPE may be relied on.

However, if you were not able to agree the data to supporting documentation, and the variance cannot be explained, you must revisit the performed procedures. You may want to double-check the parameters used or investigate whether the data was manipulated incorrectly after it was extracted.
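As an added example (not part of the original article), the sketch below agrees a CSV extract to the figures on supporting documentation using the line count, dollar total and hash total described above. The column names, sample rows and screenshot values are constructed assumptions.

```python
import csv
import io
from decimal import Decimal

# Constructed sample export; column names are assumptions for this example.
EXPORT_CSV = """invoice_id,customer,amount
10021,Acme Co,1250.00
10022,Birch LLC,"3,499.95"
10023,Cedar Inc,-200.00
10024,Dune Ltd,875.50
"""

# Values the preparer would read off the source-system screenshot (constructed).
SCREENSHOT = {"line_count": 4, "dollar_total": Decimal("5425.45"), "hash_total": 40090}


def summarize(csv_text, amount_col="amount", id_col="invoice_id"):
    """Return line count, dollar total and hash total for an exported CSV."""
    rows = list(csv.DictReader(io.StringIO(csv_text)))
    # Decimal avoids float rounding; strip thousands separators a tool may add.
    dollar_total = sum(
        (Decimal(r[amount_col].replace(",", "")) for r in rows), Decimal("0")
    )
    # Hash total: sum of a field with no monetary meaning, used only as a check.
    hash_total = sum(int(r[id_col]) for r in rows)
    return {"line_count": len(rows), "dollar_total": dollar_total, "hash_total": hash_total}


def variances(extract, support):
    """Return {field: (extract value, supporting value)} for every mismatch."""
    return {k: (extract[k], support[k]) for k in support if extract[k] != support[k]}


def drop_row(csv_text, invoice_id):
    """Simulate a row improperly excluded after extraction (demo only)."""
    lines = csv_text.splitlines(keepends=True)
    return "".join(l for l in lines if not l.startswith(f"{invoice_id},"))


if __name__ == "__main__":
    # Empty dict: the extract agrees to the supporting documentation.
    print(variances(summarize(EXPORT_CSV), SCREENSHOT))
    # Non-empty dict: an unexplained variance that must be investigated.
    print(variances(summarize(drop_row(EXPORT_CSV, 10023)), SCREENSHOT))
```

An amount edited after extraction leaves the line count and hash total unchanged, so only the dollar total flags it; running all three checks shows which kind of variance occurred.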

We hope you found this roadmap valuable and can begin to apply these principles in your business.

Contact our SOX and compliance experts if you would like a consultation about IPE or internal controls that pertains to your company or industry in particular.
