Documenting the audit universe with Pentana

Pentana - Universe Mapping
Pentana - Universe Mapping

The audit or GRC universe

This particular page illustrates how the audit or GRC universe is modelled in Pentana:

Staff and contacts users


Pentana - Staff
Pentana – Staff

Staff users are typically the main users of the software application such as the auditors, compliance officers and risk managers.

The administrators configure the accounts for the staff and can include parameters such as name, initials, email, phone, etc. as well as several fields related to access and permissions.

The View on the screen can also expose links to assigned entities, audits and time sheets.


Pentana - Contacts
Pentana – Contacts

Contacts are typically people from “the business” (auditees, managers, action owners, etc.) which are documented in Pentana and optionally linked to elements such as incidents, findings or actions. The administrators or key users can manage all parameters for these business users including the usual such as name, initials, and contact details.

Contact users could (if so configured) interact with the system via email, two-way templates, the web interface or even the full software interface. When contact users are to interact directly, their access and permissions need to be properly configured (of course).


Departments / locations

Pentana - Entities
Pentana – Entities

Entities typically represent parts of the organisation such as departments or locations and are organised in a ragged hierarchy of “OrgUnits” (compare to files organised in folders on a drive).

Entities make up one dimension of the two-dimensional universe and are “mapped” to Processes (the second dimension).

Many analysis and reporting screens such as Risk Exposure, Control Coverage, Risk Matrix, and Control Matrix use the information (i.e. risk and control assessments) stored at entity level.


Library of processes

Pentana - Processes
Pentana – Processes

Processes make up the second dimension of the two-dimensional universe and are the key to linked components such as Objectives, Risks, Controls and Tests.

The combination of entity-process is also crucial to map elements such as Audit Scope, Incident Scope, Key Issues, Planning Risks, Problems, Findings, and Actions.

Entity-process mapping

Pentana - Universe Mapping
Pentana – Universe Mapping

Bringing the two dimensions of the universe together, the administrators or key users basically “map” which Processes actually occur within which Entities. This tells the Pentana software “what” happens “where“.

The administrators can use additional parameters for each cross section (EntityProcess) such as Fixed Audit Frequency, Budget Effort, Owner (staff), Business Owner (contact) and Comments.



Pentana - Milestones
Pentana – Milestones

The Milestones are used to store the key dates within an Audit (project) which are documented and reported against using the planned and actual dates.

The key users define the Milestones in the library (per type of audit). These Milestones are automatically brought into the audit when the audit is created.

The Milestones can be used to report against in various ways; one of which is the Home screen tile showing upcoming or overdue milestones; another way is to report the variance between planned and actual dates.

Steps Library

Pentana - Audit methodology
Pentana – Audit methodology

This library typically reflects the audit manual and comes to contain a series of audit phases and steps. These Phases and Steps can be linked to the Audit Type (but not to any particular process) so that when such an Audit is created only the appropriate Steps are retrieved from the library.

Parameters such as Ref, Title, Description and Guidance are typically stored in these components.

The Guidance field in particular is a field in which the knowledge of experienced auditors can be stored, documenting not only the “what” but also the “how” or other tricks of the trade that may help their colleagues.

Objectives, Risks, Controls & Tests Library

Pentana - Objectives, Risks, Controls, and Tests library
Pentana – Objectives, Risks, Controls, and Tests library

The Risks, Controls & Tests library actually starts the structure with Objectives linked to specific Processes (and optionally sub processes).

Multiple Risks can be attached to each Objective. The same one-to-many link is used for the child elements (Risks, Controls and Tests).

An implementation of Pentana comes with a COSO based library by default as example ORCT library.

We can tell you so much more!

Sepia Solutions specialises in this software and has a proven track record of successful implementations. This website documents just the tip of the iceberg. Invite us for an on-site presentation for a more interactive demonstration of the Pentana software. We can discuss your organisation, department and objectives to come to a tailored implementation plan.
No costs, no obligations, only additional insights.

    Fill out this form to request an on-site presentation/demonstration.