ServiceNow CIS - Risk and Compliance Practice Test 3
Question 1 of 60
1. Question
An external audit team needs to view all of your published policies and controls. Which role can you give the team members?
Correct
The 'sn_audit.external_auditor' role allows external auditors to view published policies and all controls (and risks in the Monitor state), provided the Policy and Compliance Management or Risk Management plugin is installed. This is the most suitable role for the described scenario.
Question 2 of 60
2. Question
Which GRC tables serve as primary parent tables for the GRC applications? (Choose three.)
Correct
The primary parent tables for GRC applications are Content (sn_grc_content), Item (sn_grc_item), and Document (sn_grc_document). These tables are extended by various other tables within the GRC application suite, defining the relationships and structure of the data.
Question 3 of 60
3. Question
Annualized Loss Expectancy is a feature of which risk score method?
Correct
Annualized Loss Expectancy (ALE) is a key component of Quantitative risk scoring. Quantitative risk assessment focuses on assigning numerical values (dollar amounts) to the components of the risk assessment (Asset Value, Exposure Factor, Single Loss Expectancy, Annualized Rate of Occurrence) to arrive at an Annualized Loss Expectancy.
Question 4 of 60
4. Question
For a particular risk assessment methodology (RAM), the control effectiveness score is calculated based on an individual assessment of controls. What are options for control identification? (Choose three.)
Within the Policy Acknowledgement module, what table does the Acknowledgement Instance table extend from?
Correct
The Acknowledgement Instance table (sn_compliance_policy_acknowledgement_instance) does not extend from any table. Source: PDI, sys_db_object, Acknowledgement[sn_compliance_policy_acknowledgement_instance] schema map.
Question 6 of 60
6. Question
For advanced risk assessment, risk response can be handled in the following ways: (Choose two.)
Correct
In advanced risk assessment, multiple risk response tasks can be created to address a single risk comprehensively. Also, risk response can be skipped entirely based on defined attributes because creating a response task is optional.
Question 7 of 60
7. Question
Jim is an Audit Manager. In addition to Audit Manager, which roles should be assigned to ensure he can manage the audit process as well as other GRC functions related to audit? (Choose two.)
Correct
An Audit Manager needs sn_grc.manager to manage GRC related functionalities. The sn_audit.user role enables the user to perform audit functions. The sn_audit.manager role contains sn_grc.manager and sn_audit.user.
Question 8 of 60
8. Question
What assessment types can be enabled when configuring a risk assessment methodology (RAM)? (Choose three.)
Correct
A risk assessment methodology (RAM) typically includes Inherent Assessment (assessing risk before controls), Control Effectiveness (assessing the design and operational effectiveness of controls), and Residual Assessment (assessing risk after controls). See Textbook P228.
Question 9 of 60
9. Question
How does GRC: Policy and Compliance Management track compliance to Authority Documents?
Correct
GRC uses citations to link Authority Documents to Control Objectives. When controls are tested as compliant or non-compliant, the compliance to the associated Authority Documents can be tracked. Citations are M2M mapped to Control Objectives.
Question 10 of 60
10. Question
What are some of the features of scoped applications for GRC? (Choose three.)
Correct
Scoped applications in GRC have the following key features: all components have a namespace prefix for identification, ability to view all components from the sys_metadata table, and ability to restrict access to available data. Entitlements are not necessarily needed for all environments and global data is accessible whether or not it is GRC data.
Question 11 of 60
11. Question
Which of the following tables exist within the GRC: Profiles application scope? (Choose three.)
Correct
The tables sn_grc_profile_type (Entity Type), sn_grc_indicator (Indicator) and sn_grc_profile_class (Entity Class) all reside within the GRC: Profiles application scope. The other options are either named incorrectly, or are in other application scopes such as Risk Management or Policy and Compliance Management.
Question 12 of 60
12. Question
Who can move a Policy record from Review into the next state?
Correct
The named policy owner is responsible for moving a Policy record from Review to the next state. Reviewers can add comments and move the policy back to draft. See Textbook P126 and eBook SanDiego P153.
