Jeanne has successfully led the implementation of numerous internal audits and Sarbanes-Oxley 404 compliance projects. Through her organized and efficient execution of compliance work, she has gained experience in analyzing, correcting deficiencies and testing financial processes. In order to fully understand and test the relevant controls during a compliance report audit, it is important that practitioners do not fall on a slippery slope of over-scope and over-testing of IUC and IPE. It is also important that practitioners take the necessary steps to understand the controls relevant to their procedures and whether these controls depend on IPE or IUC. As a result of this decision, an auditor will be able to effectively decide on the adequacy and operating effectiveness of the control with all the important considerations necessary to do so. In the following sections, you will find some examples of test procedures that can be performed as IPE/IUC test steps and considerations when performing a compliance audit. A69 Professional judgment is essential to the proper performance of a certification engagement. Indeed, the interpretation of relevant ethical requirements and relevant AT-C sections, as well as the informed decisions required throughout the engagement, cannot be made without applying the relevant knowledge and experience to the facts and circumstances. Given the different requirements between the PCAOB and the AICPA, it is clear that there is room for interpretation as to the extent to which the practitioner's detailed testing procedures should go to test IPE and IUC. Why? Because if an audit reveals that there is inaccurate or incomplete data to support your controls, your company may face consequences if you disclose a significant vulnerability in your SEC filings. After that, you will be examined to demonstrate the significant and expensive effort that might be required to solve the problem.
If you have any questions about IPE or IUC considerations, or are interested in how IPE/IUC will be considered for your upcoming SOC reports or other required audit services, contact Rhonda Willert and the Linford & Co team for a compelling discussion on the topic! Clearview has a proven methodology to help companies meet the expectations of their regulators and external auditors for the completeness and accuracy of the IPE. We start by implementing a process to capture and identify all relevant elements that require consideration of completeness and accuracy, and then adapt our approach to meet each IPE requirement based on our clients' needs. Our methodology includes core activities such as: However, when determining the relevant controls, it is important to determine which controls can be reduced to focus. A company should begin its IPE and IUC analysis by focusing on controls that it believes should be tested by regulators or compliance practitioners to meet audit requirements. These controls can be considered as the relevant controls for audits, as well as the initial considerations of the IPE and the IUC. Most companies still rely heavily on various spreadsheets, system downloads, and manual updates in their day-to-day operations. These procedures create many opportunities for misreporting of information due to possible errors or fraud. While financial systems and other technologies continue to advance, businesses, as well as auditors, must continually assess the risks associated with the information (i.e., key reports) generated from these applications. An SOC practitioner should use professional skepticism and judgment to address IUC and IPE considerations throughout the review, and for each piece of evidence, they inspect and use it to support their control procedures. With these control steps in mind, a SOX audit with SOC report relevance is appropriately handled by SOC report users as expected.
At Clearview, we work closely with our clients' regulators and external auditors to guide management in developing their internal controls and ensure that IPE requirements are properly considered and documented. There is no specific audit of the IUC/IPE; rather, procedures are performed to test relevant controls, which include test steps developed to understand that the IUC and/or IPE are complete and accurate.
The information produced by the company and the information used in the controls is often in the form of a report. Reports can be generated by the system, generated manually, or a combination of both (manually downloading system data entered into an Excel spreadsheet). A company could spend a lot of time and money trying to improve the completeness and accuracy of all its IPEs and IUCs in its control environments. To avoid spending too much time or money on this area, an organization typically focuses primarily on the relevant controls that support its SOX and SOC compliance requirements. Rhonda is a partner at Linford & Co. and provides risk management services, including Service Organization Control (SOC) and internal audit services (IT and business process audits). Rhonda holds CPA, CISSP, PMP and CISA certifications and provides world-class customer service. Previously, Rhonda was a Managing Director at Deloitte and brings extensive expertise in risk management and compliance. The old adage of Sarbanes-Oxley (SOX) compliance, an exercise in "ticking the box," has fallen by the wayside. In recent years, the Public Company Accounting Oversight Board (PCAOB) has placed greater emphasis on how organizations feel comfortable with the completeness and accuracy of information used for financial reporting and how to perform internal controls, often referred to as Information Produced by Entity (IPE). And it's not just about reports; the concept of IPE can include anything from standard reports to queries generated with business intelligence software, complex spreadsheets and end-user data. A 2020 survey by Ernst & Young asked more than 100 clients worldwide if they had any issues with IPE, and unsurprisingly, nearly 50% of respondents confirmed that they had encountered difficulties meeting IPE requirements during the last audit period.
In some cases, control actors even stated that they believed that the IPE requirements for detection were becoming more onerous than the effort to carry out the control itself. In order to create procedures to test the accuracy and completeness of IPE and IUC, a practitioner must understand IPE in detail. A practitioner should understand what IPE/IUC is, how IPE/IUC was generated, and how it is used to support the associated control or audit test. For example, a practitioner should understand whether the IPE/IUC was generated by the system and, if so, what the source data was and where the source data came from (from which database or system), the reporting logic used to generate the report, and the parameters used to retrieve the IPE/IUC. There is a subtle difference between the two terms, but it is important to understand the difference. For IUC, the company must have controls in place to ensure that the information is complete and accurate. For IPE, the practitioner (auditor) must perform checks to ensure that the information is complete and correct. "When using the information provided by the entity as audit evidence, the statutory auditor should assess whether the information is sufficient and appropriate for the audit by applying procedures to:" Relevant controls are those controls necessary to achieve the objectives and requirements of the audit. Some practitioners refer to the relevant controls as "key controls." An entity can have hundreds of controls.
Each control is important in its own way, with the risk it was created to mitigate, and each is important to the company's operations and financial activities. The information provided by the unit (IPE) represents all the information used by a statutory auditor to reach the conclusions on which the audit report is based, whether for the audit of internal controls or the conduct of validation procedures. When using IPE as audit evidence, the statutory auditor shall assess whether this is sufficient and appropriate for the purposes of the audit, which shall be achieved by carrying out procedures to verify the accuracy and completeness of the information or by reviewing checks on the accuracy and completeness of that information. The AICPA Attestation Standards (official standards listed below, applicable to SOC 1 and SOC 2 exams) state that the IPE and IUC procedures are a matter of professional skepticism and judgment of the practitioner conducting the audit: Indeed, the Public Company Accounting Oversight Board (PCAOB) takes a closer look at the work of external auditors, and in particular their audit procedures for IPE. External auditors are pushing this pressure at all levels, demanding more rigour from management regarding IPE when assessing SOX controls.