Manage engagements

  • Release version: Yokohama
  • Updated January 30, 2025
  • 3 minutes to read
    • Summarize
    Summarized using AI
    This content was generated using new OpenAI-powered functionality. Results are provided on an as is basis and are not guaranteed to be accurate or complete.

    Summary of Manage engagements

    The audit engagement process in ServiceNow's Manage engagements feature enables customers to create, plan, scope, conduct, and report on audit engagements efficiently. This structured process guides audit managers through defining the scope, validating audit elements, conducting fieldwork, obtaining approvals, following up on open tasks, and closing audits. Entity-based access controls provide granular data access management for audit-related records linked to specific entities.

    Show full answer Show less

    Engagement Process States

    • Scope: Audit managers define involved entities to set the audit boundaries and include relevant business services and departments.
    • Validate: Risks, controls, test plans, and indicator results related to scoped entities are associated with the engagement. Audit managers review and can adjust scope and begin planning audit tasks.
    • Fieldwork: Auditors perform assigned tasks such as control testing, interviews, and walkthroughs. Issues found are documented and linked to the engagement. Audit managers finalize engagement results.
    • Awaiting Approval: Designated approvers review audit results and issues, then approve or reject the engagement.
    • Follow Up: If open audit tasks, issues, or milestones remain after approval, auditors work to resolve them before marking the engagement complete.
    • Closed: Engagements close either as incomplete in early states or automatically after all tasks are resolved post-approval and follow-up.

    Key Features

    • Audit Task Management: Create and track audit tasks such as control tests, interviews, walkthroughs, and other activities to document compliance evidence.
    • Reuse Engagements: Create new engagements based on previous ones to streamline scope, team, and approver setup for recurring audits.
    • Control Tests and Activities: Define control tests and related activities to periodically verify control effectiveness.
    • Communication Tools: Generate audit reports and knowledge base articles summarizing findings for executive communication.
    • Entity-Based Access: Configure granular user access to engagement data based on entity associations, enhancing data security and relevance.
    • Engagement Workbench: Use a timeline-based visual interface to manage engagements easily and navigate audit activities.

    Practical Benefits

    ServiceNow customers can leverage this engagement process to systematically manage audits, ensure comprehensive coverage of risks and controls tied to business entities, and maintain clear documentation of audit activities and findings. The structured workflow supports collaboration between auditors and approvers, facilitates timely issue resolution, and improves audit reporting and communication. Entity-based access controls enhance data security by restricting visibility to relevant audit data.

    The audit engagement process involves creating, planning, scoping, and conducting engagements as well as reporting on engagement findings.

    Engagement process

    The base system audit engagement process includes steps for scoping, validating, conducting, and approving engagement results. It also contains steps for following up on open audit tasks and issues, and finally closing out the audit engagement.
    Note:
    The Entity-based access provides a framework for a more granular approach to the management of data access to objects associated with an entity. Administrators can grant access to an entity's related records by adding users or user groups, or by using entity user fields for entity-based access configuration. For more information, see Entity Based Access. When a user is qualified based on these configurations and has the minimum required roles, they will have access to the following tables:
    • Engagement
    • Test Plan
    • Control Test
    • Observation
    • Control to Engagement
    • Test Plan to Engagement
    • Risk to Engagement
    • Issue to Engagement
    • Entity to Engagement
    Table 1. States of the engagement process
    State Description
    Scope

    During the Scope state, audit managers define which entities are involved in the audit engagement. For example, for a financial audit, one may include all business services that the finance department relies on and the finance department itself.

    See Add entities to an engagement scope.
    Validate

    After an engagement has moved to the Validate state, all the risks, controls, and test plans associated with the entities in the engagement's scope will be associated with the audit. Indicator results that were collected during the audit period of the engagement will also be associated with the audit. Audit managers can review the risks, controls, test plans, and indicator results, and update the scope of the engagement, if necessary. Audit managers can also begin creating and planning audit tasks for the engagement.

    To move an engagement into the Validate state, click Validate on any engagement currently in the Scope state.
    Fieldwork

    Auditors complete their assigned audit tasks during the Fieldwork state. These tasks include control testing, interviews, walkthroughs, and other activities. Issues that are found during control testing are associated with the engagement. Auditors can also create general issues associated with the engagement. Audit managers can create additional audit tasks as needed. When the audit is done, audit managers specify the result of the engagement, whether it's satisfactory, adequate or inadequate, and provide details on their opinion.

    To move an engagement into the Fieldwork state, click Advance to Fieldwork on any engagement currently in the Validate state.

    See Audit task management.
    Awaiting Approval

    During the "Awaiting Approval" state, the approvers specified in the Approvers field of the engagement review the results of the audit tasks conducted and the issues that were created. After reviewing the results of the engagements, approvers approve or reject the engagement.

    To move an engagement into the Awaiting Approval state, click Request approval on any engagement currently in the Fieldwork state.

    See Approve or reject an engagement.
    Follow Up After an engagement has been approved, if there are any remaining open tasks, issues or milestones, in case of GRC Advanced Audit, associated with the engagement, the engagement automatically goes into the Follow Up state. During this stage, auditors must close out all remaining issues, tasks, and milestones before the engagement are marked as complete.
    Closed
    Engagements move into the "Closed" state under one of three conditions:
    • The engagement is closed as incomplete during the Scope, Validate, or Fieldwork states.
    • There are no open audit tasks, issues, and milestones after the engagement is approved. In this case, the engagement automatically moves from the Awaiting Approval state to the Closed state.
    • All follow-up tasks, issues, and milestones are closed out. In this case, the engagement automatically moves from the Follow Up state to the Closed state.