NJP

SOX Content Pack

Import · Oct 12, 2020 · video

Hello, this is Scott Ferguson. Today what we're gonna do is review some of the content, specifically around Sarbanes-Oxley, also known as SOX. Part of the content is a dashboard, and this dashboard gives internal auditors or compliance teams access to and visibility into the current state of their SOX compliance activities. When we look at the Compliance Overview tab, a couple of key things to point out. First, the number of failed controls: four. You'll also see that in the donut chart here, and either one of these gives us the ability to drill into and see the controls that are SOX related that are currently non-compliant. This is incredibly important for publicly traded companies. In this case we can see that I've got four controls: for human resources, for AR, for general ledger. These controls are non-compliant, and if I drill into any one of these controls I can see the details behind that. In this case, the general ledger group, and the policy statement, or the control, around prepaid accruals, the details that go with that, additional information: this is a mandated control by Sarbanes-Oxley, and we can see that that's non-compliant. There is a GRC attestation, and we'll see that here in just a few moments, but that attestation is a questionnaire that someone would respond to to provide evidence that that control has been implemented, and in this case we've generated an issue because of something that's gone wrong in testing of that particular control. Going back to my dashboard, you'll also see the number of controls by area. So there are many controls around revenue recognition, but also some around things like fixed assets or treasury or human resources, the various areas in the organization that have controls that we have to be able to monitor and report on from a compliance perspective, to make sure that we are compliant, as a publicly traded company.

When we look at the Audit Overview: being SOX compliant is the process that you go through to evaluate the effectiveness of those controls, and in many cases the control is going to have two parts, the design and the operational piece. Design is: is the control designed properly for the organization? Has it been implemented properly? Is the process of compliance well defined in the organization? And then the operational part of that is: are people following it? An example here, internally at ServiceNow, would be our travel and expense policy. There's a process that's built in that says we have to submit receipts if it's over a certain dollar figure. There are things that are in that policy that are part of the process; that's part of the design. And then whether or not I or you or any one of us actually submits the receipts is the operational side. Both parts of those would be tested as part of an audit. So what you see in the Audit Overview dashboard is the tasks of evaluating the design and the operational tests of an individual control. They have to be done within a certain period of time, so you see in this case different reports that say ones that are over 90 days past due, or 30 to 60 days, or ones that are pending, things that have to be done right now. And we're gonna see various ways to look at that data: who has them, you know, who they may be assigned to, and the state that those are in. But I could drill into any one of those and see that particular control test, and in that control test we're going to see those parts that I was talking about, the design test, the operational tests, and in this case I could mark these as effective or ineffective, and that's going to automatically update my control effectiveness for that particular control.

Leaving the control and going back to our dashboard, the next thing as we go through here is the Issue Overview. So the Compliance Overview was all about the controls themselves and whether or not they're effective; the Audit Overview was the tasks that go into making sure that the controls are compliant; the Issue Overview is after the audit. Right, if we've identified something in the environment that wasn't right, I have a control that's non-compliant, or something was identified or uncovered during the audit process, we're going to generate issues, and those issues can be a lot of different things. They can be audit findings, they can be observations, they can take on many different flavors. But in this case my dashboard is gonna give me visibility into what my open SOX issues are, and I can see, you know, we've got some reports around closure, closure rate, and how quickly we're addressing these, or in this case what my open issues are. And in this case there's one for revenue recognition, there's one for fixed assets, for general ledger, and in any one of these I could go into the details of that issue. I can see what's being done about it, the different activities, you know, what dates may be tied to it and when someone needs to respond, as well as an SLA. So there's an SLA that is tied to that particular issue that forces or escalates and notifies individuals within the organization as this issue ages over time.

Going back to our dashboard, then we also have the attestations. So in the ongoing process of addressing controls, you have a set of attestations that a control owner would have to complete, and in this case, as we go through the annual process of attesting to an individual control, an attestation is where someone's going to attest or say, they're going to state: yes, I've implemented this control, here's the evidence, and any other additional information that they need to provide for the auditor to know that, yes, this control is in place, and the evidence that went with that, to know that everything is being done to make sure that the control is being followed.

And then finally, from a risk perspective, as we evaluate these controls, whether it's the attestation, it's the control test done during audit, or it's the issues after the fact, all of those things impact risk. In this case, in the example that we've walked through here, we've had some controls that were non-compliant around revenue recognition. Right, a revenue recognition control being not compliant has a direct impact on our ability to accurately report numbers to the Street, and there's going to be a risk there that has to be identified. We can drill into any one of these, and if I look at, in this case, revenue recognition type of risks, there are going to be risks around, you know, it's not recorded to the proper GL account, or revenue is not valued appropriately, or it may not be accurate or valued to the Street. Those are all risks that can be impacted by a control, and are all part of the content that's part of the SOX deliverables that we're releasing as part of Kingston.

So we see here, with the dashboard, we've got controls that are going to be managed through the compliance dashboard, the audit and the audit tasks that are going to be on the audit dashboard, issues that are the follow-up, attestations that are being done to collect evidence for control implementation, and finally how all four of those go together to impact the risks to the organization. As we conclude: ServiceNow uses GRC to maintain SOX compliance, and we have seen savings in both time and in money, improving our SOX compliance to the Street. That about wraps it up. If you have any additional questions, please don't hesitate to check out the website for additional information, and I appreciate your time.

Original source: https://www.youtube.com/watch?v=ql8J3Ipt6_0