|
The Pentana Audit Work System is an integrated software suite
designed by Pentana to help GRC professionals manage a wide
range of audit, risk and compliance operations.
|
Supporting your process and methodology
|
|
PAWS supports Audit, Risk Management and Compliance processes without forcing its users
to a particular methodology or workflow.
For illustration purposes, however, the software suite is explained using the
approach illustrated above.
Around the world, successful GRC professionals in a variety
of industries including banking, government, energy, healthcare, manufacturing,
and regulatory authorities rely on PAWS to deliver results in
their day-to-day activities.
|
PAWS illustrated
|
Auditable Entities (usually processes or departments) are
defined in PAWS with attributes such as name, type, location, manager, etc.
The Navigator efficiently helps the user to divide the organisation into groups.
Any entity attribute can be used in the navigator.
|
|
All attribute names can be changed via the Aliases, to tune PAWS to the
organisation's terminology. Additional tooltips help the
user fill in the correct information. Most attributes can be configured to use
free-text fields, user-defined fixed pick-lists or combo boxes.
|
|
The RCM (Risk and Control Matrix) can be fully configured up to 10 by 10 levels.
The numeric scores per cell can be defined manually or calculated automatically, while the names for the
levels can be changed (e.g. "Very High").
The colours can also be modified by the administrator.
|
PAWS supports two types of assessments:
- High-level or Strategic Risk Assessments
- Entity or Audit Control & Risk Assessments
Both types can be performed as:
- Self-assessments by business users (e.g. managers)
- Assessments by auditors, risk managers or compliance officers
|
|
Strategic Risks are general risks applicable to any entity
(e.g. size, budget, stability). Auditors or Risk Managers can score each of these factors.
Combined with a weighting factor the scores result in an overall score.
|
|
Scoring the strategic risks can be done via web-based
multiple-choice questionnaires which the audit team assigns to
the business users. As such, department managers can answer the
questions and add optional comments.
|
|
As part of an audit, the auditor can score the entity's specific risks and
controls. Controls are scored via pre-defined values set up in the RCM
(e.g. "satisfactory", "inadequate").
Risks are scored as Inherent Risks (i.e. before controls) and
Residual Risks (i.e. after controls).
|
|
If set up, business users can also score the entity-specific risks
& controls for their processes or departments via the web interface.
This self-assessment can be part of the risk management policy or SOX compliance.
|
Based on the Strategic Risk Scores entities can be compared to each other.
Furthermore, the relative scores can assist auditors in setting priorities
and annual audit planning.
|
|
The risk heat map lists all defined entity risks in the inherent risk matrix
and residual risk matrix. Both Navigators help the risk manager
to focus on certain entities or risks. The drill-down feature will
display the appropriate risks when any of the cells in the matrices is selected.
|
|
The Risks by Colour heatmap makes it easy to compare parts of the organisation
based on the entity-specific risks.
Based on the navigators, the risks are grouped per entity attribute
(e.g. type, country, manager) or per risk attribute (e.g. financial, HR, PR).
|
|
A view of risks over time can include the inherent and residual risk scores,
from both the Internal Audit perspective and the business (self-assessment) view.
|
The audit manager schedules audits on the entities.
PAWS will suggest when to perform audits, based on the strategic risk scores.
The high-level planning informs the audit manager when resource problems might occur
or when additional work could be scheduled.
|
Not all audits or projects are planned beforehand. Based on certain developments
(e.g. mergers, high-risk projects, suspicions of fraud), audits or missions can be added
directly to the entity.
|
The scope of the audit is basically defined by the
objectives, risks and controls added to the audit.
These can be inherited from the parent entity, pulled in from the library, or manually
added in the audit.
|
|
The audit work plan is retrieved from the library which may contain plans
for different types of audit (e.g. SOX, Risk review, Financial review, Fraud investigation).
This approach ensures efficient planning and
a consistent audit approach across the organisation and its auditors.
|
|
Each step or test in the work plan may include default work papers
(e.g. test procedures, photographs, templates).
One of the three default templates is the announcement letter.
All relevant information is automatically retrieved
from the database and copied into the document; ready for sending to the auditee.
|
|
Tests, if available in the library, are automatically added to the audit work plan.
