How to create Control Tests in GRC

tena1
Tera Contributor

How to create Control Tests in GRC.

I do not see the IT GRC -> Control Tests as given in the Madrid Docs.

I believe Attestations are created to check the Control Design Effectiveness.

How to check the Control Effectiveness in GRC

1 ACCEPTED SOLUTION

Shiva Thomas
Kilo Sage

Hi Tena,

The Automated Tests you are looking for are located in "Automated Test Framework > Tests". You'll obviously need to be at least at Madrid version.


Another relevant link: Is anyone using Automated Test Framework in GRC?

Attestations are freely customizable questionnaires that can be used to trigger events for your Controls, but out-of-the-box they are intended mostly for manual review: After reviewing the Assessment, the actions are taken manually by the Control's Owner. Only some question types can trigger a simple compliant/non-compliant status on the Control. Since non-admins can edit/create Attestations, any more advanced scripted automation logic could be broken by modification of the Attestation template.

To affect the Status of a Control, you can also use Indicator tasks (manual or scripted) or a simpler but custom one-button attestation approach.

The effectiveness can be measured by looking at the impact of the Control's Status on the Calculated Scores of a Risk linked to your Control.


Best regards from Switzerland
Shiva :¬,

If this reply assisted you, please consider marking it 👍Helpful or Correct.
This enables other customers to learn from your thread.