Question 13 of 60
13. Question
Which table extends from the Content Table?
Correct
The Risk Statement table extends from the Content table (sn_grc_content). Other tables extending from Content include Citation, Control object requirement and Control object.
Question 14 of 60
14. Question
What happens when you assign an Entity Type to a Control Objective?
Correct
When you assign an Entity Type to a Control Objective, a control is automatically generated for every Entity listed in the Entity Type. Textbook P74.
Question 15 of 60
15. Question
What are some of the baseline tables commonly leveraged in Entity filters? (Choose three.)
Correct
Company, Services, and Location are all common baseline tables leveraged in Entity filters. Other potential baseline tables are Department, Database Instance, Group, or Business Process (Textbook P79).
Question 16 of 60
16. Question
Setting up entity classes is required when using which GRC features? (Choose two.)
Correct
Entity classes are used to define entities like processes, business units, and assets that are subject to risk assessments and compliance evaluations. Object-based risk assessments and advanced risk assessments use entity classes to organize and structure the assessment process and efficiently manage different types of entities. Regulatory impact assessment needs Entity Classes to determine the applicability of the regulatory changes.
Question 17 of 60
17. Question
An Observation can also be commonly known as what during an audit?
Correct
During an audit, an observation that indicates a deviation from standards, policies, procedures, or controls is often referred to as a 'Finding'. A 'Finding' is a reportable issue discovered during the audit process. The textbook explicitly supports this answer.
Question 18 of 60
18. Question
Which of the following tables extends from the Document table?
Correct
Risk Frameworks, along with Authority Documents and Policies, extend from the Document table. Risks are part of the Item table.
Question 19 of 60
19. Question
What mapping capability in the Classic UI allows customers to relate specific Entities to each other within an Entity Class?
Correct
The GRC Workbench Dependency Map allows customers to relate specific Entities to each other within an Entity Class. Under Navigation Menu > GRC Workbench > Workbench, there is a dependency model, which is the Dependency Map.
Question 20 of 60
20. Question
Which feature of classic risk scoring is frequently configured by customers?
Correct
The Risk Criteria Matrix is the most frequently configured feature in classic risk scoring. Customers configure the matrix to reflect their organization's specific risk appetite and tolerance levels, influencing how risks are categorized and prioritized.
Question 21 of 60
21. Question
Which methods does ServiceNow support when migrating new policies? (Choose three.)
Correct
ServiceNow supports migrating new policies through several methods. These include importing via an API (especially from content providers), manual creation within the platform, and importing from existing spreadsheets using transform maps. While content integrations with providers like UCF exist, and data may originate from regulatory websites, the direct methods are API imports, manual creation, and spreadsheet imports.
Question 22 of 60
22. Question
Which collection of tables extend the Document table?
Correct
The Document table [sn_grc_document] is extended by the Risk Framework [sn_risk_framework], Policy [sn_compliance_policy], and Authority document [sn_compliance_authority_document] tables. Therefore, Risk Framework, Policy, Authority, Document is the best, although slightly redundant, answer.
Question 23 of 60
23. Question
Which of the following tables are within the GRC: Policy and Compliance Management application scope? (Choose two.)
Correct
Authority Document and Policy Exception are the two tables that reside within the GRC: Policy and Compliance Management application scope. Assessment and Audit Task belong to different applications within the GRC suite.
Question 24 of 60
24. Question
What content can be ingested into ServiceNow as a result of the UCF integration? (Choose two.)
Correct
The UCF integration allows for the ingestion of Authority Documents and Citations into ServiceNow. Compliance administrators can download content from the UCF to use as GRC authority documents, citations, controls, and control objectives.
Question 25 of 60
25. Question
Entity Types use Entity Filters to generate entities based on which of the following?
Correct
Entity Types in ServiceNow GRC can use Entity Filters to generate entities based on any table in ServiceNow. This flexibility allows you to include data from various sources and create entities that represent different types of assets or objects within your organization.
