What is the condition that must exist to edit the factor guidance of a published risk assessment methodology (RAM)?
- A . All assessment instance records are in the Monitor state
- B . All assessment instance records are closed
- C . All assessment instance records are deleted
- D . States of the assessment instance records are irrelevant
- E . All assessment instance records are canceled
What baseline criteria determine when notifications are triggered in relation to audit tasks? (Choose two.)
- A . Expiration
- B . At 50% completion
- C . Reassignment
- D . Due date change
Which table stores the links from Entity to Entity Types?
- A . [sn_compliance_m2m_profile_profile_type]
- B . [sn_risk_m2m_risk_profile]
- C . [sn_compliance_m2m_policy_profile]
- D . [sn_grc_m2m_profile_profile_type]
Service Level Agreements can be used for which of the following? (Choose two.)
- A . Risk Issues
- B . Risk
- C . Risk Statement
- D . Risk Response Task
- E . Risk Framework
All of the following are PARENT tables which exist within the GRC Entities application scope EXCEPT:
- A . Item
- B . Document
- C . Content
- D . Indicator
What ensures that every time you create an Entity from a specific table, the Class of the Entity is set according to the rule?
- A . Entity class rules
- B . Entity business rules
- C . Entity class assignment
- D . Entity type rules
Entity Types are applied to which types of records? (Choose three.)
- A . Risk Statement
- B . Issue
- C . Risk
- D . Control Objective
- E . Policy
- F . Control
Which tables extend from the Task table? (Choose two.)
- A . Risk Framework
- B . Risk Response Task
- C . Risk Statement
- D . Risk Event
- E . Risk
The Tablename.config:
- A . Displays the configuration list view of the table in the browser tab
- B . Displays the table in list view within the Content Frame
- C . Displays the table in list view within a separate browser tab
- D . Displays the configuration list view of the table in the Content Frame
A
Explanation:
Reference: https://docs.servicenow.com/bundle/orlando-platform-user-interface/page/administer/navigationand-ui/task/t_NavigateDirectlyToATable.html
The advanced planning capability enables integration of Advanced Audit with PPM.
If the advanced planning capability is selected when the audit plan is created, what extra related lists display on the engagement record in addition to the related lists displayed with basic planning? (Choose three.)
- A . Time card
- B . Resource plan
- C . Entities
- D . Cost plan
- E . Milestones
Which one of the following is not a trigger for issue creation?
- A . Manual issue created by any manager or admin role as well as by audit user
- B . Indicator failure
- C . Risk assessment returns the inherent and residual risk impact as ‘Very High’
- D . Attestation returns the result as ‘Not Implemented’
- E . Control effectiveness is ‘Ineffective’ and the state of control test is ‘Closed Complete’
What table extends from Document Table?
- A . Risk
- B . Risk Framework
- C . Risk Response Task
- D . Risk Statement
A control objective has been related to a risk statement and they’ve been scoped with the same entity type.
What can we expect to occur?
- A . Risks for this risk statement will be moved back into a Review state since there are new factors impacting risk likelihood.
- B . A control for this control objective, with a matching entity, will be related to the registered risk for this risk statement as a mitigating control.
- C . The control objective will be marked as compliant since it is mitigating the related risk statement.
- D . Risk scores will automatically decrease for the risk statement’s risks since there are now mitigating controls.
As a customer reaches greater GRC maturity, what can we expect to see occurring across their organization? (Choose three.)
- A . Single Risk and Control frameworks across enterprise available to all stakeholders
- B . Reliance on spreadsheet management for risk reporting
- C . Continuous real-time monitoring of control performance
- D . Cross-functional process automation
- E . Reactive strategies for GRC activities
What dependency modeling feature can be used in the Classic UI to build relationships between Entity Classes?
- A . GRC Workbench
- B . Dependency Model Builder
- C . Data Model Designer
- D . GRC Tree Map
Which feature would you use to track completion of certain tasks?
- A . Related Lists
- B . SLAs
- C . Workflow Editor
- D . Notifications
To allow other applications to request a policy exception, you must complete the integration registry form. In addition to providing the name of the registry entry, what additional information is needed to complete the form?
- A . You must indicate the audience for requesting policy exceptions
- B . You must indicate the intended Service Portal
- C . You must indicate the policy exception target table
- D . You must indicate the allowed policy acknowledgement campaigns
Which table extends from the Content Table?
- A . Risk Record
- B . Risk Framework
- C . Risk Response Task
- D . Risk Statement
The SOX content pack includes a series of policies, controls, and risks.
How are all of these components linked together?
- A . Mapping File
- B . Manually
- C . Automatically
- D . Batch import
What is the minimum role required to create a risk assessment methodology (RAM)?
- A . sn_compliance.admin
- B . sn_risk.user
- C . sn_risk.manager
- D . sn_risk.admin
Policies can be automatically published after which of the following occurs?
- A . Related control objectives are marked active
- B . Policy exception is closed
- C . Policy is approved by all approvers
- D . Policy is approved by one approver
For a particular risk assessment methodology (RAM), the control effectiveness score is calculated based on an individual assessment of controls.
What are options for control identification? (Choose three.)
