Armanino Blog

Three Types of IPE and IPE Risks: A Controller’s Guide to SOX Compliance

by Luke Childress, Jonathan Bayeff
February 12, 2021

Updated February 03, 2022

Information produced by the entity (IPE) is any information that is produced internally by the company being audited and provided as audit evidence, whether for use in the execution of internal controls or for substantive audit procedures performed by an external auditor. In this article, we will discuss the three types of IPE you are most likely to encounter and the level of documentation and assurance each of them requires.

IPE that is subject to information technology general controls (ITGCs) does not typically require as high a level of assurance as IPE that is not subject to ITGCs. Let’s take a closer look at the three types of IPE, from most to least risky.

Types of IPE and Their Risks

High risk

An ad hoc query is any nonstandard query created to produce information on an as-needed basis. It is not subject to ITGCs and is the riskiest of the three types. It requires a great level of assurance, because the end user may use any set of parameters while generating a report. Because the resulting report has not been previously vetted or tested, it requires greater scrutiny from auditors. Without involving the auditor’s IT team, an auditor cannot verify whether the parameters entered by the process owner will generate a report that is complete and accurate.

Medium risk

Custom reports are reports produced by the company’s in-house IT team. They are often generated when the business team requires that a certain data set be produced by the company’s enterprise resource planning (ERP) system. When an ERP system (e.g., Oracle NetSuite, QAD, Microsoft Dynamics 365, SAGE, SAP and EPICOR) lacks a standard or canned report that will satisfy the requirement, a custom report is required. The business team, therefore, works with the IT team to develop a query to produce the required result. Because this type of IPE has expected results that the business team can anticipate, it is not as risky as ad hoc queries. Custom reports are subject to normal testing and approval by the IT and business teams.

Low risk

Standard or canned reports are reports that come right out of the box. They have been developed by a software company and are included with ERP systems. Canned reports are preformatted and distributed to an entire organization. The end user on the business team, and in some cases on the IT team, has little to no ability to modify or reformat these reports. Because such reports can hardly be edited, they require less scrutiny by auditors.
