4 steps to achieving “IPE” confidence for SOX Compliance
How comfortable are you with the system-generated data you use to make important decisions? Are you confident that data fully supports your key controls for Sarbanes-Oxley (SOX) compliance, or are you experiencing challenges in your approach to “IPE”?
We started asking questions and found that while our clients generally agreed on the definition of Information Produced by the Entity (IPE), there were different ideas about how to ensure that information is accurate and complete. Here’s one thing we can all agree on: in this regulatory climate, organizations subject to or getting ready for SOX compliance are expected to put a high level of emphasis on validating the completeness and accuracy of their IPE.
That’s because the Public Company Accounting Oversight Board (PCAOB) is taking a closer look at the work of external auditors – and specifically at their audit procedures covering IPE. External auditors are pushing that pressure down the line, demanding more rigor around IPE from management in its assessment of SOX controls. This increased focus makes it more important than ever to be able to demonstrate that you understand the source and reliability of the data going into your reports and spreadsheets (collectively “key reports”).
Why? Because if an audit reveals that there’s inaccurate or incomplete data supporting your controls, your organization potentially faces the consequences of disclosing a material weakness in your SEC filings. Afterwards, you’ll be under the microscope to demonstrate the significant and costly effort it could take to remediate the issue.
We have been working with our clients to develop and implement a work stream within their SOX compliance program, designed to inventory their data, map it to key controls and validate its completeness and accuracy in a timely manner.
This approach enables management to take ownership of IPE quality by understanding exactly how the underlying data supports and benefits their control activities. It also provides a sustainable process to manage the ongoing reliability of that data and impacted controls, as well as improving adherence to COSO 2013 framework principles.
Here are four key steps that can help you develop your approach.
Create an IPE Inventory
The first step is to create an inventory by starting a list or Excel file that identifies all reports that support your key SOX controls. Then determine which attributes to track for each report. These may include:
- Report category (standard, custom or ad-hoc)
- Control number supported (how data maps to key controls)
- Data source (a specific system, application or database)
- System/tool generating IPE
- Report owner
- Report custodian
- Last change date
Categorize your IPE
Next, classify your reports into one of three primary categories: standard, custom or ad-hoc. This process makes it possible to develop appropriate completeness and accuracy assessment and testing procedures based on how specific reports were created.
- A standard or canned report is designed by the application provider and comes with the application package. It typically cannot be reconfigured by end users.
- A custom report is built or configured by IT (or by a software provider at the company’s request) to meet specific needs, using the data or the functionality of the software. An example would be a SQL report that pulls data from the application database using a custom query or program.
- An ad-hoc query is the result of a more “Wild West” approach, in which an end user has access to plug in a set of parameters to generate a report. Because of the way this kind of query is created, it’s more likely to contain errors or inconsistencies requiring additional scrutiny.
Determine your validation approach
Once you’ve sorted reports into categories, determine the validation approach for each category type and perform completeness and accuracy validation procedures. Such validation may serve as a “baseline”, depending on the report category, that can be prospectively leveraged with consideration to the effectiveness of controls over change management.
To tackle this step, look at the underlying code and parameters that capture data for the three different report types above. Your review may include:
- Obtain and evaluate programs/queries generating the reports
- Obtain and evaluate parameters used
- Sample data in resulting report
- Identify data sources (database, system)
Evidence retained by management
- Program code/queries
- Screen shots of parameters used to run the report
- Report dates
- Report validation supporting documents
Sustain the IPE process
It’s important to come up with an approach you can sustain going forward – which means staying on top of any changes in people, process, or systems that affect your key report inventory, and then following up with additional validation as needed. For example, if the responsibility for generating a specific report changes hands, you need to be able to quickly reflect that change in your inventory; it is a living document that should be updated promptly as needed.
Here are a few action items that can help provide accountability throughout your process.
- Assign the ultimate owner for the overall key report inventory. This person will coordinate with report owners and custodians to make sure the inventory is updated promptly for any necessary changes.
- Assign the owner and the custodian for individual key reports. The owner is responsible for the information in the report, while the custodian is the technical administrator.
- Train and communicate with report owners and custodians to make sure they understand their responsibilities.
- Establish and document a key report maintenance process. Define owner responsibilities such as providing information to the inventory owner and keeping user access and change management IT General Controls in compliance. Establish custodian responsibilities, which include making sure there are no changes to the report and that no access is granted without owner approval, as well as strictly following your change management process if changes are needed. Document the impact of any changes to the reports related to completeness and accuracy.
- Establish and document a new key report development process. Make user access, user acceptance testing and retained evidence documents subject to IT general control activities. Communicate this process with the inventory owner.
Build up your comfort level
As companies use more and more system-generated data to support key control activities and make important management decisions, it will become increasingly important to make sure the information used is both accurate and complete. A robust IPE validation program can offer assurance in the reliability of data supporting your key control activities and help those controls remain effective as changes occur both within your organization and in the regulatory environment.
If you have questions or need additional resources to develop your own IPE validation program, contact us! Bridgepoint’s Risk & Compliance experts can advise your management team and help you develop and assess validation approaches that will enable compliance, change management and sustainability to support your IPE-reliant controls.