ServiceNow, Inc. (NOW) Earnings Call Transcript & Summary
April 9, 2025
Earnings Call Speaker Segments
Faith Chia (executive)
All right. Hi, everyone. Thank you so much for joining us today. Good morning, good afternoon or good evening, depending on where you're joining from. Feel free to use the team chat if you want to let us know where you're dialing in from and listening. But today, we're here to present with you the Navigating Regulatory Audits with Software Asset Management Webinar, we have a lot of exciting things to get going with. So let's move on. But first, I want to start with a safe harbor notice for any forward-looking statements. Please just note that this presentation may contain forward-looking statements that are just based on our beliefs and assumptions and other information that's currently available to us. Please do not make any purchasing decisions based on this presentation. All right. And before we get started, I want to take a second to introduce all of our wonderful speakers for today. My name is Faith Chia, and I'm a product marketing specialist here at ServiceNow. I'm joined here today by Akash Mehta, who is a Senior Staff Inbound Product Manager also at ServiceNow. And then we have our wonderful customer Jeanna Murphy, who is the Manager of IT Software Asset Management at Silicon Valley Bank, which is a division of First Citizens Bank. So let me go over our agenda to kind of cover what we're going to touch upon today and what the structure of this webinar is going to look like. So first, we're just going to begin with a little introduction and kind of talk really what is regulatory auditing about, who does it affect, then we're going to transition into a customer interview with Jeanna, and you're going to learn more about how Silicon Valley Bank handles these regulatory audits. Next, you're going to see really great a demo from Akash both regulatory audit, and then you can see how ServiceNow solutions in action and what we really have available right now and in the future. And then lastly, we'll save some time at the end for any Q&A.
Like the beginning video said. [Operator Instructions] All right. And with that, let's kick off our presentation for today. So what is regulatory auditing? Regulatory auditing for assets and financial institutions or other organizations involves the process of reviewing and hosting an organization's assets to ensure compliance with relevant laws, regulations and also industry standards. So these audits are conducted to verify the reliability of asset records also to assess risk management practices and to ensure the institution's financial stability. Regulatory auditors will evaluate organizations, asset management processes, the controls, documentation to identify any weaknesses or potential noncompliance issues. So throughout all these different audits, these financial institutions can demonstrate transparency, accountability and adherence to various regulatory requirements which ultimately help safeguard investor interest and maintains public trust. Another reason why it's really important to comply with regulatory audits is because failure to comply can result in hefty fines. Just in the last couple of years, there's been a couple of different instances of companies being hit with over $500 million plus upwards in fines due to just failing these regulatory audits. So it's really important for organizations to not only protect their own financial interest but also to really think about company's reputation, public trust and how the investors are viewing them which are all the things that are impacted when these regulatory audits are not passed. So what does this audit process really look like? So there's a couple of different steps that you would go through once you see an audit letter. We're just going to do a brief little overview. There's really 4 main stages that I want to touch upon today. So the first 1 is going to be the intake and start stage. So this is just when the audit process is initiated, during the step.
The audit team would gather any relevant information about auditee. Here, you would also define audit objectives and you would establish a time line and different resources that are needed for the audit. So this is really the setup phase where you're kind of just setting up the foundation through the audit and making it up a plan, you outlining everything. You're getting yourself all ready to go. Then the next stage would be to define the audit scope, which includes any different aspects of ITAM practices that you might need to assess. So this is really a big need of the process. So the scope will help you clarify boundaries of the audit and also ensures that audit objectives are met effectively. So here is a time where the audit team will determine a different criteria and standards against which audit would be evaluated. Next, the next stage is to follow up/remediate. So once the audit bill work is completed and all the different findings are documented. This is now the time where you would follow up and remediate to address any identified issues or deficiencies so the audit team will work with the auditee here to kind of help develop corrective actions, maybe recommendations or even remediation plans to resolve any issues that are identified during the actual audit. So the step is really crucial to make sure that the actual necessary changes are implemented to help improve controls and processes. And then lastly, you would finish up with the submit and close phase of the audit process. This is when during the stage, the audit team will complete the audit report, which summarizes the findings, conclusions and the new recommendations are based on the audit results. The report has been submitted to any relevant stakeholders such as the management team or regulatory bodies. And then once the report is emitted, the audit is officially closed and any follow-up actions or monitoring the process can be initiated based on the audit findings. 
