Control Attestation outcome - required help

ImranHasan
Tera Contributor

In ServiceNow IRM, if we have a control and want to perform an attestation with a control owner, the current outcome we receive based on their inputs is either 'Compliant' or 'Non-Compliant.' I was wondering how I can change the outcome to 'Effective,' 'Partially Effective,' 'Ineffective,' or 'Not Assessed' based on the control owner's inputs.


Simon Hendery
Mega Patron

Hi @ImranHasan

What is your reason for wanting to make this change? Attestations are kind of binary, i.e., a pass/fail assessment, so I'm keen to understand what you are looking to achieve by introducing a 'Partially Effective' option?

Hi Simon, thanks for your message. It's an option for our manual control assessment (effective, partially effective, non-effective, not assessed). We're currently trying to move to ServiceNow IRM, but we're not sure how to align SNOW IRM control attestation with our manual process. At the same time, control status such as effective, non-effective or partially effective should be reflected in the workspaces.

Hi @ImranHasan

I agree with @Simon Hendery. Clients often ask for something without understanding the full risk and compliance picture.

Obligations / Policies

e.g. Publish audited financial results annually to the stock exchange (why: because of regulations and the company's financial obligations to the respective regulators and governing bodies)

Risk Statements (Risks) - these manifest when I do not meet my obligations

e.g. loss of reputation, financial losses, etc. If we do not submit the financials we will be suspended from trading, have reputational issues, etc.

To mitigate these risks we have Controls (Control Objectives) and these are statements of intent.

e.g.

1. Submit audited financial statements on or before 30 June annually

2. Annual statements are to be audited by an external registered auditing firm.

For the Control and the Attestation portion of your question:

Did a registered auditor audit the financial statements - Yes/No

Did you submit on or before 30 June - Yes/No

Your control objectives should not be open for interpretation. You are compliant with what you set out to do, or you are not. It is black or white, no grey area.

(You may have been non-compliant before and compliant now, or vice versa, but you are never partially compliant.)

For the Effective, Partially Effective, etc.: these are in relation to what? The Risk.

How effective is my control in mitigating the risk (this is evaluated in your risk assessment).

Remember the control may be effective in mitigating one risk, but ineffective in mitigating another - so this evaluation cannot sit on the control itself.

Keep these 2 assessment activities separate.

The third aspect is how well you designed the control (Design Effectiveness), and how effectively it is operating (Operational Effectiveness) - these are covered by the 3rd line in your Audit module as control testing.
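As an added example (my own code, not ServiceNow's IRM data model and not from any poster in this thread), the following Python sketch shows the separation argued for above as a data structure: attestation questions are yes/no and roll up to Compliant or Non-Compliant on the control, while Effective / Partially Effective / Ineffective / Not Assessed is stored on the control-to-risk link, so the same control can carry different ratings against different risks. The 1-25 score scale, the 75% / 25% reduction thresholds and all sample data are constructed assumptions for illustration only.

```python
"""Added example: binary control attestation kept separate from per-risk
effectiveness.  Not ServiceNow code; scale, thresholds and data are assumed."""
from dataclasses import dataclass
from enum import Enum
from typing import Optional


class AttestationOutcome(Enum):
    COMPLIANT = "Compliant"
    NON_COMPLIANT = "Non-Compliant"


class Effectiveness(Enum):
    EFFECTIVE = "Effective"
    PARTIALLY_EFFECTIVE = "Partially Effective"
    INEFFECTIVE = "Ineffective"
    NOT_ASSESSED = "Not Assessed"


@dataclass(frozen=True)
class Control:
    """A control objective with yes/no attestation questions.
    Deliberately has no effectiveness field: effectiveness belongs to the
    control-risk relationship, not to the control itself."""
    name: str
    questions: tuple[str, ...]


@dataclass(frozen=True)
class Risk:
    name: str


@dataclass
class Mitigation:
    """The control-to-risk link; the effectiveness rating lives here."""
    control: Control
    risk: Risk
    inherent_score: float                  # risk score before the control (assumed 1-25 scale)
    residual_score: Optional[float] = None  # None until the risk assessment has been done


def attest(control: Control, answers: dict[str, bool]) -> AttestationOutcome:
    """Binary attestation: Compliant only if every question is answered 'yes'.
    An unanswered question is an error, not a grey area."""
    missing = [q for q in control.questions if q not in answers]
    if missing:
        raise ValueError(f"unanswered attestation question(s): {missing}")
    if all(answers[q] for q in control.questions):
        return AttestationOutcome.COMPLIANT
    return AttestationOutcome.NON_COMPLIANT


def rate_effectiveness(m: Mitigation) -> Effectiveness:
    """Map the risk reduction achieved against ONE risk to a rating.
    The 75% / 25% reduction thresholds are assumed for illustration."""
    if m.residual_score is None:
        return Effectiveness.NOT_ASSESSED
    if m.inherent_score <= 0:
        raise ValueError("inherent score must be positive")
    reduction = 1.0 - (m.residual_score / m.inherent_score)
    if reduction >= 0.75:
        return Effectiveness.EFFECTIVE
    if reduction >= 0.25:
        return Effectiveness.PARTIALLY_EFFECTIVE
    return Effectiveness.INEFFECTIVE


def workspace_summary(control: Control, answers: dict[str, bool],
                      mitigations: list[Mitigation]) -> dict:
    """What a workspace would show: one attestation outcome on the control,
    and one effectiveness rating per risk the control is mapped to."""
    return {
        "control": control.name,
        "attestation": attest(control, answers).value,
        "effectiveness_by_risk": {
            m.risk.name: rate_effectiveness(m).value
            for m in mitigations if m.control == control
        },
    }


# Constructed sample data mirroring the thread's financial-reporting example.
FINANCIALS = Control(
    "Submit audited financial statements on or before 30 June annually",
    ("Did a registered auditor audit the financial statements?",
     "Did you submit on or before 30 June?"),
)
SUSPENSION = Risk("Suspension from trading")
REPUTATION = Risk("Loss of reputation")
FINANCIAL_LOSS = Risk("Financial losses")

SAMPLE_MITIGATIONS = [
    Mitigation(FINANCIALS, SUSPENSION, inherent_score=20.0, residual_score=4.0),   # 80% reduction
    Mitigation(FINANCIALS, REPUTATION, inherent_score=16.0, residual_score=10.0),  # 37.5% reduction
    Mitigation(FINANCIALS, FINANCIAL_LOSS, inherent_score=12.0),                   # not yet assessed
]
SAMPLE_ANSWERS = {q: True for q in FINANCIALS.questions}

if __name__ == "__main__":
    print(workspace_summary(FINANCIALS, SAMPLE_ANSWERS, SAMPLE_MITIGATIONS))
```

Running the module prints one Compliant attestation for the control and three different effectiveness values, one per linked risk, which is the shape a workspace report needs if the two assessments are to stay separate.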


Simon Hendery
Mega Patron

Hi @ImranHasan

I appreciate this is an easy thing for me to say, whereas in practical terms it's not easy ... but I suspect the best option is going to be to go back to the drawing board and redesign your current manual attestation processes so they align with ServiceNow best practice, rather than trying to shoehorn the old processes into the new solution, which is just asking for problems and unnecessary complexity.