Question 26 of 60
26. Question
A relationship between a registered risk and a control will be automatically generated when the control objective and risk statement have the same what?
Correct
The correct answer is Entity Type. A relationship between a registered risk and a control will be automatically generated when the control objective and risk statement have the same entity type.
Question 27 of 60
27. Question
What do you select when you create a new assessment scheduler record for initiating advanced risk assessments? (Choose two.)
Correct
When creating a new assessment scheduler record for advanced risk assessments, you must select a published risk assessment methodology (RAM) and entities from the designated entity classes. These selections define the framework and scope of the assessment.
Question 28 of 60
28. Question
Which of the following are scoped applications related to the Risk and Compliance applications? (Choose four.)
Correct
GRC: Profiles, GRC: UCF Compliance, GRC: Policy and Compliance, and GRC: Risk Management are all scoped applications directly related to the Risk and Compliance functionality within ServiceNow. GRC: Attestation Design is not a valid application and GRC: Performance Analytics is not directly associated with Risk and Compliance even if PA can be enabled.
Question 29 of 60
29. Question
When this property is set to true, Risk, Entity, and Risk Statement forms are impacted.
Correct
The correct answer is Migrate to Advanced Risk Assessments property. Setting this property to true initiates a migration process that updates the Risk, Entity, and Risk Statement forms to align with advanced risk assessment functionality. This is typically used when upgrading to a version of ServiceNow GRC that supports advanced risk assessments.
Question 30 of 60
30. Question
The Single Loss Expectancy is $1,000,000 and the Annual Rate of Occurrence is 20%. What is the Annualized Loss Expectancy?
Correct
The Annualized Loss Expectancy (ALE) is calculated as Single Loss Expectancy (SLE) multiplied by the Annual Rate of Occurrence (ARO). In this case, $1,000,000 (SLE) * 0.20 (ARO) = $200,000.
Question 31 of 60
31. Question
Which of the following tables exist within the GRC: Profiles application scope? (Choose three.)
Correct
The Document, Content, and Indicator tables exist within the GRC: Profiles application scope. The Policy table belongs to the GRC: Policy and Compliance Management application scope, and the Risk table belongs to the GRC: Risk Management application scope.
Question 32 of 60
32. Question
Which baseline tables are often used in Entity filters? Select 3 answers.
Correct
Entity filters are responsible for automatic entity creation. Entities are locations, companies, etc.
Question 33 of 60
33. Question
Which plugins are required for continuous monitoring? Select 2 answers.
In which state can reviewers either send the Policy back to draft or forward it by requesting approval?
Correct
Correct: B. Review
In the Review state, designated reviewers evaluate the policy content before it progresses in the workflow.
Reviewers have two choices:
They can send the policy back to the Draft state if changes, clarifications, or edits are required.
They can move the policy forward by requesting approval, which transitions it toward the approval stage.
This is the only phase in the lifecycle where both actions—returning to Draft or forwarding for approval—are available.
Incorrect: A. Awaiting Approval
At this point, the policy has already passed the review stage and is now waiting for formal approval from approvers.
Reviewers no longer have the option to send it back to Draft.
The only actions at this stage involve approval or rejection by approvers, not reviewers.
Incorrect: C. Published
The policy is already approved, finalized, and made available for use within the organization.
No reviewer actions occur at this stage, and the policy cannot be sent back for editing unless it goes through a formal update cycle.
The lifecycle at this point is focused on compliance and visibility, not review decisions.
Incorrect: D. Retired
The policy is no longer active and has been removed from circulation.
Policies in this state cannot be edited or sent back through the Draft or Approval lifecycle.
This state is used for archival and historical reference only.
Question 35 of 60
35. Question
What happens when you assign an Entity Type to a Risk Statement?
Correct
A risk is automatically generated for every Entity listed in the Entity Type
An assessment will be automatically generated to test each Entity listed in the Entity Type
Overall explanation
The docs say:
Correct: C. A risk is automatically generated for every Entity listed in the Entity Type
When an Entity Type is assigned to a Risk Statement, the system automatically creates individual Risk records for each Entity associated with that Entity Type.
