Complying with OMB A-123: management’s responsibilities for internal controls
Hello everybody, thank you for joining us. We are very excited to be here, glad to have you here too, and we're going to be talking about complying with OMB A-123, management responsibilities for internal controls. And I am very excited to be joined by two of my very favorite co-workers, Matt Fischer and Tom Bean. Matt, would you like to introduce yourself?

Sure, thanks Teresa, and I know you say that for everyone. I've heard you say that about other...

No, never.

My name is Matt Fischer. I'm our DOD risk executive, so Tom and I operate across a lot of different risk use cases and across the entire DOD and portions of the IC. Tom? Oh, you're on mute, Tom. Oh, there we go.

I did that earlier. There we go. Tom Bean here. I'm glad to be demonstrating to you our A-123 solution and hope you get a lot out of it. Look forward to working with you all in the future.

I think it's going to be a great session. So I've got a couple of housekeeping tips that first I want to go through. You are automatically placed on mute, but we really want to hear from you. We want your questions, so please use the Q&A button at the bottom of the screen. We want to make this interactive. We'll be breaking in and asking questions sort of throughout, so don't be shy. The session is being recorded and it will be up on our ServiceNow YouTube playlist in a couple of days, so if you're looking to share it with co-workers, you should be able to find it on Friday. I will be putting in the chat, not the Q&A but the chat, the links to the YouTube channel. And after the session, if you could stick around and just answer a really quick survey for us, it really does help us prepare and plan other webinars that you hopefully will enjoy. So with that, I am going to turn it over to Matt, who's going to walk you through the agenda, then take you into the session.

Hey, thank you Teresa. Let me go ahead and grab that share. Can everyone see this deck?

Yep, it looks great.

Great, thanks. Hey, so I'm just going to do a real quick kind of
overview and intro, starting with sharing some of the things we hear from customers about their existing enterprise risk and FIAR and RMIC programs, as well as kind of how we do things, and then Tom's going to go through and take you through a demo. I'll stop sharing so I can help support questions and Q&A on the chat. So we'll keep it short and brief.

Did you want to put it in presentation mode, or did you want to keep it in the show mode?

Yep, thanks. So within ServiceNow we actually have this very large, robust, mature risk suite that a lot of folks aren't really completely aware of. Now, this risk suite actually goes much broader than enterprise risk or really anything FM related. I mean, we have customers who are using us for all forms of digital risk management, customers getting into the mission with it, managing their COOP and continuity and their supply chain. But today we're really going to focus on what we're doing to help you improve your FIAR programs, help you improve your RMIC programs, your enterprise risk programs, your internal controls, everything related to dealing with different risks, different controls, audits, audit results and CAPs, and making progress and eventually improving your audit results and getting to those favorable opinions.

Now, in terms of challenges and what we hear from customers, of course, lots of varied challenges, but it really all kind of boils down to customers dealing with lots of data, and data that kind of lives all over the place and very often doesn't even necessarily live in a system, or sometimes lives in multiple systems. So they have a lot of manual processes where they're trying to combine this data, make sure it's accurate, consolidate it and give a larger view, right? And these challenges, you know, really end up creating visibility problems where the folks at the top, or even the folks in the middle, may not necessarily be able to get the real status of things that they want, or they may have to go
through an effort to do things like just say, how are we doing on our CAPs? You know, do we have things that are overdue? How do these CAPs really relate to different risks? And so this very manual, disparate environment creates lots of different challenges, and of course it's very difficult to automate when you have data living in spreadsheets and SharePoint and system A and system B, right?

So what we do at ServiceNow is we bring all of this stuff together. We bring the people, the processes, the data, and that allows us to really automate and let you see exactly what was going on. Now, we do that with our integrated risk management, but really what's driving all of this is just the very unique capabilities and unique approach of the ServiceNow platform itself. Now, if you work in risk management, you work in ERM, you've probably heard of eGRC, and you've probably used eGRCs, but you may not have had a lot of exposure to how powerful the ServiceNow platform itself is. It's this low-code, no-code environment, which means you don't have to spin up, like, Java developers and .NET developers. You have ServiceNow administrators go in and configure things, and you have tons of different little frameworks and capabilities all over the platform that you can leverage.