So ServiceNow is really great, and we'll talk about this more later during Akash's demo because it's just 1 platform for all these regulatory audits to ensure that everyone is working on the same data and can therefore generate consistent answers in a timely audit process. I think I lagged there for a second, but I think I'm back now. All right. And then 1 more thing to talk about is who's really affected by these regulatory audits? So there's a couple of different personas I want to touch upon quickly. First off is those who work in finance, such as the CIO, VP of Finance, maybe the finance manager. All of these personas have to deal with any fines and increased follow-up work that can happen with regulatory audit failures. These are also the people that would be responsible for making sure that the company is aware of any negative reputational impacts and the general increased cost of doing business. Another main persona would be ITAM like be it the IT asset management, maybe asset managers, data stewards because they have to deal with responding to the regulatory audit requests from the risk team and the scope of these requests can change frequently, and which will affect the work that they're doing. And lastly, what kind of organizations are affected by regulatory audits? It can be banks, insurance companies, but really any company that has to deal with audit, so even in government health care, maybe new companies that have been developed in recent years, they would all be under audit scrutiny and they would all need to deal with regulatory audits. All right. So now that we've kind of went over what regulatory auditing is. We have a couple of poll questions for you guys. There's going to be 3 different ones. So feel free to respond, and we'll give you some time to go over them. So the first question is, which of the following aspects you find most challenging when completing a regulatory audit? And please make sure to select no more than 2 options. 
So you can think about it, pick your options. We really want to get a good gauge of how you all are affected by regulatory audits for our later discussions. So this is a great time to let us know your thoughts. So there could be different things that could be challenging for regulatory audits such as maybe time constrained. That's 1 option. Maybe the complexity of regulatory option -- the complexity of regulations, also the alignment of scope, gathering supportive evidence, different communication between teams, the volume of data to review, resolving data discrepancies and tracking audit progress. [Voting]
Faith Chia (executive)
So again, please don't select more than 2. It's just going to be the order system because I don't think we were able to codify that in the system, but this is going to give us a good grasp of what are the main things that we might want to hit on today. So I'll take another moment just to wait for some more answers to come in. I think I'm seeing a couple more trickle through. Jeanna, do you have any predictions for what would be maybe the top 2 answers looking at this list?
Jeanna Murphy (attendee)
For me, I'll give my answer, if that's okay. For me, it's time constraint, the big one. Because you're usually doing this on top of everything else that you have going on. So that's a big one. And then my other selection list is alignment on the scope. So I'm curious to see what others pick.
Faith Chia (executive)
Those are 2 good ones, yes. I also feel...
Akash Mehta (executive)
Yes. I think the scope is a big one for customers, a big one for those that have to deal with these different regulatory audits and the various regulations. And the time constraints absolutely plays into it, but that scope. I think, it tends to be very difficult. We've also -- and just speaking with customers, how we track this overall progress and how we communicate with the other teams that tends to come up a lot as well. So -- but I agree with Jeanna, that alignment on scope should be a big one.
Faith Chia (executive)
All right. Let's see what our attendees think. I think the answers have kind of stopped trickling in. So I'm going to transition to our results now, all right. So we have time constraints at #1, alignment of scope, surprisingly #3, but still pretty high. Complexity of regulations is also really close to time constraints. So that's interesting. And then what else is high, resolving discrepancies, that's pretty high, gathering supportive evidence. All right. Good to know. Let's move on to our next poll question. So on average, how much time do you typically have to provide the final response? So we have a couple of different options here. There is under 1 week, maybe 1 to 2 weeks, month to 2 months, 2 to 6 months or even 6 plus months. So we're looking for when you're providing that final response. So not just the initial response that you would give that you received the letter, but this is kind of your final submission. Let's take a moment to wait for some more answers to trickle in. [Voting]
Jeanna Murphy (attendee)
I think this can really depend on the kind of audit that you're getting to. This one is a little bit of a like -- it depends.
Akash Mehta (executive)
On average, Jeanna, what is -- what do you think for yourself, right? Like what turnaround time? Does it typically take for your teams to be able to help provide that overall final response?
Jeanna Murphy (attendee)
I selected the 2 to 6 months just because I'm averaging the different kinds of responses that we have to come up with. So that's why I picked that one. So some of them we may have a little bit of a longer time frame. But we know -- but there's always an end date, right? Like we only have so much time to respond. So you're usually having to work within the time frame that you've given.
Faith Chia (executive)
Right. That makes sense. Okay. We're kind of getting a slowdown on answers here. So I think we can reveal our results again. All right. It looks like 1 month is the winner here, but 1 to 2 weeks is pretty close, which is interesting. And then we have a pretty big spread throughout the rest. So good to know 1 month on average, but I'm also seeing some people that are taking 1 to 2 months. So it's looking like maybe a couple of weeks to 2 months on maximum seems to be the general average here. All right. And let's get into our final poll question before we hop into our customer interview for today. So on average, how many regulatory audits do you conduct in a year? So 0, if so, lucky you I guess, maybe 1, 2 to 3, 4 to 5 or if you're unlucky, you may do 6 plus. So I'll give you guys 1 more moment to start submitting your answers to this one. [Voting]
Faith Chia (executive)
I feel like this could really vary depending on the type of companies on -- is that -- or also maybe the year that...