This ensures that the same Risk Statement can be evaluated independently across multiple Entities.
It enables consistent risk tracking, ownership assignment, remediation, and monitoring at the Entity level.
This is the expected behavior in ServiceNow GRC to maintain risk granularity and accountability.
Incorrect: A. Nothing
Assigning an Entity Type is not a passive action. It directly triggers risk record creation for associated Entities.
The system is designed to establish relationships and generate risks without requiring additional manual steps.
Therefore, “nothing” does not accurately reflect platform behavior.
Incorrect: B. A risk assessment is automatically generated for every Entity listed in the Entity Type
The system does not automatically create risk assessments at this stage.
Risk assessments are initiated later in the process, typically through risk assessment methodologies, campaigns, or scheduled assessments.
The first action after linking an Entity Type is the creation of Risks, not Assessments.
Incorrect: D. An assessment will be automatically generated to test each Entity listed in the Entity Type
Assessments are not automatically triggered when an Entity Type is assigned.
Control or risk testing happens later depending on workflow, assessment schedules, or campaigns.
This option incorrectly assumes that assessments are tied directly to Entity assignment, which is not the case in the GRC process.
Question 36 of 60
36. Question
To what record type do both Control and Risk have references?
Correct
Correct: C. Entity
Both Risk and Control records in ServiceNow IRM reference an Entity.
This relationship allows the platform to evaluate risks and controls in the context of a specific business unit, application, process, or any other defined Entity.
By linking both Risks and Controls to Entities, the system enables consistent reporting, scoping, monitoring, and alignment with organizational structure.
Incorrect: A. Risk Statement
A Risk references a Risk Statement, but a Control does not reference it directly.
Risk Statements serve as templates or definitions of potential risks, while Controls operate independently as mitigating mechanisms.
Since Controls do not link to Risk Statements, this option is not correct.
Incorrect: B. Entity class
Entity Class is used to categorize or classify Entities but is not directly referenced by both Risks and Controls.
Risks and Controls interact at the Entity level, not the Entity Class level.
Therefore, this option does not represent a shared reference point for both record types.
Incorrect: D. Entity type
Entity Type defines the type of Entity (e.g., Business Process, Business Application), but it is not the record directly referenced by both Risks and Controls.
Only the Entity record itself is directly referenced from both Risk and Control records.
Thus, this option is not the correct common reference.
Question 37 of 60
37. Question
For which records is the entity field mandatory? Select 2 answers.
Correct
Risk and Control records are automatically generated based on the mapped entity type, associating them with the corresponding risk statement and control objective. During this generation process, the system also automatically populates the entity and entity owner fields for both the risk and control.
Question 38 of 60
38. Question
Why would a company need to comply with the General Data Protection Regulation?
Correct
GDPR: General Data Protection Regulation (2016/679, “GDPR”) is a Regulation in EU law on data protection and privacy in the EU and the European Economic Area (EEA).
Question 39 of 60
39. Question
What guarantees that whenever you create an Entity from a particular table, the Entity's Class is configured in accordance with the rule?
Policies can be automatically published after which of the following occurs?
Correct
Correct: D. Policy is approved by all approvers
A policy can be automatically published once all assigned approvers in the approval workflow have provided their approval.
ServiceNow supports multi-level and multi-user approval flows for policies.
Automatic publishing ensures that no policy is released prematurely and that governance requirements are fully met.
Only after every approver in the chain has approved the policy will the system transition it to the Published state.
Incorrect: A. Policy exception is closed
Closing a policy exception only indicates that a temporary deviation from the policy has ended.
This action does not trigger any automatic publishing of the policy.
Policy exceptions and the policy lifecycle operate independently.
Incorrect: B. Policy is approved by one approver
Policies often require multiple approvals, especially in regulated environments.
Approval from just one approver does not satisfy the complete governance process.