So when we say integrated risk management, we are absolutely bringing your risks, your controls, your audit results, everything from your TOE and TOD, you know, test plans, down to, you know, your evidentiary management, all in a single platform. But it's a platform enabled by the ability to build your own workflows, build your own dashboards at any level, right? So you can have a dashboard for maybe a financial analyst or a procurement analyst who's doing double duty, have a different dashboard for your, you know, your overall RMIC lead, and one for your comptroller. You can use artificial intelligence, machine learning, robotic processing, you can use predictive intelligence, performance analytics, all these
capabilities in the platform, so it really gives you the absolute maximum art of the possible of anything out there.

Now, for ERM, right, what we're doing is we're bringing all of this together into this kind of central hub that not only creates tons of efficiency and visibility, but it improves user experience as well. Like, we can do things like expose your risk management and your control tasks inside the employee service center, so that your teams are getting their work and responding to their work in these requests and tasks in the same place they do all of their other work, without necessarily having to go learn, like, a whole new module or a whole new capability in its entirety. We bring you visibility into everything you can imagine. Since all of this data, all of these processes and all these teams now live in the same platform, it's very easy for us to visualize any sort of metric you would like and create very unique, configured dashboards for your needs.

And the result is, you know, we have customers who've just done wonderful things with this. Of course, we ourselves are our own users, but we have a DOD customer who, using software and some very skilled, experienced partners as well as organizational change, right, the desire to make changes and the ability to go through those organizational changes internally, are now able to track thousands of more risks than they were in the past, and very, very importantly, they were able to wipe out 14,000 estimated labor hours throughout their enterprise. I mean, conservatively speaking, that's, you know, tens of millions of dollars being saved by consolidating and transforming the way they do things.

So I'm going to go ahead and let Tom take over and walk you through some of the product and show you some of the cool capabilities. He's not going to be able to show you the whole thing, right? This is very large, very mature capabilities. The idea is to give you an example of what we do, how things work, and if you'd like to learn more and drive down
into more details, we can certainly set up a follow-up call. If you do have questions along the way, feel free to use the Q&A feature in Zoom or use the chat, and Teresa and I will help you out over chat as Tom presents. Right, thank you. Tom?

All right, thank you Matt. Very thorough introduction, and I appreciate the kind words. So what we're seeing in front of you is a dashboard that I've created for the A-123 status. This is something that is not out of the box. It's something that I was able to create because we have all the data that we need to, you know, present the data in a manner that would help your A-123 stakeholders. So, you know, we're just looking at where we are within an engagement for walkthroughs and control tests, and we can see what's passed through. Of course, any data that I have here I can click into, so we can dig deeper into what is actually going on within the data. As long as you have the permissions, you can configure these dashboards however you want to make them, so you can add reports, you can add HTML fields, videos, so forth. It's just a matter of simple configuration.

So, you know, again, kind of to Matt's point, this is the capability that you have, and, you know, as long as you have the data and know where to pull it, you can make these dashboards within minutes. I think creating this dashboard took me maybe half an hour or so with all the reporting. So, you know, as we go through the tabs, you know, we can go from what the engagement is to what is important to you as far as issues and CAPs, deficiencies. We can look at a calendar as to what is coming up from an engagement standpoint. Maybe evidence requests are something that you need to track; historically it's been a bottleneck for you. So now we have that visibility to look at, you know, where the evidence request status stands, and we can, you know, identify what is
it, you know, being, needs to be reviewed, so we can, you know, poke the person to make that approval. And finally, you know, we can look at a risk register of all your risks within an organization and give it some kind of a categorization, you know, by any, and, you know, whatever your high risks are. So let me stop there. If anybody has any questions about dashboards, again, please use the Q&A.

I don't see any questions, but I think this is incredible. So, you know, this is giving you the overview that you need to be able to identify the different areas of risk, basically, within your organization.

Exactly. And, you know, from an internal control standpoint, if you're in a testing team, this is a great way to, you know, kind of identify, hey, where's a bottleneck, where do we need to, you know, start escalating some, you know, people that get their jobs completed so we don't slip on our schedules.