Jeanna Murphy (attendee)
Well, and I agree. And sometimes this is -- it could be 1 audit, but broken down into multiple milestones that you have to deliver. So how do you quantify that? Is that 1 audit? Or is it 4 to 5 different deliverables within 1 audit. So this is a bit subjective.
Faith Chia (executive)
That's sure. I guess it depends how you look at it.
Jeanna Murphy (attendee)
Curious to see what others have to say about it. I would love to be in the 0 category, but that is not the [ case. ]
Faith Chia (executive)
That's the dream. All right. It looks like our answers have kind of slowed down. So let's see -- all right. We have a couple -- 11% is in the lucky 0 category, but it looks like a lot of people are having 1, maybe even 3 audits a year. So good to know. It seems like there's not too many people that have 6 plus. So yes, it looks like 1 to 3 maybe a couple at the 4% to 5% range, but yes. All right. Thank you all so much for participating in our polls. This is great information for us to take note of for later in this presentation. And with that, I'm going to pass it over to Akash and Jeanna to a customer interview.
Akash Mehta (executive)
Great. Thank you very much, Faith, and thank you, everyone, for joining us today. And I'd also like to thank Jeanna for joining us and being part of this overall customer interview and this webinar. So Jeanna, welcome. Thank you.
Jeanna Murphy (attendee)
Thank you. Thanks for having me today.
Akash Mehta (executive)
Yes, of course. Why don't you -- why don't we start off with just tell us a little bit about yourself, the roles you play at SVB and First Citizens and kind of how you got to where you are, right, as far as leading the team, the software asset management team, the asset teams over at SVB and First Citizens and just kind of give us a little bit of that background.
Jeanna Murphy (attendee)
Yes, sure. So I actually joined Silicon Valley Bank in 2021 and at the time, it was supposed to be kind of a greenfield implementation of SAM which was exciting to me, having been an implementer in my previous lives. So when I joined what I didn't know was that they had just become a large financial institution and net new regulations and being under an audit. So that was a pretty -- a new-ish experience to me. I've had -- worked for a lot of other banks, large financial institutions in the past. So I wasn't unfamiliar but it was a little bit of a surprise to kind of come in and be immediately putting out buyers. When Silicon Valley Bank collapsed in 2023 First Citizen Bank purchased us. And with that acquisition, they became a large financial institution. And so they inherited all the new regulations, which meant being hit with an audit. And so for me, it's really been 4 years of dealing with regulatory audits.
Akash Mehta (executive)
So does that end up taking up more of your time than implementing SAM and the various asset processes [indiscernible].
Jeanna Murphy (attendee)
Yes, a little bit difficult to do both at the same time. So it feels like it's been in a bit of fire fighter mode rather than wanting to really grow the program organically. So really trying to do both at the same time is a big challenge for sure.
Akash Mehta (executive)
Sure. Sure.
Jeanna Murphy (attendee)
But yes, as you mentioned, I manage -- when the base combined, we merged teams from both institutions, and so -- and I manage those software as I mentioned to you.
Akash Mehta (executive)
Awesome. So you mentioned when you were more on the implementation side, right, process, implementation and so on and so forth. So joining the bank kind of getting thrown into the regulatory audit world and having to respond -- be part of the process to respond to these regulatory audits based off of what you've done over the last 3, 4 years, in that time frame. What would you -- we had the complexity of challenges. I think you already answered this, but what would you consider your top 3 challenges when responding to these regulatory audits and providing evidence for these requests and so on and so forth.
Jeanna Murphy (attendee)
Well, the first thing I want to mention is it's always completely different from anything you would ever know about SAM and what would traditionally be important for a Software Asset Management program sometimes. So you sort of have to disconnect yourself a little bit. You're going to have to get back to the focus of the SAM program, optimizing spend and license compliance and all those things. But the regulators are looking at this through a very different lens. So you really have to sort of shift gears a little bit. And I'd say the first challenge is really understanding the actual risk and what audit is really asking for us. And sometimes you have to read between the lines and really understand what it is that they're after because they're looking at it not from the same lens that maybe you're used to looking at your SAM program.
Akash Mehta (executive)
Okay. So with that said...
Jeanna Murphy (attendee)
[indiscernible]
Akash Mehta (executive)
Yes, so kind of following up really quick on that one. How do you work? Is there a lot of individual meetings, standups or do you do this just via e-mail and Teams or Slack or some messaging app? Like what is that process look like?
Jeanna Murphy (attendee)
Internally, we would do that. But we try to minimize any direct communication with auditors. In fact, direct communication with the auditors has probably gotten us into more trouble than not. We will really minimize what goes back to audit. It goes through multiple hands and multiple reviews before any response is given. Now we may ask clarifying questions but again, those are thoroughly vetted before they even would go directly to the auditors. So yes that's -- it's definitely a process and a lot of collaboration between our teams. So we usually have a -- like a program lead that we coordinate with an individual project managers that we're working with to streamline all those communications and meet -- and facilitate the meetings.
