When I recently called out the outdated term Information Produced by the Entity (IPE) on LinkedIn, the post lit up. Clearly, SOX and Internal Audit professionals are fed up. So let’s dig into why the IPE mindset needs to shift, a real-world scenario that triggered chaos and how smart control design and smarter Information management can fix it:

The Real Issue: What “Information” Really Means in Controls

Before diving in, let’s establish two fundamental truths about Information used in the operation of a control:

1. Every manual control has a control operator responsible for performing the control.

2. Most manual controls involve a review of someone else’s work (a preparer’s) and require Information to perform the review.

Assuming the preparer used complete and accurate data? That’s a fail. Control operators need to demonstrate reliability of the Information. And often, the battleground for that proof is... Excel.

Case in Point: The Monthly Allowance for Credit Losses

Consider a common scenario -the Allowance for Credit Losses. In this example, a Company has a large uniform customer base, with extensive history. Their process follows a straightforward approach:

- A monthly Allowance is determined using the month-end aging report.

- Aging bucket reserve percentages are applied, which are re-evaluated twice per year by the controller.

Their April Allowance calculation looks like this:

‍

‍

‍

‍

‍

‍

‍

‍

‍

What Happened: From Routine Review to SOX Panic

Early May: The senior accountant performed the process activities. The accounting manager (the control operator) reviewed, added a few notes. Simple. Done. Moved on.

September: The auditors selected the April Allowance for control testing. That’s when chaos hit. Since IPE is a hot-button issue (often tied to deficiencies and PCAOB inspection failures), panic set in over the April testing. Suddenly, in September everyone was:

- Pulling raw data from the system.

- Rebuilding the report in Excel.

- Ticking, tying, footing, cross-footing, pivoting, debating… exhausting.

- Worst of all—wasting everyone’s time.

After all that? The conclusion was: "The numbers are right—so the control passes. We’ll need to do the same thing for the October version.”

Wait, what?! Let’s fix it.

As we go through this, let’s clarify two key points. First, when I refer to "Information" (capital I) I mean Information used in the operation of a control. Everything else falls under "information" (lowercase i). Second, in our Allowance example, the Control Operator didn’t actually use any Information to perform the control (yes - you read that correctly — all they did was review data within the spreadsheet). This is the exact type of misunderstanding that causes inefficiency in SOX testing.

Fix #1: Define Roles. Seriously.

One reason for the September chaos? Fuzzy roles. Let’s compare what each party should do vs. what actually happened:

Guidance from Leadership (COSO Principle 12)

Ensure control operators understand control design and documentation requirements through policies & procedures.

In our example: No guidance was provided on control design related to Information.

Control Operator (COSO Principle 10)

Design, perform, and document controls in a way that mitigates risk.

In our example: The control was too vague on how to handle Information.

Tester (COSO Principles 16 & 17)

Evaluate controls and deficiencies based on whether risks are mitigated.

In our example: Focused on IPE validation rather than risk & controls assessment.

Key Takeaway: Internal controls fall apart when roles aren’t clearly defined. Clear accountability = fewer audit headaches.

Fix #2: Design Controls That Don’t Confuse

The real issue? Poor control design. To eliminate confusion, let's break down exactly what the control operator is responsible for and what Information could be used to perform the control activities.

Control activity: Check accuracy of calculations in the Allowance data file.

Information needed: None. This step is purely a math check. 

Control activity: Compare total receivables by aging bucket to the AR Aging System Report.

Information needed: AR Aging System Report (PDF). Its reliability risks are mitigated by IT controls.

Control activity: Compare % uncollectible by aging bucket to the Uncollectible % data file.

Information needed: Uncollectible % Data File (Excel). Its reliability risks are mitigated by separate control activities (semi-annual controller review).

Key Takeaway: Break control steps apart. Know when Information matters and when it doesn’t.

Fix #3: Be Smarter about Information

Information varies by: Format (Excel, PDF), Extraction method (system-generated vs. user-generated), Customization level (canned reports vs. modified ones), Tools used (ERP, SQL, Report Writer). Most teams are so buried in spreadsheets, they lose sight of the big picture. Knowing your Information will enable you to appropriately design controls.

A Real CFO’s Aha Moment

A CFO approached me with concerns about material weaknesses tied to Information used in controls. He believed his company had 50+ reports used as Information in month-end controls. After reframing what Information actually is, he realized:

- The real number was closer to 30.

- 20 of those reports came directly from the ERP, containing report numbers, parameters, and totals—all available in PDF format.

- The remaining 10 were mixed—but manageable.

My Fix: Create a Centralized Report Repository

Store system reports (Information) in a shared folder.

Use system-generated PDFs where possible.

Have a low-cost resource run, annotate, and store the other reports.

Train control operators to validate against this repository.

The CFO’s response? “You’re saying this tiny process can eliminate my audit chaos?”

Me: - “Yes.”

The key takeaway is that Organized Information = saved time, fewer headaches.

Final Thought:

Stop Testing for Testing’s Sake. The term IPE has led to years of wasted effort. Instead of asking: "Is this data complete and accurate?" We should be asking: "Do we have controls that mitigate completeness and accuracy risks?" We then stop spinning our wheels and focus on what truly matters.

It’s time to retire IPE for good.

______________________________________

How has IPE tripped up your team? Jump into the conversation in the DataSnipper Community.

Follow Ryan Godbey, CPA and DataSnipper on LinkedIn for practical insights on controls, compliance, and finance tech.