Absolutely. Focus more. That's great. Yeah, please use the Q&A panel if you have any questions.

Excellent. So as we go along, we're going to be looking at it from an audit management standpoint, so where an internal control inspection is going on. So we have this audit workspace, so now, you know, the engagement team leads can really understand what needs to be done from their standpoint. This is just an overview, so now we've got the timeline of what engagements are upcoming, what's open, what's overdue. If we want to follow any cost or manual manpower resources, we can look at, you know, what's over budget. And as we scroll down, you know, we can start tracking what tasks are outstanding. So, you know, obviously we want to focus on these overdue, but, you know, we can look at any observations that have been created and any issues, and issues are going to be your deficiencies that can lead into corrective action plans or maybe even a significant deficiency, and we
go down, we just can look at all your outstanding plans that you have for the year and any engagements that will, that are out, are in progress. And we're going to look at an engagement a little more closely here in a moment. And there's one other thing I just want to show with the workspace. If there's anything that you need from a data standpoint, we have the listing, and this will provide you with every piece of data that you really need, either from a compliance standpoint, from a risk standpoint, or from your audit execution standpoint. So all your data is here. You can even make your own list, so if you have a filter that you continually complete over and over, you can save it right here, and it'll just be one click and give you that data instantly. So I'm going to stop there. I don't see any open questions. You have anything, Teresa?

No, I don't. I don't see anything right now.

Excellent.

I think you're good to go. Great. Everyone's just impressed. [Laughter]

So, just to start off with, we're just looking at a plan that we've created for the annual, so you can start, you know, looking at your, you know, what resources you want to extend as far as maybe manpower, so that you're not overloading all of your inspectors, and they can start planning what they need to do in the future. So this is just another piece that's got to have its own workflow. If we just go here, we can go, you know, from drafted, which is just filling out the form, to approving it, and then once it's approved, we put the plan into place, and then you can see all the engagements that are attached to this plan. And again, you know, from an A-123 standpoint, we're just going to be looking at their FY24 civ pay engagement. And so the engagement is really just a lens as to what you need to do to get your internal control testing completed, and from an overview
standpoint you can see exactly where you are within the process, from scoping it out, so you can understand what you're going to be testing, to validating and making the plan as to how you're going to test, what you're going to test, what risks, what controls, and then the actual field work, where the inspectors will go and perform their testing, make their observations. And then, if need be, you can have an approval process for the engagement, or you can just go right to follow-up and close out any outstanding observations, deficiencies and issues, and once those are closed out, then the whole engagement will be closed out.

And again, just with every overview that we'll have, we're going to have the details of what's going on within the engagement, just give you a quick, you know, look as to where you stand within the engagement, what you're tracking as far as your tasks, observations, issues, and then any milestones that you may have identified. And one other kind of neat thing is over here you can actually see exactly what you're going to be testing against, what policies, what regulations, and then, you know, if you have a plan that you're going against. Details are exactly going to be that. You understand who is assigned to this engagement. You'll always have a lead, and then the inspectors that are going to be doing the testing, and again, you can have an approver if need be. You've scheduled it out. You can identify when the engagement actually starts, at what phase, and when it ends, and as you progress into the fields, the actual dates will be filled out as you go through your phases. And again, if you want to, you know, start budgeting resources, this is where you can do that. So again, just track, you know, who's doing what, and they're not being overloaded. You can put your final results in and finally add a report
template so that upon the completion you can publish the report, put it out as a knowledge base article, so that everyone that has permissions to access it can view it from the knowledge base.

So Tom, we have a question. So how difficult is it to track the expenses you were just showing? Is that a very manual process, or is there any sort of automation that helps us along the way?

So, just with what you're seeing right now, it's going to be manual, but if you do integrate it with our SPM, our strategic portfolio management, then you can start pulling that data in, integrated, and it becomes a much more automated process.

That's awesome, thank you.

Sure.

All right, so that integration is out of the box, and it also includes, like, actual time card management as well, doesn't it, Tom?

Yeah, the advanced audit does have time card keeping, and again, it will track it against the SPM project that it's been assigned to. So, yeah.

