How to: Audits in ServiceNow. The example of SOX (with a link to a free online class).
Eric: Hello GRC community, and welcome to another video tutorial to help you get started with ServiceNow's applications. My name is Eric Faron, in Santa Clara, California, and first I want to wish you all well in these uncertain times; I hope that you're all safe and in good health. Today with me is Anne-Marie Fernandez, who is a principal education advisor and a GRC specialist who is contracting with ServiceNow. Hello Anne-Marie, I hope you are well.

Anne-Marie: Hello Eric, hello everyone. Very happy to be here with you all today, and yes, thank you, I am well and looking forward to this tutorial.

Eric: All right, glad to hear this, Anne-Marie. So many of you will already know Anne-Marie, since you may have taken some GRC training classes with her, like I did, and today Anne-Marie is with us to tell us all about audit with the ServiceNow GRC application. So, Anne-Marie, why do we want to talk about audit, and how are we going to approach this today?

Anne-Marie: So audit is essentially where everything comes together. We get to see all the hard work that we put into setting up our GRC, and now it's time to reap those benefits.

Eric: All right, so here's our program today. We're going to go through some quick refreshers that we always do. We're going to be defining what the audits are, and then Anne-Marie is going to give us more details and refinements; we're going to get more into the weeds. Then Anne-Marie is going to give us a demonstration on how to use audits in ServiceNow, and we'll conclude with the main takeaways and, as usual, the things to do right now at the end of the tutorial. So let me get us started quickly with a couple of refresher slides. As usual, this tutorial is part of the Get Started with GRC series, so it is really aimed at people and organizations in the early stages of implementation. We want to make sure you have the knowledge and tools to quickly realize value from the product. In the future we'll also have more tutorials for the more advanced people and organizations; this will come later. You may have seen this rather comprehensive slide before. We're not going to go into detail on this slide; it's been published in the community forums. It aims at showing the totality of the GRC modules and how they are linked together, so this slide really gives a useful map of your application with the most important concepts. Now everything of course leads sooner or later to an audit, all the way on the right side here, the audit engagement box, and Anne-Marie is going to show us how. So this is also a slide that you've seen before. We've used this conceptual format in the tutorials around controls, around entities and around indicators, and also about compliance scoring. So this is really the overall structure that we are creating inside of the GRC application, and my understanding, and Anne-Marie is going to confirm this, is that the audit is going to let us know whether we are doing a good job at doing what we say that we are doing. And now Anne-Marie is going to take us through exactly what an audit is in ServiceNow.

Anne-Marie: So in short, an audit is an independent assessment of the evidence of whether a given entity in an organization is compliant with applicable authorities and internal policies. Let's break that down a little bit. So the audit, whether carried out by an internal or external auditor, should be impartial, and the conclusion should be objective, not being swayed by any member of the management or the organization. So by being a separate scoped app in ServiceNow, you have the compliance, the risk and the audit; audit is its own scoped app, and that ensures segregation of duty. So you have roles for compliance, you have roles for risk, you have roles for auditors. Auditors will have their own roles; they can see some data but not all. Why? So, as it is evidence based, the conclusions of the audit should be arrived at in a very rational way and should not only be reliable but reproducible. So the only way that that is really possible, for the audit process to be systematic and based on evidence, is to use that template design. So while the template approach might seem cumbersome in the setup process, it really supports the audit. ServiceNow supports this idea by design: your control objectives, your entities, your control tests, all that is templatized, which makes it systematic. So our goal here is not to make everybody's life miserable, but to manage risk and identify the areas of operational improvement, new areas of risk, keep your company out of the news or jail, identify any new controls that are being published, and keep up with emerging trends, such as the big move of companies going to the cloud. It will help you understand whether or not you can manage the risks associated with moving to the cloud.

Eric: All right, so really a very useful tool to stay out of trouble. All right, so tell us a bit more about possible best practices and how they translate into the ServiceNow world.

