Manage controls
Summary of Manage controls
This content explains how to effectively manage controls within ServiceNow’s GRC application. Controls are specific implementations of control objectives that help organizations mitigate risks and comply with regulations. It emphasizes the importance of rationalizing, consolidating, and defining controls carefully rather than bulk uploading, to ensure controls remain relevant, efficient, and aligned with evolving business and IT environments.
Key Features
- Rationalize Controls: Evaluate each control’s impact on business objectives, its effectiveness in risk prevention or detection, and explore opportunities to replace outdated or complicated controls with simpler, more effective ones that also improve IT performance.
- Entity Association: Every control must be linked to an entity on the Control form for reliable risk and compliance calculations. Controls without an entity, or those linked to disabled entities, should be reviewed or retired.
- Consolidate Controls: Identify and merge common controls across multiple regulations or frameworks to avoid redundancy. This cross-mapping creates a consolidated control framework, simplifying audits and control management.
- Define Controls and Business Rules: Establish control owners, test criteria, frequencies, and related risks upfront. Prepare attestations, assessments, and map policies to procedures, controls, and risks to build a comprehensive GRC configuration.
- Entity Based Access (EBA): Enables granular data access management by granting users or groups permissions based on entity associations. When enabled, new controls, attestations, and related records automatically inherit EBA restrictions, enhancing security and simplifying access administration.
Practical Benefits for ServiceNow Customers
- Improve control effectiveness and reduce risk exposure by regularly reviewing and refining controls.
- Ensure accurate risk calculations and reporting by maintaining proper entity associations for controls.
- Streamline compliance efforts by consolidating redundant controls across multiple regulations into a unified framework.
- Configure comprehensive GRC workflows by defining business rules and mappings early in the process.
- Enhance security and ease of management through Entity Based Access, which automates access permissions consistent with organizational structure.
Controls are specific implementations of a control objective. Retired controls do not appear in the list. Before defining controls, take time to rationalize, consolidate, and define the important controls in your organization.
Rationalize your controls
- How does this control affect my business objective?
- Is this control actually preventing or detecting risk?
- Is there a different control you can place that better protects your business?
- Is there a control you can put in place that reduces process overhead and improves IT performance while also mitigating risk?
- Can a complicated control be replaced with a simpler, more effective control?
Consolidate your controls
Look for opportunities to consolidate controls. Look for common, repeated controls across multiple regulatory authorities or frameworks (for example, SOX, GLBA, and AML). Avoid operating a single control multiple times, once for each regulation, by cross-mapping controls and eliminating the redundant ones. This process establishes a single consolidated set of controls, the control framework. Performing and preserving the cross-mapping of controls is critical for audits.
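As an added illustration (not ServiceNow code or data), the following stand-alone JavaScript models the consolidation step described above: it groups controls that implement the same statement under different regulations into one consolidated control, keeps the list of source control ids as the cross-mapping, and also flags controls that have no entity or that point at a disabled entity for review or retirement. The control records, entity ids, and regulation names are constructed sample values.

```javascript
// Added example, not part of the ServiceNow documentation or product code.
// Constructed sample data: one control statement implemented once per regulation.
const CONTROLS = [
  { id: "CTL-001", statement: "Quarterly review of privileged accounts", regulation: "SOX",  entity: "ENT-PAY" },
  { id: "CTL-002", statement: "Quarterly review of privileged accounts", regulation: "GLBA", entity: "ENT-PAY" },
  { id: "CTL-003", statement: "Quarterly review  of privileged accounts", regulation: "AML",  entity: "ENT-PAY" },
  { id: "CTL-004", statement: "Encrypt customer data at rest",           regulation: "GLBA", entity: "ENT-DB" },
  { id: "CTL-005", statement: "Encrypt customer data at rest",           regulation: "SOX",  entity: null },
  { id: "CTL-006", statement: "Annual AML training",                     regulation: "AML",  entity: "ENT-OLD" },
];

// Constructed entity table; ENT-OLD has been disabled.
const ENTITIES = {
  "ENT-PAY": { active: true },
  "ENT-DB":  { active: true },
  "ENT-OLD": { active: false },
};

// Normalise a control statement so whitespace and case differences do not
// prevent two copies of the same control from being matched.
function normalizeStatement(s) {
  return s.trim().toLowerCase().replace(/\s+/g, " ");
}

// Group controls by normalised statement. Each group becomes one consolidated
// control carrying the union of regulations it satisfies and the ids of the
// source controls it replaces (the cross-mapping auditors will ask for).
function consolidateControls(controls) {
  const groups = new Map();
  for (const c of controls) {
    const key = normalizeStatement(c.statement);
    if (!groups.has(key)) {
      groups.set(key, { statement: c.statement, regulations: new Set(), sources: [], entities: new Set() });
    }
    const g = groups.get(key);
    g.regulations.add(c.regulation);
    g.sources.push(c.id);
    if (c.entity) g.entities.add(c.entity);
  }
  return [...groups.values()].map(g => ({
    statement: g.statement,
    regulations: [...g.regulations].sort(),
    crossMapping: g.sources,
    entities: [...g.entities],
  }));
}

// Controls with no entity, or linked to a disabled entity, cannot feed reliable
// risk and compliance calculations; return their ids for review or retirement.
function findControlsToReview(controls, entities) {
  return controls
    .filter(c => !c.entity || !(entities[c.entity] && entities[c.entity].active))
    .map(c => c.id);
}

// Number of redundant control operations removed by consolidation.
function redundancyRemoved(controls) {
  return controls.length - consolidateControls(controls).length;
}

console.log(JSON.stringify(consolidateControls(CONTROLS), null, 2));
console.log("review:", findControlsToReview(CONTROLS, ENTITIES));
console.log("redundant operations removed:", redundancyRemoved(CONTROLS));
```

The `crossMapping` array is what preserves the audit trail: each consolidated control can still be traced back to the per-regulation controls it replaced, so the consolidation does not lose evidence of which regulation a test result supports.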
Define controls and business rules
- Identify controls and control owners
- Define control tests and expected results
- Establish test and control frequencies
- Identify risks: impact and likelihood
- Prepare attestations, assessments, questionnaires, and required evidence
- Compose likely use-cases (who needs to interact with or view the contents of the GRC system and for what purposes)
- Map authoritative sources to policies, to procedures, to controls, and to risks
Entity Based Access (EBA)
The Entity Based Access feature provides a more granular approach to managing access to the data objects associated with an entity. Administrators can grant access to an entity's related records by adding users or user groups, or by using entity user fields for entity-based access configuration. For more information, see Entity Based Access.
- Control
- Attestation
- Policy exception to control
Entity Based Access (EBA) rules
When entity-based record access rules are enabled on the Entity Based Access Configuration Properties page, any newly created controls, control attestations, indicators, and indicator tasks associated with a configured entity automatically inherit the entity-based access (EBA) value from that entity. Previously, users had to run bulk access updates to apply EBA restrictions whenever new objects were created.
For more information, see Entity based record access rules to secure new records.
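The following stand-alone JavaScript is an added model of the inheritance behaviour described in this section; it is not ServiceNow code and does not use the platform's APIs. It shows a control created with the rule enabled receiving its entity's EBA users and groups at creation, and a control created with the rule disabled starting with empty EBA lists, which is the gap that bulk access updates previously had to close. The entity, users, and group names are constructed sample values, and the model's assumption that a record with empty EBA lists is readable by nobody is a simplification for the example.

```javascript
// Added example, not part of the ServiceNow documentation or product code.
// Constructed sample entity carrying its EBA users and groups.
const ENTITY = {
  id: "ENT-PAY",
  ebaUsers: new Set(["alice"]),
  ebaGroups: new Set(["grc-payments"]),
};

// Constructed user directory with group memberships.
const USERS = {
  alice: { groups: [] },
  bob:   { groups: ["grc-payments"] },
  carol: { groups: ["grc-hr"] },
};

// Create a control linked to an entity. With the rule enabled, the control's
// EBA lists are copied from the entity at creation time; with it disabled they
// start empty and would need a later bulk access update to be populated.
function createControl(id, entity, { ebaRulesEnabled }) {
  const control = { id, entity: entity.id, ebaUsers: new Set(), ebaGroups: new Set() };
  if (ebaRulesEnabled) {
    entity.ebaUsers.forEach(u => control.ebaUsers.add(u));
    entity.ebaGroups.forEach(g => control.ebaGroups.add(g));
  }
  return control;
}

// Access check for this model: a user may read the record if named directly in
// its EBA users or if one of the user's groups is in its EBA groups. A record
// with empty lists is readable by nobody (assumption made for this example).
function canAccess(userName, record, users) {
  if (record.ebaUsers.has(userName)) return true;
  const user = users[userName];
  return !!user && user.groups.some(g => record.ebaGroups.has(g));
}

// Report records that carry no EBA values at all, i.e. the ones a bulk access
// update would have to repair.
function recordsWithoutEba(records) {
  return records
    .filter(r => r.ebaUsers.size === 0 && r.ebaGroups.size === 0)
    .map(r => r.id);
}

const inherited = createControl("CTL-100", ENTITY, { ebaRulesEnabled: true });
const orphaned  = createControl("CTL-101", ENTITY, { ebaRulesEnabled: false });
console.log("alice on CTL-100:", canAccess("alice", inherited, USERS));
console.log("bob on CTL-100:",   canAccess("bob", inherited, USERS));
console.log("carol on CTL-100:", canAccess("carol", inherited, USERS));
console.log("needs bulk update:", recordsWithoutEba([inherited, orphaned]));
```

Running the block shows that with inheritance enabled the new control is immediately visible to the entity's named user and group members and to nobody else, while the control created without the rule is listed as needing a bulk update.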