Risk-based audit planning in Pentana

April 7, 2018 Pentana
Pentana - Suggested areas for audit plan
Pentana - Suggested areas for audit plan

This page details how Ideagen Pentana can support your audit scheduling or “risk-based planning” efforts, illustrating following concepts:

Planning periods

Defining planning periods

Pentana - Planning periods
Pentana – Planning periods

To start planning, the user must first define the Planning Period which represents the timeframe for which the planning is applicable (e.g. next year). Pentana allows for overlapping periods, or duplicates of periods so that updates to the planning (e.g. six months into the year) can be properly processed and documented.

The GRC universe can be in constant flux; audits are conducted, the organisation acquires new entities or develops new processes, etc. Yet, Pentana provides a means of working on a stable basis throughout the planning exercise or review thereof.

Planning risks

Documenting planning risks

Pentana - Planning risks
Pentana – Planning risks

Planning Risks are used to represent high-level risks, topics or themes (that can optionally be linked to particular Entity Types or Process Types).

These risks get copied into all the appropriate EntityProcesses of a Planning Period so they can be assessed within the context of that part of the GRC Universe.

Several fields are available for Planning Risks, including Name, Description, Guidance, Weight, and Active State. The latter allows the user to define new risks or disable old risks; particularly useful if these records are used to represent audit priorities or themes that vary from year to year.

Planning risk assessments

Performing planning risk assessments

Pentana - Performing planning risk assessments
Pentana – Performing planning risk assessments

Once the Planning Risks are replicated into all applicable EntityProcesses, the user(s) can start assessing them in scope of the related entity and process. The two-dimensional overview is helpful in navigating through this potentially large list of records.

Unlike entity-level or audit-level risks, Planning Risks are not assessed using Likelihood and Impact but based on a simple Segmentation instead.

Note that the assessments can be assigned to different users, for example to get input from different regions by the local expert.

Scheduling factors

Employing scheduling factors

Pentana - Scheduling factors
Pentana – Scheduling factors

Assist in the creation if the audit plan, Pentana can take following Factors into account:

  • Fixed audit frequency
  • Last audit rating
  • Planning risk rating
  • Entity risk rating

The result of enabling/disabling these factors is that Pentana takes that factor into account (or not) in suggesting where to plan an Audit during this Planning Period.

Suggested areas for audit plan

Pentana - Suggested areas for audit plan
Pentana – Suggested areas for audit plan

Pentana does not create the audit plan as that would circumvent professional judgement. Instead, Pentana highlights areas (EntityProcesses) in the GRC Universe that, according to the employed Factors and underlying algorithms, should be audited during the defined Planning Period.

The user can create Candidate Audits either cell by cell or for all Red cells at once. When the user hovers over a cell in the matrix, a pop-up shows the last audit date and the different factors and scores, clarifying why Pentana suggests including this area into the audit plan (or not).

Colours in the overview mean the following:

  • Red: An audit should be planned here.
  • Yellow: No audit should be planned here, yet an Audit Candidate has been created.
  • Green: No audit is required and no Audit Candidate has been created.

Candidate (potential) audits

Candidate audits

Pentana - Candidate audits
Pentana – Candidate audits

The records created in the previously discussed screen are not “Audits” but “Candidate Audits“, so basically a potential audit plan that under perfect circumstances would be ideal.

The Audit Manager can estimate the required budget for each of the candidates and compare this total with the available audit resources/time for that period.

Again the professional judgement aspect comes into play as the CAE can decide to “Confirm” (i.e. create a real Audit) certain candidates and not perform other potential audits (documenting the motivation for that choice).

We can tell you so much more!

Sepia Solutions specialises in this software and has a proven track record of successful implementations. This website documents just the tip of the iceberg. Invite us for an on-site presentation for a more interactive demonstration of the Pentana software. We can discuss your organisation, department and objectives to come to a tailored implementation plan.
No costs, no obligations, only additional insights.

    Fill out this form to request an on-site presentation/demonstration.

    Related Articles