Therefore, automatic publishing cannot occur based on a single approval.
Incorrect: C. Related control objectives are marked active
Control Objective status has no impact on policy publishing.
Activating control objectives supports compliance alignment but does not drive policy workflow transitions.
Publishing is controlled strictly by the policy approval workflow, not by related records.
Question 42 of 60
42. Question
What would you use to give users a different way to see policies, make policy exceptions, and look for controls?
Correct
Exceptions can be created from the Service Portal using a record producer. Policies and controls can be stored in the KB.
Question 43 of 60
43. Question
What tables are often targeted for data import?
Select 3 answers.
Correct
Correct: A. Authority document
Authority Documents are frequently imported because they originate from external regulatory sources such as GDPR, HIPAA, ISO, or SOX.
Organizations typically import these authoritative requirements to map controls, citations, and compliance activities within ServiceNow.
Importing saves time and ensures consistency when aligning with regulatory frameworks.
Correct: B. Risk statement
Risk Statements are often bulk-imported from spreadsheets or legacy GRC tools during initial implementation or migration.
Importing helps organizations quickly build their risk library with standardized risk definitions.
This supports faster enablement of risk identification, scoping, and assessments.
Correct: E. Citation
Citations are commonly imported because they reference specific clauses or sections within an Authority Document.
Since frameworks like ISO or NIST contain numerous citations, importing them ensures accuracy and efficiency.
Citations later support control mapping and compliance scoring.
Incorrect: C. Entity
Entities (such as Business Units, Applications, or Locations) may be imported in some projects, but they are not considered the most common target in standard GRC data onboarding.
Entity data is often already present in CMDB, org models, or HR systems, so it is typically integrated or referenced rather than imported for GRC purposes.
Incorrect: D. Indicator
Indicators are not commonly imported because they are usually configured within the platform based on internal metrics and data sources.
Indicator creation is a design activity, not a bulk import activity, and depends heavily on internal processes and data mappings rather than external content.
Correct: A. All compliance users
When a Control is in the Draft state, it is still being authored or refined and has not yet entered the formal review or approval workflow.
In this phase, all users with compliance-related roles (such as Compliance Manager, Compliance User, or Control Owner) are allowed to edit and shape the control.
This flexibility supports collaboration and ensures the control is complete and accurate before moving to the next state.
Incorrect: B. Only the Compliance Manager
The Compliance Manager can edit the control, but they are not the only role permitted to do so.
Draft state allows broader collaboration, not a single-role restriction.
Incorrect: C. Only Control Owners
Control Owners do play a key role in the control lifecycle, especially during execution and monitoring.
However, during the Draft stage, editing is not limited only to Control Owners.
Incorrect: D. Only the person assigned the Attestation
Attestation typically occurs later in the control lifecycle, during evaluation or monitoring.
The attestation assignee would not be the sole person allowed to modify a control in the Draft state, and attestation is not even relevant at this early stage.
Question 46 of 60
46. Question
Which statement about the Entity Class is false?
Correct
Entity classes
Entity classes are used to add conceptual information about the entity or to tag the entity. To understand the concept of an entity class, consider an example. A company has office branches in three cities. The office space is considered an entity, and the entity class for these entities would be the location. You can create an entity class by associating it with an entity tier as shown in the following example.
Entity types
An entity type is a grouping of entities that is based on filtering. Entity types enable you to find and create entities that match a set of filter conditions. Hierarchy can be created within the entity classes. Entity types also enable you to create risks and controls for each entity without spending much time. For example, an organization can have multiple departments, such as finance, HR, or IT. All these departments can be considered as entities and can be grouped under the entity type called Departments.
Question 47 of 60
47. Question
There is a direct relationship between Entity Class and Entity Type when:
Correct
Entity Classes are NOT related to Entity Types, therefore there is no direct relationship.
Question 48 of 60
48. Question
Which of the following are Policy Lifecycle states included in the ServiceNow baseline? (Choose two.)
