Transforming compliance and audit management with ServiceNow


Deck from a demo presented on July 24, 2018.


  1. Transforming compliance and audit management with ServiceNow. Demo webinar, July 24, 2018.
  2. Today's presenters (Delivering Risk Intelligence)
     - David Pearson, CTO & Senior GRC Consultant
     - Travis Giff, Senior GRC Architect & Developer
     About Iceberg:
     - 100% focus on Governance, Risk Management & Compliance (GRC)
     - Staff includes 25+ full-time GRC consultants & certified developers
     - Customers include top financials, insurance, health care, manufacturers, retail, and government in North America
  3. Delivering Risk Intelligence: "Trusted, aggregated and transparent risk data enabling organizations to make more informed, confident and effective business decisions."
     Disconnected risk & business data → Aggregated & integrated for context → Analyzed & interpreted → Better business decisions & actions
  4. A full lifecycle of GRC services
     - Management Workshops: Visioning & Alignment; CMO/FMO; KRI/KxI
     - Professional Services: Implementation & Integration; Solution Lifecycle Management
     - Iceberg APS: Post-Production Support; Mentoring, Coaching & Skills Development; Sandboxes
     - Risk Intelligence Academy: Case Studies; Best Practices; Webinars
     - GRC Innovation: Reporting / Dashboards; Toolkits & Enhancements
  5. Demo Company Profile
     - SaaS for marketing/comms
     - 1,000 employees
     - 6 million users worldwide
     - 75 customers in the Fortune 100
  6. Challenges
     1) Existing internal control structure is based on SOC 2; it needs to be leveraged/adapted to also cover FedRAMP, GDPR, and other regulations.
     2) The current SOC 2 attestation process is done with spreadsheets and email: time consuming, and no transparency.
     3) Poor coordination between Control Owners and Auditors for collecting evidence and tracking remediations.
  7. Project Goals
     1) Demonstrate that internal controls conform to regulatory requirements
     2) Simplify the attestation process (make it easier for users)
     3) Provide greater visibility into the attestation process, and track the state of evidence collection
     4) Simplify interaction with the external auditor for collection of evidence
  8. ServiceNow Governance, Risk, and Compliance (GRC). Source: Unified Compliance Framework (UCF).
     Content Provider (UCF) object types: Research Sites, Authority Docs, Citations, Acronyms, Glossary, cDocs, Roles, Metrics, Controls, Assets, Rec Examples, Config Items, Config Methods, Vendors, Record Category, Org Tasks, Org Functions, Audit, Events.
     ServiceNow Reference Content Objects: Authority Documents → Citations → Policy Statements → Policies.
     Application areas: Policy & Compliance Management; Risk Management; Audit Management; Vendor Risk Management.
  9. Persona: Compliance Manager
     "As a Compliance Manager of XYZ Company I need to manage my organization's internal policies and ensure my organization is compliant with the various regulatory frameworks."
     Key Activities:
     - Manage Authority Documents, Citations, Policy Statements
     - Assign Control Owners
     - Manage Policy Exceptions
     - Set up Indicators for Continuous Monitoring
  10. Persona: Control Owner
     "As a Control Owner of XYZ Company I need to ensure the proper controls are in place by reviewing the control guidance, implementing the control and by providing sufficient evidence of the control being in place."
     Key Activities:
     - Complete Control Attestations
     - Respond to Ad Hoc Evidence Requests
     - Follow up with any Issues and Remediation Tasks
  11. Persona: Audit Manager
     "As an Audit Manager I need to manage task assignment to my internal and external audit staff, ensure all controls that are in place are designed and operating effectively, and follow up with issues and remediation tasks for non-compliant controls."
     Key Activities:
     - Manage my Audit Engagements
     - Manage my team
     - Maximize Control Testing Efforts
     - Follow up with any Issues and Remediation Tasks
  12. Demo
  13. Driving Outcomes
     1) CONSOLIDATE: multiple regulatory frameworks, control structure & evidence now in one central repository
     2) MANAGE & AUTOMATE: visibility into the attestation process, lower burden on resources
     3) COLLABORATE: between audit and control owners, and with external audit
  14. Implementation details
     - 8-week implementation
     - Most of the implementation effort is NOT configuration; it is understanding the structure of the data, roles & access, reporting requirements, workflows & lifecycle.
  15. What's next?
     - Use the CIs created for this project as a foundation for a more comprehensive CMDB
     - Layer on risk management, including risk assessments
     - Incorporate more regulations and internal policies into the existing framework
     - Compliance as a competitive edge: showcase maturity & best practices to customers
  16. A foundation for Integrated Risk Management (IRM)
  17. Q&A
     - David Pearson, CTO & Senior GRC Consultant
     - Travis Giff, Senior GRC Architect & Developer
  18. Thank you! Webinar replay: