In some cases, they can be. Ultimately, it depends on how comfortable auditors are with the accuracy and completeness of IPE in a particular company. Most companies still rely on spreadsheets to some extent and reports coming out of systems can be modified by the end user.
Thus, there is still a risk that the information could be misreported based on human error or fraud. In these cases, auditors will still require there to be some additional procedures around completeness and accuracy of reports/spreadsheets.
How Do We Manage IPE in Our Environment?
A good starting point is to identify all reports and spreadsheets currently being used by business owners for your existing SOX controls. This should give you a good starting population of all your IPE. From here, you should identify any other key financial documents that your company is generating which are critical to financial statements, either directly or indirectly.
Once you have a population, there are several approaches Internal Audit teams can take to manage IPE risk, including:
Locking up your IT environment.
Enhancing existing business process controls.
Maintaining a separate category of “IPE” controls.
Automating IPE control management.
Learn More about IPE Audits and Controls
Want to learn more about IPE audits and controls? Download our free guide on IPE Best Practices below.
Fill out the form below to get your free copy of IPE Best Practices, updated for 2021.