This article is part of a comprehensive series exploring IPE. You can download the complete whitepaper here.
What are the key steps to assessing management IPE controls and report risks?
In our first two articles in the IPE series, we defined IPE and explained the difference between key reports and populations. The final piece of the puzzle is the testing methodology used to gain comfort over the completeness and accuracy of key reports, which is how the risk associated with the underlying data is managed.
Understanding and Assessing Management’s IPE Controls
Before the auditor designs any independent testing procedures to validate a key report, the auditor should obtain an understanding of the design and effectiveness of management’s IPE controls. This consideration includes four critical steps:
- Assess management’s IPE controls for the completeness of the data utilized in the operation of the control
- Assess management’s IPE controls for the accuracy of the data utilized in the operation of the control
- Develop testing attributes over the design and operating effectiveness of the IPE controls performed by management
- Evaluate whether the IT General Controls (ITGCs) over the systems used to produce the IPE have been tested, and review the results of that testing. If the ITGCs are ineffective (for example, change management or access controls over the reporting system failed), the auditor cannot rely on the system to produce the report consistently and must perform additional procedures, such as independent substantive testing of completeness and accuracy.
Managing Key Report Risk
Once the auditor has assessed management's controls, the auditor may still be required to perform additional testing procedures, which should be coordinated with the external audit team to ensure the procedures are sufficient. The first step in determining those additional procedures is to identify the type of key report used in the control.
Standard Reports: A standard report is delivered with the application and its logic has not been modified by management, so it can be relied upon as complete and accurate without additional testing procedures, provided the auditor obtains the report's last change date and confirms that it is in fact an unmodified standard report. The input parameters used to run it should still be obtained, since a standard report run with the wrong parameters will not meet the control's objective.
Third Party Reports: The SOC report should be obtained and reviewed for every in-scope third party, including its complementary user entity controls. Although the report comes from a third-party source system in which management cannot directly edit the data, management should still inspect the input parameters and confirm that they match the intended purpose of the control.
Custom / Ad Hoc Reports: Each external audit firm has their own guidance on what procedures are required to gain sufficient comfort, but typical testing procedures to confirm the completeness and accuracy of a custom/ad-hoc report include:
- Performance of the Control – Most key reports are used within a review control in which management, as part of the control objective, inherently validates the completeness and accuracy of the data. If that review is designed effectively, the auditor can point to management's review of the report details (accuracy) and report totals (completeness).
- Additional Samples – The auditor selects samples from the report and traces them back to source transactions (accuracy), then selects source transactions and traces them into the report (completeness). Both directions are needed: tracing report-to-source alone will never detect a record the report omitted. This method can be very time consuming and should be treated as a last resort.
- SQL Inspection – Some report scripts can be documented in detail to show how the data is extracted, but SQL can become complex very quickly, so this method is relied upon less frequently. When management or the auditor reviews a script, the most important sections are typically the SELECT, FROM and WHERE clauses. The SELECT clause should tie directly to the column headers on the report, the FROM clause identifies the database tables (and any joins) that house the data, and the WHERE clause is the filter that decides whether a record is included in the report at all. Because the WHERE clause (and, where present, inner joins or HAVING clauses) silently drops records, it is the section most relevant to completeness and should be compared against the population the control is intended to cover.
- Sample Transaction – Depending on the situation, the auditor can work with management to process a transaction and observe how it then appears on the report. This is especially helpful for exception reports that only populate when certain actions occur. This method is often performed in management's TEST environment, followed by the additional step of verifying that PROD mirrors TEST (for example, by confirming the report definition or script deployed in PROD is the same version as the one tested) so that the testing is shown to apply to the PROD environment.
- Understand Compensating Controls – On its own this method is typically not enough to gain comfort over completeness and accuracy, but used in conjunction with other testing procedures it can provide comfort over the data. The technique involves understanding the entire control universe and identifying which controls provide comfort over the source transactions from which the report is populated.
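The Additional Samples and SQL Inspection methods above are illustrated together in the following added example, which is not from the original article. It builds a small constructed vendor-invoice table in an in-memory SQLite database, runs a custom report whose SELECT, FROM and WHERE clauses are annotated, and then performs a two-way tie-out: report rows traced to source (accuracy) and in-period source rows traced to the report (completeness), listing the records the WHERE clause excluded so the reviewer can judge whether that exclusion matches the control's intent. The table name, column names and invoice data are assumptions made for the illustration.

```python
"""Two-way tie-out of a custom report against its source table.

Added example, not code from the original article. The ap_invoices table,
its columns and the invoice rows below are constructed for illustration.
"""
import sqlite3

# Constructed source data (assumed schema): vendor invoices in an AP ledger.
SOURCE_ROWS = [
    # (invoice_id, vendor,    amount,  status,   posted_date)
    (1001,         "ACME",    1200.00, "POSTED", "2024-03-02"),
    (1002,         "Globex",   850.50, "POSTED", "2024-03-15"),
    (1003,         "ACME",     300.00, "VOID",   "2024-03-20"),  # dropped by WHERE
    (1004,         "Initech",  975.25, "POSTED", "2024-03-28"),
    (1005,         "Initech",   45.00, "POSTED", "2024-04-01"),  # outside period
]

# The report script under inspection. Each clause maps to what the auditor
# checks: SELECT -> column headers, FROM -> source table, WHERE -> inclusion.
REPORT_SQL = """
SELECT invoice_id, vendor, amount          -- column headers on the report
FROM   ap_invoices                          -- table that houses the data
WHERE  posted_date BETWEEN ? AND ?          -- period filter (input parameters)
  AND  status = 'POSTED'                    -- excludes voided invoices
ORDER  BY invoice_id
"""


def build_db():
    """Create the in-memory source system and load the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE ap_invoices (invoice_id INTEGER PRIMARY KEY, vendor TEXT,"
        " amount REAL, status TEXT, posted_date TEXT)"
    )
    conn.executemany("INSERT INTO ap_invoices VALUES (?,?,?,?,?)", SOURCE_ROWS)
    return conn


def run_report(conn, period_start, period_end):
    """Run the custom report with the given input parameters."""
    return conn.execute(REPORT_SQL, (period_start, period_end)).fetchall()


def tie_out(conn, report_rows, period_start, period_end):
    """Reconcile a report extract against its source for one period.

    Accuracy: every report row must trace to a source row with identical
    vendor and amount. Completeness: every in-period source row must appear
    on the report; rows that do not are listed as dropped_by_filter so the
    reviewer can decide whether the exclusion is intended (voided invoices)
    or a completeness gap.
    """
    source = {
        r[0]: r
        for r in conn.execute(
            "SELECT * FROM ap_invoices WHERE posted_date BETWEEN ? AND ?",
            (period_start, period_end),
        )
    }
    # Accuracy: report -> source. A row with no source match, or with a
    # vendor/amount that differs from the source, is an exception.
    accuracy_exceptions = [
        r for r in report_rows
        if r[0] not in source or (source[r[0]][1], source[r[0]][2]) != (r[1], r[2])
    ]
    # Completeness: source -> report. Anything in period but not reported.
    reported_ids = {r[0] for r in report_rows}
    dropped = [source[i] for i in sorted(source) if i not in reported_ids]
    return {
        "report_total": round(sum(r[2] for r in report_rows), 2),
        "source_total": round(sum(r[2] for r in source.values()), 2),
        "accuracy_exceptions": accuracy_exceptions,
        "dropped_by_filter": dropped,
    }


if __name__ == "__main__":
    conn = build_db()
    rows = run_report(conn, "2024-03-01", "2024-03-31")
    result = tie_out(conn, rows, "2024-03-01", "2024-03-31")
    print("report total :", result["report_total"])
    print("source total :", result["source_total"])
    print("accuracy exc.:", result["accuracy_exceptions"])
    print("dropped rows :", result["dropped_by_filter"])
```

The report and source totals differ by exactly the voided invoice, which is the point of listing the dropped rows rather than only comparing totals: a total that ties, or that differs by an explainable amount, is evidence only when the reviewer knows which records the WHERE clause removed and agrees that excluding them matches the control's purpose. Passing a modified extract to tie_out (an added row, or an amount edited after export) produces an accuracy exception, which is the failure mode the report-to-source direction of the sample test exists to catch.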
The testing methods do not have to be used individually. Depending on the key report, performance of the control may be used to gain comfort over completeness while a sample transaction is used for accuracy. Regardless of which methods are used, the auditor should always obtain the input parameters or SQL screenshots to verify how the report was generated, along with a screenshot showing the report's last change date and who last edited it.
Ultimately, the amount of testing required is at the discretion of the audit team performing the procedures, which is why it is so important to coordinate the testing approach with the external audit team.
Related Articles
IPE 101 – Defining and Understanding Information Produced by Entity
IPE 101 – Differentiating Populations and Key Reports
About Schneider Downs Risk Advisory
Our team of experienced risk advisory professionals focuses on collaborating with your organization to identify and effectively mitigate risks. Our goal is to understand not only the risks related to potential loss to the organization, but also to drive solutions that add value and advise on opportunities to ensure minimal disruption to your business.
Explore our full Risk Advisory Service offerings or contact the team at [email protected].