And that's, I mean, to me, obviously, if you're billable, then you probably do have to kind of punch at least a virtual time card, right, and track your hours on the project. But even if you aren't tracking the actual billable state of folks in billable hours, I think that's really useful just for tracking total labor on the effort, right? Whether it actually goes to a charge code or not, it's a great way to actually track how many hours, what is our actual effort doing this stuff.

And there's going to be maybe even the cost, just, you know, making sure that they're within their budget, you know, any expenses that they're incurring, they're making sure that they're within their budget of their expenses that they're supposed to be tracking. So again, it's just another great way of understanding where you stand within the engagement and that you're not, you know, over-allocating your resources.

I don't... no more questions. Okay, now, excellent.

So as you can see, we, you
know, from here we're going to go through these tabs, and then we'll do a deep dive into each of these as we go along. So the first thing will be the entity, and really an entity is going to be defined as something that you are actually going to be inspecting. So it can be a process, it can be a facility, it can be an application, it can be down to the server if you want. So in this case we're just going to be looking at the civilian pay system and the process for this particular engagement. And as you validate the entities that you are going to, you know, perform the control inspection against, it will automatically pull in the risks, controls and test plans from those entities. So now you can understand exactly, you know, the scope of this engagement, and you can go through and, you know, remove any risks and controls that are not going to be in scope for this engagement.

As we go through, you'll see all the risks that are identified for this particular engagement, you know, where they stand with their status and what their assessment scores have been. Same for controls. You can, you know, pull in either, you know, from the system, it's going to be looking at specifically NIST SP 800-53 controls, and from the process it's going to be more A-123 related controls. And then the test plans are going to be, you know, how the inspectors are going to look at the controls and identify if this control has been designed correctly and if it's operating in an effective manner. And it ultimately leads to the tasks, you know, what needs to be done to make the engagement complete. It can be either a control test, it can be an interview, it could be walkthroughs, a combination of all three, and if you need to add any more, you can just do it from here. If you have the test plan, those control tests will
automatically be generated, and you just, you know, again, just start allocating, you know, who it will be assigned to, and give it a planned start and end date. And then finally, we can start also tracking all the evidence that has been requested for your control test or maybe an interview. It'll bubble up into this particular tab right here, so you can now look at, you know, exactly where you stand with the control test and what the evidence is designed for.

So Tom, I think it's really interesting, on the right-hand side, the highlighted details under scope. You're actually looking at multiple regulations here, controls for multiple regulations. So do you have a test once, comply many process?

Absolutely. So these controls, if you put the control in and you do the testing against it, and if that control is tied to any of these regulations, you can test it once and it'll comply to, you know, however many other regulations that that control is part of, or policies. So, you know, again, you just test the control once, you can comply to many different policies, if the control is added to multiple policies.

And I know at ServiceNow, working with our team, it's a huge time savings being able to do that. And then you can also automate that. I'm assuming you'll talk about some of our continuous control monitoring as we get along here too.

Yep, we'll talk a little bit about that when we get to the control, but yeah, absolutely. Once you get into the monitor state, you can start adding in what we call control indicators, so we can pull data from either within the platform or from a third party, and we can understand whether that control is operating in an effective manner based on the data that is being pulled in, and, you know, setting the benchmark and making sure that it gets over that benchmark.

Fantastic.

Okay, yeah, let's see here,
but we're going to just dive in a little bit into what an entity would look like. So we're just going to look at the civilian pay process, and again, you know, every page is going to have an overview of exactly where they kind of stand from a compliance standpoint, from a risk standpoint. And so you can see over time what the trend is for your compliance. You can see what your downstream entities, which non-compliant downstream entities are, so you can now look at, you know, exactly what's going on and dig a little deeper. And then you can also just really look at the hierarchy. So from the process you can see, you know, we've got benefits, civilian pay, HR, travel expense are all downstream. And from a risk standpoint, we can see what methodology we're using to establish this risk. We can see that it's been low, and we can see a trend against it and understand what controls are contributing to that risk rating. And if there are any open assessments, we would see those here, and if we have any risks with no controls, we would see that as well.

