Evidence request workflow and users

  • Release version: Yokohama
  • Updated January 30, 2025

    Evidence request helps customers to electronically request the information that they need from the first and second line of defense. The individuals being audited can then immediately upload their documents to the system, significantly reducing manual processing time.

    The evidence request workflow is as follows:
    1. An audit user with the sn_audit.user role requests evidence and assigns the request to another user. This requester can either request the evidence for themselves or raise a request on behalf of another audit user or GRC user. If the requester determines that an evidence task has been created erroneously, then the requester can cancel that particular evidence task. The ability to cancel the evidence request is available when the request is in Draft state. A requester can cancel the evidence request tasks any time until the tasks reach the Review state.
    2. After you create an evidence request, you must create evidence collection records and then the requester must request evidence. Evidence Collection records contain the evidence collection instructions, assigned to, and assignment group. On clicking Request Evidence, evidence request tasks are generated and they are assigned to a group or user.
    3. The assignee then receives an email with the link to provide the requested evidence.
      Note:
      If the requester changes the assignee after requesting evidence, then the original assignee can no longer view the request. Only the person who is assigned the request can view the request. This feature ensures confidentiality.
    4. The assignee can either attach the requested evidence or provide a URL or location that contains the required evidence.
    5. The assignee can also add an approver for verifying and approving the evidence. Adding approvers is necessary if the evidence is sensitive and confidential in nature.
    6. The approver can then review the evidence and either approve it, request revision, or request further details about the evidence.
    7. If the approver approves the evidence, the requester receives the evidence and can process it further.
    8. The requester can then review the evidence and do one of the following:
      • accept the evidence.
      • request its review.
      • request further details about the evidence.
      • cancel the evidence request if it is not required anymore.
      • delete the request.
    9. If the requester accepts all the evidence tasks, the request is closed.
    The evidence request workflow is shown in the following figure:
    [Figure: Workflow of evidence request]
    The following table describes the roles and their responsibilities during the evidence request workflow:
    Table 1. Evidence request users, responsibilities, and requirements
    User: Internal auditor
      Responsibilities:
      • Perform audit testing.
      • Request audit testing.
      • Review all audit findings and the evidence collected.
      Requirements:
      • Visibility into compliance and risk activity.
      • A job queue (pending, current, upcoming) to plan their team efforts.
      • Track and monitor audit findings.
      • Track and monitor audit activities.
    User: Compliance manager, Audit manager
      Responsibilities:
      • Can request evidence.
      • Request compliance test evidence.
      • Review all findings and evidence collected.
      Requirements:
      • Visibility into compliance activities.
      • A job queue (pending, current, upcoming) to plan their team efforts.
      • Track and monitor compliance findings.
    User: Compliance user, Control owner
      Responsibilities:
      • Ensure that the controls are implemented.
      • Attest to the controls.
      • Test the controls.
      • Provide audit evidence requested by the auditor.
      Requirements:
      • A job queue to direct their day-to-day activities.
      • Track the time spent and performance of activities and tasks they own.
      • Ensure that the tasks they own and additional requests from the auditor are fulfilled.