What is IPE (Information Produced by Entity) in SOC 2?

What Is IPE?

IPE stands for Information Produced by Entity. It's any data your organization creates or exports that an auditor uses as audit evidence. When you pull a user list from your admin panel, export AWS IAM policies, or generate a log report — that output is IPE.

The key concern: auditors need to trust that your data is accurate. They can't just accept a spreadsheet at face value.

Examples of IPE

IPE Type	Example	What Auditors Check
User access list	Export of all users from Google Workspace	Is the list complete? Does it match the actual system?
Configuration export	AWS security group rules as JSON	Was this exported from the real environment?
Log data	Authentication logs showing MFA usage	Are the logs tamper-proof? Do they cover the full period?
Custom reports	Dashboard export showing access review completion	How was this report generated? Is the data reliable?

How Auditors Validate IPE

Auditors don't just accept your exports. They verify IPE through:

1. Completeness testing: Comparing your exported user list against a sample check in the actual system
2. Accuracy testing: Spot-checking a few entries against the source system
3. Source verification: Confirming the data came from the actual production system (not a test environment)

Why This Matters for Startups

IPE validation is where many startups get tripped up. You export a user list, but the auditor finds two accounts missing from the export. Or you provide a log report, but the auditor questions whether the reporting tool captures all events.

Best practices:

• Use direct screenshots of admin consoles alongside CSV exports
• Show the auditor the system the data came from (live or screenshot)
• Ensure exports include timestamps and are from production environments
• Use tools that generate evidence with built-in traceability

Screenata addresses IPE concerns by capturing evidence directly from your systems with timestamps, screenshots, and metadata that auditors can independently verify.