SecOps - GRC - Audit Process Guide - Orlando


GRC Audit Management

Process Guide
Orlando Release

Ref: 0001643

© 2020 ServiceNow, Inc. All rights reserved.

ServiceNow, the ServiceNow logo, Now, and other ServiceNow marks are trademarks and/or registered trademarks of ServiceNow, Inc., in the United States and/or other countries. Other
company names, product names, and logos may be trademarks of the respective companies with which they are associated.
Table of Contents
Introduction
Principles and Basic Concepts
    Process Scope
    Process Objectives
Audit Management Structure
    Engagements
    Audit Tasks
    Test Templates
Roles and Responsibilities
    Audit Manager
    Auditor/Audit Users
    Audit Program Administrator
    System Administrator
    External Auditors
Engagements Lifecycle
    Process Overview
    Process Flow: Scope
    Process Flow: Validate
    Process Flow: Fieldwork
    Process Flow: Awaiting Approval
    Process Flow: Follow Up
    Process Flow: Closed
    Audit Process State Value Actions and Activities Table
Audit Workbench

Introduction
This process guide provides a detailed explanation of how the audit management process is enabled within the
ServiceNow platform. The process is intended to be followed as closely as possible regardless of the customer's level
of maturity. ServiceNow encourages simple, lean GRC processes, and that is reflected in the out-of-the-box design.
Customers may add functionality beyond what is offered, but this should only be done where a required business
outcome cannot be achieved using an out-of-the-box method. Following this approach should also ease customer
upgrade paths and the ability to expand their use of the platform.

Principles and Basic Concepts


A good integrated risk management (IRM) program is defined by the requirements established by an organization’s
policies. For instance, controls may mitigate risk, but they are initially implemented to enforce policies. Therefore,
the normalization and consolidation of policies is an integral step in an organization’s strategy in order to manage
risk and meet compliance requirements across an ever-growing regulatory landscape.

Process Scope
The scope of audit management includes automating the work streams of internal audit teams, optimizing
resources and productivity, and eliminating recurring audit findings. The ongoing review of policies and
procedures, risks, and control breakdowns provides an opportunity to fix issues before they become audit
failures. The audit management process supports the best practice of continuous monitoring, leveraging its own data
as well as additional compliance and risk data to scope, plan, and prioritize audit engagements.
Process Objectives
The objectives of audit management are to:
• Ensure that risks are properly identified and quantified
• Ensure that controls are designed in a way that effectively reduces the identified risks
• Ensure that controls are properly monitored for operating effectiveness
• Ensure that control deficiencies are identified and remediated

Audit Management Structure
The figure below (Figure 1) shows the Audit Management application and how its modules are associated with
one another.

Figure 1: Audit Management

Engagements
The Engagement module manages audit engagements (e.g. audits, projects, etc.) through their entire lifecycle and is
the main hub of the Audit Management solution. Here you can define and scope an audit engagement, assign team
members to it, perform and review fieldwork, manage issues, and wrap-up the audit engagement.

Audit Tasks
Audit Tasks are assigned to and performed by members of the audit team to provide evidence of whether a particular
process, technology, or control is performing as designed. Four types of audit tasks are included out-of-the-box:
1. Activity – a generic task to track other activities that occur during engagements.
2. Control Test – an audit task to perform a design and/or operation test to determine the overall effectiveness of a
control.
3. Interview – a data gathering task often used by auditors to learn a process or find and corroborate audit
evidence.
4. Walkthrough – a task to establish the reliability and/or credibility of an organization’s internal control over a
procedure or process.

Test Templates
The Test Templates module allows the audit team to pre-populate frequently used audit programs and procedures
that can be copied and used across many engagements. Audit managers can use test templates to create multiple test
plans for similar controls at one time.

Roles and Responsibilities
This section lists the responsibilities of all stakeholders involved in the Policy and Compliance application.

Audit Manager
Responsible for:
• Establishing the policies and procedures that the audit management team follows
• Ensuring that the mission of the audit management team aligns to the organizational standards, guidelines or
expectations
• Monitoring the state of overall engagement(s)
• Acting as an escalation point for remediation teams who need assistance
• Assignment of audit activities to auditors
• Creating effective reports to track audit engagement progress, control efficacy, control compliance, etc.

ServiceNow role: sn_audit.manager
• Contains roles: sn_grc.manager, sn_audit.user

Auditor/Audit Users
Responsible for:
• Acknowledging and managing the audit tasks and activities that are assigned to them
• Monitoring reports, as needed, that reflect the current state of audit tasks and activities

ServiceNow role: sn_audit.user
• Contains roles: sn_grc.user, sn_compliance.reader, sn_risk.reader

Audit Program Administrator


Responsible for:
• Administration and configuration of the ServiceNow Audit application
• Ensuring applicable integration points are working as expected
• Making adjustments to the ServiceNow Audit application and configuration
• Setting up specific configurations (workflows, SLAs, notifications, grouping rules, etc.)
• Adding and/or deleting audit report templates

ServiceNow role: sn_audit.admin

System Administrator
Responsible for:
• Administering the Audit Management application, and also maintaining other aspects of the platform such as
workflows, reports, dashboards, additional modules, and other platform-specific content that may enrich the
application.

ServiceNow role: sn_audit.developer

External Auditors
Responsible for:
• Read-only access to certain records within the Audit Management application. Typically for users who need to
see completed audit engagements and their associated results.

ServiceNow role: sn_audit.external_auditor
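The role containment listed above means that a user's effective permissions are larger than the roles assigned to them directly: sn_audit.manager brings in sn_audit.user, which in turn brings in the GRC, compliance and risk reader roles. The JavaScript below is an added example, not ServiceNow code, that resolves that containment transitively so an access reviewer can see the effective role set and spot redundant direct assignments. It uses only the containment the guide lists; the three roles for which the guide lists no contained roles are recorded with none.

```javascript
// Added example (not ServiceNow code): resolve the effective role set a user
// receives through role containment, as an access reviewer would when checking
// least privilege. Containment is transitive: sn_audit.manager contains
// sn_audit.user, so a manager also holds everything sn_audit.user contains.
// Only sn_audit.manager and sn_audit.user have contained roles listed in this
// guide; the remaining roles are recorded with no children.
const ROLE_CONTAINS = {
  "sn_audit.manager": ["sn_grc.manager", "sn_audit.user"],
  "sn_audit.user": ["sn_grc.user", "sn_compliance.reader", "sn_risk.reader"],
  "sn_audit.admin": [],
  "sn_audit.developer": [],
  "sn_audit.external_auditor": [],
};

// Breadth-first expansion of directly assigned roles into the effective set.
// The visited set keeps the walk terminating even if a containment cycle
// were ever configured.
function effectiveRoles(assigned, contains = ROLE_CONTAINS) {
  const seen = new Set();
  const queue = [...assigned];
  while (queue.length) {
    const role = queue.shift();
    if (seen.has(role)) continue;
    seen.add(role);
    for (const child of contains[role] || []) queue.push(child);
  }
  return [...seen].sort();
}

// True when the assigned roles grant `wanted`, directly or through containment.
function grants(assigned, wanted, contains = ROLE_CONTAINS) {
  return effectiveRoles(assigned, contains).includes(wanted);
}

// Directly assigned roles that another assigned role already implies; these are
// the redundant grants an access review would normally remove.
function redundantRoles(assigned, contains = ROLE_CONTAINS) {
  return assigned.filter((r) =>
    assigned.some((other) => other !== r && effectiveRoles([other], contains).includes(r))
  );
}

// Constructed sample: an auditor who was also granted the manager role directly.
const sample = ["sn_audit.user", "sn_audit.manager"];
console.log("effective:", effectiveRoles(sample));
console.log("redundant:", redundantRoles(sample));
```

Running the sample shows that the direct sn_audit.user grant is redundant once sn_audit.manager is held, and that sn_audit.external_auditor resolves to itself alone, which is consistent with its read-only purpose.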

Engagements Lifecycle
States in any ServiceNow application serve a specific purpose: they make it clear where in a process a particular
record currently resides and display progress. A state should represent a unique phase of a process in which a
specific set of related activities is grouped together to achieve a particular outcome before the record moves to the
next phase. Out of the box, Audit Management has the following state model:
• Scope
• Validate
• Fieldwork
• Awaiting Approval
• Follow Up
• Closed

Process Overview
The Audit Management application involves processing a set of activities related to planning audit engagements,
executing engagements, and reporting findings to an audit audience and/or executive board. Engagement reporting
assures key stakeholders that the organization's risk and compliance management strategy is effective.
ServiceNow allows users to schedule internal audits, conduct resource planning, scope engagements, conduct audit
activities, review continuous monitoring results, and report findings.

Figure: Engagement state flow: Scope → Validate → Fieldwork → Awaiting Approval → Follow Up → Closed
Process Flow: Scope
Creating a new engagement starts with determining basic information such as the engagement description, dates,
scope, and the objectives of this engagement.
Scoping an engagement is when the audit team will define each component of the business that they are responsible
for reviewing. In other words, scoping will drive what testing the audit team will perform as part of the fieldwork.
Schedule
The audit team can fill in estimated dates on the left and actual dates on the right. The actual start date is
automatically populated once the first task is started.
Entities
In this tab, the audit team will catalog the different parts of the organization that need to be reviewed. By selecting
the entities that have been defined either as part of the Policy and Compliance or Risk Management applications, the
audit team can automatically gain visibility into the risks and controls that are tied to the different entities that they
have selected.

Process Flow: Validate
During this phase, the system automatically populates risk register items and controls that have been pre-mapped to
the selected entities. Members of the audit team are expected to demonstrate a holistic understanding of the
organization and the risk it faces. The populated risks and controls give the audit team one-click access to
management's evaluations of risk and controls. Once the scope and everything associated with it has been reviewed,
the audit team can begin performing and completing the engagement by moving it to the Fieldwork stage.

Process Flow: Fieldwork


Auditors complete their assigned audit tasks during the Fieldwork state. These tasks include control testing,
interviews, walkthroughs, and other activities. Issues that are found during control testing are associated with the
engagement. Auditors can also create general issues associated with the engagement. Audit managers can create
additional audit tasks as needed. When the audit is done, audit managers specify the result of the engagement,
whether it's satisfactory, adequate or inadequate, and provide details on their opinion.
Audit Tasks
All audit tasks related to this engagement, whether automatically or manually generated, are generally performed in
this stage. The auditors have a consolidated view of the established audit tasks as well as who is assigned to perform
them and their current status.
Automated audit tasks are generated through Test Plans, but auditors also have the ability to create manual tasks.
The four types of audit tasks offered out-of-the-box are:
1. Activity – a generic task to track other activities that occur during engagements.
2. Control Test – an audit task to perform a design and/or operation test to determine the overall effectiveness of a
control.
3. Interview – a data gathering task often used by auditors to learn a process or find and corroborate audit
evidence.
4. Walkthrough – a task to establish the reliability and/or credibility of an organization's internal control over a
procedure or process.
To move an engagement into the Awaiting Approval stage, click Request approval on any engagement currently in
the Fieldwork stage.

Process Flow: Awaiting Approval


During the Awaiting Approval stage, the approvers specified in the engagement's Approvers field review the results
of the audit tasks conducted and the issues that were created. After reviewing the results of the engagements, they
can either approve or reject the engagement.

Process Flow: Follow Up


Once an engagement has been approved, if there are any remaining open tasks or issues associated with the
engagement, the engagement automatically goes into the Follow Up stage. During this stage, auditors must close out
all remaining issues and tasks before the engagement can be considered complete. Audit managers can generate an
audit report that summarizes the findings of an engagement so that the findings can be communicated to executives.

Process Flow: Closed
Engagements move into the Closed state under one of three conditions:
1. The engagement is closed as incomplete during the Scope, Validate, or Fieldwork stages.
2. There are no open audit tasks or issues after the engagement is approved. In this case, the engagement
automatically moves from the Awaiting Approval stage to the Closed stage.
3. All of the follow up issues and tasks are closed out. In this case, the engagement automatically moves from the
Follow Up stage to the Closed stage.

Audit Process State Value Actions and Activities Table

State Value        | Available Actions from State                        | State Activity
Scope              | [Validate] [Close Incomplete] [Delete]              | Set parameters of the engagement; Add profiles; Set the report template and KB article template
Validate           | [Advance to Fieldwork] [Close Incomplete] [Delete]  | Review engagement details; Generate Control Tests and assign; Create other applicable audit tasks and assign
Fieldwork          | [Close Incomplete] [Request Approval] [Delete]      | Completion of audit tasks by auditors; Engagement results determination by the audit manager (engagement assigned to user)
Awaiting Approval  | [Delete]                                            | Review of audit results and approval/rejection determination by audit approver(s)
Follow Up          | [Generate Report] [Delete]                          | Generate preliminary audit report; Resolve audit issues (findings/observations)
Closed             | [Generate Report] [Delete]                          | Generate final audit report
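The state table and the Process Flow sections together define a small state machine: manual actions that are only offered in particular states, plus two automatic transitions (approval with open items goes to Follow Up, and closing the last follow-up item goes to Closed). The JavaScript below is an added example, not ServiceNow code or part of this guide, that encodes those rules so the allowed transitions can be checked and the lifecycle traced. One assumption is labelled: the guide says approvers can reject an engagement but does not say which state it returns to, so the model sends a rejected engagement back to Fieldwork. [Generate Report] and [Delete] do not change state and are not modelled as transitions.

```javascript
// Added example (not ServiceNow code): a model of the engagement state machine
// described in this guide. Manual actions per state come from the state table;
// the automatic transitions come from the Awaiting Approval, Follow Up and
// Closed sections. ASSUMPTION: the guide does not state where a rejected
// engagement goes; this model returns it to Fieldwork.

// Manual UI actions that change state, keyed by the current state.
const MANUAL_TRANSITIONS = {
  "Scope":             { "Validate": "Validate", "Close Incomplete": "Closed" },
  "Validate":          { "Advance to Fieldwork": "Fieldwork", "Close Incomplete": "Closed" },
  "Fieldwork":         { "Request Approval": "Awaiting Approval", "Close Incomplete": "Closed" },
  "Awaiting Approval": {},   // only the approver decision moves it on
  "Follow Up":         {},   // only closing the last open item moves it on
  "Closed":            {},   // terminal
};

class Engagement {
  constructor(name) {
    this.name = name;
    this.state = "Scope";
    this.closedIncomplete = false;
    this.openItems = new Set();   // ids of open audit tasks and issues
    this.history = [];            // trail of every transition, for review
  }

  _move(to, why) {
    this.history.push({ from: this.state, to, why });
    this.state = to;
  }

  // Apply a manual action; actions not offered in the current state are refused.
  act(action) {
    const target = MANUAL_TRANSITIONS[this.state][action];
    if (!target) throw new Error(`${action} is not available from ${this.state}`);
    if (action === "Close Incomplete") this.closedIncomplete = true;
    this._move(target, action);
    return this.state;
  }

  // Audit tasks and issues are opened during Fieldwork or later as follow-up items.
  openItem(id) { this.openItems.add(id); }

  // Closing the last open item while in Follow Up completes the engagement automatically.
  closeItem(id) {
    this.openItems.delete(id);
    if (this.state === "Follow Up" && this.openItems.size === 0) {
      this._move("Closed", "all follow-up items closed");
    }
    return this.state;
  }

  // Approver decision: approval goes to Follow Up if anything is still open, else Closed.
  decide(approved) {
    if (this.state !== "Awaiting Approval") throw new Error(`no approval pending in ${this.state}`);
    if (!approved) { this._move("Fieldwork", "rejected (assumed return state)"); return this.state; }
    this._move(this.openItems.size ? "Follow Up" : "Closed", "approved");
    return this.state;
  }
}

// Walk one constructed engagement through the full lifecycle; returns the states entered.
function demoLifecycle() {
  const e = new Engagement("constructed example");
  e.act("Validate");
  e.act("Advance to Fieldwork");
  e.openItem("issue-1"); e.openItem("task-1");
  e.closeItem("task-1");
  e.act("Request Approval");
  e.decide(true);            // issue-1 still open, so Follow Up rather than Closed
  e.closeItem("issue-1");    // last open item, so Closed automatically
  return e.history.map((h) => h.to);
}

console.log(demoLifecycle());
```

The refusal in act() is the useful part for a process owner: a transition such as Request Approval from Scope is rejected rather than silently applied, matching the fact that the button is simply not offered there in the table above.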

Audit Workbench
The Engagement Workbench provides a timeline view from which you can select an audit engagement to view
details or create a new engagement.