Akash Mehta (executive)
Okay. All right. So then -- yes, so that was your number 1 challenge, if you want to kind of continue on with what's the other 2.
Jeanna Murphy (attendee)
Sure. So another challenge that is worth mentioning is maturity. So a lot of times, the auditors ask you for things that you might not be at a level of maturity to answer. So to give you an example, I was brought in to Silicon Valley Bank to implement SAM Pro. So then to be audited on things that like, say, software end of life. Traditionally that's something that we wouldn't look at until a higher level of maturity. So you're maybe at a 0 level of maturity, but you're being asked to address audit findings that are maybe a 4 or 5 level. So having to really step back. And I know that it's okay and that -- what you need to do is really build a plan to get there. So maybe you're not quite there yet but you're recognizing and showing here's where we are and then here's our -- so maybe here's our crawl, here's where we are now. And here's our plan to walk and then eventually to run. So because there's no way that you can get to run from the time frames that you're usually provided. So having to really kind of take a step back and evaluate your maturity and what you can address. And then the third one along with that, I would say is scope. So you have to be really, really careful to not overcommit because you're usually given a predetermined time frame, you may not be at the level of maturity you need to be. And so you need to be really careful about what you're going to commit to the regulators because if you overcommit and then don't deliver that looks far worse.
Akash Mehta (executive)
Yes. That makes sense. And when you first get the request, and you take a look at that and you kind of break it down, is there a negotiation that you're able to do to identify like, hey, this is -- I need to be able to scope this down if you want it in this time frame, right? Like -- or chunk it out.
Jeanna Murphy (attendee)
Absolutely. I'm chunking that out, yes. So senior leadership will kind of come to me and say, "Okay, here's the audit for your area, and how -- I'm expected to really analyze that and say, okay, here's what I think that we can deliver within this time frame. If we were to scope it down to this, will that fly? And then usually what will happen is senior leadership will take the backup and they'll say, here's what we're thinking of how we can address this. Are we on right track and then we'll get an answer 1 way or the other, usually to say, yes, and that should meet our response and then that will give us some direction on how we're going to move forward.
Akash Mehta (executive)
Okay. Awesome. The remediation plan, you talked about maturity and building out a remediation plan. How long do you have to implement? Do they come back and check in on that remediation plan? Or is that really just something that they look to maybe in the next year's audit or the next time's audit, anything around the remediation plan that you could also add some context to.
Jeanna Murphy (attendee)
Sure. So we're going to have to turn over a response. And the formalized response is our actual answer like this is what we're delivering. And then anything beyond that because you don't ever want to give audit more than what they've asked for. So the response is exactly the response to be asked. But we may have our own internal remediation plans so that we can build -- so that when they come back, we'll be prepared. Does that -- and they may even give us some recommendations that aren't in actual audit, but something that we need to look at. And so when they come back and say, next year, then they may hit us with that, and they want to see that maturity. So that's something we're usually building internally. But we may not actually turn over to them.
Akash Mehta (executive)
Again, along those lines, when there are gaps, are you -- like do you have short-term versus long-term data sets that need to get cleaned up, let's say, before you respond to this? And then in the future, in the long term, you're looking at improving process to make sure those data gaps are not there anymore or finding additional maybe reaching out to ServiceNow and saying, hey, I need you to fill in these life cycle dates, right, that are missing and so on and forth. Whatever that looks like -- do you kind of break it up into that short term. I need to provide this data now back to the auditors versus that long term of being able to fix this from a process perspective.
Jeanna Murphy (attendee)
Absolutely. So ultimately, we don't want to turn over anything to audit that's not in ready state if we can avoid it. So absolutely, data cleanup is a big factor here. We would rather find and fix our data discrepancies before turning them over to audit. We don't want it the other way around. So -- and we know it happens. But ideally, we will notice, okay, yes, we've got some issues here, and we want to address them before we're turning that over to audit. The other thing that we do, when we've identified gaps is, we may open a self-identified issue sort of internally and that helps to protect us to say, yes, we recognize that we have an issue in this area, and we're working to address it. It buys us a little bit more time so that we can show that we're actively aware and working on it. So those are kind of the 2 ways that we deal with it. But yes, data cleanup is definitely big.
Akash Mehta (executive)
Cool. Okay. I'm going to switch gears a little bit, and you had mentioned utilizing ServiceNow, right? And so just talk to us a little bit about some examples of improvements that you've made either through process or through tooling with ServiceNow and how that has helped you respond to these audits, what do you utilize to help respond to these audits, what various teams may be that you interact with to help with this overall process.
