Classic file types are no longer available for use as of January 2021. You can transition your classic files or download a PDF. Learn More

Key Report Testing - Best Practices




  • Donna White

    We have created an IPE test phase, by quarter for our controls. This phase is added to the regular control test. Our external auditors asked for this as they said it will make it easier for them to find that type of testing. We have to test reports every three years, and when they change. We also require evidence of report generation procedures (system screen shots).

    Our external auditor explained what they consider to be the two types of IPE tests:

    1. A control where mangement is expected to validate the C&A of a report as part of control execution. This will be tested as part of the normal control test with an IPE test phase added, and a cross reference to where the testing is located. This is being done so the external audit IT team can readily idenfity this type of tesing. In addition to the validation done by management we require screen shots showing how the report / file was generated.
    2. Reports / file we rely upon as part of internal audit control testing (e.g. new hire report, user listing,etc.).GITC controls over the environment used to generate the report have to be effective. We gather the same evidence as listed in item 1 but we also have to tie record counts and such, make sure the data returned matched that requested, etc.  In some cases, we have to recreate the report using the parameters shown in the query, or work with IT to obtain the raw data and then recreate the report. That is typically when a report is new, changed or it has been three years.

    Thank you for the question. I"m looking forward to reading other responses.

    I am anxious as to what other are doing as well. Thanks for the question.

  • Stephanie Campese

    Thanks Donna,   the work done is it actually done by IT, the business, or the people performing the testing?   We were thinking that the area owner of each report was responsible to demonstrate they validated the C&A (and provide evidence), and from a testing perspective our role is to see the evidence and some level of approval from the owner.

    We were thinking the 3 year rotation as well,  I think having a separate phase sounds like a great idea and is something I will bring to the team.

  • Donna White

    If a report is used as part of a control, then the control owner is responsible for validating the C&A of the data / file. If we independently ask for a report then we had to do that work.


Please sign in to leave a comment.