We discussed the three types of IPE and their risks in Part 1, and how to document IPE in Part 2, which we hope provides a clear understanding of what IPE is and how to document it. In this article, we will give you a few tips and tricks to help you ensure that your IPE is refined, as well as some of the common traps and pitfalls that many process owners fall into. Like so many things, the devil is in the details when it comes to IPE, and unfortunately, a shortcut is the longest distance between two points.
Tips, Tricks & Traps
- Be sure to carefully consider whether the evidence in the performance of a control requires IPE consideration.
- If the information you are using does require IPE consideration, be sure to walk your steps back and ensure there are no gaps between the exported data and the data used to perform the control.
- Make sure you have IPE coverage for each report or application used in the performance of the control.
- The great thing about IPE is that if your control does not change and the reports utilized in the performance of the control do not change either, you can be comfortable with rolling forward your IPE consideration documentation to the following period. It is imperative to set up the documentation correctly the first time, and then everything will be easier from that point.
- Be sure to keep your IPE documentation in the workbook used in the performance of the controls. This will prevent you from accidentally omitting any required procedures.
- Beware of getting complacent when rolling your IPE forward to the following period. Make sure you perform all the documented steps each and every time. The one time you do not perform all the steps, will be the sample the audit team selects.
- When using exported data in Excel, be sure to use the exact information over which you performed IPE in the performance of the control. For instance, if you have exported data in tab 1 of an Excel workbook and you agreed that data back to the source financial reporting system, do not then copy that data from tab 1 to tab 2 and use tab 2 data to perform your control. In some cases, it is wise to save the original data as a backup, but by copying the data from tab 1 to tab 2, you must perform another IPE step. The act of moving the data broke the chain linking the system and the extract data together. To fix the issue, agree the data from tab 1 to tab 2 and demonstrate that the data was moved completely and accurately.
- Do not forget that your manually prepared Excel workbook requires IPE. Even though the data is not system-generated, it is information produced by the entity through an end-user computer tool.
Looking for SOX Compliance Expertise? We’re Here to Help.
Now that we have some clarity on the three types of IPE and the corresponding levels of documentation and assurance they require, we encourage you to take your documentation to the next level. Since the inception of the Sarbanes-Oxley (SOX) Act in 2002, Holtzman Partners has been helping clients to design and maintain a system of internal control over financial reporting that meets the necessary regulatory and PCAOB compliance standards. For our clients, which range from middle-market to large multinational conglomerates, we have always dedicated ourselves to delivering stellar results. With decades of experience, our Partners and skilled personnel have earned a strong reputation for providing SOX compliance services.
Whether you are looking for a full-blown internal audit team or simply a SOX veteran for a consultation, we have you covered. Get in touch if you would like a detailed consultation about IPE or internal controls that pertains to your company or industry in particular. Learn more about our suite of SOX Readiness & Compliance services here.