And just to continue on, you know, for the entity we can see what open issues we have, what's overdue, any policy exceptions, and then all the controls that are tied to this particular entity. And then, you know, I think this is kind of neat, we can see the hierarchy, so we can see what's upstream and what's downstream. So we, you know, understand where this process stands and, you know, how this process would affect the upstream, what we're inheriting from, what aggregated risk scores we are accumulating based on your downstream. And I'm going to show you the hierarchy right here. So now this is how you can build out the hierarchy and how everything would flow up. So, you know, from your lowest level we can look at a server and databases that go
up to a system, which go up to your process, which go up to an end-to-end process, you know, all the way up to your agency. So your data is just flowing from down all the way up, so you can get the aggregated score and understand, you know, where your agency stands from the risk and compliance standpoint. I'm going to stop there for the entities. Are there any questions, any outstanding questions?

No. I think entities are super important, and I think it's always good to understand them, because they are the key to how ServiceNow works.

We've got... this is going to be the building block for IRM, right? And this is where all your risks and controls stand, you know, are stored, so you have to have some kind of sense of where your hierarchy is and understand what entities you do want to track.

Yeah, absolutely.

Yeah, exactly, exactly. Cool.

Okay, so the next thing we're going to look at is just a risk that came from the entity. And again, you know, with the overview you can see where you stand within the workflow, so, you know, from draft up to monitor, ultimately to retired. I can look at the hierarchy of this risk, so you can start creating a taxonomy of the risk, so, you know, at the lower level you can push up to get a full understanding of what that risk is from an enterprise level. And then you just look at, you know, who the owner is, what your residual risk is, the effectiveness of your mitigating controls, and then, you know, anything that needs to be attended to. And we were talking a little bit about monitoring, so, you know, again, we can look at, you know, what control testing we have outstanding, and then also any indicators, you know, key risk indicators that we've identified for this risk. And then, just kind of from a housekeeping standpoint, we can see what assessments have been completed on this particular risk, and then what the mitigating controls are
for this risk and their state. And I'll stop there.

I think you're good to go on. I think the controls, again, the controls are important. The next part here is going to be really enlightening with audit.

Yep. So, and then kind of to segue, we can now look at a control. And again, you know, we're looking at, you know, where we stand in the overview, where we stand for the status of this control, from drafting it out to implementing and attesting against it, ultimately to monitoring. We see that this is a non-compliant control. Because it's non-compliant, we do have an outstanding issue against it, and we can see that, you know, a couple of tests are in progress. The details, again, you know, we see what the objective is, who the owner is, and what attestation we're using to attest to the control's effectiveness. Any issues that have been opened up will be displayed here, and I'm going to do a little deeper dive here after we show the control test. We can look at any outstanding attestations or previous attestations that have been completed, and then we can look at the test plan that the inspection team will be using for this particular control, and then any tests that have been completed. And just like from the risk we can see what controls are mitigating, from here we can see which risk this control is mitigating. So this only has one risk attached to it.

A little deeper dive into a control test. You know, again, with the overview we're just looking at where we stand within the process itself, but the details will show you, you know, what engagement we're looking at, what control we're looking at, what entity we're looking at, and who is performing the test, and scheduling. And then ultimately we can look at the design, whether it's been effective, or, and the
operational test, and this one has been deemed as ineffective. When it's ineffective, then the overall control effectiveness will be automatically flipped to ineffective, and when we close out the control, the issue will be generated automatically. And then, like I showed on the engagement, now we can look at the evidence for this specific control test, so the inspector can, you know, have a quick reference to what the evidence is. And if we look into the evidence record itself, you know, we can see who collected it and exactly what they collected, so all the attachments can be stored within this one record. I'm going to stop there for just a moment for the control test.

Yeah, I think the interesting thing, we tend to glaze over it fairly quickly, but I think we don't really give issues management the respect that it's due.

I'm gonna give it some love here.

Are you gonna give some love? Because in fact it's so time consuming for people, and, you know, the fact that we're automatically generating issues and you're automatically assigning it to the appropriate person, it's a huge time saver, but it also significantly reduces the number of errors, I think, and gaps that you've got.

