IPE - techniques and best
practices for your audit
and compliance programs
Working on Internal
Controls, Audit &
Compliance
since 2003.
Lewis@seecuring.com
Seecuring supports organizations by evaluating and
assisting with audit, security and controls.
Segregation of Duties, Sensitive Access and
Patch Impact Analysis.
Provided as a service from training through to
controls evaluation.
Tailored training for: IPE, Change Management,
Management Responsibilities, Standards and
Policies.
• IPE Overview
• Establishing what is in scope for Financial
Reporting.
• Building a framework for baselining and managing
the IPE process.
• Maintaining the baseline, and evaluating changes
to sources.
• Creating a culture that embeds IPE into Business
Functions.
IPE Overview
In most, if not all, companies many SOX controls
operate around the review or use of data, that is,
information produced by the entity (IPE).
Under PCAOB auditing standards (AS 1105 on audit
evidence and AS 2201 on audits of internal control
over financial reporting), Sarbanes-Oxley (SOX)
compliance requires that the completeness and
accuracy of IPE be validated whenever that IPE is
used to perform or test a control.
Completeness
• Is all data that should have been transferred from the source to
the output document included?
• Is all relevant data included in the report?
Accuracy
• Is all relevant data included in the document correct and valid?
• Is there anything included in the document that should not be
included?
• Are the subtotals, totals, formulas, and links on a report /
spreadsheet calculated correctly?
Keywords: Complete and Accurate
IPE Risk 1: The data processed by the application from which the IPE is
produced is not complete / accurate.
IPE Risk 2: The data extracted from the application into the IPE is not as
intended or is not complete.
IPE Risk 3: Computations or categorizations performed in creation of the IPE
are not accurate.
IPE Risk 4: The data output from the application to an end-user computing tool
(EUC) such as Excel, Access, etc. is modified or lost in the transfer.
IPE Risk 5: Information added or changed using an EUC is incomplete or
inaccurate.
Different types of IPE
‘Canned’ Reports and Custom Reports.
• Canned reports should still be evaluated as part of Change
Management: a vendor upgrade can change a report even though
nobody in-house changed anything.
• Vendors frequently change the report and/or its processing
options between releases.
• Release notes for canned reports tend to be weak, so the change
often has to be detected by comparing output before and after the
upgrade rather than read about.
Different types of IPE
Controlled vs Ad-Hoc Reporting
• Controlled reports cannot be 'tampered' with by end users: the
query, parameters and output format are fixed by the application.
• Ad-hoc reports allow end users to process the report with their
own logic (filters, joins, formulas), so that logic has to be
evaluated on every run, not just once.
Different types of IPE
Parameters - report parameters can be difficult to audit,
particularly in SQL or other programmatic solutions, because the
evidence has to show which parameter values were used on each run
and that the report logic itself was not altered.
ITACs (IT application controls) over reporting constrain what
parameters and logic a user can supply.
Different types of IPE
Generation - any report should be produced in a format that is not
modifiable, or at least one that can be audited (for example a
hash of the file recorded at generation time), so that corruption
or editing after generation can be detected.
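The following is an added worked example, not code from the original deck, that puts the IPE risks above (Risks 2 to 5), the controlled vs ad-hoc distinction, the parameter concern and the generation/modification-tracking point into one runnable pipeline. It uses an in-memory SQLite table standing in for the application; the table, column and report names, the sample ledger rows and the Q1 date window are all constructed for illustration. Risk 1 (the application's own data being wrong) is assumed to be covered by ITGCs/ITACs over the source system and is not checked here.

```python
"""Added worked example (not from the original deck): completeness and accuracy
checks over a small, constructed IPE pipeline. All table, column and report
names are hypothetical."""
import csv
import hashlib
import io
import sqlite3
from decimal import Decimal

# Constructed sample ledger: (account_id, account_number, posted, amount_cents).
# Amounts are stored as integer cents so sums are exact.
SOURCE_ROWS = [
    (1, "1000", "2024-01-05", 125000),
    (2, "1000", "2024-01-20", -30000),
    (3, "2000", "2024-02-02", 9999),
    (4, "3000", "2024-02-15", 400000),
    (5, "3000", "2024-04-01", 1001),  # outside the Q1 window used below
]

# Controlled report: fixed SQL text; only the date window is a bound parameter,
# so an end user can change the period but not the logic.
REPORT_SQL = (
    "SELECT account_id, account_number, amount_cents FROM accounts "
    "WHERE posted BETWEEN ? AND ? ORDER BY account_id"
)


def build_source():
    """Stand-in for the application database (hypothetical schema)."""
    con = sqlite3.connect(":memory:")
    con.execute(
        "CREATE TABLE accounts (account_id INTEGER PRIMARY KEY, "
        "account_number TEXT, posted TEXT, amount_cents INTEGER)"
    )
    con.executemany("INSERT INTO accounts VALUES (?, ?, ?, ?)", SOURCE_ROWS)
    return con


def report_fingerprint(sql=REPORT_SQL):
    """Hash of the whitespace-normalised report definition. Record it in the
    baseline; a different value on a later run means the report logic changed
    and that change must go through change management."""
    return hashlib.sha256(" ".join(sql.split()).encode()).hexdigest()


def run_report(con, start, end):
    """Controlled report: parameters are bound by the driver, never pasted in."""
    return con.execute(REPORT_SQL, (start, end)).fetchall()


def run_adhoc(con, user_filter):
    """Ad-hoc report: the user supplies the WHERE clause as text. The logic is
    whatever they typed, so the output cannot be relied on without reviewing
    that text on every run (and the concatenation is injectable as well)."""
    return con.execute(
        f"SELECT account_id, account_number, amount_cents FROM accounts WHERE {user_filter}"
    ).fetchall()


def source_control_totals(con, start, end):
    """Independent count and sum over the same population, taken at the source
    (used to test completeness of the extract, IPE Risk 2)."""
    return con.execute(
        "SELECT COUNT(*), COALESCE(SUM(amount_cents), 0) FROM accounts "
        "WHERE posted BETWEEN ? AND ?",
        (start, end),
    ).fetchone()


def extract_to_csv(rows):
    """Render the report as the CSV that will be opened in an EUC tool and return
    (text, sha256). The hash is recorded when the extract leaves the application
    so the copy that is received can be verified (IPE Risk 4)."""
    buf = io.StringIO()
    writer = csv.writer(buf)
    writer.writerow(["account_id", "account_number", "amount"])
    for account_id, account_number, cents in rows:
        writer.writerow([account_id, account_number, f"{Decimal(cents) / 100:.2f}"])
    text = buf.getvalue()
    return text, hashlib.sha256(text.encode()).hexdigest()


def validate_euc(csv_text, expected_hash, expected_count, expected_total_cents):
    """Checks on the EUC copy: transfer integrity (Risk 4), completeness against
    source totals (Risk 2) and an independent recomputation of the total
    (Risks 3 and 5). Returns a list of findings; empty means the IPE passed."""
    findings = []
    if hashlib.sha256(csv_text.encode()).hexdigest() != expected_hash:
        findings.append("hash mismatch: extract changed after leaving the application")
    rows = list(csv.DictReader(io.StringIO(csv_text)))
    if len(rows) != expected_count:
        findings.append(f"row count {len(rows)} != source count {expected_count}")
    total = sum(int(Decimal(r["amount"]) * 100) for r in rows)
    if total != expected_total_cents:
        findings.append(f"recomputed total {total} != source total {expected_total_cents}")
    return findings


def run_ipe_cycle(tamper_cell=False):
    """One reporting cycle: take control totals at source, run the controlled
    report, export it, optionally simulate a user editing a cell in the
    spreadsheet, then verify the EUC copy."""
    con = build_source()
    start, end = "2024-01-01", "2024-03-31"
    src_count, src_total = source_control_totals(con, start, end)
    csv_text, digest = extract_to_csv(run_report(con, start, end))
    if tamper_cell:
        csv_text = csv_text.replace("4000.00", "400.00")  # a "fix" made in Excel
    return validate_euc(csv_text, digest, src_count, src_total)


if __name__ == "__main__":
    print("baseline fingerprint:", report_fingerprint())
    print("clean run findings:", run_ipe_cycle())
    print("tampered run findings:", run_ipe_cycle(tamper_cell=True))
```

The control totals are deliberately taken with a separate aggregate query rather than by summing the report's own rows, so a report that silently drops rows is caught; the fingerprint gives the baseline a value to compare on every run, which is how a vendor change to a canned report surfaces even when the release notes say nothing.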
Establishing what is in
scope for Financial
Reporting.
Simple: Anything that provides
for, or supports Financial
Reporting
The challenge:
• More and more departments are implementing applications that
don't require IT's involvement.
• Shadow IT – 6 in 10 workers admit to using unsanctioned
applications and services to share data.
• Three-quarters of IT leaders say security is their top concern
regarding SaaS sprawl. Compliance (58%), costs (57%) and shadow IT
(57%) follow as the main areas of concern, the survey
Source: https://www.ciodive.com/news/app-sprawl-saas-data-shadow-it-productiv/606872/
Could IPE have helped
prevent the Enron
scandal?
Enron’s leadership fooled regulators with fake
holdings and off-the-books accounting practices.
Enron used special purpose vehicles (SPVs), or
Could IPE have helped
prevent the Enron
scandal?
SELECT account_ID, account_number, amount FROM
accounts;
“Everyone Has a Plan
Until They Get Punched
in the Mouth.”
Mike Tyson
Mike Tyson didn’t meet a
good baseline.
A good baseline should consider:
• Why? Which control relies on the report, and what is it used for?
• Are ITGCs and ITACs applicable?
• Is the reporting method canned or custom?
• Is it ad-hoc or controlled?
• Risk ranking of the report, with justification and relevant
controls.
• The testing performed and its outcomes, with supporting evidence.
• Tracking modifications to the report, its parameters and its
source.
Example framework
IPE & Culture
“Behind every great control
is an even greater set of
habits”
IPE should be embedded into corporate
culture.
• Employees aware of new applications
and services that may be in-scope.
• Responsibilities on Departments.
• Regular/periodic reviews of IPE
processes.
• IPE mapped out for anyone to
Forward thinking – what works for
you?
Reward or Punish? If bonuses are
awarded on good corporate
performance, could IPE be tied to it?
Punish if IPE is not followed?
Need help?
Training to support your IPE and other
processes, tailored to your
organization.
Video and Documentation provided.
Fostering great culture for supporting
IPE.
Q&A
Contact
lewis@seecuring.com

Information Provided by Entity Overview.pptx