Reviewed by Stephen F. Ryan III
Pentana (www.pentana.com) was established in the United Kingdom in 1992 and has expanded into the United States and Australia. Having evolved from the auditing and IT marketplace, its mission is to support auditors and other service organizations in their professional work through the innovative use of technology.
The Pentana Audit Work System is an integrated risk management and audit system that allows users to:
The application works at three distinct levels: universe, single entity, and single audit.
The universe mode is the default, from which users can navigate to other universe modules or launch an entity or audit to be worked on in isolation.
The two distinct types of risk assessment this system performs are “global risk assessment” and “individual risk assessment.”
Global risk assessments are carried out periodically on all of the entities in an audit universe and are performed with reference to a maintainable library of “global risk factors” (measures that allow users to compare the relative risk of entities within the universe). Additionally, the global risk scores for each entity can be captured and used to schedule and prioritize future audits. Individual global risks can be assigned to either auditable entities or individual audits, and assessed as required.
Individual risks can be allocated to custom “areas” and also to a library-maintainable pick-list of “categories.” Once categorized, controls can be defined to mitigate each risk. Accordingly, each control may be assessed as many times as required.
The audit scheduling module is geared for organizations that perform a pattern of cyclical audit scheduling, relating their schedule to the results of their global risk assessment. Engagements can also be scheduled on an as-needed basis.
The progress of audits can be managed in a variety of ways, including:
In each risk assessment, the risk is scored from 1 to 10 on the likelihood (L) of its occurring and on the impact (I) if it does occur. The overall score is obtained by multiplying the two scores together, so that the highest overall risk score is 100.
In each assessment, both unmitigated risk scores and mitigated risk scores may be entered, the latter taking into account the effect of any mitigating controls. The resulting risk scores are then graded according to a “heat map,” whereby different score combinations give rise to different grades and colors. The heat map rules and colors are maintained at the system level.
This system also provides two main screens for audit testing:
The user can define audit tests either to confirm the controls that mitigate risks or to assess risks directly. The user can also design tests against audit areas in general.
Each test can have any of the following statuses: incomplete, complete, reviewed, and approved. For example, an auditor may sign off a test as “complete” and an audit manager can then sign off on the same test as “reviewed” and “approved.” Filtering facilities allow you to display only those tests that match your specified criteria.
To help users record their work, four features are available throughout the system:
Overall, this is a complete system that, used properly, can help one manage audits, track risks across an entity, and address and act upon these issues either entity-by-entity or on an organization-wide basis. This product is best suited for internal audit departments. Additionally, you should remember that these systems are tools that help you to organize and record the results of your assessments, tests, and actionable points, and do not replace an auditor’s knowledge, experience, or professional judgment.
©2006 The CPA Journal.