Information Used in a Control (IUC)

Information Produced by the Entity (IPE)

LATCO Webcast
October 18, 2018
Today’s Presenters

Horacio Bernal
NPPD Argentina

Michelle Donahue
U.S. Audit & Assurance Services Managing Director

Zak Fullerton
U.S. Audit & Assurance Services Manager

© 2018 Deloitte Touche Tohmatsu. All rights reserved. 2

Information Used in a Control
(IUC)

© 2018 Deloitte Touche Tohmatsu. All rights reserved. 3

Common IUC Observations

“Failed to sufficiently test the design and operating

effectiveness of the aspect of the control that
addressed the accuracy of the incident date and claim
payment date attributes included in the loss run
reports used in the performance of other controls.”

“Failed to perform sufficient procedures to test the

design and operating effectiveness of controls over
the valuation and presentation and disclosure of
investments in government securities, as the
engagement team failed to (1) identify and test
controls over the accuracy of the comparison
spreadsheet and the accuracy and completeness of
“Failed to directly test both the automated the IUC…”
application controls responsible for transferring
and organizing claims data attributes throughout
the various systems described above and the
automated SAS script controls responsible for
producing the claims lag triangles, or otherwise
test the accuracy of a sufficient sample of claims
data attributes included in the claims lag
triangles.”

© 2018 Deloitte Touche Tohmatsu. All rights reserved. 4

Key Theme

Identification and
appropriate testing of
controls that address the
accuracy and
completeness of relevant
IUC

© 2018 Deloitte Touche Tohmatsu. All rights reserved. 5

Information Used in a Control
Illustrative Question

Resources, Guidance and Leading Practices

Illustrative Question
PCAOB ISA

Has information used in the control been • Internal Control Guide, • DTTL Internal Control Guide
appropriately identified? Have controls Chapter 10 Testing Controls - ISA, Chapter 7
that address the completeness and that Address the Accuracy Information Used in a
accuracy of IUC been identified and and Completeness of Control
tested? Information Used in a • Control Activity
Relevant Control Understanding Template
• Form 4120CRE, Control (EMS linked testing
Testing Template – Control template)
With a Review Element –
PCAOB

© 2018 Deloitte Touche Tohmatsu. All rights reserved. 6

Information Used in a Control

1. Identify the information used by a

relevant control that address a relevant
risk(s) of material misstatement (RoMMs)

2. Determine which aspects of the

information is relevant to the effectiveness
of the relevant control

3. Understand how the information is

produced

Consider:
• The source data
• The report logic (extraction &
calculations)
• User entered parameters

Identify and test the controls that

address the accuracy and
completeness of the information
© 2018 Deloitte Touche Tohmatsu. All rights reserved. 7
IUC-Focused Management Review Control Guiding Principles

Guiding principle 2: Management review controls relating to an estimate or

of the accounting for an infrequent transaction or event are typically designed
to address a risk of material misstatement in combination with the controls
over the relevant information that the estimate or accounting for the
infrequent transaction or event is based upon.

Guiding principle 3: Management review controls using system-

generated reports typically rely on the underlying IT systems and
therefore the controls over the generation of the report also need to be
identified and tested, including reports obtained from service
organizations.

Guiding principle 4: Management review controls that use a non-system-

generated report (e.g., Excel) which consists of data extracted from IT systems
typically rely on the extraction and preparation of the report and therefore the
controls over the generation of the report also need to be identified and tested.

© 2018 Deloitte Touche Tohmatsu. All rights reserved. 8

Information Used in a Control
How the IUC is Generated – System Generated Report

EXAMPLES:

Deloitte Guidance Q&A IC 10-6, “Illustrative Example — System Generated Report ”

Deloitte Guidance Q&A IC 10-11, “Illustrative Example — Identifying the Controls Over the Source Data
Used to Generate a Report (User-Entered Parameters)”
Deloitte Guidance Q&A IC 10-12, “Illustrative Example — System Report Generated from Packaged
Software”
Deloitte Guidance Q&A IC 9-4, “Illustrative Example — Review of Budget to Actual”

© 2018 Deloitte Touche Tohmatsu. All rights reserved. 9

Information Used in a Control
How the IUC is Generated – Non-System Generated Report

EXAMPLES:

Deloitte Guidance Q&A IC 10-7, "Illustrative Example — Non-System-Generated Report — Query Subject
to GITCs"
Deloitte Guidance Q&A IC 10-8:"Illustrative Example — Non-System-Generated Report – Query Not
Subject to GITCs"
Deloitte Guidance Q&A IC 10-10, "Illustrative Example — Non-System-Generated Report Checked by the
User"

© 2018 Deloitte Touche Tohmatsu. All rights reserved. 10

Information Used in a Control
Documentation Considerations

Our documentation would generally address:

• The name of the reports that represents IUC

• A description of how the report is generated
• An understanding of how and when the report is used
• The controls over the source data, parameters and report logic that were
identified and tested
• Any significant findings or issues identified, the conclusions reached and any
significant judgments made in reaching those conclusions

We may document these considerations in the Form 4120S/4120SR/4120CRE for the

control that uses the IUC.

