AudItable Units association to PoIicies

User9806 · 3 weeks ago

I am seeking additional clarification regarding Auditable Units. I understand that they can consist of combinations of different entities such as business units, products, services, and policies.

My main question concerns the concept of an Auditable Unit consisting predominantly of policies. From an IRM perspective, policies are linked to the wider control library. This means that when policies are associated with an Auditable Unit, the relevant controls should either be automatically inherited, or the control landscape should be inherited when the Auditable Unit is associated with an engagement.

Is there functionality in ServiceNow that captures this requirement?

Connor Levien · 3 weeks ago

Out of the box when an auditable unit is mapped to a policy it doenst automatically bring in the related controls when that auditable unit is added to an audit engagement. However, this can easily be configured via a flow so that when an auditable unit is brought into scope for an engagement, you can look if any policies are related to it and in turn look for all control objectives and in turn controls that relate to the policy. Using this you can then automatically add the controls to the scope of the engagement. This cal all be done without the need for coding but a flow would need to be set up in flow designer