Jeanna Murphy (attendee)
Sure. So absolutely, we rely heavily on ServiceNow and our processes within ServiceNow. We've built a lot of workflows to help automate and address and also provide the data -- sorry, what I'm looking for compliance check points that we need to. Sometimes we have to show controls. And so we use rhythms and SLAs and tasks to really help us evidence process and so we work flow it as much as we can. So to give you an example, for the -- you mentioned the end of life days. So we have an annual QC process where we have a rhythm that gets generated, and it basically tells us that it's time to go in and make sure that all of our critical software is properly normalized. And so we evidence all that through tasks. If there is no end-of-life date we will research whether or not it's provided by the industry, and we've been working a lot with ServiceNow to help build the content for that. If we find anything missing, then we're working with ServiceNow to get it added, and so we use that through evidence, with our rhythms and tasks, we can show audit that we completed it, that we did our analysis for all of our critical software and that we feel confident in our data reporting for end-of-life software since it's a big risk to the organization. We do something similar for unauthorized software. So we use rhythms when something new pops into our environment that is not considered authorized software we get a rhythm to identify that and it goes through a process of identifying what it is, should it be here and how we're going to remediate that. So those are some examples of the processes that we've had to build to support regulations.
Akash Mehta (executive)
Okay. That's great. That's great. It's great that you're utilizing the platform capabilities to do this. And then also, at the same time, maturing into various processes to help make this easier going forward and working with us, and we appreciate you working with us to also get some of that content in there. That's also very helpful for not just you guys, but also for other customers as well. So that feedback loop is always helpful for everybody.
Jeanna Murphy (attendee)
I appreciate the willingness and the back and forth, it's really helpful to be able to say, hey, we're dealing with this, and we can't -- we certainly can't be the only company dealing with us. So how can we really sell through this.
Akash Mehta (executive)
Makes sense. As far as ServiceNow, ITAM processes and as you mature, any insight as to like how that's contributed to cost savings for not just regulatory audit but also from a process perspective at SVB First Citizens. And then the efficiencies and reduction of that risk when you're having to respond to these audits and so on and so forth. Over your -- you've been there for -- you said 4 years, right? Like over your 4 years, how is that gotten better, how has that improved overall?
Jeanna Murphy (attendee)
I think I've gotten better at responding. But it comes with practice and being able to really, like I said, read between the lines and work through what the auditors are really wanting to see. In terms of cost savings, we did have a challenge around our end of life reporting, and we were having to do a lot of that reporting manually, which was extremely labor-intensive and it involved multiple teams in order to get the reporting done in the way that the regulators wanted the data. ServiceNow, we worked really closely with ServiceNow, and they helped actually to make some changes to the product to support our effort, which meant that we were able to automate. I want to say it was about 12 different reports that we were having to do manually. And so we were able to automate those, and that was a significant time and cost savings for us. We're also reporting out of 2 different instances. So we're still operating Silicon Valley Bank and First Citizens bank instances. So everything times 2. So that automation, we're able to bring really -- I want to say it quantified to about 78 hours across multiple teams, and that was a significant cost savings for us to be able to automate those end-of-life reports.
Akash Mehta (executive)
That's awesome. And hopefully, as you continue to mature and that will just get easier and better going forward overall.
Jeanna Murphy (attendee)
Yes. Absolutely.
Akash Mehta (executive)
I think that's it from a question from my interrogation here. I appreciate all of your responses and all the insight. Obviously, nobody likes necessarily going through these things, and it's quite painful. But whatever we can do to help customers, make sure they're going through it and providing accurate reports in an easy and efficient way is really important. So thank you for some of the insights and feedback.
Jeanna Murphy (attendee)
Sure. Thanks for having me.
Akash Mehta (executive)
All right, Faith I kind of turn it back over to you.
Faith Chia (executive)
All right. We have a quick little knowledge plug. If you want to hear more from Jeanna. She's going to be at our ServiceNow Knowledge 25 on May 6 [indiscernible] session. So if you want to register, you can hit this QR code. Do you want to say anything about it, Jeanna?
Jeanna Murphy (attendee)
Just see me. That's all, I'd love to meet everybody and hear all about your pain points.
Faith Chia (executive)
Yes, hear about your pain points, get her autograph. It will be a good time.
Jeanna Murphy (attendee)
Know that you're not alone.
Faith Chia (executive)
All right, and I'll pass it back to you, Akash.
