Updated February 02, 2022
How much does information produced by the entity (IPE) affect the work you do? Do you ever wish you had greater confidence in the level of documentation you have over key controls? Could you use help improving your documentation procedures?
Here we have laid out a helpful roadmap to the successful identification, evaluation and documentation of IPE in your financial reporting control environment.
When we discuss IPE with controllers and control owners, the initial reaction is usually “What is that?” or “Oh no, more work.” Though there is no sugarcoating the fact that the latter is true, the first question is an important one.
IPE is any information that is produced internally by a company being audited and provided as audit evidence, whether for use in the execution of internal controls or for substantive audit procedures performed by an external auditor. It’s good to ask:
To be able to answer these questions thoroughly, you need to understand what is considered IPE and the different risks associated with using IPE in the execution of internal controls.
Once you have identified whether IPE is being used in the execution of internal controls or as audit evidence, how do you document your consideration of the evidence sufficiently? It is important to note that different auditors may require different kinds of evidence. However, no matter who the auditor is, several key questions must always be considered and answered.
It is the control owner’s responsibility to demonstrate that the information used in the performance of a control is complete and accurate. In many cases, the individual performing the review as part of the control did not originate that data. Therefore, the reviewer must be satisfied that the presented workpaper is complete and accurate.
To document IPE properly, the process owner must first be able to answer the following questions:
Identifying the report is imperative because it dictates its risk level, which in turn dictates the level of assurance required. For details on the different types of reports and their corresponding risk rankings, see three types of IPE and IPE risks.
Important parameters include the date range and the exclusion or inclusion of certain data. Such parameters indicate what data was pulled from the system and is the starting point of the IPE. If the data being pulled is inaccurate, the reporting and execution of the control has been compromised, and incorrect data yields inaccurate results.
Data is typically exported as PDF, Excel, CSV (commas separated values), or text files, each of which has its own characteristics. Although PDF is the least prone to manipulation, it cannot be used easily for further calculations on its own. An Excel file export is the most common format, as it allows for the use of formulas and the performance of various operations on the data.
A CSV file does not allow for operations to be performed on the data. However, because the data in a CSV file is in a tabular format, one can perform Excel-like functions on it.
Text files, which contain no special formatting, are difficult to use. It is hard to guarantee that the data was exported completely and accurately, and this problem only gets more difficult as the volume of data grows.
Such documentation might include a screenshot capturing the export details, or a copy of a report that was rerun to ensure the appropriate data has been included. When the preparer performs a control and uses certain data, it is the responsibility of the reviewer to corroborate that the data used in the execution of the control is complete and accurate. When the preparer includes a screenshot, it allows the reviewer to ensure completeness and accuracy in two ways. The preferred way is by agreeing the total dollar amount or hash total per the extract report back to the screenshot. The second way is to agree the line count of the extract report back to the screenshot.
If a screenshot was not or could not be provided due to restrictions of the system, the reviewer would need to rerun the report, which should agree to the original report used by the preparer.
If you were able to successfully agree the data to supporting documentation, then you are finished. You have ensured completeness and accuracy over the data used, and the IPE may be relied on.
However, if you were not able to agree the data to supporting documentation, and the variance cannot be explained, you must revisit the performed procedures. You may want to double-check the parameters used or investigate whether the data was manipulated incorrectly after it was extracted.
We hope you found this roadmap valuable and can begin to apply these principles in your business.
Contact our SOX and compliance experts if you would like a consultation about IPE or internal controls that pertains to your company or industry in particular.