Now Audit Management

Complete list of ServiceNow GRC modules, covering everything end-to-end:


1. Policy and Compliance Management (PCM)

  • Policy management

  • Compliance management

  • Control attestations

2. Risk Management

  • Risk registers

  • Risk assessments

  • Risk scoring & dashboards

  • Risk treatment & mitigation

3. Control Management

  • Control library

  • Control assessments

  • Evidence collection & testing

  • Automated control monitoring

4. Audit Management

  • Audit planning

  • Audit execution

  • Audit findings & recommendations

  • Audit reporting

5. Vendor / Third-Party Risk Management (TPRM)

  • Vendor onboarding & registration

  • Vendor risk assessment

  • Compliance and regulatory checks

  • Vendor monitoring & performance tracking

6. Regulatory Compliance

  • Regulatory requirements mapping

  • Compliance framework alignment

  • Regulatory reporting & dashboards

7. Issues & Remediation

  • Issue tracking & logging

  • Remediation plan assignment

  • Status monitoring & reporting

8. Continuous Monitoring

  • Automated control monitoring

  • Real-time risk & compliance alerts

  • Integration with external feeds (SIEM, GRC tools)

9. Policy Exceptions

  • Manage deviations from standard policies

  • Approval workflows for exceptions

10. Key Risk Indicators (KRI)

  • Track metrics that indicate potential risks

  • Dashboard visualizations

11. Key Performance Indicators (KPI)

  • Track effectiveness of controls, policies, and processes

12. Risk and Compliance Analytics

  • Reports, dashboards, and trend analysis for GRC


Summary Table for Quick Reference:

Module                  Purpose
PCM                     Policies & compliance tracking
Risk                    Identify, assess, mitigate risks
Control                 Define & test controls
Audit                   Plan & track audits
TPRM                    Manage third-party/vendor risks
Regulatory Compliance   Track regulatory adherence
Issues & Remediation    Track & fix issues
Continuous Monitoring   Automated monitoring of risks & controls
Policy Exceptions       Approve deviations from policies
KRI                     Monitor key risk indicators
KPI                     Measure effectiveness of processes
Analytics               Dashboards & reports for decision-making

CHAPTER-1

1. The objectives of audit management are to ensure that:

  • Risks are appropriately identified and quantified
  • Controls are designed in a way that effectively reduces the identified risks
  • Controls are properly monitored for operating effectiveness
  • Control deficiencies are identified and remediated

  • HIPAA (Health Insurance Portability and Accountability Act): U.S. law that protects the privacy and security of individuals’ health information.

  • PCI DSS (Payment Card Industry Data Security Standard): A global standard for securing credit and debit card transactions and data.

  • SOX (Sarbanes-Oxley Act): U.S. legislation aimed at ensuring accurate financial reporting and preventing corporate fraud.

  • GDPR (General Data Protection Regulation): European Union regulation that protects personal data and privacy of individuals within the EU.

  ========================================================================

    Since entities are aggregators of GRC information, scoping engagements associates related records. Selecting an entity automatically associates all:

    • Risks related to the entity with the engagement
    • Controls related to the entity with the engagement
    • Test plans related to the controls with the engagement
    • Indicator results related to the controls with the engagement

    • A control test’s parent task is always an engagement.
    • A control test can have activity sub-tasks, but a control test cannot be a child of another control test.
    • An interview’s parent task is always an engagement.
    • An interview can have activity sub-tasks, but an interview cannot be a child of another interview.
    • A walkthrough’s parent task is always an engagement.
    • A walkthrough can have activity sub-tasks, but a walkthrough cannot be a child of another walkthrough.
    • An activity’s parent task can be an engagement, control test, interview, walkthrough, or another activity.
    • An engagement cannot be a child of another engagement.
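The two rule sets above (entity scoping, and which audit task may sit under which parent) are the kind of thing an implementer ends up enforcing in a business rule. The following is an added example, not ServiceNow's own code: it models both rules over plain JavaScript objects rather than GlideRecord queries. The record shapes, ids and the names scopeEngagement, canBeChildOf and validateTaskHierarchy are assumptions chosen for readability; the sample data is constructed.

```javascript
// Added example (not ServiceNow code). Constructed sample GRC data: one entity's
// risks and controls, with test plans and indicator results hanging off the controls.
const sampleData = {
  risks: [
    { id: 'RSK001', entity: 'ENT-PAYMENTS', name: 'Card data exposure' },
    { id: 'RSK002', entity: 'ENT-HR', name: 'Payroll fraud' },
  ],
  controls: [
    { id: 'CTL001', entity: 'ENT-PAYMENTS', name: 'Encrypt cardholder data at rest' },
    { id: 'CTL002', entity: 'ENT-PAYMENTS', name: 'Quarterly access review' },
    { id: 'CTL003', entity: 'ENT-HR', name: 'Segregation of duties in payroll' },
  ],
  testPlans: [
    { id: 'TP001', control: 'CTL001', name: 'Verify encryption keys rotated' },
    { id: 'TP002', control: 'CTL003', name: 'Sample payroll approvals' },
  ],
  indicatorResults: [
    { id: 'IR001', control: 'CTL002', value: 'passed' },
    { id: 'IR002', control: 'CTL003', value: 'failed' },
  ],
};

// Rule 1: selecting an entity for an engagement pulls in every risk and control tied
// to that entity, plus the test plans and indicator results of those controls.
function scopeEngagement(entityId, data) {
  const risks = data.risks.filter(r => r.entity === entityId);
  const controls = data.controls.filter(c => c.entity === entityId);
  const controlIds = new Set(controls.map(c => c.id));
  const testPlans = data.testPlans.filter(tp => controlIds.has(tp.control));
  const indicatorResults = data.indicatorResults.filter(ir => controlIds.has(ir.control));
  return {
    entity: entityId,
    riskIds: risks.map(r => r.id),
    controlIds: [...controlIds],
    testPlanIds: testPlans.map(tp => tp.id),
    indicatorResultIds: indicatorResults.map(ir => ir.id),
  };
}

// Rule 2: allowed parent task types for each audit task type, as listed in the notes.
const ALLOWED_PARENTS = {
  engagement: [],                 // an engagement is never a child of another task
  control_test: ['engagement'],
  interview: ['engagement'],
  walkthrough: ['engagement'],
  activity: ['engagement', 'control_test', 'interview', 'walkthrough', 'activity'],
};

// Check one parent/child pairing. Having no parent is only valid for an engagement.
function canBeChildOf(childType, parentType) {
  const allowed = ALLOWED_PARENTS[childType];
  if (allowed === undefined) return false;          // unknown task type: reject
  if (parentType === null) return childType === 'engagement';
  return allowed.includes(parentType);
}

// Validate a whole set of tasks and return a list of human-readable violations.
function validateTaskHierarchy(tasks) {
  const byId = new Map(tasks.map(t => [t.id, t]));
  const violations = [];
  for (const task of tasks) {
    const parent = task.parent ? byId.get(task.parent) : null;
    if (task.parent && !parent) {
      violations.push(`${task.id}: parent ${task.parent} does not exist`);
      continue;
    }
    const parentType = parent ? parent.type : null;
    if (!canBeChildOf(task.type, parentType)) {
      const where = parentType === null ? 'no parent' : 'a ' + parentType;
      violations.push(`${task.id}: a ${task.type} may not have ${where}`);
    }
  }
  return violations;
}

// Constructed task tree: three of these records break the rules above.
const sampleTasks = [
  { id: 'ENG1', type: 'engagement', parent: null },
  { id: 'CT1', type: 'control_test', parent: 'ENG1' },
  { id: 'ACT1', type: 'activity', parent: 'CT1' },
  { id: 'ACT2', type: 'activity', parent: 'ACT1' },
  { id: 'CT2', type: 'control_test', parent: 'CT1' },   // control test under a control test
  { id: 'ENG2', type: 'engagement', parent: 'ENG1' },   // engagement under an engagement
  { id: 'INT1', type: 'interview', parent: null },      // interview with no engagement
];

console.log(scopeEngagement('ENT-PAYMENTS', sampleData));
console.log(validateTaskHierarchy(sampleTasks));
```

Running the block lists the scoped record ids for ENT-PAYMENTS (the HR risk, control and their test plan stay out of scope) and reports the three bad parent assignments. In a real instance the same checks would run in a before-insert/update business rule on the task tables and abort the action when a violation is found.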

    ============================================================

    CHAPTER-2 THE AUDIT PLAN

    1.

    2.

    3.

    4. AUDIT TASK

    1. Review Scope and Objectives

    • Understand what is being audited (systems, processes, departments).

    • Align with audit objectives and compliance requirements (e.g., PCI, SOX, GDPR).


    2. Assess Controls

    • Evaluate the design and operational effectiveness of existing controls.

    • Verify if controls align with regulatory and internal standards.


    3. Collect and Review Evidence

    • Gather logs, reports, access records, configurations, policies, and procedures.

    • Ensure evidence is valid, relevant, and supports the audit objective.


    4. Conduct Interviews and Observations

    • Engage stakeholders and process owners.

    • Observe operations to validate compliance in real-time.


    5. Identify Gaps or Non-Conformities

    • Compare findings with requirements and best practices.

    • Note control failures, process weaknesses, or compliance issues.


    6. Document Findings

    • Record detailed observations, supporting evidence, and risk implications.

    • Categorize findings by severity or impact.


    7. Recommend Remediation

    • Suggest corrective actions to address issues found.

    • Include timelines, responsible parties, and expected outcomes.


    8. Assign and Track Tasks

    • Create follow-up tasks for remediation.

    • Monitor progress and ensure timely resolution.


    9. Review and Approve

    • Submit findings for internal review and approval.

    • Validate completeness and accuracy of audit task results.


    10. Close Audit Task

    • Ensure all steps are completed and documented.

    • Officially mark the task as closed in the system.


    5. Approval Process

    🔄 Approval Process – Key Points (Short Version):

    1. Initiate Request – Submit item (e.g., audit, change, risk) for approval.

    2. Identify Approvers – Determine who needs to approve (based on roles/rules).

    3. Send Notification – Notify approvers via system/email.

    4. Review Details – Approvers examine the request and attached documentation.

    5. Approve or Reject – Decision is made with optional comments.

    6. Track Status – Monitor progress and approvals in the system.

    7. Escalate if Needed – Alert higher authority if delay or rejection.

    8. Finalize Process – Update status and trigger next steps or closure.
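The eight steps above describe a small state machine. What follows is an added example, not ServiceNow's own approval engine: a plain JavaScript tracker that initiates a request, notifies approvers, records each decision with who/when/comment, escalates to a higher authority on rejection or when the deadline passes, and finalizes. The function names, the 48-hour deadline and the approver names are assumptions; timestamps are plain millisecond numbers so the block runs offline.

```javascript
// Added example (not ServiceNow code): approval tracker with an audit trail.
const HOURS = 60 * 60 * 1000;

// Steps 1-2: initiate the request and record who must approve it.
function createApproval(item, approvers, escalateTo, deadlineHours, now) {
  return {
    item,
    approvers: [...approvers],        // everyone who must approve
    escalateTo,                       // higher authority alerted on delay or rejection
    deadline: now + deadlineHours * HOURS,
    decisions: {},                    // approver -> { decision, comment, at }
    notifications: [],                // step 3: every notification sent
    history: [],                      // step 6: immutable trail of status changes
    status: 'pending',                // pending | approved | rejected
    escalated: false,
  };
}

function setStatus(approval, status, now, by) {
  approval.status = status;
  approval.history.push({ at: now, by, event: status });
}

// Step 3: notify each approver; returns the number of notifications sent so far.
function notifyApprovers(approval, now) {
  for (const a of approval.approvers) {
    approval.notifications.push({ to: a, at: now, kind: 'approval_request' });
  }
  return approval.notifications.length;
}

// Step 7: alert the higher authority once; the reason is kept in the trail.
function escalate(approval, now, reason) {
  approval.escalated = true;
  approval.notifications.push({ to: approval.escalateTo, at: now, kind: 'escalation', reason });
  approval.history.push({ at: now, by: 'system', event: 'escalated: ' + reason });
}

// Steps 4-5: only a listed approver may decide, each exactly once, with optional comment.
function recordDecision(approval, approver, decision, comment, now) {
  if (approval.status !== 'pending') throw new Error(`${approval.item} is already ${approval.status}`);
  if (!approval.approvers.includes(approver)) throw new Error(`${approver} is not an approver`);
  if (approval.decisions[approver]) throw new Error(`${approver} has already decided`);
  if (decision !== 'approve' && decision !== 'reject') throw new Error('decision must be approve or reject');
  approval.decisions[approver] = { decision, comment: comment || '', at: now };
  approval.history.push({ at: now, by: approver, event: decision });
  if (decision === 'reject') {
    setStatus(approval, 'rejected', now, approver);       // one rejection ends the request
    escalate(approval, now, 'rejected by ' + approver);
  } else if (Object.keys(approval.decisions).length === approval.approvers.length) {
    setStatus(approval, 'approved', now, approver);       // all approvers have approved
  }
  return approval.status;
}

// Steps 6-7: poll a pending request; escalate once if it is past its deadline.
function checkEscalation(approval, now) {
  if (approval.status !== 'pending' || approval.escalated) return false;
  if (now <= approval.deadline) return false;
  const outstanding = approval.approvers.filter(a => !approval.decisions[a]);
  escalate(approval, now, 'overdue, awaiting ' + outstanding.join(', '));
  return true;
}

// Step 8: finalize and report what happens next; a pending request cannot be finalized.
function finalize(approval, now) {
  if (approval.status === 'approved') {
    approval.history.push({ at: now, by: 'system', event: 'finalized: proceed' });
    return 'proceed';
  }
  if (approval.status === 'rejected') {
    approval.history.push({ at: now, by: 'system', event: 'finalized: close' });
    return 'close';
  }
  throw new Error(`${approval.item} is still pending`);
}

// Constructed walk-through: two approvers, one late, so the request escalates.
const t0 = Date.UTC(2024, 0, 1);
const plan = createApproval('Q3 audit plan', ['audit_manager', 'cfo'], 'audit_committee', 48, t0);
notifyApprovers(plan, t0);
recordDecision(plan, 'audit_manager', 'approve', 'scope agreed', t0 + 2 * HOURS);
checkEscalation(plan, t0 + 49 * HOURS);
recordDecision(plan, 'cfo', 'approve', '', t0 + 50 * HOURS);
console.log(finalize(plan, t0 + 51 * HOURS), plan.history);
```

The trail in history is the part worth keeping: it records who decided what and when, and that the committee was alerted, which is exactly what a later review of the approval itself needs.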


    6. Observations and Issues

    7. REPORTS

    9. Create an Engagement

    10. Conduct Fieldwork and Evaluate Findings

    11. PPM

    12. Integration with cloud providers



    Summary

    Topic                                       Description
    Risk and Compliance Teams Working Together  Explores how risk and compliance teams collaborate effectively.
    Audit Process                               Outlines the complete lifecycle of an audit from start to finish.
    Planning an Audit and Auditable Units       Focuses on defining the scope and identifying the specific units to be audited.
    Working with Audit Tasks and Milestones     Covers managing individual tasks and tracking key milestones within an audit.
    Approval Process                            Details the steps and roles involved in getting an audit plan or report approved.
    Observations and Issues                     Describes how to document and track findings and problems discovered during an audit.
    Reports                                     Explains the creation and presentation of audit findings in a formal report format.
    Working with Test Templates                 Involves using standardized templates to perform and record audit tests.
    Create an Engagement                        Covers the initial setup of an audit project or "engagement."
    Conduct Fieldwork and Evaluate Findings     Describes the on-site work of gathering evidence and analyzing the results.
    Integration with PPM                        Explains how the audit process connects with Project Portfolio Management (PPM) systems.
    Integration with Cloud Providers            Addresses how auditing processes can be integrated with cloud-based services and platforms.




    CHAPTER-3

    Implement Audit Manager





    Topic                                 Definition
    Store Applications and Plugins        Involves installing required audit-related applications and plugins from the ServiceNow Store.
    Tables, Properties, and Navigation    Defines the core tables, configuration properties, and navigation elements used in Audit Management.
    Roles and Groups                      Explains user roles and group assignments for managing access and responsibilities.
    Additional Work with Milestones       Covers how to manage and track milestone tasks within audit engagements.
    Reports Needed                        Details the types of audit reports that can be generated for insights and compliance.
    Record Confidentiality                Explains how audit records are protected and managed to ensure confidentiality.



    1. Store Application & Experience
    • GRC Advanced Audit plugin (com.sn_audit_advanced)
    • GRC Profiles
    • GRC Policy and Compliance Management
    • GRC Risk Management
    • GRC Advanced Core
    • GRC Advanced Risk
    • GRC Audit Management
    • Project Portfolio Management Standard
    2. Table Navigation






    3. Roles & Group

    Role/Group                  Purpose
    sn_audit.admin              Full admin access to configure and manage Audit Management.
    sn_audit.user               Can perform audit-related tasks like creating audits and assessments.
    sn_audit.external_auditor   Limited access for external auditors to view relevant data.
    sn_grc.audit.manager        Manages audit engagements and tasks.
    sys_admin                   Overall platform administrator with access to all modules.



    4. Workflow

    Stage                     Description                                                 Responsible Role
    1. Create Engagement      Set up audit project, define scope and objectives.          sn_audit.admin, sn_grc.audit.manager
    2. Plan Audit             Identify auditable units, assign team, define test plans.   sn_audit.admin, sn_audit.user
    3. Fieldwork              Perform audit tasks, collect evidence, test controls.       sn_audit.user, sn_audit.external_auditor
    4. Record Observations    Document findings, risks, and issues.                       sn_audit.user
    5. Review & Approve       Review findings and approve audit results.                  sn_grc.audit.manager, sn_audit.admin
    6. Report                 Generate and share final audit report.                      sn_audit.user, sn_audit.admin
    7. Close Engagement       Ensure all tasks/issues resolved; formally close audit.     sn_grc.audit.manager, sn_audit.admin



    5. Reports

    📊 Audit Management Reports (Short Overview)

    Report Type             Description
    Engagement Report       Summarizes audit scope, objectives, findings, and status of an engagement.
    Observation Report      Lists all observations, associated risks, and their statuses.
    Issue Report            Tracks open/closed issues and their remediation progress.
    Audit Task Report       Details assigned tasks, due dates, and completion status.
    Compliance Summary      Shows control effectiveness and overall compliance status.
    Test Result Report      Displays outcomes of control tests and related evidence.


    🔒 6. Record Confidentiality



    Record Confidentiality ensures that sensitive audit data (e.g., findings, issues, or evidence) is only accessible to authorized users, protecting the integrity and privacy of audit information.


    This is typically managed through roles, access controls, and data classification.
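To make the "roles, access controls, and data classification" sentence concrete, here is an added example that is not ServiceNow's own ACL engine: it takes the Roles & Group and Workflow tables from this chapter as the authorization source, checks whether a user's roles allow a workflow stage, and filters audit records by classification before they are shown. The classification values (internal, confidential), the sharedWith and allowedRoles fields, the denial log and the sample records are assumptions constructed for the example; the role names are the ones listed in the tables above.

```javascript
// Added example (not ServiceNow code): stage authorization and record confidentiality.
const PLATFORM_ADMIN = 'sys_admin';   // overall platform administrator, access to all modules

// Responsible roles per workflow stage, copied from the Workflow table in this chapter.
const STAGE_ROLES = {
  'Create Engagement':   ['sn_audit.admin', 'sn_grc.audit.manager'],
  'Plan Audit':          ['sn_audit.admin', 'sn_audit.user'],
  'Fieldwork':           ['sn_audit.user', 'sn_audit.external_auditor'],
  'Record Observations': ['sn_audit.user'],
  'Review & Approve':    ['sn_grc.audit.manager', 'sn_audit.admin'],
  'Report':              ['sn_audit.user', 'sn_audit.admin'],
  'Close Engagement':    ['sn_grc.audit.manager', 'sn_audit.admin'],
};

// Deny by default: an unknown stage or a user with none of the listed roles is refused.
function canPerformStage(userRoles, stage) {
  const allowed = STAGE_ROLES[stage];
  if (!allowed) return false;
  if (userRoles.includes(PLATFORM_ADMIN)) return true;
  return userRoles.some(r => allowed.includes(r));
}

// Internal audit roles: these see 'internal' records by default. The external
// auditor role is deliberately absent, so externals only see what is shared with them.
const INTERNAL_AUDIT_ROLES = ['sn_audit.admin', 'sn_audit.user', 'sn_grc.audit.manager'];

// Record confidentiality (assumed model):
//   internal     -> internal audit roles, plus any role listed in record.sharedWith
//   confidential -> only the roles listed in record.allowedRoles
//   anything else -> denied
function canViewRecord(user, record) {
  if (user.roles.includes(PLATFORM_ADMIN)) return true;
  if (record.classification === 'internal') {
    const shared = record.sharedWith || [];
    return user.roles.some(r => INTERNAL_AUDIT_ROLES.includes(r) || shared.includes(r));
  }
  if (record.classification === 'confidential') {
    const allowed = record.allowedRoles || [];
    return user.roles.some(r => allowed.includes(r));
  }
  return false;
}

// Denied reads are logged, not silently dropped: repeated denials for one user on
// confidential records are a signal worth reviewing.
const denialLog = [];

function filterVisibleRecords(user, records, now) {
  const visible = [];
  for (const rec of records) {
    if (canViewRecord(user, rec)) {
      visible.push(rec);
    } else {
      denialLog.push({ at: now, user: user.name, record: rec.id, classification: rec.classification });
    }
  }
  return visible;
}

// Constructed sample records.
const sampleRecords = [
  { id: 'OBS-1', classification: 'internal', summary: 'Backup job not monitored' },
  { id: 'OBS-2', classification: 'internal', sharedWith: ['sn_audit.external_auditor'],
    summary: 'Access review evidence shared with external firm' },
  { id: 'ISS-7', classification: 'confidential', allowedRoles: ['sn_audit.admin', 'sn_grc.audit.manager'],
    summary: 'Privileged account shared between administrators' },
];

function demo() {
  const auditor = { name: 'alice', roles: ['sn_audit.user'] };
  const external = { name: 'bob', roles: ['sn_audit.external_auditor'] };
  console.log('alice, Fieldwork:', canPerformStage(auditor.roles, 'Fieldwork'));
  console.log('alice, Create Engagement:', canPerformStage(auditor.roles, 'Create Engagement'));
  console.log('alice sees:', filterVisibleRecords(auditor, sampleRecords, Date.now()).map(r => r.id));
  console.log('bob sees:', filterVisibleRecords(external, sampleRecords, Date.now()).map(r => r.id));
  console.log('denials:', denialLog);
}

if (typeof require !== 'undefined' && require.main === module) demo();
```

In the demo the internal auditor can work Fieldwork but not create an engagement, sees both internal records and is denied the confidential issue; the external auditor sees only the record explicitly shared with that role, and every denial lands in denialLog with the user, record and classification.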





    CHAPTER-4
    AUDIT MANAGEMENT SUMMARY FOR IMPLEMENTERS

    Here are some very important points for Audit Management:

    1. Define Clear Scope – Establish what areas, processes, or controls will be audited to focus efforts effectively.

    2. Assign Roles and Responsibilities – Ensure auditors, managers, and stakeholders know their tasks and access levels.

    3. Use Standardized Test Plans – Apply consistent testing procedures to improve audit quality and comparability.

    4. Track Audit Tasks and Milestones – Monitor progress and deadlines to keep the audit on schedule.

    5. Document Findings Thoroughly – Capture observations, risks, and issues with evidence for transparency.

    6. Automate Issue and Remediation Tracking – Link findings to remediation tasks to ensure timely resolution.

    7. Leverage Reports and Dashboards – Use reports to communicate audit status and results to stakeholders.

    8. Maintain Record Confidentiality – Protect sensitive audit data by restricting access based on roles.

    9. Integrate with Risk and Compliance – Align audits with risk management and regulatory compliance frameworks.

    10. Plan for Continuous Improvement – Use audit outcomes to refine controls and processes over time.



    NEXT

    1. Audit Planning

    • Define Scope

    • Identify Auditable Units

    • Assign Roles

    2. Audit Execution

    • Create and Assign Audit Tasks

    • Perform Control Testing

    • Collect Evidence

    3. Observations & Issues

    • Document Findings

    • Convert Observations to Issues

    • Track Remediation Tasks

    4. Reporting

    • Generate Audit Reports

    • Use Report Templates

    • Share with Stakeholders

    5. Workflow & Tracking

    • Monitor Milestones

    • Track Task Completion

    • Manage Approvals

    6. Security & Access

    • Role-based Access Control

    • Record Confidentiality

    7. Integration & Automation

    • Link with Risk and Compliance

    • Automate Issue Creation and Notifications

