Here we illustrate how Ideagen Pentana can support the Internal Audit function in performing audits, focusing on:
- Audit methodology
- Announcement letter
- Offline working
- Fieldwork and documentation
- Findings & problems
- Remedial actions
- Automated audit report
- Quality assurance
Overview of audits
The Audits screen lists all the Audits or similar projects stored in Pentana and provides the easiest way to create new ones.
While Entities model parts of the organisation that are relatively stable over time, Audits are projects that start and end, so over time several audits will cover the same scope (EntityProcesses) again.
The Audit becomes a container for many other components such as Steps, Objectives, Risks, Controls, Tests, Attachments, Findings, Actions, etc.
Audit details (fields / parameters)
By default, there are approximately 30 properties (fields, or parameters) that can be stored against the Audit record. These include Ref, Name, Type, Description, Purpose, Scope, Manager, Lead auditor, Rating, Conclusion, etc.
Fields such as description, purpose and conclusion are “Rich Text Fields” that can store a nearly unlimited amount of text. This text can be formatted much as in MS Word. In fact, text copied from MS Word keeps its formatting and layout when pasted into Pentana.
Typically, a large part of the audit methodology (audit manual) is captured in the Audit Steps.
Key users configure the Phases and Steps for each Audit Type in the library, and when the auditors start work on the audit, these are automatically added to the audit.
Where appropriate, standard attachments (e.g. an MS Word template to record the opening meeting notes) are also retrieved and added.
When a Step has been carried out, the auditor may document something in the Comments field, add Notes or attach documents before marking the step as Completed.
The announcement letter template can be stored as an Attachment to a Step, or as a special file (“Audit Deliverable”) to be signed off. This can be the template already in use by the audit department.
However, Sepia Solutions can tailor that MS Word or MS Excel template to auto-populate with information stored in Pentana. This results in extremely efficient creation of standard documents and reports.
In the illustration, the template is visible on the left, while the populated document is shown on the right. The PDF versions of the illustrations are available for the more inquisitive readers.
Auditors can check out one or more Audits (or parts thereof) to continue working while offline.
During the check out, they select what information they wish to take with them as Read Only, and which parts they wish to Check Out (edit). To prevent potential update conflicts, no other user can update checked out components.
The auditor can subsequently work on the offline data and can Check-In or Synchronise the data once reconnected to the office network (possibly via VPN).
A truly magnificent and unique feature is to export multiple Audits in their entirety as one big ZIP file. The generated ZIP file not only includes the audits, steps, assessments, findings, attachments, etc. but also the entire Pentana software package!
This is a perfect way to provide the complete audit in all its glory, including links, comments, review notes, etc. to third parties such as the external auditor or supervisory organisation.
You can also use an export like that during presentations or training sessions, illustrating the power of Pentana without risking changes to the audit data.
Fieldwork and documentation
Executing fieldwork tests
The actual audit work or fieldwork is handled in the Audit Execution screen and is structured as ORCT (Objectives, Risks, Controls and Tests). This structure makes it easy to consider the various aspects of the Process in question and logically leads to “how” the auditor can verify the effectiveness of the internal controls.
In the illustration, the Test (“Verify the goods received document”) fails as this document is not in use by HR. The auditor sets the Test Result to failed and adds comments justifying that choice.
Based on the (possibly numerous) Tests, the auditor can make an informed evaluation of the Controls.
By setting the levels for Design and Operation on the Control Assessment, the effectiveness is calculated based on the pre-defined matrix. Ideally, the auditor also justifies the assessment values.
Attachments can be added to any of the ORCT components to further document the underlying reason for the documented evaluation.
Based on the previously assessed Controls, the auditor can make an informed Risk Assessment.
Risk Assessments are based on Likelihood and Impact (also based on a pre-defined matrix) for both the Inherent and the Residual risk.
To a large extent, such an assessment is based on professional judgement; therefore the auditor is advised to justify the assessment in the text field.
Fieldwork overview and results
Each user can define Views to display the data the way they prefer, or key users can prepare useful Views for the team.
This way, all results and evaluations can be easily displayed in one overview, helping the auditor formulate optional comments against the Objective, document Findings, or draft the Audit Conclusion.
Also note that ORCT components can be marked as “Out of Scope” if they are not relevant. Obviously, the related work then does not have to be performed or signed off.
Findings & problems
The auditor can document Findings linked to the reviewed Process, or an individual Objective, Risk, Control or Test.
A Finding includes fields such as Ref, Title, Description and Recommendation as well as Severity, Category, Cause and Effect.
There are also fields available to capture the auditee’s response to the Finding, which is typically captured later in the audit process.
Pentana also provides a means to consolidate various Findings into one or more Problems. Multiple Problems may refer to the same Finding while each Problem can be linked to multiple Actions.
This is one way to document the overarching issues uncovered during the audit.
These Problems could be included at the beginning of the audit report as part of the executive summary, referring to the individual Findings, which are included later in that same report.
Findings (and optionally Problems) typically result in one or more documented remedial Actions for the auditee to implement.
One Finding can lead to multiple Actions with different deadlines and assigned to different action owners.
The Actions include properties such as Ref, Title, Description, Due date (deadline), Owner and Priority.
These Actions are typically discussed with (if not suggested by) the auditee and followed up as part of the audit approach, although not typically during the audit.
Automated audit reports
Auto-populated audit report
The draft and final Audit Report templates can be stored as Attachments to Steps, or as “Audit Deliverable” to be signed off. This could be the template already in use by the audit department.
Ideally though, Sepia Solutions would tailor your MS Word or MS Excel template so that the report is populated automatically with information stored in Pentana. This results in extremely efficient creation of standard documents and reports.
In the illustration, the template is partially visible on the left, with the populated document on the right. The PDF versions of this example are available for the more inquisitive readers.
The auditor proceeds with the fieldwork and signs off components (e.g. tests) along the way. Ideally, the lead auditor or manager reviews the work before generating the draft audit report.
If necessary, the reviewer documents a Point. These Points have a life cycle and also have to be approved before the audit can be marked as completed. The Owner or recipient of such a review Point can see it appear in a Home screen tile.
Optionally, Sepia Solutions can develop an email rule to automatically send an alert informing the Owner of the Point.
Pentana acts as gatekeeper, in that it will not allow the Audit to be marked as “Completed” until the relevant underlying components (Phases, Steps, Risks, Controls, Tests, Findings, Points, etc.) have been marked as “Approved”.
The illustration, taken from training materials developed by Sepia Solutions, visualises this verification with the green icons on the cell borders of the schematic overview. The illustration also highlights which components of an audit are editable (black text) or read-only (grey text) in each of the Audit States.
We can tell you so much more!
Sepia Solutions specialises in this software and has a proven track record of successful implementations. This website documents just the tip of the iceberg. Invite us for an on-site presentation for a more interactive demonstration of the Pentana software. We can discuss your organisation, department and objectives to come to a tailored implementation plan.
No costs, no obligations, only additional insights.