- A . Controls are identified from library and ad-hoc
- B . Controls are identified from indicator results
- C . Controls are identified from library
- D . Controls are identified ad-hoc
- E . Controls are identified from related issues
Which table stores the links from the Entity Type to Risk Statement?
- A . [sn_risk_m2m_statement_profile_type]
- B . [sn_risk_m2m_framework_profile_type]
- C . [sn_risk_m2m_risk_definition_profile_type]
- D . [sn_risk_m2m_policy_profile_type]
Which of the following statements is true of a Risk Response task?
- A . Only one Risk Response task can be related to a Risk at a time
- B . Only users with the risk_manager role or higher can be assigned to a Risk Response task
- C . The risk admin role is required to assign the Risk Response task
- D . The Risk Response task is automatically progressed through the states using a workflow
C
Explanation:
Reference: https://docs.servicenow.com/bundle/orlando-governance-risk-compliance/page/product/grc-risk/reference/r_InstallWRisk.html
Where does a policy get published to when it is approved?
- A . Knowledge Summit
- B . ServiceNow Library
- C . Authoritative Records
- D . Knowledge Base
D
Explanation:
Reference: https://docs.servicenow.com/bundle/kingston-governance-risk-compliance/page/product/grcpolicy-and-compliance/reference/r_PoliciesAndProcedures.html
Risk criteria typically include definitions of different levels of what? (Choose two.)
- A . Impact
- B . Likelihood
- C . Criticality
- D . Importance
- E . Priority
When reviewing the Control Objective Table form with your customer, what are the most common choice lists to be configured? (Choose three.)
- A . Reference
- B . Classification
- C . Category
- D . Type
- E . Description
Which of the following relationship sets are considered a many-to-many relationship? (Choose three.)
- A . Entity Type and Entity Class
- B . Indicator Template and Entity Type
- C . Control and Risk
- D . Control Objective and Entity Type
- E . Entity Type and Entity
If you create a control manually and later decide to create them automatically, what will be the result?
- A . ServiceNow will delete the manually created control
- B . ServiceNow creates a duplicate control and notifies the control owner
- C . ServiceNow creates a duplicate control without notifying the control owner
- D . ServiceNow identifies the control and does not create a duplicate
Which GRC application would you use to determine where the organization is the most vulnerable or has the most exposure?
- A . Vendor Risk Management
- B . Audit Management
- C . Policy and Compliance Management
- D . Risk Management
Common controls from UCF import into which table in ServiceNow?
- A . sn_compliance_policy
- B . sn_compliance_policy_statement
- C . sn_compliance_policy_exception
- D . sn_compliance_authority_document
You are working with your customer to determine necessary audit management workflow configurations.
What should they know about the approval process for audit engagements? (Choose three.)
- A . If the engagement is approved and there are remaining open tasks or issues, it automatically moves into the Follow Up state.
- B . If the engagement is approved and there are no remaining open tasks or issues, it automatically moves into the Closed state.
- C . If the engagement is rejected, it automatically moves back to the Fieldwork state.
- D . If the engagement is approved and there are remaining open tasks or issues, it automatically moves into the Fieldwork state.
- E . If the engagement is rejected, it automatically moves into the Scope state.
B,C,D
Explanation:
Reference: https://docs.servicenow.com/bundle/kingston-governance-risk-compliance/page/product/grc-audit/task/approve-reject-engagement.html
How can you get the SOX content pack?
- A . ServiceNow Store
- B . Patch Update
- C . Platform Upgrade
- D . Professional Services
For classic risk assessment, indicator failure factor represents the impact of risk indicator failures on what score?
- A . Inherent ALE
- B . Calculated ALE
- C . Residual ALE
- D . Inherent SLE
What are some of the baseline tables commonly leveraged in Entity filters? (Choose three.)
- A . Company [core_company]
- B . Services [cmdb_ci_service]
- C . Location [cmn_location]
- D . Risk [sn_risk_risk]
- E . Audit Engagement [sn_audit_engagement]
Controls are generated from a Control Objective when what is applied to it?
- A . Policy
- B . Citation
- C . Indicator template
- D . Entity Type
Who can move a Policy into Review? (Choose two.)
- A . sys admin
- B . policy approver
- C . policy reviewer
- D . policy owner
A,B
Explanation:
Reference: https://developer.servicenow.com/app.do#!/event/knowledge18/LAB0296/knowledge_18_LAB0296_policy_creation
In which state is the Policy once all approvals are received?
- A . Review
- B . Published
- C . Draft
- D . Retired
- E . Awaiting Approval
For classic risk assessment, what are the risk components that apply to the Qualitative method? (Choose two.)
- A . Single Loss Expectancy (SLE)
- B . Annualized Rate of Occurrence (ARO)
- C . Impact
- D . Likelihood
Unified Compliance Framework (UCF) uses a slightly different nomenclature structure than ServiceNow.
Common controls from UCF import into which table in ServiceNow?
- A . Control Objective [sn_compliance_policy_statement]
- B . Authority Document [sn_compliance_authority_document]
- C . Control [sn_compliance_control]
- D . Citation [sn_compliance_citation]