Anne-Marie: Yeah, so I wanted to give you a snippet into the mind of an auditor. So there's an old ISO auditor saying that says: say what you do, do what you say, and prove that you have done it. Now let's try breaking that down a little bit and mirror that with the various functions in ServiceNow GRC. So one is: is everyone following the policy today? Right, we know that everything starts from policy. And also, are we sure that everybody is aware? Right below policy is the control objective, which is: what are those specific things that we operationally have to do in order to support that policy? So for example, if your policy is "manage access", then we need to understand if people are following that policy for each system, right, and then for each area. So this middle area is what makes ServiceNow so special, so different, but also so effective, because we take those control objectives and we scope them out to each of those entities. So you have a control for HR and you have a control for finance. But let's not stop there, because we need to prove that we are doing what we are saying on an ongoing basis, and that's why we have those indicators. So lastly it's verify, right, in the audit area. The auditor is verifying that the top two levels are running effectively. So we trust that it's working well, or working effectively, and now we are going to verify: we're going to look at the indicator results from layer 2, and we're going to run our own independent control tests. So what exactly happens in an audit in ServiceNow? In an audit there are some prep steps and activities, in addition to looking at policies and procedures and looking at evidence. I want to clarify that in ServiceNow an audit is also called an engagement, so essentially they are synonymous, and the reason why is because it's almost like a little project, right? So you're engaging certain tasks and certain folks within this engagement or audit. So there are startup activities for the team; so the auditor may be asking to corroborate procedures and interview employees, ask to walk through a process, or any other general activities. The control test is the independent test that the auditor is running. Then there's the evidence, right, so they'll want to look at past evidence. This is the beauty of indicators: if you had set them up on a schedule all year long, on a monthly basis, that data will be there. That's the utopian dream, that if an auditor ever stepped into your company, you basically say, here, everything is ready for you to look at. So you specify the dates that you are auditing, essentially. So when you set up your audit, basically you're saying a date in the past; in this case let's just say we are auditing Q1. So when you set up those dates in the audit, it will only pull in the indicator results for January, February, March. You might have more than that, because if you've had GRC for a while you might have a lot of indicator results; by setting your audit dates you're only pulling in those indicator results which are pertinent to the period that you're auditing. Then, when all the field work is done, essentially you're going to log all your issues, write down any findings or observations that came out of that audit, and then you produce an audit report.

Eric: Well, thank you very much for that. So this is great, but I suspect things can get a little more complicated. You know, I'd like to start this section about the details and refinements by showing this slide that we've used in previous tutorials. The tutorials that are at the bottom of the slide here, the control tutorials, the compliance scoring tutorial and the indicators tutorial: all these links will be available in the PDF version of the slides, available in the community forum. And I think, Anne-Marie, you're going to tell us about the control test, which is one of the five steps in the life cycle of a control, is that right?

Anne-Marie: Yes, that's right.

Eric: All right, let's move on to control tests.

Anne-Marie: So a control test is a test of control. Seems obvious, but when you think about it, you're performing a test to confirm the efficiency and effectiveness of the control. So think of it as a test plan, like test steps. Your team performs particular steps regularly, but the auditor doesn't know your systems, and they don't necessarily know how to verify things in your environment. So you'll need to write test steps, or control steps, and they will go ahead and follow those steps in the test plan and see if they come up with the same result that you do. In short, they can't go into the systems and pull access logs, but if you lay out the steps on how you do it, they can follow it, actually run through it, and see if the results are satisfactory. So the question they're answering is: is what you are doing reproducible? This will tell them if there is consistency in your process and that there's evidence to support that.

Eric: Very cool. So how do we generate a control test?

Anne-Marie: Yep, so we'll have a demo shortly, but the main thing to illustrate here is that control tests have three lives. So the control test essentially follows that template approach that we've seen on policy, compliance and risk. So first the test is defined at the control objective layer; makes sense, right, so that's applicable to the entire company. Then we will define the test plans for each of the entities, or for each of the controls. Then, when it comes time to audit, we may not run every single test plan, but just the ones that we want to run for that audit, depending on what you're auditing at that time. So we will generate control tests from those test plans. We'll demo this in just a second.

Eric: Okay, let's move on to refinement number two.

