Best Practices for IPE Audits and Controls [2021 Updated]

Art Turrubiartes Joshua Hollis
Art Turrubiartes & Joshua Hollis
Best Practices for IPE Audits and Controls [2021 Updated]

The PCAOB’s requirements regarding IPE and Electronic Audit Evidence have impacted the requisite workload for controls testing. The question for CAEs is: what do these new requirements mean for their company, and how can Internal Audit manage it?

Read below for our article discussing the pain points of managing IPE audits, developing IPE controls and best practices for staying compliant. Learn more by downloading your free copy of AuditBoard’s IPE Best Practices guide below.

What Is an IPE Audit and Why Must We Address It?

Information provided by the entity (IPE) is any information that is produced by the company and provided as audit evidence, whether it be for your controls testing or substantive procedures performed by external audit. In some environments, this is also referred to as electronic audit evidence (EAE) or key reports/spreadsheets.

Navigating Geopolitical Risk

Why Are ITGCs Not Enough?

In some cases, they can be. Ultimately, it depends on how comfortable auditors are with the accuracy and completeness of IPE in a particular company. Most companies still rely on spreadsheets to some extent and reports coming out of systems can be modified by the end user.

Thus, there is still a risk that the information could be misreported based on human error or fraud. In these cases, auditors will still require there to be some additional procedures around completeness and accuracy of reports/spreadsheets.

How Do We Manage IPE in Our Environment?

A good starting point is to identify all reports and spreadsheets currently being used by business owners for your existing SOX controls. This should give you a good starting population of all your IPE. From here, you should identify any other key financial documents that your company is generating which are critical to financial statements, either directly or indirectly.

Once you have a population, there are several approaches Internal Audit teams can take to manage IPE risk, including:

  1. Locking up your IT environment.
  2. Enhancing existing business process controls.
  3. Maintaining a separate category of “IPE” controls.
  4. Automating IPE control management. 

Learn More about IPE Audits and Controls

Want to learn more about IPE audits and controls? Download our free guide on IPE Best Practices below.

Fill out the form below to get your free copy of IPE Best Practices, updated for 2021.
IPE Best Practices
Art Turrubiartes

Art Turrubiartes, CPA, is the VP of Product Solutions at AuditBoard. Before joining AuditBoard, Art was a Risk consultant at EY, and has 5 years of internal audit experience within the Technology and Media & Entertainment sectors. Art’s focus at AuditBoard is to help internal audit teams drive efficiency in their programs and ultimately provide the best product solutions to clients. Connect with Art on LinkedIn.

Art Turrubiartes

Joshua Hollis, MBA, CISA, was Senior Manager of Product Solutions at AuditBoard. An alumni of RBC Capital Markets as well as PwC & EY, Josh has spent nearly a decade of his career consulting with some of the world’s largest financial institutions on the topics of audit best practices, finance and IT processes, risk programs, and regulatory compliance.

Related Articles