Armanino Blog
Three Types of IPE and IPE Risks: A Controller’s Guide to SOX Compliance
by Luke Childress, Jonathan Bayeff
February 12, 2021

Updated February 03, 2022

Information produced by the entity (IPE) is any information that is produced internally by the company being audited and provided as audit evidence, whether for use in the execution of internal controls or for substantive audit procedures performed by an external auditor. In this article, we will discuss the three types of IPE you are most likely to encounter and the level of documentation and assurance each of them requires.

IPE that is subject to information technology general controls (ITGCs) does not typically require as high a level of assurance as IPE that is not subject to ITGCs. Let’s take a closer look at the three types of IPE, from most to least risky.

Types of IPE and Their Risks

High risk

An ad hoc query is any nonstandard query created to produce information on an as-needed basis. It is not subject to ITGCs and is the riskiest of the three types. It requires a high level of assurance, because the end user may use any set of parameters while generating a report. Because the report has not been previously vetted or tested, it will require greater scrutiny from auditors. Without involving the auditor’s IT team, an auditor cannot verify whether the parameters entered by the process owner will generate a report that is complete and accurate.

Medium risk

Custom reports are reports produced by the company’s in-house IT team. They are often generated when the business team requires that a certain data set be produced by the company’s enterprise resource planning (ERP) system. When an ERP system (e.g., Oracle NetSuite, QAD, Microsoft Dynamics 365, SAGE, SAP and EPICOR) lacks a standard or canned report that will satisfy the requirement, a custom report is required. The business team, therefore, works with the IT team to develop a query to produce the required result. Because this type of IPE has expected results that the business team can anticipate, it is not as risky as ad hoc queries. Custom reports are subject to normal testing and approval by the IT and business teams.

Low risk

Standard or canned reports are reports that come right out of the box. They have been developed by a software company and are included with ERP systems. Canned reports are preformatted and distributed to an entire organization. The end user on the business team, and in some cases on the IT team, has little to no ability to modify or reformat these reports. Because such reports can hardly be edited, they require less scrutiny by auditors.
