In a SOC report audit, one of the most important, but often misunderstood, aspects is Information Provided by the Entity (IPE).
If you are preparing for a SOC 1 or SOC 2 audit, understanding how to prepare reliable IPE can significantly reduce audit delays, rework, follow-up requests or even potential exceptions from the auditors.
What is IPE?
IPE is any report, data extract or documentation your organization provides to auditors to support control testing. It can include system-generated reports (such as user access listings, transaction logs, ticket exports or configuration reports), spreadsheets and screenshots from the system itself. Auditors use IPE to assess whether controls are properly designed and operating effectively, and their procedures include assessing whether such data can be relied upon.
Why Does IPE Matter in a SOC Audit?
Auditors cannot rely on evidence simply because it was provided; they need to determine whether it is complete and accurate for the system, time frame or population being tested. If IPE is unreliable, testing results may not be dependable, which can lead to expanded procedures, additional evidence requests, timing issues or control exceptions. Put simply: strong controls can still fail testing if the supporting IPE is not trustworthy or reliable.
What “Quality Evidence” Looks Like
Reliable IPE typically demonstrates these characteristics:
- Completeness: Includes the full population in scope (e.g., all users, all transactions, all changes)
- Accuracy: Reflects the true state of the system and has not been inappropriately altered
- Relevance: Directly supports the specific control being tested and the in-scope system/process
- Timeliness: Aligns to the audit period and is generated at the right point in time
- Consistency: Can be reconciled to the system information when appropriate (counts/totals/records match)
Practical Steps to Strengthen IPE Reliability
You do not need a complex program to improve IPE quality, just repeatable practices carried out consistently when preparing evidence for auditors:
- Validate key reports and evidence
  - Perform simple checks (record counts, totals, exceptions) and reconcile to system sources where feasible
  - Spot-check a few items back to the system to confirm the output is accurate
  - If a screenshot is provided as evidence, include the date and time stamp in the screenshot (bottom-right on Windows devices or top-right on Mac), information showing which system it was generated from (such as the URL or system/server name) and full menus or configurations
- Document report logic and parameters
  - Capture the basics: report name, source system, filters/criteria, time period and the date/time generated
  - Provide screenshots of custom scripts or queries, whether ad-hoc or scheduled
  - Ensure someone else could re-run the report and get the same output
- Limit manual handling
  - Prefer system exports over re-keying data into manual spreadsheets
  - If spreadsheets are necessary, keep the original export and use version control or file protection
- Control access to report creation and changes
  - Restrict who can run sensitive reports and who can modify report logic
  - This reduces the risk of unintentional changes (or inappropriate edits)
- Retain evidence of review
  - Keep proof that the report/evidence was reviewed and approved (workflow approval, ticket notes, email sign-off, timestamped review)
  - Ensure the review ties to the exact version provided to the auditor
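One way to script the record-count, parameter-capture and exact-version steps above, as an added example that is not from the original article. The SHA-256 fingerprint, the manifest field names, the `closed_on` column and the sample ticket export are assumptions constructed for illustration.

```python
import csv
import hashlib
import io
import json
from datetime import date, datetime, timezone

def build_manifest(export: bytes, *, report_name, source_system, filters,
                   period_start: date, period_end: date,
                   system_count: int, date_column: str) -> dict:
    """Describe one export so a second person could re-run and compare it."""
    rows = list(csv.DictReader(io.StringIO(export.decode("utf-8"))))
    # Timeliness: count records dated outside the audit period.
    out_of_period = [r for r in rows if not
                     period_start <= date.fromisoformat(r[date_column]) <= period_end]
    return {
        "report_name": report_name,
        "source_system": source_system,
        "filters": filters,
        "period": [period_start.isoformat(), period_end.isoformat()],
        "generated_at": datetime.now(timezone.utc).isoformat(timespec="seconds"),
        "sha256": hashlib.sha256(export).hexdigest(),  # fingerprint of the original export
        "row_count": len(rows),
        "system_count": system_count,            # count read separately from the source system
        "reconciled": len(rows) == system_count,  # completeness check
        "out_of_period_rows": len(out_of_period),
    }

def matches_reviewed_version(delivered: bytes, manifest: dict) -> bool:
    """True only if the delivered file is byte-identical to the reviewed export."""
    return hashlib.sha256(delivered).hexdigest() == manifest["sha256"]

# Constructed sample: a change-ticket export (not real data).
SAMPLE_EXPORT = (
    b"ticket_id,change_type,closed_on\n"
    b"CHG-1001,standard,2024-02-11\n"
    b"CHG-1002,emergency,2024-05-30\n"
    b"CHG-1003,standard,2023-12-19\n"
)

if __name__ == "__main__":
    m = build_manifest(SAMPLE_EXPORT, report_name="Closed change tickets",
                       source_system="ticketing (hypothetical)", filters={"status": "closed"},
                       period_start=date(2024, 1, 1), period_end=date(2024, 12, 31),
                       system_count=3, date_column="closed_on")
    print(json.dumps(m, indent=2))
```

Storing the manifest with the review sign-off lets the reviewer's approval be checked against the file actually handed to the auditor.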
Common IPE Pitfalls to Avoid
- Providing screenshots only, with no supporting detail or underlying data, or screenshots without date and time stamps
- Submitting manually edited spreadsheets without an audit trail or controls
- Missing report criteria (filters/parameters), making scope unclear
- Using inconsistent parameters between periods, preventing reliable comparison
- Providing only part of a configuration or menu. Often it is better to provide the entire screen to auditors, even if only one line may be relevant.
IPE is the foundation of a SOC report because it supports the design and operation of each control. By focusing on completeness, accuracy and controlled handling, organizations can improve audit efficiency, build auditor confidence and reduce the likelihood of avoidable findings. Addressing IPE early helps streamline SOC audit testing and reduces uncertainty during fieldwork.
About Schneider Downs Risk Advisory
Our team of experienced risk advisory professionals focuses on collaborating with your organization to identify and effectively mitigate risks. Our goal is not only to understand the risks related to potential loss to the organization, but also to drive solutions that add value to your organization and advise on opportunities to ensure minimal disruption to your business.