Anne-Marie: Yes, so there are two main types of audits that ServiceNow is geared towards, and that's external audits and internal audits. So I just wanted to pause and talk about each one really quickly. So external audits are commonly performed by certified public accounting firms and result in an auditor's opinion, which is included in the audit. Audits can include both financial as well as a company's internal controls. Typically with external audits you want to be very careful about the information that you provide; you want to answer the external auditor's question and no more. That's contrasted with an internal audit. So internal audits serve more as a managerial tool to make improvements, catch any inconsistencies before an external auditor comes in, and also confirm that the internal controls are effective before anything goes wrong. Just for clarification, ServiceNow is geared more towards internal audits, but it can support external audits efficiently.

Eric: And the last refinement for today.

Anne-Marie: So I just wanted to give you a flavor of some of the use cases that we've seen with audit. Not all audit implementations are alike, and there's not really what we would call a best practice in this area, but I can tell you what we've seen with customers and things that they have successfully implemented. Obviously there's the full internal audit, where you pull in all the risks and controls, you pull in all the control tests and do a full audit, end to end. I've seen customers maybe just use a partial audit and use the audit module to facilitate maybe a resource-heavy or repeatable process that can be very time consuming, right? So think of user access list reviews that involve several people and involve taking a lot of time tracking the evidence collection process. So that's what we call sort of a partial audit. Then the third and simpler version that I've seen customers do successfully: maybe they did a full audit outside of ServiceNow, but they want to use ServiceNow to track their findings. So they'll just use the issue portion of audit and track those findings to ensure that they are making headway in resolving findings that came out of an audit.

Eric: All right, and I think we're going to see all of this in action in a little demo just now, right?