The auditors work their way through the tests, evaluating them and adding details along the way.
All steps and tests should be reviewed and approved.
|
|
When tests fail to meet the standards, auditors may add findings
to document what exactly went wrong and to follow-up later.
Any electronic document (e.g. spreadsheets, text documents, PDF files)
can be added as proof or backup material.
|
|
The audit file in PAWS can be complete and completely paperless.
Any document can be added, including scanned invoices, delivery notes, MS Outlook emails, etc.
|
|
As part of the audit, the auditor will score the controls and risks.
Special icons highlight the presence of work papers, findings, review points, cross references
or events.
|
|
Optionally, PAWS can send out a web-based satisfaction survey.
This enables the auditee to comment on the execution of the audit itself
in terms of professionalism, validity of the findings and recommendations, etc.
|
The auditors can document recommendations and actions, based on the findings.
Responses from auditees can be added by the auditor (e.g. after a review meeting).
|
|
Alternatively, the auditee can be informed of the finding and recommendation via email.
Then, the auditee can respond (e.g. agree or disagree) and provide further
comments via the web interface.
|
|
Similarly, the auditee can add action updates through the web interface.
All actions and updates are stored in the database, relieving the auditor
of having to piece together a consistent overview from a collection of emails, spreadsheets and
remembered conversations.
|
|
At the universe level, the action tracker provides a flexible
and interactive overview of all actions (open, closed, overdue, etc).
Appropriate actions can be selected and follow-up emails sent out to the action
owners.
|
|
An alternative way of reporting actions is by means of one of the work paper templates.
These templates are added to the audit (or entity) and retrieve the most recent information
from the database.
|
The audit report is another default MS Word template which
retrieves the audit information from the database to efficiently produce
an audit report consistent across the organisation and time.
|
|
Before an audit can be signed off, PAWS will verify all Quality Assurance requirements.
Some examples:
- Steps and tests must be completed, reviewed and approved
- Risks and controls must be scored
- Review points must be cleared
|
|
After the audit, the auditors have a very well-founded view on the situation.
As such, it may be logical to update the risk and controls of the entity with the
scores attributed during the audit.
This update step is, however, optional.
|
Libraries are the core of PAWS in terms of efficiency and standardisation.
The risks and controls library contains risks, controls and tests relevant
to the organisation.
Although these libraries are maintained by the audit team, some can be added as a starting point
(COSO, COBIT).
|
|
The work plan library contains all standard steps for all types of missions.
Steps can be flagged as normal, default or mandatory, while work papers
(report templates, guidelines, best practices) help the auditors to carry out their tasks.
|
|
The report library contains pre-defined reports as well as reports
created by the audit team or PAWS administrator. These reports provide an easy
way to retrieve data from the database.
|
An MS SQL database supports the PAWS application.
The most efficient way to retrieve data is by defining a report using the
Report Designer. Alternatives are templates or other reporting tools.
|
There are basically four types of reports available through PAWS:
- Static Reports
- MS Office templates
- Interactive reports
- Dashboards
|
|
Static reports can be defined by authorised users with the report designer.
All operational data can be reported on using these reports which can be exported to several
formats (PDF, CSV, XLS, HTML, RTF, TEXT, TIFF).
|
|
MS Office Templates are documents that retrieve data from the PAWS database in order
to complete the report.
PAWS includes three such templates
(announcement letter, audit report, and action status report), though others (see illustration)
can be built to requirements.
|
|
PAWS provides several interactive reports with filter and drill-down features.
Most of these screens have been illustrated above (action tracker,
risk heat map, risks by colour, risks over time).
Others include key date analysis, controls by rating,
and questionnaire management.
|
|
Dashboards are ideal for those users wishing a more visual
overview of the underlying data.
The visual characteristics can be changed by the users, while
the underlying data is shown by clicking on the bars or slices in the chart.
|
PAWS Demonstrations
The Pentana Audit Work System offers many more
functionalities, which we would gladly demonstrate. Please
contact us to schedule a live demonstration.
> Contact Sepia Solutions for a PAWS demonstration.
|