By: Senior Consultant, JOSH HELLER
Whether you work in a public company setting or your organization is considering the public company route, you may have been asked, “How do you get comfortable with the completeness and accuracy of this report?”
The old adage of Sarbanes-Oxley (SOX) compliance being an exercise of ‘checking the box’ has gone by the wayside. In recent years, the Public Company Accounting Oversight Board (PCAOB) has put greater emphasis on how organizations gain comfort over the completeness and accuracy of information used for financial reporting and to perform internal controls, often referred to as IPE (Information Produced by Entity). And it’s not just reports; the concept of IPE can include everything from standard reports to queries generated using business intelligence software to complex spreadsheets and end user-maintained data. In a 2020 survey performed by Ernst & Young, over 100 clients globally were asked whether they were experiencing issues with IPE and unsurprisingly, almost 50% of the respondents confirmed that they did face challenges around satisfaction of the IPE requirements in the most recent audit period. In some cases, control performers even stated that they believe IPE requirements are becoming more cumbersome to evidence than the effort to perform the control itself.
Additionally, through our own client experiences, at Clearview we have seen another common issue: organizations often struggle to recognize what data the requirements that accompany IPE apply to. The answer is actually quite simple. IPE requirements apply to any information used in financial reporting and to perform key controls. With that said, how an organization’s management team implements controls to address the IPE requirements can be rather complex.
how we can help
Clearview has a proven methodology to help organizations meet the expectations of their regulators and external auditors with regards to IPE completeness and accuracy requirements. We begin by performing a process to scope and identify all relevant items which require consideration of completeness and accuracy, and then tailor our approach to addressing each IPE requirement based on our client’s needs. Our methodology includes core activities such as:
- Inventorying key data elements that support internal controls (including reports, queries, statements from 3rd parties, complex spreadsheets/models, etc.).
- Performing discovery to understand the source of the data, how its generated and what manipulation may occur prior to being utilized for the purposes of performing key controls.
- Baselining & benchmarking procedures for applicable reports.
- Establishing end-user computing controls to address data input and function out of complex spreadsheets.
Based on the source and type of key data being used, the specific techniques used to support completeness and accuracy may vary. For example, if a key spreadsheet model utilizes data generated out of an organization’s ERP, baselining or benchmarking the underlying report may be necessary. If the data imported into that spreadsheet is heavily manipulated from source, the specific elements of the spreadsheet (pivot table, v-lookup, etc.) may have to be verified in conjunction with the review of the output to ensure completeness and accuracy.
At Clearview we work closely with our clients’ regulators and external auditors to guide management through the development of their internal controls and help ensure IPE requirements are adequately addressed and documented.
For more information, contact Clearview Group’s subject matter experts at firstname.lastname@example.org.