Exactly, yep. So that's a great segue. So the issue, let's see, let's go back here. Again, with the overview, really an issue is, from a DOD and the government standpoint, it's going to be your deficiencies, maybe a corrective action plan, maybe even a significant deficiency that's been identified during an inspection process. So the issue does have its own workflow, from, you know, a new creation all the way up to, you know, closing it out, and you can really understand, you know, from the details what the issue is all about. You know, I've added in a couple of check boxes to identify that this is part of a corrective action plan. We could even make it a material weakness, and
you know, again, we're just looking at who's going to be assigned to this, and because it's a CAP, you know, maybe we do want a, you know, manager to be reviewing and making sure that the CAP has been closed out correctly. And again, we can look at, you know, scheduling, how long we anticipate this issue to be open before it gets resolved. You can start putting your action plans in and ultimately, you know, what activities are going to be completed. But the cool thing is now we can start breaking out this issue into remediation tasks, so that, you know, now we can really, you know, kind of focus on what needs to be done to close out this issue. And these remediation tasks can be, you know, as simple as, you know, maybe a kickoff, you know, get requirements, do the implementation and do an after action plan, lessons learned. With that, we can start putting in service level agreements, so we can, you know, make sure we're staying on time with the completion of your task. And then, you know, we can see what generated this particular issue.

So there is a question. You showed the end or the planned end date, and you talked about SLAs. The question is, are there notifications that go out to the appropriate people to try to keep everybody on task and on time? And then, if not, is there an escalation path if something is significantly delayed over a certain period of time?

Yeah, so that's absolutely part of the platform capabilities, to put in notifications. Either you can make the notifications through what we call the flow designer, or you can just make a notification within the record itself, but you kind of identify what would trigger that notification, who would receive it, what the content of the notification would be. And as part of the flow designer, if you want to do an escalation prior to the SLA being breached,
you can add that in as well. So the flow designer is kind of where a lot of the magic happens within ServiceNow. It's really how you can start automating a lot of your tasks, you know, pull data in from a third party, maybe create a record if need be, and, you know, create your notifications or even, you know, put it out to a Teams channel if need be.

Perfect. I think that answered the question, and there's no more questions right now.

Okay. And the final thing I have is just, again, you know, just to show another dashboard from a different perspective, you know, maybe from a, you know, higher level audit standpoint. Again, it's just one more way to visualize data, and this is more of an out-of-the-box type of dashboard. So with that, I don't have anything else to show.

Wonderful. I don't think we have any questions right now, but if you do have questions, please pop them in. You know, we're going to be around here for a couple more seconds while I close it out for us. We really appreciate you guys joining us and hanging in there. This was a fantastic demo, Tom, and great information, Matt. You know, please, you know, visit us at ServiceNow.
risk, join us on the community, the YouTube. In the chat I've put the YouTube playlist. I've also put the link to the registration page, so please join us for further webinars. But again, on Friday you should be seeing the recording of this webinar, and we have blog posts that hopefully you all are getting, and our sales folks are sharing it with you, our partner people are sharing it with you, that list all the webinars, all the activities that we have that are upcoming, including additional demos from our demo center. This is a QR code you can use to go ahead and get that. And again, we have, I guess, one question here before we close it out: is it possible to bulk download attachments from indicators once posted to review? It looks like the bulk attachments can be uploaded but not downloaded on indicator tasks that get closed, once closed.

That's a great question. I'll have to follow up with that.

Okay.

I'm not sure if we can do the bulk attachment or not. That's a great question.

Yeah, you know what, it might be a great enhancement if we can't do it.

Yeah. We have your name, and we will reach out to you after this to answer that question. But yeah, thank you for the, you know, really thoughtful question, and I'm sure if you've been struggling with it, a lot of people have been struggling with it. So anyway, again, thank you very much, Tom and Matt. Really appreciate all your time and effort. Wonderful webinar, and we look forward to hearing and seeing and joining all you that have just joined us in future webinars.

Yeah, thank you everyone. Appreciate your attention. Thank you.
https://www.youtube.com/watch?v=7TgX3grkKIg