The PCAOB’s requirements regarding information provided by the entity (IPE)and Electronic Audit Evidence (EAE) have evolved over time in response to the outgrowth of information technology and impacted the requisite workload for controls testing. Now, it’s a no-brainer to keep audit evidence, internal controls documentation, and other information used for compliance and audit purposes in digital, rather than physical format — at least in most cases. Much of the information used for financial reporting and other regulatory requirements come from IT systems. To address the risks associated with this transformation in audit procedures, regulators increased the scrutiny placed on system-generated audit evidence, like IPE and EAE. The question for CAEs is: how do these IPE requirements affect their internal audit team’s tests of controls, and what auditing standards need to be met to satisfy external auditors?
We’ll walk you through some of the best practices and pain points for IPE, and you can learn more by downloading your free copy of AuditBoard’s IPE Best Practices guide below.
What Is IPE and How Does It Affect Modern Audits?
IPE stands for information produced or provided by the entity. Sometimes, IPE is also referred to as EAE, or electronic audit evidence. () IPE is any information that is produced by the company or entity that is being audited, and provided as audit evidence, whether it’s for tests of controls or substantive procedures. IPE commonly takes the form of key reports or key spreadsheets that the entity uses in their operations.
IPE testing will occur during Sarbanes-Oxley (SOX) audits and Service Organization Controls (SOC) reporting audit procedures, and may be incorporated as part of risk assessment procedures as well.
In order to use IPE to test a control, the auditors must have comfort over the completeness and accuracy (sometimes known as C&A) of the evidence they are provided. That consists of three core components that characterize good system-generated IPE:
- Evidence to show that the information is coming from the source data or system, such as through a screenshot or live observation.
- Evidence of the report logic, such as the code, algorithms, or steps used to pull the report from the source and transform the data into a human-readable form.
- Evidence of the parameters or filters used to scope the report to the desired data set.
A copy of IPE in its original form should also be retained. Supporting documents to explain or evidence the completeness and accuracy of IPE should be sufficiently detailed to allow another auditor to follow the steps used to generate that evidence and come to the same result.
The onus to design and execute tests of IPE and obtain comfort over the evidence is upon the auditors, not the entity that is being tested. Together, the auditors’ combined audit process, documentation, tests, and workpapers should demonstrate that the IPE used to come to their conclusions is reliable, complete, and accurate, and mitigates any audit risk associated with IPE. Assessing the integrity of IPE encourages auditors to maintain a stance of professional skepticism that is crucial to the discipline. IPE testing and documentation are also included in the PCAOB’s review of CPA firms’ audits — another important reason to educate control owners and stakeholders about the importance of completeness and accuracy when generating reports for the purposes of the audit.
When the completeness and accuracy of IPE cannot be verified, auditors have the option of not using that report or evidence for testing; performing additional procedures to gain comfort over the IPE; or drawing information from a different source system.
How Does IPE Support SOX Compliance?
Complete and accurate IPE is a necessary part of SOX compliance and SOX controls testing. Today, any testing that is performed over a report, listing, or Excel document provided by the entity must meet auditing standards for IPE, which means verifying the source of the information, along with the logic and parameters that were applied to produce the information.
Without adequate completeness and accuracy for IPE, that evidence might not be usable, or require additional procedures and resources to gain comfort over it. External auditors performing SOX procedures are especially vigilant for completeness and accuracy of IPE due to the PCAOB’s stringency.
IPE and Audit Procedure Best Practices
IPE and the importance of completeness and accuracy in audits can be a major bottleneck for auditors and their clients or stakeholders. Sometimes, the request for screenshots and evidence to demonstrate the integrity of IPE can seem redundant or obsolete to stakeholders — in these cases, patience and willingness to educate are your best friends. Other best practices to follow are to manage IPE proactively and maintain IPE documentation.
Manage IPE Proactively
A good starting point and best practice for managing IPE is to identify all reports and spreadsheets currently being used by business owners and control owners for your existing SOX controls. This should give you a good starting list of all your IPE. From here, you should identify any other key documents your company is generating which are critical to financial statements or risk management, either directly or indirectly.
By keeping these documents organized and ready to pull, your organization will be ready to provide accurate IPE to auditors upon request.
Maintain IPE Documentation
To further streamline the management of IPE and the use of IPE for your organization’s audits, whether they’re for SOX compliance, SOC, or any other framework, your organization should maintain and update documentation about the IPE in your environment. The list of IPE, also known as a population, is a good start. By adding additional information to the list, such as the name of the report and the steps used to produce it, your organization can make IPE testing a cinch, and reduce the amount of time and resources expended on testing. The more clearly an auditor understands how IPE was generated and where it came from, the quicker the IPE verification process goes.
Image: Table of IPE Documentation
What Is the Difference Between IPE and PBC?
The differences between IPE and PBC evidence or documentation are fairly granular. IPE, information produced by the entity, actually includes and encompasses PBC evidence. PBC stands for provided by client, and means that the document or evidence was expressly provided to the auditors upon their request. IPE is broader, and includes information or reports that are used by the entity in their day-to-day operations, and not expressly for the purposes of the audit.
Workpapers or documentation that does not have an “IPE” or “PBC” notation means that the auditor created the document on their own.
Leverage Internal Control Management Software to Make IPE Documentation a Breeze
One of the hardest parts of managing IPE is keeping it organized, controlled, and up-to-date, while also managing who has access to modify the data. With modern Internal Control Management Software, your team can take charge of your organization’s IPE and set yourself up for success in SOX audits and beyond. Try AuditBoard today!
Frequently Asked Questions About IPE Audit and Controls
What is an IPE in an Audit and why must we address it?
IPE is information provided by the entity, and includes reports and spreadsheets that the company uses. IPE must be addressed to validate that the information has not been tampered with, and is complete and accurate.
Why is testing IPE important?
Testing IPE for completeness and accuracy is important to demonstrate the reliability and integrity of the reports and information being used for the audit.
How do we manage IPE in our environment?
IPE should be compiled into a listing or population, including commonly used reports and spreadsheets, which should then have completeness and accuracy information and metadata associated with it.
What are top audit procedures and best practices?
Two best practices for managing IPE for audits include being proactive about IPE and maintaining crucial IPE documentation.
Vice Vicente started their career at EY and has spent the past 10 years in the IT compliance, risk management, and cybersecurity space. Vice has served, audited, or consulted for over 120 clients, implementing security and compliance programs and technologies, performing engagements around SOX 404, SOC 1, SOC 2, PCI DSS, and HIPAA, and guiding companies through security and compliance readiness. Connect with Vice on LinkedIn.