© 2018 Deloitte Touche Tohmatsu. All rights reserved. 11

Information Produced by the
Entity (IPE)

© 2018 Deloitte Touche Tohmatsu. All rights reserved. 12

Information Produced by the Entity
Illustrative Question

Resources, Guidance and Leading Practices

Illustrative Question
PCAOB ISA

Is testing of IPE used in either tests of • Information Produced by • How to Evaluate

detail or substantive analytical procedures the Entity Guide, Chapter Information Produced by
performed? When testing controls that 3: Testing the Accuracy and the Entity (IPE) - ISA
address the accuracy and completeness Completeness of IPE That • Information Produced by
of IPE, specifically general IT controls, We Use When Performing the Entity Practice Aid – ISA
have all three testing aspects of IPE (i.e., Substantive Procedures
source data, report logic, parameters) • Information Produced by
been addressed? the Entity Guide, Chapter
4: Testing the Accuracy and
Completeness of IPE That
We Use When Performing
Tests of Operating
Effectiveness of Relevant
Controls

© 2018 Deloitte Touche Tohmatsu. All rights reserved. 13

Information Produced by the Entity
Types of IPE Relevant in an Audit

IPE that is Audit Evidence and Relevant to the Audit:

Types of IPE

IPE we use as IPE we use as audit

audit evidence IPE we use when
evidence when
when performing performing tests of
performing risk
substantive operating effectiveness
assessment
procedures of relevant controls
procedures

© 2018 Deloitte Touche Tohmatsu. All rights reserved. 14

Information Produced by the Entity
Sample Size Considerations

• Each time we use IPE in a substantive test is an “instance” – we test the IPE each time
we use it.
• The number of items we select to test for each instance of IPE is based on auditor
judgment considering the nature of the IPE.

Consider using “The IPE Practical Decision Trees” to obtain an overview of our audit
approach for addressing the accuracy and completeness of IPE.

© 2018 Deloitte Touche Tohmatsu. All rights reserved. 15

Information Produced by the Entity
Documentation Considerations

Our documentation would generally address:

• Our understanding of the nature of the IPE

• Whether our other audit procedures for the account balance, class of
transaction, or disclosure – control or substantive - address the accuracy
and/or completeness or certain attributes of the IPE
• When additional testing is needed, the planned nature and extent of
procedures
• The results of those procedures and evidence obtained
• Any significant findings or issues identified, the conclusions reached and any
significant judgments made in reaching those conclusions

Documenting IPE is a matter of professional judgment

The amount of documentation varies with the significance of the judgment

Consider using “The IPE Practical Decision Trees” to obtain an overview of our audit
approach for addressing the accuracy and completeness of IPE.

© 2018 Deloitte Touche Tohmatsu. All rights reserved. 16

Key Takeaways and Resources

© 2018 Deloitte Touche Tohmatsu. All rights reserved. 17

Key Takeaways

What can we suggest to

engagement teams?

Identify other controls that the

Identify all information used in a
management review control is
relevant control, particularly for
dependent upon, including automated
management review controls
controls

Sufficiently test the design & OE of

controls that address the accuracy
Test all variants of automated controls
and completeness of the relevant
information

© 2018 Deloitte Touche Tohmatsu. All rights reserved. 18

Key Takeaways (cont.)

IUC
 Properly identify the relevant IUC (i.e., the inputs to a review control)
 Sufficiently understand and document how the IUC is generated
 For system generated reports, test the relevant GITCs and one instance of the report
logic for each variant (if GITCs are effective)
 For non-system generated reports (e.g., excel spreadsheets), identify and test the
controls that check the reliability of the data/report
 Properly document our considerations and testing evidence (e.g., in the Form
4120S/4120SR/4120CRE)
IPE
 Properly identify all relevant IPE
 Understand the nature of the IPE, the objective of the substantive audit procedure in
which the IPE will be used, and how the IPE will be used in the procedure to determine
the testing approach
 Properly document the use of professional judgment when determining the
appropriate sample size if directly testing the IPE

© 2018 Deloitte Touche Tohmatsu. All rights reserved. 19

Resources

Internal Control Guide, Chapter 10: Testing Controls that Address the Accuracy and Completeness of
Information Used in a Relevant Control

Information Produced by the Entity Guide, Chapter 4: Plan and Perform Tests of IPE that we use When
Performing Tests of Operating Effectiveness of Relevant Controls

Information Produced by the Entity Guide, Chapter 5: Plan and Perform Procedures that Address
the Accuracy and Completeness of IPE that the Entity’s Controls are Dependent Upon

Information Produced by the Entity Guide, Appendix B: Illustrative Testing Approaches for IPE
Used in Testing Controls

Internal Control Q&A’s - IC 10-1 through 10-12

Reviewer Considerations for Testing Automated Controls – Practice Aid

Internal Control - ISA, Chapter 7 Information Used in a Control

© 2018 Deloitte Touche Tohmatsu. All rights reserved. 20

Resources (cont.)

Information Produced by the Entity Guide, Chapter 3:

Testing the Accuracy and Completeness of IPE That
We Use When Performing Substantive Procedures

How to Evaluate Information Produced by the

Entity (IPE) - ISA

Information Produced by the Entity Practice Aid - ISA

© 2018 Deloitte Touche Tohmatsu. All rights reserved. 21

Questions?

© 2016 Deloitte Touche Tohmatsu. All rights reserved. Presentation title 22

[To edit, click View > Slide Master > Slide master1]