Mary Hain
Administrator

What is Control Attestation with Smart Assessment Engine?

Control Attestation in ServiceNow IRM is the structured process by which control owners validate and attest to their responses to the questions for the controls they own.

 

The Smart Assessment Engine (SAE) elevates this process by replacing the traditional attestation experience with a modern, intuitive interface that provides respondents with full context before they answer a single question. Instead of navigating disconnected screens and toggling between records, control owners now attest through a unified view, with questions in the center, grouped controls on the left, and all reference data on the right. It's the difference between filling out a form and actually understanding what you're attesting to.

 

Watch ServiceNow Risk's SAE Speed learning series on YouTube to explore more. (The PDF for the YouTube presentation is attached below.)

 

How it Works

Configuration begins with the Questionnaire Template, where admins define the questions, set the purpose to Control Category, and configure the reference panel that respondents will see during attestation. The questionnaire must be in a Published state to be available for selection.

 

From the Control Objective record, Compliance Managers choose Smart Assessment Engine as the attestation method on the details page and assign the appropriate questionnaire; this selection then cascades across all controls tied to that Control Objective.

 

Respondents access their attestation tasks through the Employee Center. They can attest to controls individually using the single attestation method, or use the Combine feature to group multiple controls and work through them in a single session.

 

If a respondent can't complete everything at once, they can return to their saved progress through the Combined Assessment Tasks section and pick up right where they left off.

 

Why it Matters

The practical value here is significant. The Smart Assessment Engine transforms control attestation from a tedious, context-switching exercise into a streamlined, single-view experience. Control owners can see exactly what they're attesting to with all configured reference data, without leaving the response screen.

 

For compliance managers, the review process becomes more efficient. Responses and reference data sit side by side, eliminating the back-and-forth navigation that made the classic attestation process time-consuming and error-prone.

 

For organizations managing hundreds of controls across multiple entities, the Combine feature alone saves hours of repetitive effort. The result is an attestation process that's faster for respondents, easier for compliance teams to review, and cleaner for regulators to audit.

 

FAQ 

  1. Can Classic and SAE attestations coexist?
    Classic and SAE attestations can run side by side, allowing teams to transition incrementally without disrupting existing or in‑flight attestations.
  2. What happens when a control objective is switched to SAE?
    Switching a control objective to SAE applies the new attestation experience to all linked controls for future attestations only, while preserving all historical responses and evidence.
  3. Why does SAE use a different record type for attestations?
    SAE uses the sn_smart_asmt_instance record type to ensure audit‑safe immutability, consistent behavior across IRM workflows, and automation‑ready outcomes.
  4. How does SAE improve response quality at scale, not just speed?
    SAE improves response quality by capturing contextual reference information, enforcing conditional questions and justifications, and supporting evidence‑based responses even when attestations are run in bulk.
  5. Why does the Combined Assessment View matter operationally?
    The Combined Assessment View allows control owners to respond to multiple controls in one continuous flow, reducing fragmentation and improving completion rates and consistency.
  6. What happens after an SAE attestation is submitted?
    After submission, response automation, if configured in the SAE questionnaire, determines what actions are triggered, such as issues, tasks, or notifications, based on the responses provided. (Note: You have to configure the workflows from Workflow Studio.)

Visit the Smart Assessment Engine or join the discussion on the ServiceNow GRC Community.

 
