In an ever-evolving financial reporting and internal audit landscape with a notable reliance on IT systems, ensuring completeness and accuracy over information provided/produced by the entity (IPE) remains crucial for public companies. Testing completeness and accuracy (C&A) has come under more scrutiny and become more burdensome than ever before. Completeness over the information used by the entity asserts that all transactions and accounts that should be present are included, whereas accuracy asserts that amounts and other data relating to recorded transactions and events have been properly recorded. Through their auditing standards, the PCAOB[1] and AICPA[2] require that the completeness and accuracy of audit evidence provided by the entity be tested.
CBIZ Risk & Advisory Services has drafted a series of perspective papers to discuss these issues in more detail and help position organizations for success with regard to C&A. To begin our series, we’ll first define IPE, key reports and information used in a control (IUC); discuss relevant data elements (RDE) within these reports; differentiate the types of IPE, addressing risks and considerations for each; and consider how innovations such as modern application reporting can help address management’s risks around IPE.
IPE is data generated by the company for audit purposes, such as to determine populations for sample selection or respond to audit requests, while information used in a control (IUC) is information utilized by the company for the operation of its key controls. IPE not only encompasses IUC within its broad definition, it also includes key reports that contain relevant data elements (RDE). RDEs are financial and non-financial information that affects the operation of the control or supports a key assumption or input. RDE typically appears within key reports as column fields (e.g., AR balance for a customer).
Key reports usually fall into five categories: custom reports, canned reports, external reports, manual reports and intra-application reporting.
- Custom reports are developed for the organization’s needs by the organization itself or a third party (vendor, consultant, etc.). These reports involve unique queries of the system data. Since queries are subject to the risk of modification, it is crucial that control performers review the results of the custom report for accuracy and document the parameters used in the query to ensure the report captures the complete data set it is intended to capture.
- Standard/Canned reports are those that are already configured within the system (e.g., a balance sheet extracted from an ERP for year-end). While the time frame of the data for a canned report may be customized, the type of data presented is consistent for each run of the report. While canned reports are less editable than custom reports, the risk of relying on incomplete data exists if the system-configured reports are not fully understood by management.
- External reports are those provided by an outside source typically directly to the end user or exported from the source site/dashboard, such as equity information processed by a third party. These reports are typically covered by the Service Organization Controls (SOC) report as part of the end user reliance on the service organization for completeness and accuracy of the processing and extraction of information. In the event the specific report name is not covered by the SOC report, management should evaluate the information provided and determine the steps necessary for validation of the completeness and accuracy of the information. Approaches to validation testing and precision of reviews over completeness and accuracy will be addressed in the next issue in our series.
- Manually created and maintained reporting, such as a fixed asset listing in Excel, is commonly used within smaller organizations with less robust IT infrastructure. Manual reports relied on for financial purposes are the most difficult to validate for completeness and accuracy and pose the most risk for reporting. Some of these risks include version control, who has access to update the report, and human errors related to input and formulas.
- As ERP and other financial systems have evolved, so have their reporting capabilities, giving rise to intra-application reporting. For contemporary systems like SAP Fiori, the lines of IPE are being blurred. Applications are using tiles, modules, dashboards and other forms of live reporting within the system in place of exported reports. These new reporting methods present less risk in that they are not exported and subject to manipulation. However, they are still querying live data from the database and could be incomplete or inaccurate if not developed appropriately. As such, these types of reporting should be approached like key reports; if they are custom “developed” or otherwise modifiable, testing will need to be much more robust than for standard off-the-shelf reporting.
When relying on any form of information reporting, there are four main risks throughout the process that will impact the completeness and accuracy of the report and information: input, integrity, extraction and manipulation.
There is a risk that information input into the system or manual report is input incorrectly or incompletely. Input risk can be mitigated and reduced to an acceptable level by restricting those with the ability to make inputs and adjustments, as well as implementing review controls over inputs. For example, when a purchase order is created, a review process occurs to ensure the information was input correctly as compared to the purchase requisition.
Once information has been input in the system or manual report, there is risk for inaccurate and inappropriate computations and processing of the information, impacting the integrity of the information. For example, depreciation calculations may be automatically performed by the system. Therefore, it is important to ensure the depreciation calculation is configured to calculate accurately as expected for reliance on the information.
Another form of integrity risk relates to the transfer of information from one system to another, for example, from the ERP system to the financial reporting and consolidation system. Typically, this risk can be addressed by monitoring the feed between systems for failures or incomplete workflows.
When IPE is being generated for export from the system, there is a risk of inappropriate parameters used for the export, resulting in incomplete or irrelevant data included in the extraction. It is critical for management to review the parameters being utilized, especially if manually input, and document the parameters associated with each report, typically through a screenshot of the system.
Once data is extracted from the system, there is a risk of manipulation of the IPE, whether intentional or not. Exporting from a system to a spreadsheet, for example, can expose the company to inaccurate data if it is manually manipulated. Tracking changes, reviewing audit trails and reconciling back to the figures in the system are ways management can ensure exported data is accurate in terms of representing the system data.
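As an added illustration (not part of the original paper), the reconciliation described above can be done at the record level rather than only on totals. In this sketch the column names `customer_id` and `ar_balance` and both data sets are constructed; the export is deliberately built so that its row count and control total tie to the system while individual records do not.

```python
import csv
import io
from decimal import Decimal

# Constructed sample data: system-of-record extract vs. an edited spreadsheet export.
SYSTEM_CSV = """customer_id,ar_balance
C001,1200.00
C002,350.50
C003,0.00
C004,987.65
"""
EXPORT_CSV = """customer_id,ar_balance
C001,1210.00
C002,340.50
C004,987.65
C009,0.00
"""

def load(text, key, rde):
    """Map each record key to its relevant data element (RDE) as an exact Decimal."""
    rows = {}
    for row in csv.DictReader(io.StringIO(text)):
        k = row[key].strip()
        if k in rows:
            raise ValueError(f"duplicate key in report: {k}")
        rows[k] = Decimal(row[rde].strip())
    return rows

def reconcile(system_text, export_text, key="customer_id", rde="ar_balance"):
    """Compare an export to the system extract for completeness and accuracy."""
    sys_rows = load(system_text, key, rde)
    exp_rows = load(export_text, key, rde)
    missing = sorted(sys_rows.keys() - exp_rows.keys())      # completeness gap
    unexpected = sorted(exp_rows.keys() - sys_rows.keys())   # records not in system
    mismatched = {k: (sys_rows[k], exp_rows[k])              # accuracy differences
                  for k in sorted(sys_rows.keys() & exp_rows.keys())
                  if sys_rows[k] != exp_rows[k]}
    return {
        "row_counts": (len(sys_rows), len(exp_rows)),
        "system_total": sum(sys_rows.values(), Decimal("0")),
        "export_total": sum(exp_rows.values(), Decimal("0")),
        "missing": missing,
        "unexpected": unexpected,
        "mismatched": mismatched,
        "complete": not missing and not unexpected,
        "accurate": not mismatched,
    }

if __name__ == "__main__":
    for name, value in reconcile(SYSTEM_CSV, EXPORT_CSV).items():
        print(f"{name}: {value}")
```

Here the row counts (4 and 4) and control totals (2538.15) agree, yet the export fails both completeness and accuracy, which is why a totals-only tie-out is weaker evidence than a keyed comparison.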
In the first iteration of our series on completeness, accuracy and the information used by management and internal audit alike, we’ve defined concepts such as IPE, key reports, IUC and RDE, discussed their various forms, considered the risks associated with each and looked to innovations and steps on how management and internal audit can gain comfort over the data utilized in key controls. In our next discussion, we will address how management can effectively test the various forms of IPE for completeness and accuracy and the level of precision required for validation testing.
Authors:
Bryan Dziak, Director, Risk & Advisory Services
Ben Martin, Senior Manager, Risk & Advisory Services
Miranda Borla, Manager, Risk & Advisory Services
Megan Young, Manager, Risk & Advisory Services
[1] Public Company Accounting Oversight Board (PCAOB). (2020, December 31). Audit Evidence (AS 1105). Retrieved from https://pcaobus.org/oversight/standards/auditing-standards/details/AS1105
[2] American Institute of Certified Public Accountants (AICPA). (2006, December 15). Audit Evidence (AU-C 326). Retrieved from https://us.aicpa.org/content/dam/aicpa/research/standards/auditattest/downloadabledocuments/au-00326.pdf