What is IPE in a SOC Examination?
During a SOC examination, one might hear the term “IPE” used by the service auditor. This acronym stands for “Information Provided by the Entity,” and it is an important aspect of the examination that helps to provide assurance over entity support relating to sample-based populations. This article will cover when service auditors evaluate IPE and how it can impact the examination process.
SOC 1 and SOC 2 examinations are assurance-based examination reports provided by a CPA firm that provides an opinion on internal controls over financial reporting (SOC 1) or controls within a system (SOC 2). As part of the examination, the service auditor must obtain evidence for controls to validate whether the control is properly designed (Type I) and operating effectively (Type II). According to the American Institute of Certified Public Accountants (AICPA), for assertion-based examination engagements, “when using information produced by the entity, the practitioner (service auditor) should evaluate whether the information is sufficiently reliable for the practitioner’s purposes, including, as necessary, the following: a.) Obtaining evidence about the accuracy and completeness of the information, and b.) Evaluating whether the information is sufficiently precise and detailed for the practitioner’s purposes” (AICPA, AT-C 205.36).
So, how does the service auditor evaluate whether the evidence provided is accurate or complete? For controls involving IPE, an auditor can perform a combination of tests to address the completeness, accuracy, and integrity of the data or reports. Examples of tests that can be performed are as follows:
- Examine the source of the IPE;
- Examine the parameters, query, or script used to produce the IPE;
- Match data between the IPE and the source, and/or;
- Examine the IPE for gaps in sequence or timing.
In addition to the above tests, for controls requiring management’s use of IPE, such as reviewing access listings, the service auditor can examine company procedures to evaluate the IPE source and its completeness, accuracy, and integrity.
During a SOC examination, if a service auditor cannot validate the completeness and accuracy of the IPE, they may 1) perform additional tests to gain comfort over the IPE, 2) choose not to rely on the evidence provided, or 3) try to obtain information from a different source. For example, an entity provides an employee listing in Excel that is not system generated but manually tracked, and certain controls require a sample of employees. The service auditor could perform procedures over the Excel file to validate that the report is complete and accurate. Alternatively, the service auditor could obtain the listing of employees from the company’s payroll system or another system. This could provide more accurate information about the completeness and accuracy of the employee population.
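The matching and gap tests listed above, applied to the employee-listing scenario, are shown here as an added example that is not part of the original article. The sample data is constructed, and the column names and the premise that employee IDs are issued sequentially are assumptions.

```python
import csv
import io

# Constructed sample data: payroll extract (source) and manual listing (the IPE).
PAYROLL = """employee_id,name,hire_date
1001,Ana Ruiz,2023-01-09
1002,Ben Cho,2023-02-13
1003,Cara Diaz,2023-03-06
1004,Dev Patel,2023-04-17
"""
LISTING = """employee_id,name,hire_date
1001,Ana Ruiz,2023-01-09
1002,Ben Cho,2023-02-14
1004,Dev Patel,2023-04-17
1004,Dev Patel,2023-04-17
1006,Gus Lind,2023-07-03
"""

def load(text):
    """Parse CSV text into {employee_id: fields} and collect repeated ids."""
    rows, dupes = {}, []
    for row in csv.DictReader(io.StringIO(text)):
        key = int(row["employee_id"])
        if key in rows:
            dupes.append(key)
        rows[key] = {k: v.strip() for k, v in row.items() if k != "employee_id"}
    return rows, dupes

def sequence_gaps(ids):
    """Ids absent between the lowest and highest id (assumes sequential issuance)."""
    present = set(ids)
    if not present:
        return []
    return [i for i in range(min(present), max(present) + 1) if i not in present]

def reconcile(source_text, ipe_text):
    """Compare the IPE to the source and return exceptions by test type."""
    source, _ = load(source_text)
    ipe, dupes = load(ipe_text)
    return {
        "missing_from_ipe": sorted(source.keys() - ipe.keys()),  # completeness
        "not_in_source": sorted(ipe.keys() - source.keys()),     # unsupported rows
        "field_mismatches": {k: (source[k], ipe[k])               # accuracy
                             for k in source.keys() & ipe.keys() if source[k] != ipe[k]},
        "duplicate_ids": dupes,
        "sequence_gaps": sequence_gaps(ipe),
    }

if __name__ == "__main__":
    print(reconcile(PAYROLL, LISTING))
```

Each non-empty result is an exception to follow up with the entity before sampling from the listing, not a conclusion in itself.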
As described above, IPE is an important aspect of both SOC 1 and SOC 2 examinations. In order to opine on the process or system, service auditors must become comfortable with the information provided, including its completeness and accuracy. This comfort can be obtained via additional procedures, observing information pulled directly by the entity, and other methods.
For more information, be sure to visit our System and Organization Controls (SOC) service page, and don’t hesitate to contact Dave Hammarberg, CPA, CFE, CISSP, GSEC, MCSE, CISA with further questions regarding SOC 1 reports, SOC 2 reports, and our services.
About the Author
Chris joined McKonly & Asbury in 2019 and is currently a Manager with the firm. He is a member of the firm’s System and Organization Controls (SOC) & Technology consulting practice, performing SOC 1, SOC 2, and SOC 3 engagements, as…