Akash Mehta (executive)
Yes. I know that we were supposed to do a demo, and I apologize, there are some technical difficulties that we experienced today. But what I did want to do, there's a couple of things. One, there is a white paper that is out that we around gathering evidence for regulatory audits. It will be available as well as part of this webinar is something that you can download also. But it's really a white paper to kind of walk through how to leverage ServiceNow for SAM and HAM data to help with responding to financial regulatory audits. In there, you'll have certain recommendations as far as utilization of things like the success portal, which you'll see here on the screen to -- first off, if you are starting to manage that inside of ServiceNow, as of today, you can use the successful portal and identify success activities associated to a success goal to help with that process and at least be able to manage what activities are being done and who's assigned those particular activities and what you're providing from an evidence perspective, right? The other thing that it will go through is a series of reports, and this is 1 of the reports that's out there, but a series of reports that can either be built or they're pre-built reports as well. This 1 is around discovery models. The main fields here, things like install count that's been added. Current phase and current phase start date, upcoming phase and upcoming phase start date to be able to identify those discovery models and how many installs you have and where they are in a phase perspective. Again, without the ability to truly demo. We have also added some codes if there are research that's been done for certain types of models and products. And that research has turned up to not produce -- the publisher doesn't have an end-of-life date published just yet or something like that. We have a new life cycle code table also associated to this data set.
So you can see that information if there is any particular data that -- where we have not produced or we have not gotten that information from the vendor or something or it's been calculated or something, there are codes there that give you some more insight as to the information around the start date and end dates or the start dates of the various phases and the data surrounding it, right, that is used to populate it. So just a few different examples and a few different helpful tips and tricks of how to create those reports and how to utilize ServiceNow to help with responding to these audits. One other thing to add is in upcoming release in the Zurich release, we are also introducing a new capability around the audit response and speaking with customers, and we've heard -- we've seen it from some of the poll questions. We've seen it -- we've heard it from Jeanna as well, and we've heard it from a number of customers that we've talked to, it is -- regulatory audit, it's critical from a pincer perspective. Customers are looking for guidance, they're looking for automation and they're looking for management capabilities. So with our new feature coming in Zurich, Asset Audit Response. We tend -- we are going to be trying to help customers in those critical areas. The Asset Audit Response will include a GRC light application which will have audit management and control and control objectives and authority documents and so on and so forth that will help customers from a compliance management perspective, enter in audit engagements and be able to track it from that standpoint? The other thing that we will allow is the automatic creation or the creation of evidence request from the GRC side directly to asset managers. So you can manage and you can kind of see what evidence requests you're asking for and a new asset governance workspace on the -- for asset managers to track and see where they are from an evidence request perspective, right?
And so this will be for both HAM and SAM customers will have the ability to have this new workspace for asset governance and be able to track evidence request and what is coming in from various audit engagements from your compliance teams and be able to walk you through big portion of this is a guided experience to be able to walk customers through the process of gathering that evidence, creating remediation rules. So if you have gaps in data, you can find that -- those apps as well as create remediation tasks. So 1 thing that Jeanna had mentioned was being able to clean that data, not having gaps before you send the final review, the final data sets out, the remediation rules and the remediation tasks that we generate will help you do that and help you identify like a mediation plan, if necessary, if you have to get that information out quicker. So at least you have a plan in place to clean that up. So this is a -- it's a Zurich release. It's something that will be available in August, and we look forward to bringing that to our customers. We'll be talking about it more at Knowledge as well. So if you are at Knowledge or if there's something you'd like to reach to us out about and if you're interested in something like this, please let us know. And that is from my side. That's about it.
Faith Chia
executiveAll right. Thanks Akash. Thanks for walking us through all that before we hop into the Q&A session then. We just have a couple of housekeeping slides I know we've already been beating the dead horse a little bit. But if you missed it before, Knowledge 2025, May 6 to May 8, you can register here, using this QR code. I think there's also a link in the Resources page but we'd love to see there. It's a really great opportunity to really get a closer look at our products, talk to people like Jeanna, Akash. So this will be a great time. If you're able to come, we'd love to see you there. And 1 more plug really quick. If you have the time and you love our products, we'd love to see you write a G2 review for ServiceNow. If you haven't heard of G2 before, it's peer-to-peer review site and software marketplace platform where users can share their experiences about different softwares and services. You can kind of think of it like a Yelp for businesses so if you're interested, you can scan this QR code, and you can have a chance to earn a $25 Amazon gift card for just a few minutes of your time. So we really love to see your reviews and read them all to see what aspects of your products -- what aspects of our products that you're enjoying there a feedback that you may have -- so if you're interested, go ahead and scan this QR code, you can also look up for page manually. But if you're not scanning the QR code, then you won't have the chance to earn the gift card. So I do recommend going through the specific portal. But yes, and with that, I think we can get into our Q&A session. It looks like we have a good amount of questions to go through. So let me start tossing so now and whoever wants to answer, Akash, Jeanna, feel free to jump in whenever.
Faith Chia
executiveOkay. So let's see -- I like this question. So what are some trigger points for regulatory audits? What are the things to look out for?
Jeanna Murphy
attendeeDo you want me to take that? Or do you want to take that Akash?
Akash Mehta
executiveSure. Let's start with you and then I'll jump in.
