Control assessment based on GRC attestation template

  • Release version: Australia
  • Updated March 12, 2026
  • 4 minutes to read
    • Summarize
    Summarized using AI
    This content was generated using new OpenAI-powered functionality. Results are provided on an as is basis and are not guaranteed to be accurate or complete.

    Summary of Control Assessment Based on GRC Attestation Template

    The Control Assessment based on the GRC Attestation Template provides an alternative assessment method utilizing ServiceNow's AI platform. This enables customers to manage control assessments more efficiently within the Policy and Compliance Management framework.

    Show full answer Show less

    Key Features

    • Smart Assessment Requirements: To enable smart assessments, the GRC: Policy and Compliance Management plugin must be installed, along with several scoped applications including Smart Assessment core, Migration tools, Connected, and Designer.
    • System Property Configuration: Customers must set the "Enable smart assessments on control" system property to true to utilize the GRC attestation template for control assessments.
    • User Role Access: Different roles have specific permissions; for example, business users can respond to attestations, while compliance managers can view and edit templates.
    • Control Objective Configuration: When the attestation method is set to "Attestation," controls generated inherit relevant values from the control objective, streamlining the assessment process.
    • Notification System: Email notifications are sent to control owners and respondents once controls reach the attest state, detailing the attestation requirements.

    Key Outcomes

    Implementing the GRC attestation template allows for:

    • Streamlined control assessments, resulting in more efficient compliance management.
    • Automatic updates to controls based on changes in control objectives, ensuring consistency and accuracy.
    • Improved compliance tracking, with automatic issue creation for non-compliance and closure upon successful attestations.
    • Access to attestations across multiple platforms including Employee Center, Risk Portal, and Compliance Workspace.

    You can select the option to attest controls using an assessment method. This assessment is an alternative method to the classic assessment that is based on ServiceNow AI Platform method of assessment.

    Pre-requisites to enable smart assessment in Policy and Compliance Management

    Smart assessment scoped applications
    The base system ships the GRC smart assessment template to the users when the GRC: Policy and Compliance Management (sn_compliance) plugin is installed. However, the following scoped applications are required:
    1. Smart Assessment core (sn_smart_asmt)
    2. Smart assessment Migration tools (sn_smart_asmt_mig). For more information, see Migrate a legacy metric type to an assessment template
    3. Smart Assessment Connected (sn_smart_asmt_conn)
    4. Smart Assessment Designer (sn_smart_asmt_desg). For more information, see Using the template designer
    Enable smart assessments system property
    The Enable smart assessments on control system property must be set to true if you want to assess the controls using the assessment method based on GRC attestation template. For more information on the system property, see Enable smart assessments on control.
    Migrate the template
    Create a new template in Smart Assessment Engine. For more information, see Creating an assessment template from legacy assessment metric types.

    Access control limitations for smart assessment user roles

    sn_grc.business_user and sn_grc.business_user_lite
    As logged in users they can respond to attestations in My Attestations on the Task page of Compliance Workspace, Risk Portal, and Employee Center.
    sn_compliance_ws.corporate_compliance_manager and sn_compliance_ws.it_compliance_manager
    Can view and edit the templates.
    sn_compliance.attestation_creator
    Can create template category and template migration.
    sn_compliance.user
    Can read all the assessments related to control category.

    Assessment template category and migration tables

    Assessment template categories [sn_smart_asmt_template_category]
    The Category role field has the configuration of the minimum reader role required to read the template of this category. The role must contain sn_smart_asmt.template_reader role.
    Assessment template migrations [sn_smart_asmt_mig_template_migration]
    Used to migrate the existing source metric type and template category to the new assessment template format.

    Impact of attestation method on control objective and control generation

    When the Enable smart assessments on control system property is set to true and the Control objective record has the value Attestation in the Attestation method field, then all the controls that are generated for this control objective record after attestation has values defaulted from the control objective. The Attestation method field value defaults to Attestation.

    Note:
    The old control objectives will have default assessment method as classic assessment. If you would like to explore smart assessment method, then you should make necessary changes to either the control objective or the control. The control can be updated only if it does not have any control objective. After you create a new record, you can either opt the classic attestation or attestation as your attestation method.
    • If the control objective is associated with the control, then the generated control inherits the Attestation method and Attestation field values.
    • If a control is created from a control objective, the Attestation method and the Attestation fields are pre-populated, if the control objective has values in these fields.
      Note:
      The controls are automatically created if the Create controls automatically option is enabled for the control objective.

      The Attestation method field is read only. However, you can edit the Attestation field and select a different template for attestation. Any changes done to the control objective are automatically updated in the associated controls.

    • After the control is saved and attested, the Attestations related list appears in the Control record. This related list displays all Assessment instances that are in Open and Completed states.

      If the assessment method is changed from Classic attestation to Attestation in the control objective record, then the changes are reflected in all the control records generated for the control objective. Up until the control moves to the Attest state, the Attestation method and Attestation field values can be updated.

    • If the control was previously generated opting the classic attestation method, then the Classic attestation related list has the details of all completed attestations.
    • If the control is moved to the Draft state by selecting the Return to Draft button, all the assessments that were active are canceled. Similarly, if the control retires, all related assessments are canceled as well.
    • If the control is marked Exempt owing to a policy exception, all the associated assessments are canceled. However, if the Exempt option is cleared for the control and if the control is in the Attest state, then the assessments are re-triggered. And, all the fields in the Attestation section of the control becomes read only.
    • If a policy is associated to the control objective, and the policy is published, then all the fields of the control objective form become read only.
    • When the control moves to the Attest state, the assessments are triggered. An email notification is sent to the control owner and the attestation respondents of the control, with the subject line referencing the new attestation name of the control number and the due date by which the attestation must be completed.
    • If an attestation fails for one of the controls generated from a control objective, then the control becomes non-compliant and an issue is created. Or, if the control has an issue that already exists, then the Issue source field is updated. If the control moves to the Attest state and if the attestation passes, then the existing issues are closed, and the control becomes compliant.