Pentana Software

July 2003

Pentana Software

Reviewed by Stephen F. Ryan III

Pentana (www.pentana.com) was established in the United Kingdom in 1992 and has expanded into the United States and Australia. Having evolved from the auditing and IT marketplace, its mission is to support auditors and other service organizations in their professional work through the innovative use of technology.

Product Overview

The Pentana Audit Work System is an integrated risk management and audit system that allows users to:

Establish a universe of auditable entities and perform audits against each entity;
Perform global and individual risk assessments;
Schedule audits;
Manage audit progress in terms of status, time spent, and key dates;
Assess specific risks and their matching controls;
Plan and perform audit tests; and
Record results, events, and points arising.

The application works at three distinct levels: universe, single entity, and single audit.

The universe mode is the default, from which users can navigate to other universe modules or launch an entity or audit to be worked on in isolation.

The two distinct types of risk assessment this system performs are “global risk assessment” and “individual risk assessment.”

Global risk assessments are carried out periodically on all of the entities in an audit universe and are performed with reference to a maintainable library of “global risk factors” (measures that allow users to compare the relative risk of entities within the universe). Additionally, the global risk scores for each entity can be captured and used to schedule and prioritize future audits. Individual global risks can be assigned to either auditable entities or individual audits, and assessed as required.

Individual risks can be allocated to custom “areas” and also to a library-maintainable pick-list of “categories.” Once categorized, controls can be defined to mitigate each risk. Accordingly, each control may be assessed as many times as required.

The audit scheduling module is geared for organizations that perform a pattern of cyclical audit scheduling, relating their schedule to the results of their global risk assessment. Engagements can also be scheduled on an as-needed basis.

The progress of audits can be managed in a variety of ways, including:

Audit status;
Key dates (variance between planned vs. actual dates; performance against targets; or by upcoming and overdue milestones); and
Workdays.

Each risk assessment is measured from 1 to 10 on the likelihood (L) of it occurring and the impact (I) if it does occur. The overall score is obtained by multiplying the two scores together, so that the highest overall risk score is 100.

In each assessment, both unmitigated risk scores and mitigated risk scores may be entered, the latter taking into account the effect of any mitigating controls. The resulting risk scores are then graded according to a “heat map,” whereby different score combinations give rise to different grades and colors. The heat map rules and colors are maintained at the system level.

This system also provides two main screens for audit testing:

Plan tests, allowing the user to add, edit, and delete tests; and
Perform tests, allowing the user to record test results and mark them as completed, reviewed, and approved.

The user can define audit tests so that he can confirm controls that mitigate risks or so that he can assess risks directly. The user can also design tests against audit areas in general.

Each test can have any of the following statuses: incomplete; complete; reviewed; and approved. Filtering facilities allow you to display only those tests that match your specified criteria. For example, an auditor may sign off a test as “complete” and an audit manager can then sign off on the same test as “reviewed” and “approved.”

To help users record their work, four features are available throughout the system:

Workpapers. Attach external work papers such as MS Word or Excel.
Points. Record various types of points arising, such as review points, findings to report to management, and points forward.
Events. Describe events that have occurred with respect to the current item, such as follow-up comments and changes in status.
Cross-references. Links that allow users to connect any two items together within the system.

Recommendations

Overall, this is a complete system that used properly can help one manage audits, track risks across an entity, and address these issues and act upon them either entity-by-entity or on an organization-wide basis. This product is best suited for internal audit departments. Additionally, you should remember that these systems are tools that help you to organize and record the results of your assessment, tests, and actionable points, and do not replace an auditor’s knowledge, experience, or professional judgment.

Stephen F. Ryan III, CITP, CPA, an application manager and tax integration specialist at American Express Tax & Business Services Inc., is a member of the NYSSCPA Technology Assurance Committee.

The CPA Journal is broadly recognized as an outstanding, technical-refereed publication aimed at public practitioners, management, educators, and other accounting professionals. It is edited by CPAs for CPAs. Our goal is to provide CPAs and other accounting professionals with the information and news to enable them to be successful accountants, managers, and executives in today's practice environments.

Visit the new cpajournal.com.