IPE 101 – Assessing Management IPE Controls and Report Risks

This article is part of a comprehensive series exploring IPE. You can download the complete whitepaper here.

What are key steps to assessing management IPE controls and report risks?

In our first two articles in the IPE series, we defined IPE and the difference between key reports and populations. The final piece of the puzzle is to understand testing methodologies for gaining comfort over completeness and accuracy of key reports to manage the risk associated with the data.

Understanding and Assessing Management's IPE Controls

Before the auditor designs any independent testing procedures to validate a key report, the auditor should obtain an understanding of the design and effectiveness of management’s IPE controls. This consideration includes four critical steps:

  • Assess management’s IPE controls for the completeness of the data utilized in the operation of the control
  • Assess management’s IPE controls for the accuracy of the data utilized in the operation of the control
  • Develop testing attributes over the design and operating effectiveness of the IPE controls performed by management
  • Evaluate whether the IT General Controls over the systems used to produce IPE have been tested, and evaluate the results of that testing. If the IT General Controls are ineffective, the auditor must make additional considerations. For example, the auditor may need to perform independent substantive testing procedures for completeness and accuracy.

Managing Key Report Risk

Once the auditor has assessed management’s control, the auditor may still be required to perform additional testing procedures, which should be coordinated with the external audit team to ensure the procedures are sufficient. The first step in determining additional procedures is to determine the type of key report used in the control.

Standard Reports: A standard report can be relied upon as complete and accurate without additional testing procedures, because management has never modified the data, as long as the last change date is obtained and the report is confirmed to be a standard report.

Third Party Reports: The SOC report should be obtained and reviewed for all in-scope third parties. While the report comes from a third party source system in which management cannot directly edit the data of the report, management should still perform procedures to inspect the input parameters and ensure the parameters match the intended purpose of the control.

Custom / Ad Hoc Reports: Each external audit firm has its own guidance on what procedures are required to gain sufficient comfort, but typical testing procedures to confirm the completeness and accuracy of a custom/ad-hoc report include:

  • Performance of the Control – Most key reports used by management are used in a review control in which management inherently validates the completeness and accuracy of the data as a control objective. The auditor can therefore point to management’s review, if it is designed effectively to verify the report details (accuracy) and report totals (completeness).
  • Additional Samples – The auditor will select samples from the report to trace back to source transactions (accuracy) and then select source transactions to trace into the report (completeness). This method can be very time consuming and should be looked at as a last resort to gain comfort.
  • SQL Inspection – Some scripts can be documented in detail to show how the data is being extracted, but SQL scripts can also become complex very quickly, so this method is less frequently relied upon. If management or the auditor is reviewing the script, keep in mind that the most important sections are typically the SELECT, FROM and WHERE clauses. The SELECT clause should tie directly to the column headers, the FROM clause identifies the database tables that house the data, and the WHERE clause filters the data so that it is included in the report only if it meets a certain criterion.
  • Sample Transaction – Depending on the situation, the auditor can work with management to process a transaction and observe how it then appears on the report. This is especially helpful when dealing with exception reports that only populate data when certain actions occur. This method is oftentimes performed through management’s TEST environment and then the additional step of verifying PROD is a mirror of TEST is completed to show how the testing is applicable to the PROD environment.
  • Understand Compensating Controls – Typically this method is not enough to gain completeness and accuracy comfort by itself, but when used in conjunction with other testing procedures, it can provide comfort over the data. This technique involves understanding the entire control universe and which controls provide comfort over the source transaction that your report is populating.
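The SQL inspection and two-way sample tracing described above can be combined into one reconciliation. The following is an added example, not part of the original article: the `ledger` table, its columns, the report query and all rows are constructed for illustration, and the report's WHERE clause is deliberately written to stop one day short of month end and to omit the status filter.

```python
import sqlite3

# Constructed source transactions: (txn_id, txn_date, status, amount)
SOURCE_ROWS = [
    (1, "2024-01-05", "posted", 1200.00),
    (2, "2024-01-17", "posted", 310.50),
    (3, "2024-01-29", "void", 75.00),
    (4, "2024-01-31", "posted", 980.25),
    (5, "2024-02-02", "posted", 410.00),
]
# Intended purpose of the control: every posted January 2024 transaction.
INTENDED_WHERE = "status = 'posted' AND txn_date BETWEEN '2024-01-01' AND '2024-01-31'"
# Hypothetical report script as written: wrong end date, no status filter.
REPORT_SQL = ("SELECT txn_id, txn_date, amount FROM ledger "
              "WHERE txn_date BETWEEN '2024-01-01' AND '2024-01-30'")

def load_source():
    """Build the constructed source system in an in-memory database."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE ledger (txn_id INTEGER PRIMARY KEY, "
               "txn_date TEXT, status TEXT, amount REAL)")
    db.executemany("INSERT INTO ledger VALUES (?, ?, ?, ?)", SOURCE_ROWS)
    return db

def assess_report(db, report_sql, intended_where):
    """Compare what the report script returns with the intended population."""
    cur = db.execute(report_sql)
    headers = [col[0] for col in cur.description]  # SELECT ties to column headers
    report = {row[0]: row for row in cur.fetchall()}
    expected = {row[0]: row for row in db.execute(
        "SELECT txn_id, txn_date, amount FROM ledger WHERE " + intended_where)}
    return {
        "headers": headers,
        # Completeness: source transactions that never reach the report.
        "missing_from_report": sorted(set(expected) - set(report)),
        # Accuracy: report lines that do not belong to the intended population.
        "not_in_population": sorted(set(report) - set(expected)),
        "report_total": round(sum(r[2] for r in report.values()), 2),
        "expected_total": round(sum(r[2] for r in expected.values()), 2),
    }

if __name__ == "__main__":
    for key, value in assess_report(load_source(), REPORT_SQL, INTENDED_WHERE).items():
        print(f"{key}: {value}")
```

A difference between the two totals shows that the report is off; the two ID lists show which transactions to trace and which part of the WHERE clause caused the gap.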

The testing methods do not have to be used individually either. Depending on the key report, performance of the control may be used to gain comfort over the completeness of the report, but a sample transaction could be used for the accuracy of the report. Regardless of which type is used, the auditor should always obtain input parameters or SQL screenshots to verify how the report was generated along with obtaining a screenshot to verify the report’s last change date and who last edited the report.

Ultimately, the amount of testing required is at the discretion of the audit team performing the procedures, which is why it is so important to coordinate the testing approach with the external audit team.

About Schneider Downs Risk Advisory

Our team of experienced risk advisory professionals focus on collaborating with your organization to identify and effectively mitigate risks. Our goal is to understand not only the risks related to potential loss to the organization, but to drive solutions that add value to your organization and advise on opportunities to ensure minimal disruption to your business.

Explore our full Risk Advisory Service offerings or contact the team at [email protected].

Material discussed is meant for informational purposes only, and it is not to be construed as investment, tax, or legal advice. Please note that individual situations can vary. Therefore, this information should be relied upon when coordinated with individual professional advice.

© 2024 Schneider Downs. All rights-reserved. All content on this site is property of Schneider Downs unless otherwise noted and should not be used without written permission.
