Information Produced by the Entity (IPE) has long been a part of SOC Examinations, yet many organizations continue to treat IPE as a downstream documentation task, assembled in response to audit requests rather than managed as part of the ongoing operation of controls.
What has changed is not the definition of IPE but examiner expectations around completeness, accuracy, and reliability. As SOC Examinations increasingly focus on how controls operate within real environments, IPE has become a primary lens through which examiners assess whether controls can be relied upon consistently, over time, and across systems.
Within this context, IPE is no longer simply supporting evidence. In many examinations, it helps determine whether a control can be tested efficiently and whether the results can be relied upon.
“If IPE is unreliable, we may be unable to place reliance on the evidence, even if the control itself appears to be properly designed and operating effectively.”
– Karen Cardillo, “The SOCial Hour – IPE Fundamentals for SOC Examinations”
Why IPE Continues to Be a SOC Focal Point
IPE encompasses the reports, system outputs, logs, spreadsheets, and dashboards organizations use to execute and evidence their controls. Auditors rely on this information to assess control design, implementation, and operating effectiveness across SOC 1 and SOC 2 engagements.
While IPE may be system-generated or routinely used by management, it does not automatically qualify as audit evidence. Auditing standards require examiners to evaluate the reliability of all information used in testing, regardless of source or format.
Examiners increasingly evaluate the following:
- How information is generated,
- Whether report logic and parameters are understood,
- If access and change controls are in place, and
- How completeness and accuracy are validated.
“Auditors need to understand the parameters used, how the report was generated, when it was pulled from the system into Excel, and whether it was manipulated from a total transaction count perspective. A good takeaway is to put yourself in the auditor’s shoes. If the evidence would raise questions about completeness and accuracy, there are opportunities to enhance that IPE.”
– Ryan Boggs, “The SOCial Hour – IPE Fundamentals for SOC Examinations”
This shift explains why some SOC delays and exceptions stem from IPE gaps rather than missing controls.
Key Themes
1. The Shift From Control Design to Evidence Quality
Most organizations invest significant effort in defining controls, aligning them to frameworks, and scoping examinations appropriately. Where many teams continue to struggle is not with the existence of controls but with their ability to demonstrate consistent operation through reliable evidence.
IPE sits at the center of this shift. Examiners are probing beyond whether a control exists and focusing instead on whether the information supporting that control is reliable.
Under auditing standards, like AICPA or PCAOB, if the information is used as a basis for the audit procedure, the auditor must obtain evidence about the completeness and accuracy of that information. If the data cannot be verified, then that might result in various other options such as expanded testing, additional evidence requests, or control exceptions in select situations.
2. IPE Is Commonly Misunderstood
IPE is often misunderstood as:
- Any report generated from a system;
- Information the auditor will identify as problematic, if necessary; and/or
- An IT deliverable.
IPE is a management responsibility that spans finance, IT, compliance, and operations. Examiners evaluate not only the information produced but also the processes used to generate it, including report logic, system parameters, manual intervention points, version control, and governance over changes.
Management is responsible for producing information that is complete and accurate. Examiners do not design report logic or define parameters on management’s behalf.
IPE‑related issues frequently surface late within the examination cycle, when opportunities to remediate are limited and timelines are compressed. Addressing IPE earlier within the SOC lifecycle supports more efficient testing and reduces the risk of delays or evidence gaps during the examination.
3. Disconnects Between Documentation & Day-to-Day Use
Another consistent theme is the disconnect between how IPE is documented and how it’s used in practice.
Common examples include the following:
- Reports used operationally that differ from those provided for audit,
- Manual steps performed outside documented procedures,
- Changes to report logic that are not tracked or communicated, and
- Assumptions about completeness or accuracy that are not validated.
Examiners are increasingly probing these gaps, particularly in situations in which IPE supports key automated or hybrid controls.
Peer Insight: What Teams Are Asking & Prioritizing
Questions raised during the session and attendee engagement revealed that organizations are actively prioritizing the following:
- Clarifying which reports truly qualify as IPE versus operational reference data,
- Determining when validation procedures are sufficient versus excessive,
- Understanding how much documentation is “enough” without overengineering, and
- Aligning internal ownership before the examination begins.
These discussions reflect a broader shift away from one-time SOC readiness toward ongoing IPE maturity.
What Strong IPE Support Looks Like in Practice
Organizations with smoother SOC Examinations tend to:
- Clearly identify IPE tied to key controls,
- Understand and document report logic and data sources,
- Apply consistent completeness and accuracy validation,
- Assign ownership for both generation and review, and
- Treat IPE as part of ongoing operations, not simply audit preparation.
“Reliable IPE is best supported by a strong system and automated controls. IT General Controls, change management, alerts, and access controls help provide assurance that report logic and data cannot be altered without proper authorization, increasing auditor confidence that IPE is consistent, repeatable, and trustworthy.”
– Karen Cardillo, “The SOCial Hour – IPE Fundamentals for SOC Examinations”
Where Teams Tend to Over- or Under-Engineer
- Over-engineering: Creating extensive documentation for low-risk IPE that does not materially support control conclusions.
- Under-engineering: Relying on informal knowledge or undocumented assumptions for IPE tied to critical controls.
Finding the right balance requires stepping back to assess risk, reliance, and examiner expectations. SOC and HITRUST® professionals at Forvis Mazars can help teams evaluate IPE design decisions before examination pressures arise.
Signals It May Be Time to Reassess Readiness
Certain warning signs suggest that, while controls may be operating as intended, the audit trail supporting them is incomplete or unclear. Common indicators include the following:
- Repeated audit follow-ups tied to the same reports,
- Late-cycle requests for alternative evidence,
- Unclear ownership for key SOC evidence, and
- Difficulty explaining how reports are generated or validated.
These signals often point to an IPE readiness issue rather than an examination issue.
How Forvis Mazars Can Help
If you are evaluating whether your current IPE approach would stand up in a SOC Examination, a focused discussion can help clarify readiness, validate assumptions, and identify practical next steps.
Our SOC and HITRUST professionals regularly help organizations think through IPE expectations within the context of their specific environments and examination goals. Connect with our professionals today to ask your questions and learn more.