All businesses require periodic auditing across departments and areas such as finances, risks, and policies.

ServiceNow provides a platform for documenting, monitoring, evaluating, and reporting any audits made in the organization. Recurring audits can be reused periodically, eliminating the need to create new records every time.

 

Audit Management in ServiceNow

ServiceNow provides an organized platform for creating new or recurring policy, risk, and compliance records that are audited either once or periodically. Teams can use it to automate repetitive tasks and to monitor and report on their work more effectively. The objective of audit management in ServiceNow is to:

1. Identify and quantify compliance risks that have occurred or are likely to occur

2. Create adequate controls for the identified risk 

3. Monitor the rules effectively 

4. In case of any control deficiency, identify the defect and remediate it.

This management process involves resource planning, scoping engagements, conducting audit activities, evaluating results, reporting the findings, and documenting them for reference.

ServiceNow provides roles that strictly delegate user access. Depending on their responsibilities, a user can create engagements, work on assigned tasks, delete engagements, or customize the whole configuration.

 


Start of Audit Management in ServiceNow

 

The first step to start the audit journey in ServiceNow GRC is to install GRC: Audit Management. For more features of ServiceNow GRC, you can also install the following: 

 

  • GRC: Advanced Audit 
  • GRC: Advanced Core 
  • GRC: Audit Management Analytics and Reporting

Once installed, you can leverage the use of the modules below to automate your whole journey.

 

1. Plan: Create plans to manage different kinds of audits periodically.

2. Engagement: Use an engagement as the workbench, i.e., to set the timeline and cost and to create or store the details of the audits.

3. Audit Task: Create documented evidence.

4. Milestones: Track the progress of an engagement.

5. Observation: Document the results.

6. Issues: Can be created automatically from an observation.

7. Remediation tasks: Can be created only for open issues.

8. Evidence Request: Documents used by the auditor to form their opinion.

 

Roles and Responsibilities

With the GRC plugins installed, audit management relies on the roles and delegation features provided by ServiceNow. These roles determine which users can do what in the modules.

1. Audit User (sn_audit.user): Can be assigned to audit tasks and milestones and create test plans or test templates.   

2. Audit Manager (sn_audit.manager): The audit manager inherits the audit user role and therefore the privileges associated with it. In addition, the manager role grants its own permissions, including creating an engagement.

3. Audit Admin (sn_audit.admin): Inherits the audit manager role. The permissions associated with the admin role include deleting engagements, test plans, test templates, tasks, etc.

4. Audit Developer (sn_audit.developer): They inherit the role of audit admin. An audit developer can create or delete audit report templates.

5. Engagement Project Manager (sn_audit_advanced.engagement_project_manager): The user inherits the audit manager role. The work of the engagement project manager is to create advanced planning of engagements, estimate resources and costs, and approve timecards.  

6. External Auditors (sn_audit.external_auditor): The user can be assigned to any audit task. They can read closed engagements and closed tasks and work on the ones assigned to them.
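
The inheritance chain in the list above determines what a user can actually do, which is what an access review has to check. The following is an added example, not ServiceNow or inMorphis code: it models only the inheritance stated on this page, and the user names and helper function names are hypothetical.

```javascript
// Constructed model of the role inheritance stated in the list above.
// Not ServiceNow code: on an instance this data lives in the role tables.
const INHERITS = {
  'sn_audit.user': [],
  'sn_audit.manager': ['sn_audit.user'],
  'sn_audit.admin': ['sn_audit.manager'],
  'sn_audit.developer': ['sn_audit.admin'],
  'sn_audit_advanced.engagement_project_manager': ['sn_audit.manager'],
  'sn_audit.external_auditor': [],
};

// Expand directly granted roles into every role held, inherited ones included.
function effectiveRoles(granted) {
  const held = new Set();
  const todo = [...granted];
  while (todo.length > 0) {
    const role = todo.pop();
    if (held.has(role)) continue; // also guards against inheritance cycles
    held.add(role);
    todo.push(...(INHERITS[role] || []));
  }
  return held;
}

// Review 1: who can delete engagements (sn_audit.admin), and was the role
// granted directly or only reached through inheritance?
function deleteCapable(assignments) {
  return Object.entries(assignments)
    .filter(([, granted]) => effectiveRoles(granted).has('sn_audit.admin'))
    .map(([user, granted]) => ({ user, direct: granted.includes('sn_audit.admin') }));
}

// Review 2: external auditors who also hold any other role in the model.
function externalWithInternalRoles(assignments) {
  const ext = 'sn_audit.external_auditor';
  return Object.entries(assignments)
    .filter(([, granted]) => {
      const held = effectiveRoles(granted);
      return held.has(ext) && held.size > 1;
    })
    .map(([user]) => user);
}

// Constructed sample assignments (hypothetical users).
const SAMPLE = {
  alice: ['sn_audit.developer'],
  bob: ['sn_audit_advanced.engagement_project_manager'],
  carol: ['sn_audit.external_auditor'],
  dave: ['sn_audit.external_auditor', 'sn_audit.user'],
  erin: ['sn_audit.admin'],
};
```

In the sample, alice holds delete rights only through inheritance from the developer role, which is the kind of grant a review of direct assignments alone would miss.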

 


Which Audit to Do?

An organization carries out different audits that complement each other. These can be internal, external, SOX, IT, performance, operational, etc. Some examples provided by ServiceNow are internal, external, continuous, and vendor audits. ServiceNow offers several categorizations according to the organization's needs. The most used audits are:

1. Internal Audit: To check the organization's internal controls, corporate governance, and uniting processes.

2. External Audit: Independent examination of the financial statements prepared by the organization.

3. SOX Audit: Sarbanes-Oxley (SOX) compliance risk audit measures how an organization manages its internal controls.

4. IT Audit: Examines and evaluates an organization's information technology infrastructure, policies, and operations.

The Audit Process

Engagements are created to carry out the entire process. The below flow shows the work done in each state of the engagement.

Conclusion


Through its partnership with ServiceNow, inMorphis provides a platform for audit management, helping businesses document, monitor, evaluate, and report on their audits. The system allows for automating repetitive tasks, resource planning, and scoping engagements.

ServiceNow offers various audits, including internal, external, SOX, and IT, each with its own categorization. The process is initiated with the creation of engagements, which carry it through from start to finish. With the roles delegated to users, ServiceNow allows for strict access control to its features.


Thanks for reading

Jaya