Ideagen Internal Audit (Aura): Password expiry does not allow for user's time zone
Ideagen Internal Audit (Aura) can be configured to allow a password to expire after a certain number of days.
The date and time at which the user sets or resets their password is recorded as a UTC timestamp, so for someone in the US Eastern time zone the stored value is the local date/time plus 5 hours (plus 4 hours while daylight saving time is in effect).
When they next log in, Ideagen Internal Audit (Aura) will compare the current date/time with the password set/reset timestamp and if the difference exceeds the expiry threshold then the user will see an error message.
However, when making this comparison Ideagen Internal Audit (Aura) does not take the time zone offset into account: it compares the current local time directly with the last password change time, which was recorded in UTC, as though both were in the same zone.
This can cause unexpected results. As an example:
- User is in the US, Eastern time zone
- Server is in the US, Eastern time zone
- Password is set to expire after 90 days
In this case the password will expire 90 days + 5 hours after it was set, the extra 5 hours being the UTC offset of Eastern Standard Time at the moment the password was changed.
While this is a minor issue, it can cause confusion when the password expiry feature is being tested or put through UAT, where the expiry is typically set to 1 day. A user might expect to set their password at 10am on day 1 and have it expire at 10am on day 2; instead it would not expire until 3pm on that day.
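To make the effect concrete, here is an added example in Python (not code from Ideagen or the Aura product) that models the comparison described above: a buggy check that strips the zone from both values, next to a corrected check that compares zone-aware instants. It also computes the slip for a July password change, which the article does not cover, to show that the 5 hours is really the UTC offset in force when the password was set (4 hours under daylight saving time). The sample timestamps, the fixed EST/EDT offsets and all function names are constructed for illustration.

```python
from datetime import datetime, timedelta, timezone

# Fixed offsets used for illustration only; a real deployment would use
# zoneinfo.ZoneInfo("America/New_York") so the offset follows DST automatically.
EST = timezone(timedelta(hours=-5), "EST")
EDT = timezone(timedelta(hours=-4), "EDT")


def record_password_change(local_set_time: datetime) -> datetime:
    """Store the change time the way the article describes: converted to UTC."""
    return local_set_time.astimezone(timezone.utc)


def expired_naive(last_change_utc: datetime, now_local: datetime, expiry_days: int) -> bool:
    """Buggy check: drops tzinfo from both values and compares wall-clock times,
    so the UTC timestamp is silently treated as if it were local time."""
    naive_change = last_change_utc.replace(tzinfo=None)
    naive_now = now_local.replace(tzinfo=None)
    return naive_now - naive_change >= timedelta(days=expiry_days)


def expired_aware(last_change_utc: datetime, now_local: datetime, expiry_days: int) -> bool:
    """Corrected check: both values keep their tzinfo, so the subtraction is
    between instants and the local UTC offset cancels out."""
    return now_local - last_change_utc >= timedelta(days=expiry_days)


def naive_expiry_slip_hours(local_set_time: datetime, expiry_days: int) -> float:
    """How many hours later than intended the buggy check first reports expiry.
    The buggy check fires when the local wall clock reaches the stored UTC
    wall-clock value plus expiry_days, so the slip equals the UTC offset at set time."""
    change_utc = record_password_change(local_set_time)
    intended = local_set_time + timedelta(days=expiry_days)
    buggy_first_true = change_utc.replace(tzinfo=None) + timedelta(days=expiry_days)
    buggy_first_true = buggy_first_true.replace(tzinfo=local_set_time.tzinfo)
    return (buggy_first_true - intended).total_seconds() / 3600


def worked_example() -> dict:
    """The 1-day UAT scenario from the article: password set at 10am EST on day 1."""
    set_local = datetime(2024, 1, 15, 10, 0, tzinfo=EST)   # constructed sample time
    change_utc = record_password_change(set_local)           # stored as 15:00 UTC
    at_10am_day2 = set_local + timedelta(days=1)             # when the user expects expiry
    at_3pm_day2 = at_10am_day2 + timedelta(hours=5)          # when it actually expires
    return {
        "naive_at_10am": expired_naive(change_utc, at_10am_day2, 1),  # False: only 19h elapsed
        "naive_at_3pm": expired_naive(change_utc, at_3pm_day2, 1),    # True
        "aware_at_10am": expired_aware(change_utc, at_10am_day2, 1),  # True: correct behaviour
        "slip_hours_est": naive_expiry_slip_hours(set_local, 1),      # 5.0
        "slip_hours_edt": naive_expiry_slip_hours(
            datetime(2024, 7, 15, 10, 0, tzinfo=EDT), 1),             # 4.0 under daylight saving
    }


if __name__ == "__main__":
    for name, value in worked_example().items():
        print(f"{name}: {value}")
```

The slip does not depend on the expiry length, only on the offset baked into the stored timestamp, so the 90-day case in the example above shifts by the same 5 hours as the 1-day UAT case. A quick check when testing the feature is to set the expiry to 1 day, note the local time the password was changed, and confirm whether expiry lands at that time the next day or at that time plus your UTC offset.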