Anne-Marie: Yep, absolutely. So what are we going to see in the demo? Assuming that you've got your controls set up, you've got your risks set up, we've got some indicators in play and the results are being collected, and assume that you've got your test templates set up at the control objective layer. We're going to start with creating an engagement. We're going to select the entities, because in audit everything comes together, and we start with the entities, not the entity types. Then we're going to select the test plans and generate the control tests that we want the auditors to run, and then we'll add a couple of audit activities just to see what it would look like, and then close the audit, and then we'll take a look at what an audit report looks like out of the box. Okay. All right guys, so we're going to create an engagement, or audit; in ServiceNow we call it an engagement. But first we've got to confirm that all the records have been set up, right? So as an auditor, what you're doing is confirming that the set of internal controls is working effectively. So let's take a look under the hood and see what's been set up before the auditor showed up. So here's a control objective, and in this case we're going to be doing a partial audit. So in this case we're going to be looking at elevated admin role review across the company. So what that means is we're going to be looking at all the SOX processes for this company. We have 20 areas that we need to ensure are compliant, so there's the general in-scope application and all these various processes here; there are 20 SOX processes, so there are 20 controls. So the other thing that we want to take a look at is what other things have been set up here. Two of the key things that I want to point out here: one, that it supports an internal policy. I'm not going to go there right now, but you can see that it supports a policy. Then you can also see that you've got your indicator templates here. Indicator templates: these are going to be your evidence collection helpers. So there are two templates, two types of tasks that are created, and they're templates; what that means is that these are tasks that can be reused by any one of these entities down here. We'll take a look at that in just a second. So this is collecting evidence on an ongoing basis. Then there are these test templates. Now test templates, remember we said that a control test in an audit has three lives; well, the first time you'll see it here is at the control objective layer. So you'll see one test template that can be run during an audit. So this is for preparing for the audit, and these indicator templates are creating tasks, collecting evidence on an ongoing basis. Let's take a look at this control here, sorry, this control objective, at the accounts payable area. So for the accounts payable area, you can see that they've got the two indicators that were created, and they are actually running. So two tasks are being sent out to Manny McDonald in order to support this control objective, and there is not yet a test plan, but since it was created at the template level I can go ahead and add it here, simply by adding it like that. Now the reason why you choose to add it, instead of automatically adding it, is because maybe not every area would have the same test plan. So you may have two or three flavors available but only run the ones that are applicable for your particular area. All right, so you've got your indicators running, and you can see, let's pull one up. So this indicator, as I mentioned, will be sending out tasks; in this case you can see it's sending out tasks on a semi-annual basis, and I ran this one, I manually executed it just a little bit ago, so you can see there's an indicator task. So theoretically Manny McDonald would get this task two times a year, and she would see the instructions here, follow it, and you can see it's been passed and closed. So this is all data that's been collected ahead of time. All right, so that's the indicator, the tasks that are running here, and then the results. So this is the result of when this task closed; it created a result, so in this case it was a pass result. All right, so indicators are collecting data, and then test plans are created at the template level. Let's take a look at them at this control level; they're called test plans, right: test templates at the control objective, test plans at each of the controls. So if we go to another area, let's take a look at the revenue recognition SOX process. You can see that the two indicators are also running for their area, which means Manny McDonald is the owner here as well, so she'll be getting the same two tasks, but for revenue recognition, not accounts payable. And then we're also going to bring a test plan in here, so there's one set up, and we're going to say, yep, this test plan makes sense, and when I get audited this is a test plan that the auditor can run. All right, so you've got your controls. Remember, for the controls you could also have risks associated with them, so let's just go ahead and add a couple of risks. This control is intended to mitigate these two risks here. So that's just how you add it. Now let's go and actually create an engagement, now that we have all that set up. So now let's go to audit. Here you'll see the workbench; you can see all the audits that are in play, but let's just go ahead and create a new one. So in this case let's just say we're going to do a partial SOX audit, and we're going to say elevated access review, or, you could say, for the three entities. So let's just say three entities. All right, so we're going to assign it to Manny McDonald; I already know that Manny McDonald has the right audit roles. Now these two fields here are really key. So this is the audit period start and end date. These should always be dates in the past, because you're going to be auditing a period in the past. So the system does not enforce it, but essentially these dates are what is going to define the indicator results that will be shown; let me show that for you in just a second. So let me just go ahead and save that information there, and now you can see that you've got a couple of things: you'll see entities, risks, controls, test plans, indicator results, audit tasks, and so on and so forth. So one of the things that I like to call out is all that work that you had done in the beginning, so pre-audit, during the policy, compliance and risk area. The first thing that you're going to do is select your entities here, so not your entity types, but the individual entities which are associated to a particular control and risk. So once you select the entities, all the risks and controls associated to the entity will be brought in, any test plans that had been associated to those entities will also be brought in, and the indicator results for those entities in this period will be brought in, just like we saw in this line earlier. Now the audit essentially starts here. So these are the audit tasks that are going to be run, and then these are any issues; so if any of the control tests fail, those issues would show here, but you can also create additional issues, or findings, as a result of conducting this audit. All right, so let's go ahead and start the audit. So it starts in Scope. We're going to select the entities, so we're scoping it out, right? So let's pick accounts payable; we also will pick the in-scope apps, because we know that that control objective is one of the SOX processes. So we'll just stick with that. All right, so that's what we call scoping it out. Now what we want to do is validate, so we'll hit Validate. So what we're going to be seeing is, immediately, it will bring in all the risks and controls associated to these two entities; so there are a lot, and we can see the one that we were looking at as well. So the control we were looking at was SOX ISO four, ISAF four, and then you can see there are test plans created here as well, and then indicator results. So we picked a period in time in which these results were created; I generated those earlier, so it picked those up. All right, so that's all set up, that's brought up in the engagement, so the auditor has that information ready for them to look at. Now what's actually run in an audit? So remember I said it starts here. All right, so those test plans were set up, remember, at the control objective layer, and we want the auditor to run the test plans. Now the auditor might not run all of them; it's a partial audit, so they're just going to be running the ones associated to the control objective we were just looking at. So let's just see if we can find it; it was O4. And so those are the test plans that are created, one for accounts payable and one for in-scope apps. So this is where the magic happens. So you're going to select those test plans; we're not running them all, we're only doing a partial audit, so we're going to hit Generate Control Test, because the auditor is going to be looking at this tab. I'm going to hit Generate Control Tests. So we'll give it a second, and now we can see the audit tasks generated from those test plans, so the auditor can go in here and run those control tests. So in the control test, essentially what the auditor has to do is look at the design of the test and specify: is the way that they designed this test effective or not effective? Or, when they actually ran through the operational steps, did they get the same result that the control owners did, right? So they can mark it as effective or ineffective there. All right, so essentially I'm just going to say the operation is effective and the design was also effective, and when I close this, this will mark it as a pass. So let me just assign someone here and update that. All right, so that's really what happens in an audit. So remember, the control tests are what's run in an audit; they're generated from test plans; the test plans were initially associated to particular controls, right, so we set them up at the control objective layer. All right, so I was just kind of reviewing that again. All right, so that's really it. You can see how the control objective turned into a test plan and then a control test. Let's go back to that engagement. So when you want the auditor to start, so you may continue to add additional test plans for the auditor to run, when they're running them you could just move it to Field Work. All right, now remember I also had mentioned that an audit is sort of like a mini project, so you can add additional tasks. So you may want to schedule just a generic control test here; you may schedule an interview or walkthrough. Let's just go ahead and select a walkthrough. So you can see they'll have who they want to observe a process, right, who is going to be leading them through that, what the steps are; you may put in the SOP, or standard operating procedure, that you're verifying, and you would assign it to someone that will be participating in that. All right, so I'm just going to go ahead and submit that task, and here is where you just start to build out. Under this tab here, essentially, are all the tasks that need to happen in this audit, thus called the audit tasks. Now, if one of the control tests fails: so we've got one control test here, let's assign it to Manny as well, and maybe she said the design of this control test was fine, but when she actually ran this test it didn't pass, right? So there were folks that had access but it didn't look like they should have. So she's just going to mark it as ineffective, and we're going to go ahead and close this and update that task there. So because that failed, there was a control test issue generated here, and you can see it basically says that the in-scope application has an indicator failure. So if we take a look at that there, you can see that the control test failed. All right, so now that field work is done, you can request approval; I'm not going to add an approval here, so go straight to Follow Up; I'm going to skip that state. And then you can see here you can select a report template. So there's a default report template; obviously you can go and edit that and create your own, and you can also publish it to a specific database, so I'm just going to pick a GRC database. Now once you add those in and hit Save, you'll see that there's now a button called Generate Report. So let's go ahead and hit that, and now you can see the audit report there. So obviously this can be modified; it's just pulling in all the data and all the issues, the objectives, here. All right, so there we go, that's it. I hope you enjoyed that demo. Let me know if you have any questions.

