SOC 2 Readiness for SaaS Starts With Scalable Evidence

SOC 2 SaaS IPE: Document, assign ownership, and enable audit-ready evidence routines.

When technology teams talk about SOC 2 Readiness, the conversation often starts with controls. Controls are the mechanism for reducing risk and meeting the Trust Services Criteria, the control criteria established by the AICPA. Yet in practice, SOC Examinations frequently hinge on something more basic: whether the organization can produce information that auditors can rely on to evaluate what the controls actually did.

That information has a name: Information Produced by the Entity (IPE). IPE includes reports, listings, logs, dashboards, screenshots, and data extracts generated by systems. It’s commonly used as evidence in SOC Examination testing, where its accuracy and completeness are critical. Since it’s often created outside the audit process, it can be easy to underestimate how much weight it carries once the process starts.

When Does IPE Commonly Become a Bottleneck?

SOC Examinations rely heavily on information produced by management rather than direct observation by the auditor. Auditors evaluate whether controls operated as described by inspecting system outputs, activity logs, and populations used to perform reviews. Even when controls are properly designed and executed, unreliable IPE can undermine audit conclusions. If auditors cannot rely on the information, then they may need to expand testing, request additional evidence, or conclude that controls did not operate as expected.

For software-as-a-service (SaaS) and technology companies, that pressure often collides with three common realities:

  • Modern systems are interconnected. Evidence may be produced by multiple tools, pipelines, and integrations. If the “system of record” is unclear, audit questions increase.
  • Change is constant. Report logic and configurations can drift as teams update their systems. Without periodic review, what used to be accurate may not remain accurate over time.
  • Manual work creeps in. Exports, spreadsheets, and ad hoc filters may be used to get a job done quickly. However, manual manipulation can reduce auditor reliance unless the process is controlled and well-documented.

Why Doesn’t “System-Generated” Always Mean “Audit-Ready”?

In a SOC 2 Examination, “system-generated” doesn’t automatically mean “audit-ready.” Auditing standards require auditors to evaluate the reliability of the information used in testing, regardless of source or format. Auditors look at how the information is generated, including the systems involved, report logic, and parameters, along with any manual intervention.

Reliability is typically looked at through two lenses:

  • Accuracy – Does the report correctly reflect underlying system activity and data?
  • Completeness – Does the population include all relevant users, transactions, or events within scope?

If those questions cannot be addressed efficiently, follow‑ups, rework, and timeline pressure may increase.

What Does “Good” Look Like & Where Does IPE Fit?

A scalable SOC 2 program treats IPE as integral to control evidence, not as an after‑the‑fact audit deliverable. Three building blocks typically help technology organizations reduce reactive work.

1) Create an IPE map tied to your control narrative

Start by listing each SOC control and the IPE used to support it. For example:

  • Logical access reviews rely on user listings and privileged access populations;
  • Change management controls rely on change populations from the right system layer;
  • Monitoring controls rely on alerts, logs, and investigation documentation; and
  • Incident response relies on incident logs and evidence of response actions.

The aim is clarity: what you expect the IPE to show, where it comes from, and why it aligns to the control.

2) Add lightweight reliability steps: accuracy and completeness checks

You do not need a heavy framework to make IPE more reliable. SOC & HITRUST® professionals at Forvis Mazars suggest practical methods, such as the following:

Controls supporting accuracy

  • Validate report logic, filters, calculations, and system queries used to generate the information;
  • Reconcile report outputs to reliable source data to confirm that outputs reflect underlying activity; and
  • Periodically review reports, especially after system or configuration changes.

Controls supporting completeness

  • Reconcile record counts to expected totals to avoid omissions;
  • Validate date ranges and parameters to capture the full review period; and
  • Confirm inclusion of relevant account types, including privileged, service, and system accounts.

These steps can be faster to complete proactively than to rework during an examination.
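The accuracy and completeness checks listed above can be scripted so they run every time a listing is pulled, and the output doubles as the documentation of source, parameters and tie-out that the next section calls for. The following Python is an added example, not code from the article or from Forvis Mazars. The two CSV exports, the column names, the account types and the review period are all constructed for illustration; the checks themselves (record-count tie-out by key, required account types present, report parameters covering the review period, field-level reconciliation to the system of record) are the ones the text describes.

```python
"""Lightweight IPE accuracy and completeness checks over a user-listing export."""
from __future__ import annotations

import csv
import hashlib
import io
from dataclasses import dataclass, field
from datetime import date

# Constructed sample data (invented for this example; not from any real system).
# REPORT_CSV is the listing as the control owner exported it from the identity
# provider.  SOURCE_CSV is an independent pull from the system of record used
# as the tie-out baseline.  The report deliberately omits two accounts and
# carries a wrong last_login for bob so the checks have something to surface.
REPORT_CSV = """user,account_type,status,last_login
alice,human,active,2024-03-02
bob,human,active,2023-12-11
svc-backup,service,active,2024-03-01
root,system,active,2024-03-05
"""

SOURCE_CSV = """user,account_type,status,last_login
alice,human,active,2024-03-02
bob,human,active,2024-02-11
carol,human,active,2024-01-20
svc-backup,service,active,2024-03-01
root,system,active,2024-03-05
deploy-bot,service,active,2024-02-28
"""

# Account types the review population must contain; service and system
# accounts are the ones most often dropped by a default "employees" filter.
REQUIRED_ACCOUNT_TYPES = {"human", "service", "system"}


@dataclass
class IpeCheckResult:
    report_sha256: str  # fingerprint of the exact file the review used
    report_count: int
    source_count: int
    missing_from_report: list[str] = field(default_factory=list)
    extra_in_report: list[str] = field(default_factory=list)
    field_mismatches: list[tuple[str, str, str, str]] = field(default_factory=list)
    missing_account_types: set[str] = field(default_factory=set)
    period_covered: bool = True

    def passed(self) -> bool:
        """True only when every accuracy and completeness check is clean."""
        population_clean = not (self.missing_from_report or self.extra_in_report
                                or self.field_mismatches or self.missing_account_types)
        return population_clean and self.period_covered


def parse_listing(text: str) -> dict[str, dict[str, str]]:
    """Parse a CSV export into {user: row}; 'user' is the reconciliation key."""
    return {row["user"]: row for row in csv.DictReader(io.StringIO(text))}


def run_ipe_checks(report_csv: str, source_csv: str,
                   report_period: tuple[str, str],
                   review_period: tuple[str, str]) -> IpeCheckResult:
    """Apply the accuracy and completeness checks to one report.

    report_period is the date range the report was actually run with;
    review_period is the range the control is supposed to cover.  Both are
    ISO-8601 strings so they can be copied straight from the owner's notes.
    """
    report = parse_listing(report_csv)
    source = parse_listing(source_csv)
    result = IpeCheckResult(
        report_sha256=hashlib.sha256(report_csv.encode("utf-8")).hexdigest(),
        report_count=len(report),
        source_count=len(source),
    )

    # Completeness: record-count tie-out, reported as the specific keys that
    # differ rather than a bare count so the owner can explain each one.
    result.missing_from_report = sorted(set(source) - set(report))
    result.extra_in_report = sorted(set(report) - set(source))

    # Completeness: every in-scope account type must appear in the population.
    present_types = {row["account_type"] for row in report.values()}
    result.missing_account_types = REQUIRED_ACCOUNT_TYPES - present_types

    # Completeness: the parameters used must cover the whole review period.
    rp_start, rp_end = (date.fromisoformat(d) for d in report_period)
    rv_start, rv_end = (date.fromisoformat(d) for d in review_period)
    result.period_covered = rp_start <= rv_start and rp_end >= rv_end

    # Accuracy: field-by-field reconciliation for rows present in both.
    for user in sorted(set(report) & set(source)):
        for column, source_value in source[user].items():
            report_value = report[user].get(column, "")
            if report_value != source_value:
                result.field_mismatches.append((user, column, report_value, source_value))
    return result


if __name__ == "__main__":
    outcome = run_ipe_checks(REPORT_CSV, SOURCE_CSV,
                             report_period=("2024-01-01", "2024-03-31"),
                             review_period=("2024-01-01", "2024-03-31"))
    print(f"report sha256: {outcome.report_sha256}")
    print(f"records: report={outcome.report_count} source={outcome.source_count}")
    print(f"missing from report: {outcome.missing_from_report}")
    print(f"field mismatches: {outcome.field_mismatches}")
    print(f"passed: {outcome.passed()}")
```

Run against the constructed data, the script flags the two accounts missing from the export and bob's mismatched last login while the account-type and period checks pass, so `passed()` is false; run with the source listing on both sides it is clean. Keeping the SHA-256 of the exact file alongside the result lets the owner show an auditor that the checks were run on the same artifact the review used, which is the repeatability point the ITGC section below makes.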

3) Tie IPE reliability to ITGCs where it matters most

IT General Controls (ITGCs) provide assurance that report logic and underlying data cannot be altered without authorization. Strong access and change management controls increase auditor confidence that IPE is consistent and repeatable. Weak ITGCs can lead auditors to increase testing or reduce reliance on IPE even when the report appears sound.

For technology teams, this is often the “hidden accelerator.” When ITGCs align, evidence discussions can be smooth.

Where Does IPE Tend to Break Down in Practice?

Within SaaS environments, issues with IPE can arise from manual spreadsheet filtering, unclear report logic, and gaps in ownership. Manual filtering may be appropriate, but it should be documented, including what was filtered, why it was necessary, and how completeness was maintained. Report logic should be easy to explain, with clear parameters, sources, and retrieval steps for key outputs. Clear ownership also matters, and assigning an appropriate owner for each critical IPE source can help support reliable evidence over time.

SaaS IPE Top Considerations

  • Consider building a one-page IPE map for your top SOC 2 controls and assign owners;
  • For the top five IPE items, document source, parameters, and retrieval steps, plus a simple record count tie-out;
  • Identify where manual filtering or manipulation occurs and replace it with controlled system outputs when possible; and
  • Align IPE controls with access and change management to support repeatability.

How Forvis Mazars Can Help

SOC 2 Readiness is about being able to support that the evidence your organization produces can be relied upon, consistently, period over period. As discussed during a recent webinar, “The SOCial Hour: IPE Fundamentals for SOC Examinations,” IPE should be integrated into control execution throughout the year, rather than assembled in response to audit requests. When IPE is treated as foundational, SOC work can be more predictable, less reactive, and easier to scale.

If you’d like assistance translating your SOC 2 controls into an IPE map and audit-ready evidence routines, SOC & HITRUST professionals at Forvis Mazars are ready to help. Connect with our professionals today to ask your questions and get started on seamless SOC Reporting and market differentiation.
