Updated February 03, 2022
Information produced by the entity (IPE) is any information that is produced internally by the company being audited and provided as audit evidence, whether for use in the execution of internal controls or for substantive audit procedures performed by an external auditor. In this article, we will discuss the three types of IPE you are most likely to encounter and the level of documentation and assurance each of them requires.
IPE that is subject to information technology general controls (ITGCs) does not typically require as high a level of assurance as IPE that is not subject to ITGCs. Let’s take a closer look at the three types of IPE, from most to least risky.
An ad hoc query is any nonstandard query created to produce information on an as-needed basis. It is not subject to ITGCs and is the riskiest of the three types. It requires a high level of assurance because the end user may use any set of parameters while generating a report. Because the report has not been previously vetted or tested, it will require greater scrutiny from auditors. Without involving the auditor’s IT team, an auditor cannot verify whether the parameters entered by the process owner will generate a report that is complete and accurate.
Custom reports are reports produced by the company’s in-house IT team. They are often generated when the business team requires that a certain data set be produced by the company’s enterprise resource planning (ERP) system. When an ERP system (e.g., Oracle NetSuite, QAD, Microsoft Dynamics 365, SAGE, SAP and EPICOR) lacks a standard or canned report that will satisfy the requirement, a custom report is required. The business team, therefore, works with the IT team to develop a query to produce the required result. Because this type of IPE has expected results that the business team can anticipate, it is not as risky as ad hoc queries. Custom reports are subject to normal testing and approval by the IT and business teams.
Standard or canned reports are reports that come right out of the box. They have been developed by a software company and are included with ERP systems. Canned reports are preformatted and distributed to an entire organization. The end user on the business team, and in some cases on the IT team, has little to no ability to modify or reformat these reports. Because such reports can hardly be edited, they require less scrutiny by auditors.