IPE Best Practices for Audits and Controls

The PCAOB’s requirements regarding information provided by the entity (IPE) and Electronic Audit Evidence (EAE) have evolved over time in response to the growth of information technology, which has affected the workload required for controls testing. Now, it’s a no-brainer to keep audit evidence, internal controls documentation, and other information used for compliance and audit purposes in digital, rather than physical, format, at least in most cases. Much of the information used for financial reporting and other regulatory requirements comes from IT systems. To address the risks associated with this transformation in audit procedures, regulators increased the scrutiny placed on system-generated audit evidence, like IPE and EAE. The question for CAEs is: how do these IPE requirements affect their internal audit team’s tests of controls, and what auditing standards need to be met to satisfy external auditors?

We’ll walk you through some of the best practices and pain points for IPE.

What Is IPE and How Does It Affect Modern Audits?

IPE stands for information produced or provided by the entity. Sometimes, IPE is also referred to as EAE, or electronic audit evidence. IPE is any information that is produced by the company or entity that is being audited, and provided as audit evidence, whether it’s for tests of controls or substantive procedures. IPE commonly takes the form of key reports or key spreadsheets that the entity uses in its operations.

IPE testing will occur during Sarbanes-Oxley (SOX) audits and Service Organization Controls (SOC) reporting audit procedures and may be incorporated as part of risk assessment procedures as well.

In order to use IPE documentation as evidence in control testing, the auditors must determine whether the IPE is complete and accurate (sometimes known as C&A). This consists of three core components that characterize good system-generated IPE:

A copy of IPE in its original form should also be retained. Supporting documents to explain or evidence the completeness and accuracy of IPE should be sufficiently detailed to allow another auditor to follow the steps used to generate that evidence and come to the same result.

The onus to design and execute tests of IPE and obtain comfort over the evidence is upon the auditors, not the entity that is being tested. Together, the auditors’ combined audit process, documentation, tests, and workpapers should demonstrate that the IPE used to come to their conclusions is reliable, complete, and accurate, and mitigates any audit risk associated with IPE. Assessing the integrity of IPE encourages auditors to maintain a stance of professional skepticism that is crucial to the discipline. IPE testing and documentation are also included in the PCAOB’s review of CPA firms’ audits — another important reason to educate control owners and stakeholders about the importance of completeness and accuracy when generating reports for the purposes of the audit.

When the completeness and accuracy of IPE cannot be verified, auditors have the option of not using that report or evidence for testing; performing additional procedures to gain comfort over the IPE; or drawing information from a different source system.

How Does IPE Support SOX Compliance?

Complete and accurate IPE is a cornerstone of Sarbanes-Oxley (SOX) compliance and controls testing. Today, any testing that is performed over a report, listing, or spreadsheets provided by the entity must meet auditing standards for IPE, which means verifying the source of the information, along with the logic and parameters that were applied to produce the information. For instance, system-generated reports must demonstrate traceability back to original source data and undergo robust validation to confirm the report is both complete and accurate.

Without adequate completeness and accuracy for IPE, that evidence might not be usable, or might require additional procedures and resources to gain comfort over it. External auditors performing SOX procedures are especially vigilant for completeness and accuracy of IPE due to the PCAOB’s stringency. The PCAOB emphasizes that IPE must be complete, tamper-proof, and accompanied by adequate documentation to support audit conclusions.

IPE and Audit Procedure Best Practices

IPE and the importance of completeness and accuracy in audits can be a major bottleneck for auditors and their clients or stakeholders. Sometimes, the request for screenshots and evidence to demonstrate the integrity of IPE can seem redundant or obsolete to stakeholders — in these cases, patience and willingness to educate are your best friends. Other best practices to follow are to manage IPE proactively and maintain IPE documentation.

Manage IPE Proactively

A good starting point and best practice for managing IPE is to identify all reports and spreadsheets currently being used by business owners and control owners for your existing SOX controls. This should give you a good starting list of all your IPE. From here, you should identify any other key documents your company is generating which are critical to financial statements or risk management, either directly or indirectly.

By keeping these documents organized and ready to pull, your organization will be ready to provide accurate IPE to auditors upon request.

Maintain IPE Documentation

To further streamline the management of IPE and the use of IPE for your organization’s audits, whether they’re for SOX compliance, SOC, or any other framework, your organization should maintain and update documentation about the IPE in your environment. The list of IPE, also known as a population, is a good start. By adding additional information to the list, such as the name of the report and the steps used to produce it, your organization can make IPE testing a cinch, and reduce the amount of time and resources expended on testing. The more clearly an auditor understands how IPE was generated and where it came from, the quicker the IPE verification process goes.

Image: Table of IPE Documentation

Emerging Technologies Revolutionizing IPE Management

As organizations increasingly rely on complex IT systems to generate critical financial and operational data, emerging technologies are changing how IPE is managed, tested, and validated. Artificial Intelligence (AI), Robotic Process Automation (RPA), and blockchain offer innovative ways to improve efficiency, accuracy, and compliance in the IPE space.

AI-Powered Data Validation

AI algorithms can quickly analyze large volumes of IPE to identify anomalies or inconsistencies in source data. For instance, machine learning models can flag discrepancies in report logic or unexpected patterns in financial data, providing auditors with insights that would be difficult to uncover manually.

RPA for Automating IPE Workflows

RPA enables organizations to automate repetitive tasks involved in IPE management, such as generating reports, extracting source data, and documenting parameters. These automated workflows reduce the risk of human error and ensure consistency in how reports are created and stored.

Blockchain for Immutable Data Integrity

Blockchain technology provides a decentralized and tamper-proof ledger for storing IPE-related data. By logging source data and report-generation steps on a blockchain, organizations can ensure that audit trails remain secure and unaltered.

Integrating these technologies into IPE management not only improves audit readiness but also positions organizations to adapt to evolving regulatory standards. Leveraging these tools ensures that organizations remain ahead of compliance challenges.

What Is the Difference Between IPE and PBC?

The differences between IPE and PBC evidence or documentation are fairly granular. IPE, information produced by the entity, actually includes and encompasses PBC evidence. PBC stands for provided by client, and means that the document or evidence was expressly provided to the auditors upon their request. IPE is broader, and includes information or reports that are used by the entity in their day-to-day operations, and not expressly for the purposes of the audit.

Workpapers or documentation that does not have an “IPE” or “PBC” notation means that the auditor created the document on their own.

Consequences of Non-Compliance with IPE Standards

Failing to comply with IPE standards can have significant repercussions for organizations, ranging from regulatory penalties to reputational damage. 

  • Audit Findings: One of the most immediate consequences is the potential for external auditors to issue findings of material weaknesses or significant deficiencies, which must be disclosed to stakeholders under Sarbanes-Oxley (SOX) requirements. This disclosure can erode investor confidence, impact market valuation, and jeopardize access to capital. 
  • Audit Delays: Incomplete or inaccurate IPE can delay the audit process, leading to higher costs and resource strain as additional procedures are conducted to validate the reliability of the data.
  • Regulatory Scrutiny: The PCAOB frequently reviews the work of external auditors, and insufficient evidence of IPE completeness and accuracy can trigger inquiries or enforcement actions. Beyond regulatory risks, organizations may face operational inefficiencies caused by poor data management practices, such as errors in financial reporting or internal decision-making. 

These risks underscore the importance of comprehensive IPE management, proactive testing, and thorough documentation to ensure audit readiness and compliance with evolving standards. By prioritizing adherence to IPE standards, organizations can mitigate these risks and safeguard their long-term success.

Leverage Internal Control Management Software to Make IPE Documentation a Breeze

One of the hardest parts of managing IPE is keeping it organized, controlled, and up-to-date, while also managing who has access to modify the data. With modern Internal Control Management Software, your team can take charge of your organization’s IPE and set yourself up for success in SOX audits and beyond.

Frequently Asked Questions About IPE Audit and Controls

What is an IPE in an Audit and why must we address it?

IPE is information provided by the entity, and includes reports and spreadsheets that the company uses. IPE must be addressed to validate that the information has not been tampered with, and is complete and accurate.

Why is testing IPE important?

Testing IPE for completeness and accuracy is important to demonstrate the reliability and integrity of the reports and information being used for the audit.

How do we manage IPE in our environment?

IPE should be compiled into a listing or population, including commonly used reports and spreadsheets, which should then have completeness and accuracy information and metadata associated with it.

What are top audit procedures and best practices?

Two best practices for managing IPE for audits include being proactive about IPE and maintaining crucial IPE documentation.

How do you perform an IPE testing audit?

Performing an IPE testing audit involves several important steps to ensure the completeness, accuracy, and reliability of the data used as audit evidence. The process typically includes:

  1. Understanding the Source Systems: Identify the IT systems generating the IPE and verify that the data originates from reliable and secure sources.
  2. Evaluating Report Logic: Review the report’s generation process, including parameters, filters, and algorithms, to confirm that the extracted data aligns with the intended scope. Translation: if an employee is generating the 2024 Trial Balance, make sure the date range on the report is January 1, 2024, to December 31, 2024. It is surprising how often the wrong dates are entered when generating an accounting report.
  3. Testing Completeness and Accuracy: Conduct detailed testing to verify that all relevant data is included (completeness) and that the data matches the underlying records (accuracy). This may involve inspecting screenshots, observing live demonstrations, or analyzing metadata.  
  4. Validating Transformations: Confirm that any data transformations—such as aggregations or calculations—are performed correctly and do not compromise the integrity of the data.
  5. Documenting Findings: Ensure the audit workpapers clearly document all procedures, evidence collected, and conclusions reached to provide a robust audit trail.
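
The checks in steps 2 through 4 can be re-performed in code rather than by inspecting screenshots. The following is an added example, not part of the original article or any AuditBoard product: it compares a report as received against a source-system extract, flags parameter, completeness, accuracy, and total exceptions, and hashes the report so the original form can be retained with the workpaper. The CSV layout, field names, and sample rows are constructed assumptions.

```python
import csv, hashlib, io
from datetime import date
from decimal import Decimal

# Constructed sample data (assumed layout): source-system extract vs. report as received.
SOURCE_CSV = """entry_id,posted,amount
JE-1001,2024-01-15,1200.00
JE-1002,2024-06-30,-450.25
JE-1003,2024-12-31,980.10
JE-1004,2025-01-02,75.00
"""
REPORT_CSV = """entry_id,posted,amount
JE-1001,2024-01-15,1200.00
JE-1003,2024-12-31,890.10
"""
REPORT_META = {"date_from": "2024-01-01", "date_to": "2024-12-31", "reported_total": "2090.10"}

def load(text):
    """Parse a CSV extract into {entry_id: (posted_date, amount)}."""
    return {r["entry_id"]: (date.fromisoformat(r["posted"]), Decimal(r["amount"]))
            for r in csv.DictReader(io.StringIO(text))}

def check_ipe(source_csv, report_csv, meta, period_start, period_end):
    """Return (exceptions, sha256 of the report text as received) for the workpaper."""
    exceptions = []
    source, report = load(source_csv), load(report_csv)
    # Report logic: the parameters used must match the period under audit.
    if (meta["date_from"], meta["date_to"]) != (period_start.isoformat(), period_end.isoformat()):
        exceptions.append("parameters: date range does not match audit period")
    in_scope = {k: v for k, v in source.items() if period_start <= v[0] <= period_end}
    # Completeness: every in-scope source record appears, and nothing extra does.
    for k in sorted(in_scope.keys() - report.keys()):
        exceptions.append(f"completeness: {k} missing from report")
    for k in sorted(report.keys() - in_scope.keys()):
        exceptions.append(f"completeness: {k} not in source population")
    # Accuracy: amounts agree record by record.
    for k in sorted(in_scope.keys() & report.keys()):
        if in_scope[k][1] != report[k][1]:
            exceptions.append(f"accuracy: {k} source {in_scope[k][1]} vs report {report[k][1]}")
    # Transformation: re-perform the reported total from the report's own rows.
    recomputed = sum((v[1] for v in report.values()), Decimal("0"))
    if recomputed != Decimal(meta["reported_total"]):
        exceptions.append(f"transformation: total {meta['reported_total']} recomputes to {recomputed}")
    return exceptions, hashlib.sha256(report_csv.encode()).hexdigest()

if __name__ == "__main__":
    print(check_ipe(SOURCE_CSV, REPORT_CSV, REPORT_META, date(2024, 1, 1), date(2024, 12, 31)))
```

In the sample, the reported total foots to the report's own rows, yet the report still fails completeness and accuracy against the source, which is why a footing check alone is not sufficient.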

Why is IPE important in audit?

IPE forms the foundation of the evidence used to assess internal controls and financial reporting. Without reliable IPE, auditors cannot evaluate if an organization’s controls are performing effectively or whether its financial statements are free of material misstatements. Additionally, the PCAOB emphasizes the importance of IPE because it helps to minimize audit risks associated with incomplete or inaccurate data. Long story short – accurate IPE ensures that audit evidence is reliable.

What is the difference between IPE and PBC audit?

The key difference between IPE (Information Provided by the Entity) and PBC (Provided by Client) lies in their scope and purpose.

  • IPE: Refers to information generated by the organization’s (computer) systems, such as reports or spreadsheets, that is used as evidence during the audit. IPE often supports controls testing or substantive audit procedures and requires validation for completeness and accuracy.
  • PBC: Refers to documentation explicitly provided by the client at the auditor’s request, such as contracts, policies, or additional explanations. While PBC includes IPE, it is broader in scope and encompasses any evidence requested during the audit process.

In essence, all IPE can be part of PBC, but not all PBC is IPE. Understanding this distinction helps organizations prepare and organize audit evidence more effectively.

Vice Vicente started their career at EY and has spent the past 10 years in the IT compliance, risk management, and cybersecurity space. Vice has served, audited, or consulted for over 120 clients, implementing security and compliance programs and technologies, performing engagements around SOX 404, SOC 1, SOC 2, PCI DSS, and HIPAA, and guiding companies through security and compliance readiness.