Jeanna Murphy
attendeeIf you're a financial institution, the FFIEC is your backbone. So you need to be looking at that because they will audit you against that. And there are sections that you can read where -- I mean word for word sometimes, they'll pull the wording right out of there and with an audit against I did not write the FFIEC, I don't align with everything that's in it, but you need to be able to answer and know how your process aligns to it. That's specific to banks.
Akash Mehta
executiveYes. No, I think that makes sense.
Faith Chia
executiveAll right. Let's see. We also have I think this is more for Jeanna potentially when you're auditing audit questions, what are -- what internal departments are involved in those discussions?
Jeanna Murphy
attendeeIf it goes outside of my scope, like usually, it's -- we're usually getting things from an ITAM level. So whether something is HAM, SAM [indiscernible] business apps. And then if it involves anybody outside, like maybe I'm thinking through like for authorized software, we work with U.S. or other departments. So if the process crosses outside of our scope, then we would need to involve those teams, make sure that they're on board with the process that we're building so that we don't deliver something that we're not going to be able to support.
Faith Chia
executive[indiscernible] alignment. Yes. For sure. Okay. I think this one could be for either, how big are the software and hardware management teams typically that support the audit process.
Akash Mehta
executiveI don't know, Jeanna for you -- how many folks is it for you guys?
Jeanna Murphy
attendeeI have 3 FTEs and 2 contractors on my team, and I'm actually hiring a fourth FTE that's going to be more of a developer role, not to plug or anything. But yes, so we have -- currently, we have 5 total people, and it just seems like it's never enough [indiscernible] there's several people...
Akash Mehta
executiveYes, go ahead.
Jeanna Murphy
attendeeI think we have more on the HAM team, actually they're a little bit larger on the HAM team.
Akash Mehta
executiveYes. I would say like if you're talking about just supporting this process from a software and a hardware perspective, it really kind of depends on, one, how large of an organization you are and how mature you are, right? Like the less mature and the more manual effort that you have to do to produce these reports, the more people you're probably going to need depending on how quickly you have to turn that around. So I think with process and with maturity throughout your organization, the amount of people that you need to help support these regulatory audits tend to be less than the folks that are maybe not as mature or don't have the necessary data in a place where you can report off of it easy and so on and so forth. Those tend to require more people involved and larger teams to help with that.
Faith Chia
executiveRight. That makes sense. So I guess kind of jumping off of that besides the internal teams that are involved are any third-party audit companies ever contacted for help are involved in your process Jeanna?
Jeanna Murphy
attendeeWe have brought in consultants to help us, but not really an audit company per se.
Akash Mehta
executiveAnd we've talked to a number of different partners that are involved. I think it depends on organization. So absolutely, we like to have certain partners come in and be able to vet the data that they're producing, maybe look at some of your processes on how you're producing that data, and then to interpret the scope and interpret the regulations themselves and what should be provided. We've heard from customers where they utilize a third party to do some of that. So it's not necessarily to actually run and produce the data, but it may be more of kind of providing oversight and knowledge of those specific regulations and what they've produced in the past as well.
Faith Chia
executiveGreat. Okay. I'm seeing a couple of questions with the theme of globalization. So do you have any regulatory audits that are outside of North America, maybe any in APAC or in different languages. Or is it mostly just in North America where these audits are occurring?
Jeanna Murphy
attendeeCurrently it's North America.
Akash Mehta
executiveIt's North America, right? But we've talked to -- yes, we've talked to a lot of different customers throughout. So we've had discussions with customers in Canada, discussions with customers in EMEA, Australia and APAC as well. So absolutely, these regulatory audits, especially if you're a large bank, you span multiple countries, multiple geo regions and so on and so forth. You're going to have different regulations in different areas that you need to deal with. So I don't know what that pain feels like in having to do that. But yes, we've had conversations with customers that have to deal with that. And we may need to deep dive into that with those customers and maybe have another webinar to kind of talk about that sort of overall concept.
Faith Chia
executiveAll right. I'm going to jump around a little bit. We have a question here that says, what do your IT asset audits typically consist of? For example, questionnaires, dataset assessment, surveys, things like that, you're able to share? Or if not, we can just keep it general.
Akash Mehta
executiveSo I'm just looking at that. So what is your IT asset that's typically consist of? So I know there are -- there will be questionnaires and basically, assessments or request for evidence, right? Like the evidence can be all sorts of things. It could be screenshots of process, right? Process diagrams. Possibly, it could be show me evidence that these assets went through a disposal process and identify the -- or shows screenshots or identify the ticket numbers that they went through, certificate of destruction so on and so forth. I've heard a lot of that, not just simple -- that you have to generate filtered reports or something like that. I don't know, Jeanna, if you have any other thoughts around that question.
