Understanding and Managing Information Produced by the Entity in Audits

The world is becoming increasingly data-dependent. With organizations relying on data to drive key decisions and deliver accurate insights, maintaining data integrity is of paramount importance. In the audit world, data and reports utilized by management as part of their operations and financial reporting processes are often referred to as information produced by the entity (IPE), and they are a critical component of management’s considerations when identifying and evaluating risks.

Because of its important role, IPE must be reliable, meaning it is complete and accurate for its intended purposes. To achieve that, it’s imperative that companies have procedures and controls in place to validate IPE’s integrity. Without adequate internal controls, IPE may contain inaccurate and/or incomplete information, potentially leading to management and auditors spending additional time, effort, and resources.


IPE Types and Related Risks

Before identifying relevant controls over IPE, it’s important to understand the different types and related risks. While IPE can be composed of various types of information and classified in a variety of ways, there are three categories of IPE that are particularly relevant to key reports generated from an entity’s processes and information systems:

  • Manually prepared: This type of report includes manually prepared documents (often spreadsheets, schedules, etc.). The manual IPE may or may not be created from other reports or system outputs that have been modified or aggregated into a single report. An example may be a tax provision in a spreadsheet that has been prepared using other reports and information, such as the trial balance, account subledgers, and external sources for tax rates. The manual nature of preparing the tax provision and creating or updating any formulas within it introduces additional risk. Management should consider risks related to who in the organization may have access to modify the tax provision, the formulas within the report, or any of the underlying upstream data used to create it.
  • Pre-programmed: Often referred to as “standard” or “canned” reports, this type of IPE generally includes reports that come pre-programmed within a system, such as those generated by third-party software as a service (SaaS) applications, or those that are programmed in the back-end code of the system. An example may be an accounts payable aging report that shows the age of invoices based on the invoice dates entered into the system.

    Along with traditional IT risks, such as managing changes, access, and IT operations, which are often addressed by IT general controls around the systems that support the generation of this type of IPE, there are specific risks to consider as well. These include, but are not limited to:

    • The proper setup of parameters (e.g., buckets for aging)
    • The inclusion of appropriate data in the report (e.g., is the report pulling the right information from the right data sources?)
    • System logic programming (e.g., are any functions such as netting or consolidation being performed?)
    • Extraction of the report from the system (e.g., is it automatically generated and posted to a shared drive, or does a user need to input parameters to generate it?)
  • Custom or query-based: This type of ad hoc report may be generated by a user performing a specific query, selection of report criteria, or by using report-writer design tools. Potential risks for custom or query-based reports are similar to those in the pre-programmed category, but given that they may not have the same standard programming and repeatability as a pre-programmed report, organizations should give additional consideration as to how and where the data is queried from. They should also review who may have access to the data and queries while extracting the information. Similar to pre-programmed reports, IT general controls and access to the IPE after it is extracted are important considerations.

Evaluating IPE for Risks

An effective strategy for any organization is often for management to have a full understanding of their inventory of IPE as it relates to financial reporting and those processes that support it. Starting with the risk assessment, management should perform appropriate procedures to ensure completeness and accuracy of information used in the operation of relevant controls. Organizations should also be diligent in identifying specific criteria (including the type of IPE used, sources of information used in the IPE, and the parameters and/or logic used to generate it) to help define relevant risks. It is also important to consider other items that can have a potential impact on the reliability of IPE, such as risks around access to and modification of specific reports.

After identifying relevant risks, management should design and implement processes and controls to mitigate the risks over the completeness and accuracy of IPE. Verifying completeness means validating that no data has been omitted from a report, which, for example, may be accomplished by validating that the parameters or query code haven’t excluded relevant data and that it falls within the correct data range. Tracing internal or external data from its source to the report is another, more manual method of validating the completeness of the IPE, for use in the event IT general controls may not be effective.

Management should also verify the accuracy of the IPE, which entails making sure that data points are accurate and consistent with originating transaction data, calculations are correct, etc. As with a completeness test, management can trace data from the report to the system to verify its accuracy and can also recalculate data and formulas to replicate results.

For both completeness and accuracy tests, management may want to consider any automation built into the process. Reports and IPE can be automatically generated from applications and data can be automatically fed from upstream systems. As such, it is important that management considers IT risks and controls in relation to the completeness and accuracy of the IPE.

In an integrated audit where management is assessing the effectiveness of internal control over financial reporting, management is required to test the operating effectiveness of those relevant controls over IPE to validate completeness and accuracy. 


IT General Controls and Considerations

Maintaining the integrity of IPE is an ongoing process, and rapid developments in technology have highlighted the need for effective IT general controls. Advanced tools, artificial intelligence, robotic process automation (RPA), and other evolving technologies can lead to additional risks related to data reliability. It’s imperative for management to assess how IT general controls support the continued operation of systems used to generate IPE, and to understand the impact of any identified control deficiencies affecting IPE, including:

  • Evaluating risks posed by control deficiencies and how they may impact IPE generated out of the system, and designing procedures to address those risks
  • Assessing potential compensating controls and whether they are designed to mitigate risks related to the completeness and accuracy of the impacted IPE, despite the identified deficiency

While advancements in technology present new challenges to data integrity, they have the potential to help maintain it as well. For example, automated data validation checks can compare data between IPE and the source system, RPA can help reduce manual intervention, and AI can help with completeness and accuracy checks. These tools, combined with an effective IT general controls environment, can help organizations maintain reliable IPE.
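The completeness and accuracy tests described under "Evaluating IPE for Risks", written as the kind of automated validation check mentioned above, applied to the accounts payable aging example. This is an added example, not code from the original article; the record layout, invoice IDs, amounts, bucket boundaries and function names are constructed for illustration, and every source invoice is assumed to be open as of the report date.

```python
from datetime import date
from decimal import Decimal

# Constructed sample data: source-system invoices and the extracted aging report.
SOURCE = [
    {"id": "INV-001", "date": date(2024, 1, 10), "amount": Decimal("1200.00")},
    {"id": "INV-002", "date": date(2024, 2, 20), "amount": Decimal("450.50")},
    {"id": "INV-003", "date": date(2024, 3, 25), "amount": Decimal("980.00")},
    {"id": "INV-004", "date": date(2024, 3, 30), "amount": Decimal("75.25")},
]
REPORT = [
    {"id": "INV-001", "amount": Decimal("1200.00"), "bucket": "61-90"},
    {"id": "INV-002", "amount": Decimal("405.50"), "bucket": "31-60"},
    {"id": "INV-003", "amount": Decimal("980.00"), "bucket": "31-60"},
]
AS_OF = date(2024, 3, 31)
BUCKETS = [(0, 30, "0-30"), (31, 60, "31-60"), (61, 90, "61-90")]  # older: "90+"

def bucket_for(invoice_date, as_of, buckets):
    """Recalculate the aging bucket from the invoice date and report parameters."""
    age = (as_of - invoice_date).days
    if age < 0:
        return "out-of-period"  # dated after the report date, should not be aged
    for low, high, label in buckets:
        if low <= age <= high:
            return label
    return "90+"

def completeness_exceptions(source, report, as_of):
    """Trace source to report (omissions) and report to source (unsupported rows)."""
    in_scope = {r["id"] for r in source if r["date"] <= as_of}
    reported = {r["id"] for r in report}
    return {"missing_from_report": sorted(in_scope - reported),
            "not_in_source": sorted(reported - in_scope)}

def accuracy_exceptions(source, report, as_of, buckets):
    """Compare each report row to its source record; returns (id, field, expected, reported)."""
    by_id = {r["id"]: r for r in source}
    out = []
    for row in report:
        src = by_id.get(row["id"])
        if src is None:
            continue  # already raised as a completeness exception
        if row["amount"] != src["amount"]:
            out.append((row["id"], "amount", str(src["amount"]), str(row["amount"])))
        expected = bucket_for(src["date"], as_of, buckets)
        if row["bucket"] != expected:
            out.append((row["id"], "bucket", expected, row["bucket"]))
    return out
```

On the constructed data, the completeness test flags the omitted invoice INV-004, and the accuracy test flags a transposed amount on INV-002 and a wrong aging bucket on INV-003.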


Looking Ahead

IPE will continue to evolve, and strong risk assessments coupled with an understanding of when IPE is utilized will help management to evolve with it. One thing that won’t change is the critical need for management to identify and evaluate risks associated with IPE, and to design controls that address risks related to its reliability. 

Learn how BDO can help your organization address IPE risks and implement controls to help safeguard its reliability.