Five ways to automate control testing with ServiceNow
Security & RiskBlog Post

Five ways to automate control testing with ServiceNow

Five ways to automate control testing with ServiceNow

Organizations, especially those operating in heavily regulated industries, find it tedious to abide by specific regulations, standards, frameworks and audit guidelines from authoritative sources.

This time consuming challenge of staying compliant can be addressed by automating  business critical processes of measuring and managing adherence to legislative policies. It’s imperative that these process controls are aligned to organizational risks and corporate policies.

ServiceNow GRC is an application that leverages process, risk, and policy alignment to automate the audit process by: managing controls, assigning control testing tasks, managing evidence collection, and assigning remediation activities.

With ServiceNow, you can free your bandwidth, as you automate control testing for your organization. Here are 5 ways you can automate:

Control Indicators

Identifying and creating key risk control indicators is an integral part of continuous monitoring. Indicators collect data to monitor controls and risks, and collect audit evidence. With indicator templates, you can also create multiple indicators for similar controls or risks.

Steps to create a Control Indicator:

  • Navigate to one of the following locations:
    • Policy and Compliance > Indicators > Indicators.
    • Risk > Indicators > Indicators.
    • Audit > Indicators > Indicators.
  • Select New.
  • Fill in the fields on the form, as appropriate.
  • Click Submit to create the control indicator.

You can also create a GRC indicator template by navigating to indicator templates.

Indicator results can be gathered manually using task assignment or automatically using basic filter conditions, Performance Analytics, or a script. These are then used to create issues for controls, update risk scores, and provide supporting information for audit activities and control testing.

PA Indicators

Policy and Compliance Management content can be linked to Performance Analytics indicators, breakdowns and thresholds. The risks and controls associated with a PA indicator or PA indicator/breakdown automatically monitor the PA threshold with the same relationship. Any PA threshold breach is reported at the risk or control and Performance Analytics indicators relationship level within a breach counter.

PA indicators


  • Associate a PA indicator with a risk statement or policy statement
    • Open a risk statement or policy statement.
    • Add new to the PA indicators list.
  • Associate a PA indicator with risks and controls
    • Open a risk or control and add new to the PA indicators.
    • Select the breakdown and the breakdown element to view a particular trend and scorecard.

What you get:

Associate Performance Analytics indicators with policy statements and controls enable you to view scorecards and trends, and analyze current conditions and trends.

Data certification

The information in the CMDB may need to be checked for accuracy and certified. This validation of CMDB data can be managed by defining what information should be verified and the verification schedule. Based on the schedule, tasks can be automatically created and assigned. The schedule generates a checklist for verifying the data. Individuals assigned to certification tasks answer questions to verify the data.

A Certification Audit Instance is a single execution of a collection of certification schedules that can be run at once.


  • Set up certification tasks
  • Create certification schedule
  • Create schedule definitions
  • Create an audit definition (first time)
  • Create an audit instance
  • Review results

What you get:

The data certification overview module provides different gauges for reporting. Clicking on any of the colored bars in the bar (see Figure) leads to a detailed information page.

Data certification 5Data certification 4

Data certification

Data certification 2

Data certification 3


Instead of the legacy surveys, you can send out customer questionnaires called Assessments that can be generated on demand or on schedule and sent to a defined set of users.

Trigger conditions enable you to send Assessments automatically when certain actions occur, and properties enable the customization of assessment appearance. Users receiving the Assessment can easily view and complete assessments in “My Assessments & Surveys.”


  • Create Metric Types (set of records to be evaluated, ex. Vendors)
  • Set Schedule Type: On Demand or Scheduled
  • Generate Assessable Records (links records you want evaluated to a metric type, ex. Company records to a Vendor)
  • Create Metric Categories (Themes for “Questions”)
  • Create Metrics (“Questions”)
  • Publish Assessments

What you get:

Scorecards and Bubble charts provide an enhanced way to view assessment results (see Figure). Assessments can be exported and imported as XML files.



Attestations are surveys administered to users and groups to evaluate compliance to a control or policy. These are sent when the control test definition is executed, either manually or on a schedule.
Attestations are defined in the Control Test Definition form as part of the evidence gathering phase. The administrator creates the questions, data types, and distribution lists to suit the control.


  • In the Control Test Definition tab, check “Collect Supporting Data.” Choose the condition type “Attestation”
  • Set up questions
  • Select recipient
  • Set state to “Active”
  • Execute when ready

What you get:

ServiceNow prepares printable scorecards for GRC attestations. Users can examine ratings over time, and compare question ratings (see Figure). All ratings are averages for the time range selected. The system dynamically updates a scorecard each time you view it, so the ratings reflect recently completed attestations. 


Automate compliance now

With rising internal and external threats to your organization’s security, you must have a solid GRC program in place. Through an efficient implementation of ServiceNow GRC, you can build that solid program. The power of ServiceNow GRC lies in the ability to integrate GRC with Service Management, and giving you the capability to automate evidence collection.

INRY has implemented multiple ServiceNow GRC deployments to a range of industries including: manufacturing & food manufacturing, insurance, audit, service, retail, and state government.

We can help you harness ServiceNow GRC to:

  • Document policies, define the risks of failing to comply, and to design controls to enforce policies and mitigate risks.
  • Schedule control tests to collect compliance evidence and identify failures that need remediation.
  • Automatically extract information from service management processes as evidence for compliance audits.
  • Create and assign remediation tasks in real-time to control test failures.

Schedule a free consultation with us now to explore how you can streamline compliance in your organization.

Related Insights