Believe it or not, it’s been 10 years since publicly traded companies were first required to comply with the Sarbanes Oxley act. Since then, the majority of public companies have matured their policies and processes, and gained a better understanding of the control activities that should be in place. Today, organizations are focusing their time and effort simplifying control activities, streamlining the audit process, and improving audit documentation. This is why more and more organizations are looking towards a GRC application (like the one offered by ServiceNow) to automate the process.
When clients contact us for assistance with a GRC implementation, we typically hear one of the following objectives:
- We want to automate our control activities, so that our control owners remember to complete review controls on the required schedule.
- We want to simplify and automate the audit process, in order to spend less time during the audit.
The question is, which of these objectives can ServiceNow GRC help us accomplish?
The Answer: Both!
It’s true. ServiceNow GRC has the ability to centralize and automate your organization’s control activities and automate the audit process. In order to fully realize the benefits that ServiceNow GRC offers, it’s important to understand that one of the key success factors is rethinking your current internal controls framework and control design.
Internal Controls vs. Control Test: Keeping it Simple
In ServiceNow GRC, Risk Managers have the ability to track the internal controls activity that exist within their organization. Each control then has one or more records that define who will test the control, how often they will test it, what the test steps are, and the expected results. This solves the second objective mentioned above, because we can now centralize and automate the control testing process.
However, many clients find that this may not solve the first objective – automating the internal controls activity and ensuring that periodic controls are conducted timely. This piece can be achieved multiple ways. The flexibility of the ServiceNow platform allows each organization to customize their instance to align with their own custom requirements. Be cautious though, these customizations can quickly escalate and make GRC maintenance a burden. The better option is to rethink your current process and breakdown your control framework into smaller pieces.
Example of Internal Controls
Periodic Review of System Access
Almost all organizations have a periodic control that states something like, “Access to systems is reviewed for appropriateness.” In ServiceNow, the control and control test would be configured as follows:
- Create a control record with the control requirements, control owner, frequency, etc.
- Define the control test execution steps, expected results, tester, and test frequency.
- Test that the control was successful. The test would likely require that the tester collect all of the periodic reviews that occurred for in-scope systems during the test period and verify that they were completed correctly.
The problem with this scenario, is that we also want to capture the actual review activity in the system, when it is performed. This way we do not have to manually collect evidence when it’s time to test the control. This is where some organizations want to use ServiceNow’s workflow engine to create a series of workflow tasks to capture the review activities. This may seem like a simple solution, but changes to the review process, employee turnover, and changing responsibilities can make managing these workflows a challenge, and typically require assistance from your ServiceNow platform administrator.
The Simple Solution
The fact is, there is another layer of internal controls and control testing that exists in this scenario. Often times, these controls are not captured in our clients’ current control frameworks.
The periodic review of system access is, in itself, a test of another control that may read something like, “Access to systems is restricted to appropriate personnel.” To test that control, we may compare a system access listing to a list of users who have been approved to use the system. If the tester identifies users with inappropriate access, then he/she would fail the control and a remediation task would be assigned to revoke the inappropriate access. As you can see in this scenario, the act of testing system access for appropriateness in itself becomes a corrective control that is, “Access to systems is reviewed for appropriateness.” That higher-level control would be the key control that audit is most concerned about. Ideally, this review control should never fail, as a failure in this control could result in a loss of security and data integrity.
When organizations test controls on spreadsheets, it’s very easy to lump multiple controls into a single control. This is especially true with periodic review controls. If you find that your internal controls framework contains many periodic controls, but does not include many continuous or event-driven controls, then it’s likely that there are additional controls in place that you have not identified. When you first implement your GRC application, it’s important to break your controls down into their smallest meaningful pieces:
3 Steps for Breaking down Your Internal Controls
- Identify all of your periodic review controls.
- Ask yourself, “Why are we performing this control?” This is likely the description of your new lower-level control. (e.g. “Access to systems is appropriate”, “Critical Data is Backed up”, “Applications enforce the password policy”, etc.).
- Identify the person/group performing the review, the frequency of the review, execution steps, and expected results (these will help to build the control test definitions for the lower-level controls).
If management is performing a review, it’s likely that they are testing something that is considered a control. You want to capture all of these activities in your GRC application, so that internal controls and review activities are not being maintained on local workstations and shared drives or SharePoint sites throughout your organization.
Remember: the more that you capture in ServiceNow GRC, the more evidence you have to prove that you have an effective internal controls environment!
Managing multiple internal controls is much simpler than managing complex workflows. The best part about this approach is that the business users can address changes to the process, employee turnover, and changing roles quickly, without consulting the ServiceNow platform administrator.
