
Recurring Evidence Requests for Audit Documentation

brandoncalero
Tera Contributor

Hello,

 

My internal GRC Audit team needs to perform semi-annual audits and we need a way to make these requests recurring or to re-initiate the request. Here are some details on our use case:

 

- Need to collect user access lists for each application

- users provide an attachment to our audit team

- request sent to approximately 200 or so applications/IT owners

- Process needs to be able to be reproduced every 6 months to the same applications/IT owners

 

Is there a way to automate this process within the system? 

1 ACCEPTED SOLUTION

@brandoncalero the use case you have described is what control indicators have been designed for.

 

The process for creating them is: 

  1. Create a single control objective (make sure "Creates control automatically" is true)
  2. (Optional) Create an entity type for all applicable applications with an entity filter pointed to the Business application table to automatically create controls for the applicable applications
  3. Create an indicator template off of the Control objective. This indicator template can be manual to start off with and provide some guidance to the user of what they need to do and what you expect them to upload
  4. (Optional) Create a test template for the control objective and click generate test plans. This will create a copy of the test template as a test plan for each control

This is a one-off activity; the indicators will then run throughout the year and send tasks to users to upload data.

 

When it is time to test you can do the following:

  1. Create an engagement
  2. Bring the applications in scope
  3. (Optional) you can configure control tests to not require test plans by removing the mandatory flag. This will allow users to create control tests directly.
  4. Create the control tests either from the test plans or by manually creating individual control tests. This can be done in bulk. You can also configure this list to let you select all test plans if you want to make this even faster.

[screenshot omitted: ConnorLevien_2-1698292916715.png]

 

Once you create a control test, it will automatically bring the manual indicators or the uploaded evidence into the control test for the audit user to review (see the screenshot below for an example of an indicator result on a control test).

[screenshot: indicator result on a control test (ConnorLevien_0-1698292728907.png)]

 

 

Once you have done this once, you can copy the engagement by following the guide below; it copies all of the setup for you each time, so you don't have to repeat these steps.

https://docs.servicenow.com/en-US/bundle/vancouver-governance-risk-compliance/page/product/grc-audit... 

 

I hope this is helpful. If you still have questions, I would suggest reaching out to your ServiceNow account team; they can connect you with your local Risk Specialist to help you through the process.


11 REPLIES

Connor Levien
ServiceNow Employee

@brandoncalero you can achieve this by setting up a manual indicator (or, if you have a centralised access management system, you can pull the data from there). Manual indicators, despite their name, can automatically send an indicator task at configurable intervals to gather data throughout the year.

 

Once you create an engagement and a control test, it will automatically pull in all indicator tasks and their results for the scope period. This makes it very easy for auditors to get access to the relevant data, means that IT doesn't have to send the data directly to you, and lets you automate the entire data-gathering process.

brandoncalero
Tera Contributor

Hey Connor, 

 

Thank you for your response.

I have tried your response, but I think this process creates too many records for my Compliance team to follow when all they need is a way to collect a spreadsheet from our users and document it in the system.

 

Evidence collection seems like the most straight forward way, but having to make that process repeatable for a large collection pool feels like a challenge.

@brandoncalero are you able to elaborate on the collection pool? Do you need to request a spreadsheet for each control test instance, or are you requesting a single Excel file that contains the evidence for multiple controls?

 

Additionally, are you able to elaborate on how the indicator created too many records?

@Connor Levien 

The collection pool would be the IT managers of roughly 200 applications, who need to provide an export from their respective application of their User and Admin accounts every 6 months. So it would be an export for each application instance.

 

As an organization, we are transitioning from a manual process into ServiceNow. When you talk about Control tests: I had to create a Control Objective, then a test plan, in order to generate Controls for my entities, and then try an Evidence Request, and so on. I am concerned about the number of clicks for my team.

 

I have also tried using engagements and importing Evidence requests, but that also proved difficult.