Three Types of IPE & IPE Risks: A Controller’s Guide to SOX Compliance

“Information produced by the entity” (IPE) is any information that is produced internally by the company being audited and provided as audit evidence, whether for use in the execution of internal controls or for substantive audit procedures performed by an external auditor. In this article, we will discuss the three types of IPE you are most likely to encounter, and the level of documentation and assurance each of them requires. IPE that is subject to Information Technology General Controls (ITGCs) does not typically require as high a level of assurance as IPE that is not subject to ITGCs. Let’s take a closer look at the three types of IPE, from most to least risky.

Types of IPE and their risks

High Risk:

  • An Ad Hoc query, which is not subject to ITGCs, is the riskiest of the three types. An Ad Hoc query is any nonstandard query created to produce information on an as-needed basis. It requires a high level of assurance, because the end-user may use any set of parameters while generating a report. Because the report has not been previously vetted or tested, it requires greater scrutiny from auditors. Without involving the auditor’s IT team, an auditor cannot verify whether the parameters entered by the process owner will generate a report that is complete and accurate.

Medium Risk:

  • Custom reports are reports produced by the company’s in-house IT team. They are often generated when the business team requires that a certain data set be produced by the company’s enterprise resource planning (ERP) system. When an ERP system (e.g., Oracle NetSuite, QAD, Microsoft Dynamics 365, SAGE, SAP, and EPICOR) lacks a standard or canned report that will satisfy the requirement, a custom report is required. The business team, therefore, works with the IT team to develop a query to produce the required result. Because this type of IPE has expected results that the business team can anticipate, it is not as risky as Ad Hoc queries. Custom reports are subject to normal testing and approval by the IT and business teams.

Low Risk:

  • Standard or canned reports are reports that come right out of the box. They have been developed by a software company and are included with ERP systems. Canned reports are preformatted and distributed to an entire organization. The end-user on the business team, and in some cases on the IT team, has little to no ability to modify or reformat these reports. Because such reports can hardly be edited, they require less scrutiny by auditors.

Looking for SOX Compliance Expertise? We’re Here to Help.

Now that we have some clarity on the three types of IPE and the corresponding levels of documentation and assurance they require, we encourage you to take your documentation to the next level. Since the inception of the Sarbanes-Oxley (SOX) Act in 2002, Holtzman Partners has been helping clients to design and maintain a system of internal control over financial reporting that meets the necessary regulatory and PCAOB compliance standards. For our clients, which range from middle-market to large multinational conglomerates, we have always dedicated ourselves to delivering stellar results. With decades of experience, our Partners and skilled personnel have earned a strong reputation for providing SOX compliance services.

Whether you are looking for a full-blown internal audit team or simply a SOX veteran for a consultation, we have you covered. Get in touch if you would like a detailed consultation about IPE or internal controls that pertain to your company or industry in particular. Learn more about our suite of SOX Readiness & Compliance services here.
