Control & Attestation Creation and Schedule

SanjivMeher
Kilo Patron

Hello Expert,

I am working on building the controls and attestation module for our customers.

As I understand it, if I have a control with a frequency, it keeps creating attestations based on that frequency every cycle.

My question is,

1. If an attestation is created for Q1 and not completed by the end of Q1, what happens then? How do we create another attestation without cancelling the existing attestation?

2. If I want to retire a control at the end of every year and create a new control for every year, so that it is easy to look for evidence based on year: have you ever had such a use case, and how do you handle it?

3. Is there an easy way to display the evidence in the control itself, instead of showing it as a related list? Right now the control interface is not very user friendly. Also, in the attestation list view, since it lists the old evidence too, it is difficult to identify which attestation is for which month or quarter.

1 ACCEPTED SOLUTION

Phil Swann
Tera Guru
  1. If an attestation is created for Q1 and not completed by the end of Q1, what happens then? How do we create another attestation without cancelling the existing attestation?
    • What happens then? Nothing OOTB.
    • Why would you create another? You cannot have two concurrently.
    • One thing we have done is build a scheduled job to expire the attestation and set the control to non-compliant; this helps increase the 'pressure' on making sure it is done... the not-doing is an implication of compliance in itself.
  2. If I want to retire a control at the end of every year and create a new control for every year, so that it is easy to look for evidence based on year: have you ever had such a use case, and how do you handle it?
    • No, the control is the control; it is not time-based (unless the entity itself is time-based). If you want time-based evidence you can do so using Audit Management, perhaps, and work on the control testing.
  3. Is there an easy way to display the evidence in the control itself, instead of showing it as a related list? Right now the control interface is not very user friendly. Also, in the attestation list view, since it lists the old evidence too, it is difficult to identify which attestation is for which month or quarter.
    • Yes, SN offers a few options such as embedded lists, or embedded content/formatters.
    • If you want to modify the view of the attestation results you can modify the sys_relationship record.
    • If you want to just show the latest, you can leverage the existing 'View Users' Response' UI action and put it inside the control.
    • Again, I suggest looking into the Audit Management module to support these, so the control is really focusing on being a control, and the testing of the control belongs to the control test record.
    • Also consider using Indicators and leveraging supporting data.

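The scheduled job Phil describes (expire an attestation that is still open past its cycle end, and set its control to non-compliant), as an added example that is not part of the original post and not ServiceNow's own code. It is written as plain functions over constructed records so it runs in Node; inside the platform the same logic would sit in a Scheduled Script Execution that reads and writes the records with GlideRecord. The table, field and choice names mentioned in the comments (asmt_assessment_instance with state values ready/wip/complete/canceled, sn_compliance_control with a compliance field set to non_compliant, a frequency choice of monthly/quarterly/annually) are assumptions from memory, not taken from this thread, and must be checked against your instance's dictionary. The cycleLabel helper also addresses question 3: it derives a period label (2024-Q1, 2024-M03) from the due date so a list view can show which month or quarter an attestation belongs to.

```javascript
// Added example, not code from the original post or from ServiceNow GRC.
// Decision logic for the "expire overdue attestations, flag control
// non-compliant" scheduled job. Records are plain objects constructed inline;
// in ServiceNow they would come from GlideRecord queries. Table/field/choice
// names referenced in comments are assumptions; verify before use.

// Label an attestation's cycle from its due date: "2024-Q1", "2024-M03", "2024".
function cycleLabel(dueDate, frequency) {
  const d = new Date(dueDate);           // ISO date-only strings parse as UTC
  const y = d.getUTCFullYear();
  const m = d.getUTCMonth() + 1;         // 1..12
  switch (frequency) {
    case 'monthly':   return y + '-M' + String(m).padStart(2, '0');
    case 'quarterly': return y + '-Q' + Math.ceil(m / 3);
    case 'annually':  return String(y);
    default: throw new Error('unknown frequency: ' + frequency);
  }
}

// Work out what the job should change when run at `now`, mutating nothing.
// Assumed open states: 'ready' (not started) and 'wip' (in progress);
// 'complete' and 'canceled' attestations are never touched.
function planExpirations(attestations, controls, now) {
  const nowMs = new Date(now).getTime();
  const controlById = new Map(controls.map(c => [c.sys_id, c]));
  const plan = { expire: [], nonCompliant: [], untouched: [] };
  for (const a of attestations) {
    const isOpen = a.state === 'ready' || a.state === 'wip';
    const isOverdue = new Date(a.due_date).getTime() < nowMs;
    if (!isOpen || !isOverdue) {
      plan.untouched.push(a.sys_id);
      continue;
    }
    plan.expire.push(a.sys_id);
    const ctrl = controlById.get(a.control);
    // a control may own several overdue attestations; flag it only once
    if (ctrl && !plan.nonCompliant.includes(ctrl.sys_id)) {
      plan.nonCompliant.push(ctrl.sys_id);
    }
  }
  return plan;
}

// Apply the plan and return updated copies. In ServiceNow each change would be
// a gr.setValue(...) followed by gr.update() on the matching record.
function applyPlan(attestations, controls, plan) {
  const expired = new Set(plan.expire);
  const flagged = new Set(plan.nonCompliant);
  const freqOf = new Map(controls.map(c => [c.sys_id, c.frequency]));
  return {
    attestations: attestations.map(a => ({
      ...a,
      cycle: cycleLabel(a.due_date, freqOf.get(a.control)),
      state: expired.has(a.sys_id) ? 'canceled' : a.state,
    })),
    controls: controls.map(c =>
      flagged.has(c.sys_id) ? { ...c, compliance: 'non_compliant' } : c),
  };
}

// Constructed sample data: two controls, three attestations.
const SAMPLE_CONTROLS = [
  { sys_id: 'c1', name: 'Quarterly access review', frequency: 'quarterly', compliance: 'compliant' },
  { sys_id: 'c2', name: 'Monthly backup check',    frequency: 'monthly',   compliance: 'compliant' },
];
const SAMPLE_ATTESTATIONS = [
  { sys_id: 'a1', control: 'c1', due_date: '2024-03-31', state: 'wip' },      // Q1, never finished
  { sys_id: 'a2', control: 'c1', due_date: '2024-06-30', state: 'ready' },    // Q2, not yet due
  { sys_id: 'a3', control: 'c2', due_date: '2024-03-31', state: 'complete' }, // March, done on time
];

// Simulate the job firing on 15 April 2024: a1 is expired, c1 goes non-compliant.
function runDemo() {
  const plan = planExpirations(SAMPLE_ATTESTATIONS, SAMPLE_CONTROLS, '2024-04-15T00:00:00Z');
  return applyPlan(SAMPLE_ATTESTATIONS, SAMPLE_CONTROLS, plan);
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(JSON.stringify(runDemo(), null, 2));
}
```

Two design points worth keeping when porting this into a Scheduled Script Execution: compute the full plan before writing anything, so a job that fails halfway can be re-run without double-flagging controls, and treat only the genuinely open states as expirable so a re-run never cancels attestations that were completed after the previous run.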

5 REPLIES

Eric Le Martre4
Kilo Guru

Hi Sanjiv,

First you have to understand that the Frequency field at Control level is just there for show and does not trigger anything. The correct Frequency field is the one at Entity level, meaning you cannot specify a specific frequency for each control of a single Entity.

Except if you decide to build a BR linked to this Frequency field at Control level.

At the end of a cycle the controls for a given Entity are brought back to Draft and Assess, meaning all existing untaken Attestations are deleted and brand new ones are available. Those which have been taken are available for history on a related list at Control record level.

Retiring a control at the end of each cycle/year is not the spirit in which GRC has been built. The way GRC @ServiceNow is built is to keep history over attestation cycles, so as to be able to use PA to calculate Compliance trends and follow the evolution of your controls.

If you retire the controls, you cannot open new ones from the same Control Objective for the same Entity. You only can reopen the retired Control. If the objective is to keep values on a quarterly/annual basis etc, then use PA to keep series of data every quarter/year.

I agree with your last point. The way evidence is managed is not ideal. I would recommend looking at these 2 links to understand how to create a Related List based on the attachments to the asmt_assessment_instance_question table, the attachments being stored in the sys_attachment table:

https://snprotips.com/blog/2016/2/25/understanding-and-using-glideattachment

and

https://community.servicenow.com/community?id=community_blog&sys_id=928c2ae1dbd0dbc01dcaf3231f961927


First you have to understand that the Frequency field at Control level is just there for show but does not trigger anything. The correct Frequency field is the one at Entity level, meaning you cannot specify specific frequency for each controls of a single Entity.

I disagree with the above statement. ServiceNow used to use the frequency at entity level, but now they have made a correction to use the control's frequency.

Because an entity can be associated with any control objective, and each control can have its own frequency. So if we use the entity's frequency, that will not work when we need different frequencies for different controls.

I also don't like the way attestation module is built. I would rather create my own table to store evidence, where I can specify the cycle for which I am collecting the evidence.


Please mark this response as correct or helpful if it assisted you with your question.

Hi sir, so in that case do we need to set the frequency individually for each control, or can we do it for a control objective too? Is it a fully manual process?

Thanks

Jeevan