Correct
The ServiceNow baseline Policy Lifecycle includes states such as Draft, Review, Awaiting Approval, Published and Retired. Therefore, 'Review' and 'Published' are the correct answers. Expired, Acknowledged and Verified are not typically included as baseline states in the policy lifecycle.
Question 49 of 60
49. Question
Which of the following extends from Content Table? (Choose two.)
Correct
The Content table (sn_grc_content) is extended by Citation (sn_compliance_citation) and Control Objective (sn_compliance_policy_statement). Risk Statement (sn_risk_definition) and Control Objective (sn_compliance_policy_statement) are also extensions of the Content table.
Question 50 of 60
50. Question
Which tables extend from the Task table? (Choose two.)
Correct
The Risk Response Task [sn_risk_response_task] and Risk Event [sn_risk_advanced_event] tables extend from the Task table. This can be confirmed by checking the schema map on a PDI.
Question 51 of 60
51. Question
What are some of the drivers for customers to get the GRC suite of applications? (Choose four.)
Correct
The key drivers for adopting a GRC suite of applications are typically the desire for efficiency, integrated reporting, transparency, and workflow-driven processes to effectively manage governance, risk, and compliance activities. Customer service and custom websites are not typically core reasons for GRC suite adoption.
Question 52 of 60
52. Question
The Calculated Risk Score utilizes data from the Inherent and Residual Risk scores to determine an adjusted ALE and Score. What other data drives the adjustments?
Correct
The Calculated Risk Factor = (Indicator failure factor + Control failure factor) / 2. Therefore, Control and Indicator Failure Factors drive the adjustments.
Question 53 of 60
53. Question
The advanced planning capability enables integration of Advanced Audit with PPM. If the advanced planning capability is selected when the audit plan is created, what extra related lists display on the engagement record in addition to the related lists displayed with basic planning? (Choose three.)
Correct
When the advanced planning capability is enabled, the Resource Planning, Cost Planning, Resource allocations, and Time card reporting related lists become available on the engagement record.
Question 54 of 60
54. Question
Which of the following roles can create issues? (Choose three.)
What would you use in order to accommodate a customer's unique process around policy approvals? For example, each policy needs a second layer of approval.
Correct
A workflow provides the most robust and automated solution for implementing a unique multi-step approval process, such as requiring a second layer of approval. Workflows can define the approval steps, conditions, and notifications, ensuring that policies are approved according to the customer's specific requirements. Modifying the workflow or Flow Designer to accommodate a two-level approval is the appropriate solution.
Question 56 of 60
56. Question
Where does one go to configure the Regulatory Change Management impact assessment template?
Correct
The Regulatory Change Management impact assessment template is configured within the Risk Assessment Methodologies (RAM) module, often located under Advanced Risk. This module allows you to define the methodology used for assessing the impact of regulatory changes.
Question 57 of 60
57. Question
Which filter navigation syntax displays the table in list view within a separate browser tab?
Correct
The correct syntax to display a table in list view within a separate browser tab is Tablename.LIST. Tablename.list displays the table in the same tab. Tablename_LIST and Tablename.List are not valid filter navigation syntaxes.
Question 58 of 60
58. Question
Service Level Agreements can be used for which of the following? (Choose two.)
Correct
SLAs can be used for Risk Issues and Risk Response Tasks. A Risk Issue is a current problem. A Risk Response Task needs to be managed so that certain actions are completed in a specified timeframe.
Question 59 of 60
59. Question
Controls are generated from a Control Objective when what is applied to it?
Correct
Applying an Entity Type to a Control Objective results in the generation of controls specific to that entity. This allows for the tailoring of generic control objectives to the specifics of different entities within an organization, ensuring relevant and targeted control implementation. Entity Type + Control objective => entity + control
Question 60 of 60
60. Question
In which state is the Policy once all approvals are received?
Correct
The Policy lifecycle is Draft -> Review -> Awaiting Approval -> Published -> Retired. Therefore, once all approvals are received, the policy is in the Published state.