Smoother Control Re-Attestation

Arnaud Bretz1
Tera Contributor

Greetings to all,

I find myself confronted with a business requirement regarding the re-attestation of compliant controls. The business has expressed some frustration over the need to re-attest controls on an annual basis, especially when they are confident that the control environment remains unchanged, and the control will remain compliant.

While ServiceNow recommends using indicators to monitor controls, I'm not entirely convinced of their added value, as indicators would likely involve manual efforts and impose a similar burden on control owners in responding to indicator tasks regularly.

I'm keen to gather insights and recommendations on how we can streamline and simplify the lives of control owners. What customizations or solutions would you propose to address this situation more efficiently?

Looking forward to your thoughts and suggestions.

1 REPLY

Jan Spurlin
ServiceNow Employee

This is probably not a complete answer - and also coming from a trainer and not an end-user customer.

In ServiceNow, there is a difference between attesting to a control and monitoring a control. Attesting involves confirming that there is a METHOD to measure the control. And some organizations want that method documented and stored. ServiceNow's baseline assumes that if there is no way to measure the control then it is non-compliant. If there is a method, then the control is compliant - until the use of that METHOD via an indicator says otherwise.

Indicators are what ServiceNow wants customers to use to measure the ongoing compliance status of a control.

The BEST way to reduce the manual effort is to automate the indicators.  For example - find a condition that can be measured with a BASIC indicator that confirms that the control environment has not changed.  Or find some data that will support the method without having to ask users to manually respond to an indicator task.