4 Steps to Achieve IPE Confidence for SOX Compliance
How comfortable are you with the system-generated data you use to make important decisions? Are you confident that the data supporting your key controls for SOX compliance has been validated appropriately, or are you experiencing challenges in your approach to Information Produced by the Entity (IPE)?
In this regulatory climate, organizations subject to or getting ready for SOX compliance are expected to put a high level of emphasis on validating the completeness and accuracy of their IPE.
Why IPE confidence for SOX compliance is important
The Public Company Accounting Oversight Board (PCAOB) is taking a closer look at the work of external auditors – and specifically at their audit procedures covering IPE. External auditors are pushing that pressure down the line, demanding more rigor around IPE from management in its assessment of SOX controls.
This increased focus makes it more important than ever to be able to demonstrate that you understand the source and reliability of the data going into your reports and spreadsheets (collectively “key reports”).
Why? Because if an audit reveals that there’s inaccurate or incomplete data supporting your controls, your organization potentially faces the consequences of disclosing a material weakness in your SEC filings.
Afterwards, you’ll be under the microscope to demonstrate the significant and costly effort it could take to remediate the issue.
It is essential to focus on developing a solid approach to IPE validation.
Four key steps to develop your approach to IPE validation for SOX compliance
- Create an IPE inventory.
- Categorize your IPE.
- Determine your IPE validation approach.
- Sustain the IPE process.
1. Create an IPE Inventory
The first step is to create an inventory by starting a list or Excel file that identifies all reports that support your key SOX controls. Then determine which attributes to track for each report.
Attributes to track in your IPE inventory:
- Report category (standard, custom or ad-hoc)
- Control number supported (how data maps to key controls)
- Data source (a specific system, application or database)
- System/tool generating IPE
- Report owner
- Report custodian
- Last change date
2. Categorize your IPE
Next, classify your reports into one of three primary categories: standard, custom or ad-hoc. This process makes it possible to develop appropriate completeness and accuracy assessment and testing procedures based on how specific reports were created.
Standard or Canned Reports: Designed by the application provider and delivered with the application package. They typically cannot be reconfigured by end users.
Custom Report: Built or configured by IT (or by a software provider at the company’s request) to meet specific needs, using the data or the functionality of the software. An example would be a SQL report that pulls data from the application database using a custom query or program.
Ad-hoc Query: The result of a more “Wild West” approach, in which an end user has access to plug in a set of parameters to generate a report. Because of the way this kind of query is created, it’s more likely to contain errors or inconsistencies requiring additional scrutiny.
3. Determine your IPE validation approach
Once you’ve sorted reports into categories, determine the validation approach for each category type and perform completeness and accuracy validation procedures.
Depending on the report category, such validation may serve as a baseline that can be relied on going forward, taking into account the effectiveness of controls over change management.
To tackle this step, look at the underlying code and parameters that capture data for the three different report types above.
What your IPE validation review may include:
- Validation approaches:
  - Obtain and evaluate programs and queries generating the reports.
  - Obtain and evaluate parameters used.
  - Sample data in resulting report.
  - Identify data sources (database, system).
- Evidence retained by management:
  - Program code and queries.
  - Screenshots of parameters used to run the report.
  - Report dates.
  - Report validation supporting documents.
4. Sustain the IPE process
It’s important to come up with an approach you can sustain going forward – which means staying on top of any changes in people, process, or systems that affect your key report inventory, and then following up with additional validation as needed.
For example, if the responsibility for generating a specific report changes hands, you need to be able to quickly reflect that change in your inventory; it is a living document that should be updated promptly as needed.
Action items that can help provide accountability throughout the IPE process:
- Assign the ultimate owner for the overall key report inventory. This person will coordinate with report owners and custodians to make sure the inventory is updated promptly for any necessary changes.
- Assign the owner and the custodian for individual key reports. The owner is responsible for the information in the report, while the custodian is the technical administrator.
- Train and communicate with report owners and custodians to make sure they understand their responsibilities.
- Establish and document a key report maintenance process. Define owner responsibilities such as providing information to the inventory owner and keeping user access and change management IT General Controls in compliance. Establish custodian responsibilities, which include making sure there are no changes to the report and that no access is granted without owner approval, as well as strictly following your change management process if changes are needed. Document the impact of any changes to the reports related to completeness and accuracy.
- Establish and document a new key report development process. Make user access, user acceptance testing and retained evidence documents subject to IT general control activities. Communicate this process with the inventory owner.
Final Thoughts on How to Ensure IPE Confidence for SOX Compliance
As companies use more and more system-generated data to support key control activities and make important management decisions, it will become increasingly important to make sure the information used is both accurate and complete.
A robust IPE validation program can offer assurance in the reliability of data supporting your key control activities and help those controls remain effective as changes occur both within your organization and in the regulatory environment.
If you have questions or need additional resources to develop your own IPE validation program, contact us! Bridgepoint’s Risk & Compliance experts can advise your management team and help you develop and assess validation approaches that will enable compliance, change management and sustainability to support your IPE-reliant controls.
By Jeanne Metz
Jeanne has managed the successful implementation of many internal audits and Sarbanes-Oxley 404 compliance projects. Her organized and efficient execution of compliance work has given her experience in analyzing, remediating deficiencies, and testing financial processes.