Control Attestation
7 hours ago
How can we configure attestations to run automatically at a defined frequency and trigger email notifications to the control owner for assessment?
For example, if we create an attestation for access reviews that needs to run quarterly, how can we ensure it is automatically initiated each quarter without manual intervention? Currently, once an attestation is created, the control moves to the Attest state. After the control owner completes the assessment, it transitions to Review and then Monitor.
For the next review cycle, how will a new attestation be created automatically so the control owner is notified again and the control re-enters the attestation workflow?
The main objective is to set up separate attestations for different periodic activities (e.g., quarterly access reviews, annual policy reviews, monthly reconciliations) and have the system automatically generate these attestations and notify the respective control owners at the defined frequency—without requiring manual attestation creation each time.
an hour ago
Hello Risha,
Below is a detailed response to your question.
✅ How Automatic, Periodic Attestations Work in ServiceNow IRM
ServiceNow IRM does not require manual creation of a new attestation record for every cycle (quarterly, monthly, annually, etc.).
Instead, attestations are automatically re‑initiated based on frequency, driven by control configuration and a scheduled job implemented through the ControlAttestationUtilsBase utility.
1️⃣ Configure the Control with an Attestation Frequency
Each control is configured with an attestation frequency, such as:
- Monthly
- Quarterly
- Annually
- Semi‑annually
This frequency defines how often the control must be re‑attested (e.g., quarterly access reviews).
This frequency is stored on the control and evaluated automatically by the platform.
2️⃣ Control Lifecycle After Initial Attestation
Your current flow is correct and expected:
Attest → Review → Monitor
After the control owner completes the assessment:
- The control exits Attest
- Moves through Review
- Settles in Monitor
✅ Nothing is wrong here—this is intentional.
3️⃣ How the Next Attestation Is Triggered Automatically
This is where the ControlAttestationUtilsBase Script Include comes in.
What the Script Does (Key Points)
- Runs on a scheduled basis (background job)
- Finds controls that are in Review or Monitor
- Checks whether they have a periodic attestation frequency
- Determines the last attestation completion date
- Calculates when the next attestation is due
- When due, it moves the control back to the Attest state
```
if (now >= nextDueDate) {
    control.state = 'attest';
    control.update();
}
```
✅ This automatically re‑enters the attestation workflow.
4️⃣ How a New Attestation Is Created (Important Clarification)
The script does not directly create a new attestation record.
Instead:
- The script moves the control back to Attest
- The control workflow is triggered
- ServiceNow automatically generates a new assessment (attestation) instance
- The new assessment is linked to the control
- Previous attestations remain as historical evidence
This ensures:
- Each review cycle has a separate attestation record
- Full audit trail is maintained
5️⃣ How Email Notifications Are Triggered Each Cycle
Email notifications are tied to the assessment lifecycle, not to the script itself.
When the control re‑enters Attest and a new assessment is created:
- The assessment workflow fires
- Notifications are triggered for:
- Assessment creation
- Assessment due
- Assessment overdue
- Emails are sent automatically to the Control Owner
✅ The control owner is notified every time the attestation is re‑generated, for every cycle.
6️⃣ Supporting Multiple Periodic Activities (Your Main Objective)
You can support different periodic compliance activities by configuring separate attestation setups, each with its own frequency.
Example
| Activity | Frequency | Attestation behavior |
| --- | --- | --- |
| Access Reviews | Quarterly | Control re‑enters Attest every 3 months |
| Policy Reviews | Annually | Attestation created once per year |
| Reconciliations | Monthly | Monthly attestation cycle |
The script:
- Evaluates each control independently
- Re‑initiates attestations only when they are due
- No manual intervention is required
7️⃣ End‑to‑End Cycle Example (Quarterly Access Review)
First Cycle
Control created → Attest → Review → Monitor
After 3 Months (Automatically)
Monitor → Attest → Review → Monitor
Each quarter:
- A new attestation is generated
- Control owner receives a notification
- Control history is preserved
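
The due-date check described in the answer above, modelled in plain JavaScript as an added example (it is not ServiceNow's ControlAttestationUtilsBase code and not part of the original post). The record fields, the months-per-frequency map, the sample controls and the end-of-month clamping are assumptions made for this illustration.

```javascript
// Added illustration in plain JavaScript; not ServiceNow platform code.
// Field names and sample records below are constructed assumptions.
const MONTHS_PER_CYCLE = { monthly: 1, quarterly: 3, 'semi-annually': 6, annually: 12 };

// Add whole months in UTC, clamping to the last day of the target month,
// so 31 Jan + 1 month lands on 28/29 Feb instead of rolling into March.
function addMonthsClamped(date, months) {
  const y = date.getUTCFullYear();
  const m = date.getUTCMonth() + months;
  const lastDay = new Date(Date.UTC(y, m + 1, 0)).getUTCDate();
  return new Date(Date.UTC(y, m, Math.min(date.getUTCDate(), lastDay)));
}

// Next due date = last completed attestation + one frequency period.
function nextDueDate(control) {
  const months = MONTHS_PER_CYCLE[control.frequency];
  if (!months || !control.lastAttested) return null; // not periodic, or never attested
  return addMonthsClamped(new Date(control.lastAttested), months);
}

// One pass of the scheduled check: only Review/Monitor controls are eligible,
// and each control is evaluated independently against its own frequency.
function runCycle(controls, now) {
  const reopened = [];
  for (const c of controls) {
    if (c.state !== 'review' && c.state !== 'monitor') continue;
    const due = nextDueDate(c);
    if (due && now >= due) {
      c.state = 'attest'; // re-enters the attestation workflow
      reopened.push(c.name);
    }
  }
  return reopened;
}

// Constructed sample data mirroring the three activities in the table above.
function sampleControls() {
  return [
    { name: 'Access Reviews', frequency: 'quarterly', state: 'monitor', lastAttested: '2024-11-30' },
    { name: 'Policy Reviews', frequency: 'annually', state: 'monitor', lastAttested: '2024-06-15' },
    { name: 'Reconciliations', frequency: 'monthly', state: 'review', lastAttested: '2025-01-31' },
    { name: 'Already Open', frequency: 'monthly', state: 'attest', lastAttested: '2024-12-01' },
  ];
}

console.log(runCycle(sampleControls(), new Date('2025-02-28T00:00:00Z')));
```

A control that is skipped here (still in Attest, or with no recorded completion date) never reaches the due-date check, which is the condition worth alerting on when a periodic review stops recurring.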
