In ServiceNow GRC, if you don’t attach an attestation to a control objective, the platform has no formal evidence to confirm whether that control is functioning as intended. Attestations serve as documented proof—usually provided by control owners or other responsible individuals—that a control has been reviewed, tested, and found to be compliant (or not). Without this, ServiceNow lacks the necessary input to properly assess the control’s effectiveness.

As a result, the compliance score for that control objective cannot be accurately calculated. Typically, the score will either remain blank, show as “Not Assessed,” or default to 0% because the system has no data to work with. This can skew overall compliance metrics, reports, and dashboards, potentially raising red flags during audits or internal reviews.

Not linking attestations has several impacts. Most importantly, it weakens the reliability of your compliance posture. Risk managers and auditors may question the credibility of your control environment if there’s no supporting evidence. This can also affect risk scores, regulatory reporting, and overall governance transparency.

To ensure accurate compliance scoring, it’s a best practice to always link timely and relevant attestations to control objectives. You should also schedule attestations at regular intervals (such as monthly or quarterly), and where possible, automate control testing to reduce manual work. Additionally, assigning clear responsibilities and monitoring overdue or pending attestations helps avoid gaps in documentation. Attestations should always be supported with notes or attached evidence for audit readiness.

In summary, no attestation means no proof, which can result in an inaccurate or poor compliance score. Linking attestations is essential for maintaining a strong, evidence-based compliance program in ServiceNow GRC.