Reducing Frustration From Increased IPE Testing

Every year, SOX professionals and control owners face intense scrutiny from their external auditors related to IPE (Information Provided by Entity). External auditors are pushing deeper into systems and processes used to produce data utilized in the performance of controls, as well as audit evidence to a point that many SOX teams find frustrating and confusing. In some cases, the SOX teams did not anticipate the continuously increasing focus on IPE, which in some cases, has led to a reduced ability to rely on internal control testing. This article will discuss what drives the increased focus on IPE and how SOX teams and control owners can prepare the organization to meet expanding requirements to alleviate the frustration. 

How Is IPE Evaluated?

We must understand how auditors evaluate IPE to appreciate why there is increased IPE testing. External auditors will review all documentation provided by the organization to ensure it is complete and accurate,  to then be considered reliable. They will usually start by asking a series of questions about the IPE, such as:

• Where did the information come from?
• Was the information system generated, or did it require manual input?
• How can you prove the information is complete?
• Have you validated that the information returned on the report is accurate? 
• How can you verify the information was not manipulated after the report was generated?
• Is there a source for the data closer to the actual process?
• What are the report logic and parameters used to gather the data?
• Is the data being generated by an in-scope or out-of-scope system?
• Are the controls covering the system designed and operating effectively? 

The external auditor is trying to determine if the business has proven the completeness and accuracy of any IPE used in the execution of a control, and then they will test the control themselves. If the company cannot confirm the completeness and accuracy of the IPE, the control will likely fail. At that point, several downstream impacts will occur. From the organization’s perspective, the team will likely need to perform lookback procedures and remediation work to retroactively validate that incomplete or inaccurate data was not used in the performance of the control and on a go-forward basis, appropriate steps are taken to validate IPE when performing the control procedures and review. Additionally, the external auditor must perform substantive testing for the control because they cannot rely on the company’s evidence that it is operating effectively.

What Drives Increased IPE Requirements? 

For SOX, the PCAOB (Public Company Accounting Oversight Board) is one of the biggest drivers behind IPE scrutiny. In the most recent Inspection Observation Spotlight Report, the PCAOB called out IPE as an area with continuing deficiencies. As a result of these inspection findings, External Audit teams have increased their focus on data utilized by Companies in their internal controls programs to not only ensure that their audit work papers are sufficiently supported but ultimately to validate the reliability of data presented in the financial statements. This pressure has been increasingly felt by companies to produce the highest quality documentation.

In public companies, the technology and processes are getting more complex every year. Substantiating a line item in a financial statement could involve multiple subsidiaries rolling up to the general ledger through dozens of applications connected through different types of interfaces. This complexity is why the auditors are asking about the source of the information. Each time there is an interface, they need to inspect a reconciliation to prove no data was lost or added. They also need to validate and test the related IT general controls to understand who had access to the information and could have manipulated it, even accidentally.  

How Can We Reduce IPE Frustration?

Recently, many organizations have been frustrated by their external auditors asking for application source code to prove that controls are coded into their in-scope applications while testing the controls through the interface was previously acceptable. They are concerned that the external auditors have no business looking at source code and that the auditors would not understand the code if provided. In the end, the auditors are looking for evidence as close to the source as possible. 

To reduce the burden and frustration of IPE, there are a few process changes the SOX team can make:

1. Automate your controls. Manual and hybrid controls immediately require additional work to prove the information is accurate and complete.
2. Standardize your reporting processes. If you have a mix of spreadsheets and reporting engines, the team has to work harder to show how the information was aggregated. When possible, utilizing reports determined to be Standard Reports, as validated by the SOC 1 Report, or potentially directly from the vendor, will greatly reduce the burden on the team.  
3. Validate IPE through the performance of the control. Include steps to validate the completeness and accuracy of the control performance and review procedures whenever possible. 
4. Set clear IPE expectations internally. Most of the frustration comes from the control owners needing to understand why the information is necessary and how it will be used. 

Prepare the Control Owners

When the organization clearly understands why IPE is essential and how it will be used, the level of frustration is drastically reduced. SOX professionals can lead this effort by setting clear expectations and coaching the control owners through the evidence collection before it gets to the external auditors. Work with your team, and help them understand the importance of IPE, and the entire process will run smoothly when the team can confidently answer questions posed by the auditors.