Audit Alert Correlations – Unique Audit Messages

By installing the Data Content Manager (DCM) application into your ServiceNow environment, you can audit your service data against best practise blueprints or blueprints you have created yourself.

Because the same data is audited by several, sometimes scheduled and repetitive blueprint audits, a single error in your data can cause multiple audit alerts. By removing the error’s root cause, all alerts related to those multiple blueprints can be resolved at once.

So, instead of analysing all audit alerts one-by-one, wouldn’t it be nice, if audit logic could recognize the error root cause automatically for you?

This is now a reality. DCM audit functionality can analyse all detected audit messages and create a unique audit message for every detected “root cause”. Original audit messages are linked with the unique audit message and therefore it is easy to resolve all caused audit messages by one click. And this, of course, saves your time, resources and money but what is even more important, shortens your data error resolving time.

“Instead of analysing all audit alerts one-by-one, wouldn’t it be nice, if audit logic could recognize the error root cause automatically for you?”

In this blog, I will explain how all this works and show you some examples of Unique Audit Messages. First, let’s have a look at a User data model (blueprint) that is then used for auditing User records.

Example data model for Users

User data model connecting single users to managers and organization structures.

In the example data model, we have:

  • Users connected to Departments
  • Departments should have Managers (department head)
  • And the Department Heads should be connected to a Company
  • Users are also connected to their Managers
  • And Managers connected to Companies
  • And finally, Users also connected directly to Companies

So, we have three different “User to Company” connections in the data model. Next, we will run an audit against this data model.

Example data for our audit

Let’s imagine we have a very simple and symmetric organization with:

  • 100 people (Users)
  • 10 Departments
  • 10 Teams with a manager and 9 other people
  • One of the teams is a management team that manages all departments and other teams
  • And all these people should belong to three different Companies (as different legal entities)

At this point, the Company connections are missing for all users, so let’s see how the data could look like on top of the blueprint.

Audit results

Next, let’s start looking at audit results for some of the audited root records. We will increase audited records as examples move forward, but let’s start with one.

Single User record on top of the blueprint.

In the previous picture, we have a single user “MJ” who is connected to “DEV” Department and has another User “AL” as his manager. The “DEV” Department has a manager called “JP” and all these Users are missing their connection to Company.

When auditing this single user record “MJ”, we get three audit messages about missing company links:

  • MJ is missing Company
  • AL is missing Company
  • JP is missing Company

Also worth noting is that the link between User and Company is actually the same Blueprint element, even though used in different parts of the blueprint. The concept of Blueprint elements is part of figuring out which audit messages are unique.

Now, we add another root record (another User) to the audit.

Two User records audited against the same blueprint.

For “MJ” we have the same audit messages as before and when auditing a new User “AB” we get these new non-compliant audit messages:

  • AB is missing Company
  • HU is missing Company
  • JP is missing Company

Because both “MJ” and “AB” belong to same the Department, the missing manager for “DEV” Department is reported twice. This is a simple example of a Unique Audit Message. The same deviation has been found twice since two different users belong to the same Department that has a Department Head “JP” without a Company.

Next, we add two more users as root records “AL” and “JP”. Note that we have already come across these records as Manager for “MJ” and Department Head for “DEV”.

More users to be audited, more duplicated audit messages

We already discovered earlier that “JP” and “AL” as missing the Company connection. Now when those records are used as root, the same audit messages are created again. In this example, “JP” and “AL” belong to the same department “MG” that is missing a department head. And “JP” is also missing a manager.

Without listing all the new audit messages, we have now discovered the same issues several times and we want to avoid flooding reports and task creation engine with repeating “events” so to say. Instead of filling reports with duplicate messages, we use the duplication information a “weight” value on each unique audit message. To give some example:

  • “MJ” missing Company reference has been found once, so weight value is 1. Same thing for “AB”
  • “JP” missing Company reference has been found already four times, so weight is 4.
  • “AL” is “MJs” manager and therefore missing company info discovered twice etc…
  • Two users are connected to the “MG” department which doesn’t have a manager, so this deviation has a weight of 2.

Now imagine that you have an organization of 100 people and two of the departments don’t have a manager or the selected manager is no longer working for the company. Impact of related missing information can be bigger than single reference missing from the root record.

The point of the Unique Audit Message is to give real-time information about the data quality with a weight value to help to prioritize corrective actions. In DCM application, the Unique Audit Messages also have a lifecycle meaning that messages can be marked as Fixed or Approved depending on the case. And the status may change according to future audit results.

Better view of your data quality and what to focus on next

The blueprint-based audit and using blueprint elements to define which audit messages are unique and what is their impact, we can easily come up with reports showing what you should fix first in order the get the biggest impact to our overall data quality.

Top10 Blueprint Elements and actual records with most weight from bad data.

From the charts above, we can see that the Department called “Sales” has the most weight from bad data. Maybe we should check that Department record first. When Unique Audit Messages are grouped by Blueprint Element, we can see that most weight is put on Business Units missing the Company relationship. So, that another good candidate for getting your overall data quality into better shape.

In the next image, we can see an example of an actual audit result and list of Unique Audit Messages based on User data audit with DCM.

Actual DCM audit messages for a single audit instance.

Compliant messages (6) has been filtered out from the previous image and you can see that in order to get “Henrik” User record fully compliant with the blueprint, you should add Business Unit to “Consulting” Department, make sure that new Business Unit is connected to a Company and to fix the optional deviation also link “Henrik” user record directly to a company.

Creating remediation tasks from unique audit messages

Now that we have Unique Audit Messages that also include a lifecycle (or status), we can use these records to create tasks to responsible persons or groups to fix the issues.

Task creation can happen automatically based on certain rules or manually from audit results. In the previous image, you might have noticed a “Create Task” button. That would create a single task to fix all the non-compliant messages identified for “Henrik” user record which are not connected to a task yet. This ad-hoc task creation will assign the task to the current user, but he or she can, of course, reassign it to another person or a group.

These remediation tasks are a very efficient way to keep track of required data fixes, get more people involved into data management activities and do it as a continuous process instead of twice per year data clean-up projects.

I will write another story about automatic task creation a little later.

Mikko Juola

Mikko Juola

Mikko is the Product Manager for Data Content Manager, a NowCertified ServiceNow application.

Want to know more?

Check out YouTube channel

Now Certified application

Leave a Comment