Eric: Well, thank you for this, Anne-Marie. So if you were to try to summarize, what are the main takeaways from this tutorial?

Anne-Marie: Yeah, so remember, everything starts with entities, not entity types. We already have our controls and risks associated to entities, so now we're going to pick the entities and the system will bring in all the controls and risks associated to those. And then the other key thing is that audits are always looking at a period in the past, and that period that we define in our audit will select the specific indicators that will be available for review. So that, in essence, should make your job a lot easier come audit time.

Eric: All right, so we're now coming to the end of this tutorial. Anne-Marie, what would you recommend our audience, people who are viewing this tutorial, do right now, like in the next hour after they've finished watching this tutorial?

Anne-Marie: Yeah, so in the next hour I recommend that you take the free audit class on Now Learning. It's got a lot of good information in terms of the tables, the class structure, just some really good implementation-level information. Then go ahead and create an engagement in either your company instance or in a developer instance, if you have one; create an engagement and generate a control test. Definitely ask questions on the community; it's a great place to get information and see what other folks have asked as well.

Eric: All right, well, we are now at the end of the tutorial. Anne-Marie, thank you very much for your time and for your expertise. Just a couple of reminders before we close off. So of course the PDF version of the slides will be available in the forum. You will have questions, and as Anne-Marie said, the community forums are there to provide answers, and they are open 24/7 and they are free; everybody loves a free answer. And the very, very last slide, we've seen it in other tutorials; I want to bring it here to make sure that people know that it exists and they can print it out. We're not going to go through this slide; this is really meant to be printed out of the PDF version of the slides. This slide captures all or most of the very important concepts for GRC, and it indicates with a little red arrow where audit sits in this overall universe. And on these words, Anne-Marie, once again, thank you very much.

Anne-Marie: Thank you.

Eric: And to our audience, thank you very much, and we'll talk to you next time.
https://www.youtube.com/watch?v=IfosFTiwNYk