This article is part of a comprehensive series exploring IPE. You can download the complete whitepaper here.
What are the two primary categories of information produced by entity (IPE)?
IPE can be broken into two main categories: Populations and Key Reports. Both represent data obtained from management, but the requirements to document how the auditor obtained comfort over the data will vary.
IPE Populations
Populations are system-generated reports provided to auditors to select a sample of transactions to verify management’s control procedures. Only the auditor must attest to the completeness and accuracy of the population.
For example, when testing a control over the approval of purchase orders, auditors will test to verify that orders were appropriately approved in accordance with company policies. They must first obtain the listing of all purchase orders (i.e., the population) and confirm that this population accurately reflects all purchase orders during the defined period.
This is typically done by verifying the source system is in scope for IT General Controls testing, obtaining the relevant input parameters/query used to create the population and tying row counts from the system screenshot to the report output. Another method to gain comfort over the data is to inspect the SQL/query used to create the population to understand how the data was generated.
IPE Key Reports
If system-generated data is utilized by management to perform a control, then it is considered a key report. There are four types of key reports:
- Standard Report – The report comes from an in-scope system but has not changed since implementation by the vendor (i.e., out of the box).
- Third-party Report – The report comes from a third-party application and is covered by a SOC report.
- Custom Report – The report comes from an in-scope system but has been edited through the change management process.
- Ad Hoc Report – The report comes from an in-scope system but is generated through a SQL or data query.
Key reports require both management and the auditor to ensure the data is complete and accurate. Management's obligation is to understand what they are generating by retaining and inspecting the input parameters.
The other main component for management is verifying the report was built following the company’s change management process. When any key report is created or changed, it should go through user acceptance testing, which allows management to confirm the report is pulling the intended data completely and accurately for its anticipated use in the control.
Beyond the change management process, management should be designing their control review procedures to ensure they are checking the completeness and accuracy of each report they generate. As most management key reports are used in review controls, a common procedure for obtaining comfort over the completeness is tying the report out to the general ledger.
For comfort over the accuracy of the report, management should be reviewing the details of the report and making sure they tie to source transactions. Management should also understand what controls create the transactions that populate their report to gain further comfort over the completeness and accuracy of the report.
We will discuss the auditor’s approach for obtaining comfort over the completeness and accuracy of key reports in the next OTO IPE Article.
About Schneider Downs Risk Advisory
Our team of experienced risk advisory professionals focus on collaborating with your organization to identify and effectively mitigate risks. Our goal is to understand not only the risks related to potential loss to the organization, but to drive solutions that add value to your organization and advise on opportunities to ensure minimal disruption to your business.