How much does IPE affect the work you do? Do you ever wish you had greater confidence in the level of documentation you have over key controls? Could you use help improving your documentation procedures? In Part 2 of our IPE guide, we have laid out a helpful roadmap to the successful identification, evaluation, and documentation of IPE in your financial reporting control environment.
When we discuss IPE with controllers and control owners, the initial reaction is usually “What is that?” or “Oh no, more work.” Though there is no sugarcoating the fact that the latter is true, the first question is an important one. “Information produced by the entity” (IPE) is any information that is produced internally by a company being audited and provided as audit evidence, whether for use in the execution of internal controls or for substantive audit procedures performed by an external auditor. (For more about what constitutes IPE and the different risks associated with using IPE in the execution of internal controls, see Part 1 of our IPE Guide.)
- What value does IPE consideration add to the documentation of a control?
- How do we ensure the documentation surrounding IPE is sufficient?
To be able to answer these questions thoroughly, we first need to understand what is considered IPE and the different risks associated with using IPE in the execution of internal controls. See Part 1 of our IPE Guide, for more information on this subject.
Once you have identified whether IPE is being used in the execution of internal controls or as audit evidence, how do you document your consideration of the evidence sufficiently? It is important to note that different auditors may require different kinds of evidence. However, no matter who the auditor is, several key questions must always be considered and answered. It is the control owner’s responsibility to demonstrate that the information used in the performance of a control is complete and accurate. In many cases, the individual performing the review as part of the control did not originate that data. Therefore, the reviewer must be satisfied that the presented workpaper is complete and accurate.
How to document IPE
To document IPE properly, the process owner must first be able to answer the following questions:
What is the name and type of the report that was run?
- Identifying the report is imperative because it dictates its risk level, which in turn dictates the level of assurance required. For details on the different types of reports and their corresponding risk rankings, please see Part 1 of our IPE Guide.
What parameters were used?
- Important parameters include the date range and the exclusion or inclusion of certain data. Such parameters indicate what data was pulled from the system and is the starting point of the IPE. If the data being pulled is inaccurate, the reporting and execution of the control has been compromised, and incorrect data yields inaccurate results.
How is the data exported?
- Data is typically exported as PDF, Excel, CSV (commas separated values), or text files, each of which has its own characteristics. Although PDF is the least prone to manipulation, it cannot be used easily for further calculations on its own. An Excel file export is the most common format, as it allows for the use of formulas and the performance of various operations on the data. A CSV file does not allow for operations to be performed on the data. However, because the data in a CSV file is in a tabular format, one can perform Excel-like functions on it. Text files, which contain no special formatting, are difficult to use. It is hard to guarantee that the data was exported completely and accurately, and this problem only gets more difficult as the volume of data grows.
Is there supporting documentation?
- Such documentation might include a screenshot capturing the export details, or a copy of a report that was rerun to ensure the appropriate data has been included. When the preparer performs a control and uses certain data, it is the responsibility of the reviewer to corroborate that the data used in the execution of the control is complete and accurate. When the preparer includes a screenshot, it allows the reviewer to ensure completeness and accuracy in two ways. The preferred way is by agreeing the total dollar amount or hash total per the extract report back to the screenshot. The second way is to agree the line count of the extract report back to the screenshot. If a screenshot was not or could not be provided due to restrictions of the system, the reviewer would need to rerun the report, which should agree to the original report used by the preparer.
Are you able to verify that the data was exported completely and accurately and has not been manipulated or improperly excluded?
- If you were able to successfully agree the data to supporting documentation, then you are finished. You have ensured completeness and accuracy over the data used, and the IPE may be relied on. However, if you were not able to agree the data to supporting documentation, and the variance cannot be explained, you must revisit the performed procedures. You may want to double-check the parameters used or investigate whether the data was manipulated incorrectly after it was extracted.
We hope you found this roadmap valuable and can begin to apply these principles in your business. Stay tuned for more IPE insights in Part 3 of our IPE Guide.
Looking for SOX Compliance Expertise? We’re Here to Help.
Now that we have some clarity on the three types of IPE and the corresponding levels of documentation and assurance they require, we encourage you to take your documentation to the next level. Since the inception of the Sarbanes-Oxley (SOX) Act in 2002, Holtzman Partners has been helping clients to design and maintain a system of internal control over financial reporting that meets the necessary regulatory and PCAOB compliance standards. For our clients, which range from middle-market to large multinational conglomerates, we have always dedicated ourselves to delivering stellar results. With decades of experience, our Partners and skilled personnel have earned a strong reputation for providing SOX compliance services.
Whether you are looking for a full-blown internal audit team or simply a SOX veteran for a consultation, we have you covered. Get in touch if you would like a detailed consultation about IPE or internal controls that pertains to your company or industry in particular. Learn more about our suite of SOX Readiness & Compliance services here.
- Three Types of IPE and IPE Risks: A Controller’s Guide to SOX Compliance
- IPE Tips, Tricks & Traps: A Controller’s Guide to SOX Compliance
- How Venture Capitalist & Private Equity Investors Should Investigate The Companies They Want to Buy
- Up to Speed on Sarbanes-Oxley (SOX)? What Pre-IPO Companies Need to Know