SecOps - GRC - Audit Process Guide - Orlando
Process Guide
Orlando Release
Ref: 0001643
ServiceNow, the ServiceNow logo, Now, and other ServiceNow marks are trademarks and/or registered trademarks of ServiceNow, Inc., in the United States and/or other countries. Other
company names, product names, and logos may be trademarks of the respective companies with which they are associated.
Table of Contents
Introduction
Principles and Basic Concepts
  Process Scope
  Process Objectives
Audit Management Structure
  Engagements
  Audit Tasks
  Test Templates
Roles and Responsibilities
  Audit Manager
  Auditor/Audit Users
  Audit Program Administrator
  System Administrator
  External Auditors
Engagements Lifecycle
  Process Overview
  Process Flow: Scope
  Process Flow: Validate
  Process Flow: Fieldwork
  Process Flow: Awaiting Approval
  Process Flow: Follow Up
  Process Flow: Closed
  Audit Process State Value Actions and Activities Table
Audit Workbench
Introduction
This process guide provides a detailed explanation of how the audit management process is enabled within the
ServiceNow platform. It is intended that this process be followed as closely as possible regardless of the level of
maturity of the customer. ServiceNow encourages simple, lean GRC processes, and that is reflected in the
out-of-the-box design. Customers may add functionality beyond what is offered; however, this should be done only
where a required business outcome could not be achieved using an out-of-the-box method.
Following this approach should also ease customer upgrade paths and the ability to expand their use of the platform.
Process Scope
The scope of audit management includes automation of the work streams of internal audit teams, optimizing
resources and productivity, and eliminating recurring audit findings. The ongoing review of policies and
procedures, risks, and control breakdowns provides an opportunity to fix issues before they become audit
failures. The audit management process supports the best practice of continuous monitoring, leveraging its data as
well as incorporating additional compliance and risk data to scope, plan, and prioritize audit engagements.
Process Objectives
The objectives of audit management are to:
• Ensure that risks are properly identified and quantified
• Ensure that controls are designed in a way that effectively reduces the identified risks
• Ensure that controls are properly monitored for operating effectiveness
• Ensure that control deficiencies are identified and remediated
Audit Management Structure
The figure below (Figure 1) shows the Audit Management application and how its modules are associated with
one another.
Engagements
The Engagement module manages audit engagements (e.g. audits, projects, etc.) through their entire lifecycle and is
the main hub of the Audit Management solution. Here you can define and scope an audit engagement, assign team
members to it, perform and review fieldwork, manage issues, and wrap-up the audit engagement.
Audit Tasks
Audit Tasks are assigned to and performed by members of the audit team to provide evidence of whether a particular
process, technology, or control is performing as designed. There are four types of audit tasks that are included
out of the box:
1. Activity – a generic task to track other activities that occur during engagements.
2. Control Test – an audit task to perform a design and/or operation test to determine the overall effectiveness of a
control.
3. Interview – a data gathering task often used by auditors to learn a process or find and corroborate audit
evidence.
4. Walkthrough – a task to establish the reliability and/or credibility of an organization’s internal control over a
procedure or process.
Test Templates
The Test Templates module allows the audit team to pre-populate frequently used audit programs and procedures
that can be copied and used across many engagements. Audit managers can use test templates to create multiple test
plans for similar controls at one time.
Roles and Responsibilities
This table contains the responsibilities of all stakeholders involved in the Policy and Compliance application.
Audit Manager
Responsible for:
• Establishing the policies and procedures that the audit management team follows
• Ensuring that the mission of the audit management team aligns to the organizational standards, guidelines, or
  expectations
• Monitoring the state of overall engagement(s)
• Acting as an escalation point for remediation teams who need assistance
• Assigning audit activities to auditors
• Creating effective reports to track audit engagement progress, control efficacy, control compliance, etc.
Auditor/Audit Users
Responsible for:
• Acknowledging and managing the audit tasks and activities that are assigned to them
• Monitoring, as needed, reports that reflect the current state of audit tasks and activities
System Administrator
Responsible for:
• Administering the Audit Management application, as well as maintaining other aspects of the
  platform, such as creating workflows, reports, dashboards, additional modules, and other platform-specific
  content that may enrich the application.
External Auditors
Responsible for:
• Read-only access to certain records within the Audit Management application. This role is typically for users
  who need to see completed audit engagements and their associated results.
Engagements Lifecycle
States in any ServiceNow application serve a specific purpose. They are designed to make it clear where in a
process a particular record currently resides and to display progress. Each state should represent a unique phase in
the process, grouping a specific set of related activities designed to achieve a particular outcome so that the
record can move to the next phase of the process. Out of the box, Audit Management has the following state model:
Scope
Validate
Fieldwork
Awaiting Approval
Follow Up
Closed
Process Overview
The Audit Management application involves processing a set of activities related to planning audit engagements,
executing engagements, and reporting findings to an audit audience and/or executive board. Engagement reporting
assures key stakeholders that the organization's risk and compliance management strategy is effective.
ServiceNow allows users to schedule internal audits, conduct resource planning, scope engagements, conduct audit
activities, review continuous monitoring results, and report findings.
Scope → Validate → Fieldwork → Awaiting Approval → Follow Up → Closed
Process Flow: Scope
Creating a new engagement starts with determining basic information such as the engagement description, dates,
scope, and the objectives of this engagement.
When scoping an engagement, the audit team defines each component of the business that it is responsible
for reviewing. In other words, scoping drives what testing the audit team will perform as part of the fieldwork.
Schedule
The audit team can fill in estimated dates on the left and actual dates on the right. The actual start date is
automatically populated once the first task is started.
Entities
In this tab, the audit team will catalog the different parts of the organization that need to be reviewed. By selecting
the entities that have been defined either as part of the Policy and Compliance or Risk Management applications, the
audit team can automatically gain visibility into the risks and controls that are tied to the different entities that they
have selected.
Process Flow: Validate
During this phase, the system automatically populates risk register items and controls that have been pre-mapped to
those entities. Members of the audit team are expected to demonstrate a holistic understanding of the organization
and the risk it faces. The risks and controls that get populated give the audit team one-click access to
management’s evaluations of risk and controls. Once the scope has been reviewed, along with everything
associated with it, the audit team can begin performing and completing the engagement by moving it to the
Fieldwork stage.
Process Flow: Closed
Engagements move into the Closed state under one of three conditions:
1. The engagement is closed as incomplete during the Scope, Validate, or Fieldwork stages.
2. There are no open audit tasks or issues after the engagement is approved. In this case, the engagement
automatically moves from the Awaiting Approval stage to the Closed stage.
3. All of the follow up issues and tasks are closed out. In this case, the engagement automatically moves from the
Follow Up state to the Closed stage.
Audit Workbench
The Engagement Workbench provides a timeline view from which you can select an audit engagement to view
details or create a new engagement.