External auditors of public companies have come under increasing pressure from the Public Company Accounting Oversight Board (PCAOB). One area of particular emphasis has been the reliance of external auditors on information produced by entity (IPE), and the need for increased rigor to ensure that the information is accurate and reliable.
You might be asking, “What is IPE?” IPE is information presented in reports used in the operation of a control. It also relates to reports run and data extractions to support audit tests. It is sometimes referred to as electronic audit evidence (EAE). When considering the completeness and accuracy of information used in the operation of a review control, it is important to focus on the individual relevant data elements. The effectiveness of management review controls and other IPE dependent controls depends to a large extent on the quality of the information being reviewed.
For a vast majority of organizations, IPE testing is an integral part of their overall control testing activities, which is positive to see. Testing IPE becomes a critical focus point once Sarbanes-Oxley Section 404(b) becomes a requirement. For emerging growth companies, pre-IPO and pre-Sarbanes-Oxley organizations, there is less emphasis on IPE. But once the internal control over financial reporting attestation requirements of Section 404(b) kick in, IPE testing is emphasized far more.
Protiviti’s annual Sarbanes-Oxley compliance survey asked the question “To what extent do you test other information produced by entity (IPE) for data used to execute key controls?” Access the survey report to analyze the results from the 2016 survey respondents.
Other questions asked in this benchmarking survey include:
- During fiscal year 2015, was your organization required to issue a cybersecurity disclosure (according to CF Disclosure Guidance: Topic No. 2)?
- With regard to Sarbanes-Oxley compliance efforts, who in your organization has primary responsibility for 1) executive sponsorship, 2) execution, and 3) supporting related testing efforts?
- If your external audit firm required significant changes to Sarbanes-Oxley compliance activities in 2015, to what extent do you believe those changes are the result of the inspections of the registered accounting firms by the PCAOB?
- What was the impact of the PCAOB’s inspection reports on external auditors on your organization’s costs for the following Sarbanes-Oxley compliance activities?
- For processes that your company outsources, are you receiving SOC 1 reports?
If you haven’t done so already, download a copy of this benchmarking report and related infographic.