Which role should be given to external auditors to view published policies and controls?

Providing the right access for external auditors is about giving them visibility to published policies and controls without allowing changes. In ServiceNow IRM, there is a dedicated role for this need: sn_audit.external_auditor. This role is specifically designed to let external auditors view published policies and controls and related audit artifacts, while not granting edit or admin permissions. Assigning this role enables auditors to review and report, preserving data integrity. Other roles are intended for internal users with broader responsibilities or higher privileges. The sn_risk_user role supports risk contributors, the sn_compliance_user role supports the compliance team’s activities, and the sn_audit_manager role carries management capabilities. These either don’t provide the exact view you want for policies and controls or grant more access than is appropriate for external auditors.