All businesses require periodic auditing, which means managing the points that need auditing, such as finances, risks, and policies.

ServiceNow provides a great platform for documenting, monitoring, evaluating, and reporting on audits carried out in the organization. Recurring audits can be reused from one period to the next, eliminating the need to create new records every time.


Audit Management in ServiceNow

ServiceNow provides an organized platform for creating new or recurring records for the policies, risks, and compliance items that are audited once or periodically. The audit team can use it to automate repetitive tasks and to monitor and report on their work more effectively. The objectives of audit management in ServiceNow are to:

1. Identify and quantify the compliance risks that occur or are likely to occur

2. Create adequate controls for the identified risk 

3. Monitor the rules effectively 

4. In case of any control deficiency, identify the defect and remediate it.

The audit management process involves resource planning, scoping engagements, conducting audit activities, evaluating results, reporting the findings, and documenting them for reference. 

ServiceNow provides roles that strictly control what each user can access. Depending on their responsibilities, a user can create engagements, work on assigned tasks, delete engagements, or customize the whole configuration.




Start of Audit Management in ServiceNow


The first step to start the audit journey in ServiceNow GRC is to install GRC: Audit Management. For more features of ServiceNow GRC, you can also install the following: 


  • GRC: Advanced Audit 
  • GRC: Advanced Core 
  • GRC: Audit Management Analytics and Reporting

Once installed, you can use the modules below to automate your whole audit journey.


1. Plan: Create audit plans to manage different kinds of audits periodically.  

2. Engagement: The workbench for an audit, used to set the audit's timeline and cost, create audit tasks, and store the details of the audit.

3. Audit Task: Create documented evidence.  

4. Milestones: Track the progress of an engagement.

5. Observation: Document the results of an audit.

6. Issues: Can be created automatically from observation.  

7. Remediation tasks: Can be created only for open issues.  

8. Evidence Request: Document used by the auditor to determine audit opinion.


Roles and Responsibilities

Once the GRC plugins are installed, audit management relies on the roles and delegation features provided by ServiceNow. These roles determine which users can do what in the audit modules.

1. Audit User (sn_audit.user): Can be assigned to audit tasks and milestones and create test plans or test templates.   

2. Audit Manager (sn_audit.manager): The audit manager inherits the audit user role and hence the privileges associated with that role. In addition, the audit manager has permissions of their own granted by the role, including creating an engagement.

3. Audit Admin (sn_audit.admin): The audit admin inherits the audit manager role. The permissions associated with the audit admin role include deletion of engagements, test plans, test templates, audit tasks, etc.

4. Audit Developer (sn_audit.developer): The audit developer inherits the role of audit admin. An audit developer can create or delete audit report templates.  

5. Engagement Project Manager (sn_audit_advanced.engagement_project_manager): The user inherits the audit manager role. The work of the engagement project manager is to create advanced planning of engagements, estimate resources and costs, and approve timecards.  

6. External Auditors (sn_audit.external_auditor): The user can be assigned to any audit task. They can read closed engagements and closed audit tasks and work on the audit tasks assigned to them.
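
Because most of these roles inherit from one another, a single grant can carry more access than its name suggests. The following added example (not ServiceNow code and not part of the original article) resolves the roles listed above transitively and flags assignments for access review; the permission labels, the two review rules, and the sample users are assumptions constructed for illustration.

```javascript
// Role names and inheritance come from the list above; permission labels are constructed.
const ROLES = {
  'sn_audit.user': { inherits: [], grants: ['work_audit_task', 'create_test_plan'] },
  'sn_audit.manager': { inherits: ['sn_audit.user'], grants: ['create_engagement'] },
  'sn_audit.admin': { inherits: ['sn_audit.manager'],
    grants: ['delete_engagement', 'delete_test_plan', 'delete_audit_task'] },
  'sn_audit.developer': { inherits: ['sn_audit.admin'], grants: ['manage_report_template'] },
  'sn_audit_advanced.engagement_project_manager': { inherits: ['sn_audit.manager'],
    grants: ['plan_engagement', 'approve_timecard'] },
  'sn_audit.external_auditor': { inherits: [], grants: ['work_assigned_audit_task', 'read_closed_engagement'] },
};

// Walk the inheritance chain: every role implied by the directly granted ones.
function effectiveRoles(direct) {
  const seen = new Set();
  const stack = [...direct];
  while (stack.length) {
    const role = stack.pop();
    if (seen.has(role)) continue;
    if (!ROLES[role]) throw new Error(`unknown role: ${role}`);
    seen.add(role);
    stack.push(...ROLES[role].inherits);
  }
  return seen;
}
// Union of the permissions granted by every effective role.
function effectivePermissions(direct) {
  const perms = new Set();
  for (const role of effectiveRoles(direct)) ROLES[role].grants.forEach((p) => perms.add(p));
  return perms;
}

// Assumed review rules: report any delete right, and any external auditor with an internal role.
function reviewAssignments(assignments) {
  const findings = [];
  for (const [user, direct] of Object.entries(assignments)) {
    const roles = effectiveRoles(direct);
    const deletes = [...effectivePermissions(direct)].filter((p) => p.startsWith('delete_'));
    if (deletes.length) findings.push({ user, issue: 'can_delete_audit_records', detail: deletes.sort() });
    if (roles.has('sn_audit.external_auditor') && roles.size > 1) {
      findings.push({ user, issue: 'external_auditor_with_internal_role', detail: [...roles].sort() });
    }
  }
  return findings;
}
// Constructed sample assignments (not real accounts).
const SAMPLE = { 'a.lee': ['sn_audit.user'], 'b.cho': ['sn_audit.developer'],
  'c.ext': ['sn_audit.external_auditor', 'sn_audit.manager'] };
console.log(JSON.stringify(reviewAssignments(SAMPLE), null, 2));
```

In this sample, the user holding only sn_audit.developer is reported as able to delete audit records, because that role inherits sn_audit.admin.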




Which Audit to Do?

An organization carries out different audits that complement each other. These audits can be internal, external, SOX, IT, performance, operational, etc. Some examples of audits provided by ServiceNow are internal audits, external audits, continuous audits, and vendor audits. ServiceNow offers a range of categorizations to suit the organization's needs. The most used audits are:

1. Internal Audit: Checks the organization's internal controls, corporate governance, and accounting processes.

2. External Audit: Independent examination of the financial statements prepared by the organization.

3. SOX Audit: A Sarbanes-Oxley (SOX) compliance risk audit measures how an organization manages its internal controls.

4. IT Audit: Examines and evaluates an organization's information technology infrastructure, policies, and operations.


The Audit Process

Engagements are created to carry out the entire audit process. The below flow shows the work done in each state of the engagement.


Through its partnership with ServiceNow, inMorphis provides a platform for audit management, helping businesses document, monitor, evaluate, and report on their audits. The system allows for automating repetitive tasks, resource planning, and scoping engagements.

ServiceNow offers various audits, including internal, external, SOX, and IT, each with its own categorization. The audit process is initiated with the creation of engagements and flows through the entire audit process. With the roles delegated to users, ServiceNow allows for strict access control to audit management features.
