IPE Requirements
- Under which circumstances is Information Produced by the Entity (IPE) required by your external auditor?
- Could you please provide some instances of particular IPE that your external auditor has explicitly required?
- Are IPE requirements incorporated within the language of your controls? What is the level of specificity of the requirements?
- Are there distinct IPE requirements for reports that are capable of being regenerated as opposed to those that are not?
-
1. Our auditors require IPE anytime the control is using information produced by the company in the performance of the control. All of our management review controls have IPE.
2. IPE is dependent on each control but we use a lot of reports, spreadsheets, data queries, etc. Anytime data is reviewed or analyzed we have IPE associated with it.
3. We usually have an attribute in our testing steps that provide coverage over the IPE risks or we sometime have a separate control around the IPE that is tested on how the IPE is created. Depends on the process and how the IPE is used.
4. We don't have requirements for reports that are different. For every IPE, we have to be able to answer how is it created and how does management know that is complete and accurate. So if it is system report with just the date range selected, we usually inquire on if the reviewer ensures that the date range is correct in their review and how do they document that. Sometimes we verify that the report is reconciled or tied to the general ledger or subledger.
IPE is a hot topic for us this year. Our external auditors have given us 5 IPE risks that we need to evaluate for each piece of IPE to determine if the risks are applicable and then we also have to document how we have addressed those risks for each piece of IPE. We have form we create for each IPE where we document what the IPE is, how it is created, which IPE risks are appliable, how those risks are addressed and how management has comfort over the IPE completeness and accuracy. For system reports, we do sometimes state the system is in scope for ITGC testing and has effective controls to mitigate some of the IPE risks. We use a lot of reconciliations and tying things back to the subledger or general ledger.
0Thank you so much for the detailed feedback which we find very beneficial. Could you share who is your external auditor? Ours is EY. Thanks!
0
Comments
3 comments