1st line control testing

Rutger2
Tera Contributor

Good afternoon,


We have implemented IRM including Audit management and we are wondering what functionality other organizations use for '1st line control testing'. At the start of our implementation we used 'Audit control tests' but a few years back we switched to indicator (tasks). To us it seems 'Control tests' fit better if you want a qualitative test on a control but indicators facilitate planning & organization better. It would be very helpful if you can state why you use a specific module for these processes. Examples of controls at our organization are:

- 4 eyes principle controls for different (business) processes

- manual data quality checks controls

- identity & authorization controls

1 ACCEPTED SOLUTION

Priscilla Muiua
ServiceNow Employee

Hi @Rutger2,

Here is my proposed solution:

Organizations using ServiceNow Audit Management for 1st line control testing typically leverage Control Tests for qualitative validation and Indicators for operational planning, depending on the control type and testing objectives. Here is a simplified table to distinguish control tests and indicators:

| Feature | Control tests | Indicators |
|---|---|---|
| Purpose | Qualitative validation of control effectiveness | Continuous monitoring/metrics tracking |
| Workflow integration | Part of audit engagements | Used for periodic checks or compliance KPIs |
| Evidence collection | Requires documented proof (e.g., screenshots, logs) | Focuses on quantitative thresholds. Evidence can be attached to indicator tasks. |
| Automation | Manual or semi-automated via audit workflows | Fully automated via scheduled tasks or can be manual and responded to by the end users. |

Indicators are the continuous monitoring perspective and how organizations decide to continue tracking that controls are in place (so this is more so control enforcement). For the control test: the auditor comes in and confirms that the enforcement of the control works as intended.

Use control tests to do validation of design and operating effectiveness by the compliance of internal audit team. Control tests is the access of completing an audit before the external auditors/regulators come in.

I found a great video on YouTube where you can learn more about control and indicator tests here - timestamp: 2:44 – 16:43 (this is an old video from 2017 but still has relevant information): https://www.youtube.com/watch?v=m4IwW-IukIc


17 minutes to clarify and disambiguate once and for all the concepts and terminology around Controls, Attestations and Tests. These are so important to make the best of ServiceNow's GRC solution. This video tutorial is essential before GRC Fundamentals training, after training, before ...