Jeanna Murphy
attendeeYes, if they're asking for evidence and they want the specifics of that evidence. So we're providing rhythm numbers or links to tasks. They are in our system. So we're often providing them the links to the -- and then also sometimes it's screenshots that goes into the closure packages and things like that.
Faith Chia
executiveGot it. So is there a recommended best way to enable discovery of service data and ServiceNow SAM Pro, more of a user question.
Akash Mehta
executiveLet's see, what was -- sorry, what was that question again?
Faith Chia
executiveYes, let me read it 1 more time. Is there a recommended best way or maybe any chat we have to enable discovery of server data in SAM Pro?
Akash Mehta
executiveYes, exactly. So the recommended, right, the best practice there is ServiceNow discovery purpose built, we have a lot of tie-in with our ITOM team when it comes to the data that they produce and the patterns that they go out and discover data, a lot of that is going to help support the activities that we need, the reconciliation processes that we need to be able to do within SAM Pro that would be kind of my answer to that. But that is definitely a question. Outside of this, that's probably better with your account teams and your SEs that you work with SAM Pro or your ITOM SEs to kind of help with that overall effort.
Faith Chia
executiveRight. That sounds good. I think we have another SAM Pro question here. Does that Jeanna, they're saying you were brought in to implement it. So they're wondering -- are you using any out-of-the-box reports or dashboards and ServiceNow to respond to any audits that you're getting.
Jeanna Murphy
executiveWe built our own dashboards to -- in response to the audits and our metrics. So we're using dashboard functionality, but they're not the -- the out-of-the-box lens, we needed to go especially for end of life, we had to go a little deeper than out of the box. So I think the out of the box is a good starting point. Unfortunately, we were being asked for a much more granular level of detail. So we just created our own dashboards.
Faith Chia
executiveMakes sense.
Akash Mehta
executiveAnd we definitely, as part of our Zurich release, we're looking to produce more out-of-box type of reporting to help support with some of these efforts. So absolutely.
Faith Chia
executiveAll right. I think we have time for just a few more. Let me look through and see, okay, we have a pretty long one here. Let's get to this. So in preventing software sprawl and unsanctioned software, how do you balance the autonomy that IT teams and business lines want when bringing in new software titles with the centralized controls that centralized IT-led software acquisition processes offer. Have you experienced any resistance? Any process centralization? And how do you influence these stakeholders, the long one.
Jeanna Murphy
attendeeThat is a long one. It's very loaded, so thank you for that. Yes. Centralizing software acquisition, right? How do you stop this sprawl, it's a huge challenge. We have a policy that says you're not allowed to purchase software outside of our sanctioned processes. But what's to stop somebody from putting something on their P-card, right? Like that's the challenge. So we have a lot of controls in place trying to prevent that. And then there is sort of this negotiation that has to happen between SAM and procurement because procurement ultimately holds the key there with the actual -- whether or not that actual purchase happens we have had issue that where things have been purchased that were not on the approved software list. And then at the end of the day, they were not allowed to install it. So yes, it can be a challenge, for sure, to get all those processes aligned and on the same page. And we're -- I'd say we're still working through that. We're getting better. And it's always a work in progress.
Akash Mehta
executiveYes. Software asset management, IT asset management. Everything starts with process at the very beginning, right, processing people and having those policies in place to enforce. That's number one. right? You can -- and then on top of that, providing great tools to help support your processes. So ServiceNow, all I can say is we do have a tool that will help support those kind of processes so procurement plug-ins or utilizing [ SPO ] or something like that to help with that process, but also we have things like software spend detection to help identify things that are purchased off of P-cards and software that is not necessarily going through the regulatory process, procurement process, things like [ desks ] that will help discover the SaaS type of software that's being used that we may not have integration to and under control yet. So -- and then obviously, from a software asset management, the restricted software capabilities and the ability to identify discovery models that you have coming in through your discovery processes and things like that can help support. But it all starts with your process and all starts with your policies that you have in place within your organization.
Faith Chia
executiveAll right. I think that would be all the time we have for today. But thank you so much. I just want to thank you again, Jeanna, for joining us today. Gold Star customer would really appreciate. You've taken the time to share your insights with us and all of our attendees here in the presentation. And also thank you for Akash, you couldn't do your full demo. It's really helpful to see you kind of run through what we have available now and give us a sneak peek of what we're going to display in Zurich. With that, thank you so much, everyone, for attending our webinar today. Sorry if we didn't get to your question, we did have a lot, but we'll try to follow up with you at a later time. Take a look at our resources that we have available. We have that great white paper that Akash mentioned. I really recommend that you download that. That was a lot of really good information and kind of goes through the audit process. We also have a couple of data sheets for you and a couple more links. But yes, that's everything for today. So thank you so much for joining, and I hope you all have a great day. Thank you. Love to see all...
Akash Mehta
executiveThank you Jeanna, thank you Faith.
Jeanna Murphy
attendeeThank you.