GRC: SOX content pack release notes
Summary of GRC: SOX Content Pack Release Notes
The Governance, Risk, and Compliance (GRC) Sarbanes-Oxley (SOX) content pack is designed to support ServiceNow customers in managing SOX compliance efficiently. It includes pre-configured profiles, policies, controls, risk statements, audit templates, and dashboards tailored for SOX requirements.
This content pack provides a structured framework connecting policies, controls, risks, indicators, and audit processes, enabling customers to streamline compliance management and reporting.
Key Features
- Pre-defined SOX Content: Includes profile types, policies, policy statements, controls, control attestation templates, risk statements, indicators, audit engagement elements, test templates, and dashboards.
- Established Relationships: Logical links between policy statements and policies, controls to policies, indicators to controls, risks to risk statements and profiles, and test plans to controls facilitate comprehensive compliance workflows.
- Role-Based Access Control: Specific GRC roles such as Compliance Reader, Compliance Manager, Compliance Admin, Risk Reader, Risk Manager, Risk Admin, Audit User, and Audit Admin have defined permissions for accessing and editing SOX compliance and risk dashboards, processes, and audit functions.
- Security Enhancements: Version 21.1.0 introduced read-only attributes for fields to enhance data security.
- Query Range ACL Improvements (Version 22.3.0): Standardized query range access control lists (ACLs) across all tables ensure consistent and secure data querying for authenticated users. Automated upgrade scripts simplify deployment by handling ACL updates without administrator intervention, with a post-upgrade review recommended for customized ACLs.
- Plugin Dependency Validation: Prevents ACLs from referencing roles from uninstalled optional plugins, ensuring smoother operation and reducing errors.
- Content Updates: Control objective records updated with current version status and published state for accurate compliance tracking.
Key Outcomes
- Enables ServiceNow customers to implement and maintain SOX compliance efficiently within the GRC framework.
- Provides a secure, standardized approach to access control and data querying, enhancing platform consistency and security.
- Facilitates clear role-based permissions to support segregation of duties and controlled access to compliance and risk management data.
- Delivers an automated upgrade experience that minimizes administrator effort and reduces risk of disruption during content pack updates.
- Ensures compliance content is current and aligned with SOX regulatory requirements through continuous content and security enhancements.
Version history for the Governance, Risk, and Compliance Sarbanes-Oxley (SOX) content pack on the ServiceNow Store.
Important: For details on system requirements and family compatibility, view the application listing on the ServiceNow Store website.
Version history
- Version 22.3.0 - June 2026 (Australia)
  - New:
    - Query range ACLs include the following enhancements:
      - Consistent access control — All tables include standardized query range security ACLs. These ACLs ensure that authenticated users with appropriate read permissions can query records consistently across the platform.
      - Seamless upgrade experience — New query ACL rules are installed automatically during upgrade, with no administrator action required. Automated upgrade scripts handle the transition, including detecting and processing previously customized ACLs to ensure existing processes continue without interruption.
    - Post-upgrade review for customized ACLs:
      - If the instance includes administrator-modified query range ACLs, review those records after upgrade to confirm they align with the intended access policy.
  - Changed: Validated plugin dependencies to prevent ACLs from referencing roles provided by uninstalled optional plugins.
- Version 22.0.1 - March 2026
  - Changed: Updated control objective content records with Record nature field as Current version and State as Published.
- Version 21.1.0 - December 2025 (Zurich)
  - Fixed: Added read-only attribute to read-only fields for enhanced security.
- Version 5.0.2 (Kingston, London) - October 2018
  - The Sarbanes-Oxley (SOX) Content Pack includes the following content elements:
    - Pre-defined profile type and profiles
    - SOX policies
    - Policy statements and controls
    - SOX control attestation template
    - Risk statements and risks
    - Indicator templates and indicators
    - SOX audit engagement
    - Audit tasks
    - Test templates and test plans
    - Reports and dashboards
  - The following relationships are also established:
    - Policy statements to policies
    - Controls to policies (through policy statements)
    - Indicators to controls
    - Risks to risk statements
    - Risks to profiles
    - Risks to controls (mitigating controls)
    - Test plans to controls for control testing
  - Other GRC roles:
    - Compliance Reader (sn_compliance_reader) can read SOX Compliance Dashboard and SOX Processes
    - Compliance Manager (sn_compliance_manager) can read SOX Compliance Dashboard, SOX Risk Dashboard, and edit SOX Processes
    - Compliance Admin (sn_compliance_admin) can read SOX Risk Dashboard and edit SOX Compliance Dashboard and SOX Processes
    - Risk Reader (sn_risk_reader) can read SOX Risk Dashboard and SOX Processes
    - Risk Manager (sn_risk_manager) can read SOX Compliance Dashboard, SOX Risk Dashboard, and edit SOX Processes
    - Risk Admin (sn_risk_admin) can read SOX Compliance Dashboard and edit SOX Risk Dashboard and SOX Processes
    - Audit User (sn_audit_user) can read SOX Compliance Dashboard, SOX Risk Dashboard, and SOX Processes
    - Audit Admin (sn_audit_admin) can read SOX Compliance Dashboard, SOX Risk Dashboard, and edit SOX Audit Dashboard and SOX Processes