What is IPE?
IPE is any information created by a company that is used as audit evidence, whether to support internal controls or as part of a substantive audit.
This includes reports, spreadsheets, and other documents generated by the company's systems or manually.
Examples:
- Financial Reports
- Inventory and Asset Listing
- Legal Records
- Contracts
Why is IPE important?
- Audit Evidence
- Foundation for the Audit Process
- Assists in Risk Assessment
- Effective Control Testing
Types of IPE
System-Generated Reports:
These are reports automatically produced by the entity's IT systems.
- Aged accounts receivable report
- Fixed asset depreciation report
- Trial balance
- Inventory valuation report
- Past Due Report
- NPA Report
System-Extracted Data:
This is raw data pulled directly from a system, often in Excel, CSV, or text format, without added formatting or summarization.
- General ledger export
- Journal entry listings
- Sales transaction logs
- Time-stamped user access logs
Manual or User-Developed Information:
This type is manually created by employees or developed using tools like Excel, Access, or even scripts/macros.
- Spreadsheets for revenue recognition schedules
- Manually calculated accruals
- Custom budget vs. actual analysis
- Pivot table summaries
Categorization of IPE Based on Audit Use
Used in Substantive Testing
Used in Control Testing (IT or Manual Controls)
Used for Risk Assessment & Planning
Used for Walkthroughs & Understanding of Processes
Used for Analytical Procedures
IPE Used in Control Testing
Overview
Information used by the control operator to perform the control. includes any information that is relied on by the control operator to effectively execute the control.
E.g.
A credit limit exception report is used by the control operator to evaluate customers with outstanding balances greater than their approved credit limit.
As such, the credit limit exception report is relied on by the control operator in performing the control.
Specific Data Elements
A data element is a unit or type of data included within a piece of information. Data elements include both financial and nonfinancial data used in a calculation, selection or other manipulation of the information.
If the information used in the control has more than one data element, management identifies each of the specific data elements that are used in the control (RDEs) and evaluates whether those RDEs are sufficiently relevant and reliable.
Reliability
Reliability |
= |
Complete |
+ |
Accurate |
This means that such information contains:
• all the data that is necessary;
• only the data that is necessary; and
• data that is correct.
Relevance
Relevance is the relationship between the information and the objective of the control where the information is used. Information is sufficiently relevant when it has a logical connection or relationship with the objective of the planned control and is precise and detailed enough to meet the objective of the planned control.
For example, when performing a process control activity over the recoverability of accounts receivable monthly, the information used should be at a sufficiently detailed level (e.g. the customer or transaction level) and for the appropriate period.
Data Risk
Input Risk
1. Data is incompletely or inaccurately entered into the IT system or not properly converted from its original source to electronic form.
2. Data arising from hard-copy source documents or electronic data interface (EDI) may be compromised before input.
| Data Element | Control Attributes |
|---|---|
| Interest Rate | Agreed to the Term Sheet or Agreement - Input risk addressed by checking the RDE with source document. |
| Collateral Amount | Agreed to the recent valuation report / stock statement - Input risk addressed by checking the RDE with source document |
Integrity risks
1. Data is inappropriately altered during processing.
2. Data is inappropriately altered while in storage.
3. Data does not accurately transfer from one system to another.
4. Data is not valid.
| Data Element | Control Attributes |
|---|---|
| Days Past Due (DPD) | Testing IT Automated control (ITAC) over DPD by testing system logic for DPD computation. Integrity risk addressed by testing the ITAC over DPD computation. |
| Depreciation | Testing IT Automated control (ITAC) by testing system logic for depreciation calculation. Integrity risk addressed by testing the ITAC over DPD computation. |
Extraction and manipulation risks
1. The information does not contain all data when extracted.
2. The information does not contain all data when extracted.
3. The manipulation of data used to produce the information is incorrect or inaccurate.
Extraction risk may differ basis the nature of report
1. One Click Report
2.Parameter Driven Report
3.Query Driven Report
4.Report provided by Service Organization
The risk over data manipulation will vary based on where the data is extracted to and if there is intentional manipulation after extraction. Most information has some risk of manipulation after extraction.
Control activities over manipulation risk can be a combination of:
• process control activities to check that the logic is functioning as intended;
• use of validation software tools that systematically check formulas or macros (e.g. spreadsheet integrity tools); and
• use of access restrictions (e.g. password-protected server locations with restricted access and version controls).
Summary
| Data Risk | How data risk is addressed |
|---|---|
| Input |
1. Controls over input of Loan amount, maturity date, interest rate etc. 2. Controls over recording collection |
| Integrity |
1. ITAC over closing balance calculation 2. ITAC over DPD calculation 3. ITAC over data interfaces from one system to another 4. GITC over various IT application used which process these RDE |
| Extraction |
1. Control over the extraction of report by matching the total loan outstanding number with the system. 2. Control over testing the RDEs as extracted in the report with the system on sample basis. |
| Manipulation |
1. Review control over the accuracy of manipulations/modifications done. 2. Review the accuracy of formulae 3. User access controls over the spreadsheets. |
