a month ago
1. Are Attestations meant to be reviewed by the Compliance team? The functionality of the Control Attest State does not allow Compliance to follow up after the Control Owner attests/adds evidence, because it automatically 'completes' the attestation, so we cannot have any back-and-forth conversation with the Control Owner to ask for more information, clarification, etc. This leads me to believe the Attestations are not intended to be reviewed by Compliance?
2. If we (Compliance) are supposed to review the attestation's response, what is the difference between what a Control Owner adds as evidence to the attestation and what the Control Owner would add as evidence to a Control Testing task in the Audit module?
3. Can you do Control Tests without doing an Attestation first? If yes, is that recommended?
a month ago
Hi Buddy,
Your understanding is basically correct.
Attestations aren’t designed for Compliance review or back-and-forth.
They’re meant to capture a control owner’s self-assertion that a control is operating. Once the owner submits, the attestation completes by design. That’s why there’s no practical way for Compliance to ask follow-up questions or push it back. This strongly indicates attestations are not intended to be a collaborative review workflow.
Attestation evidence vs. Control Testing evidence serve different purposes.
Evidence attached to an attestation supports the control owner’s claim (“this control is in place”). It’s informal and self-asserted. Evidence attached to a Control Test is formal, reviewed by Compliance/Audit, evaluated against test steps, and used to determine pass/fail and deficiencies. Even if the files look similar, they are used very differently.
Yes, you can do Control Tests without an attestation — and that’s common.
Attestations are optional. Many teams either skip them entirely or use them only for low-risk controls. Testing does not require an attestation to exist first and is where Compliance validation actually happens.
So:
Attestations = owner assertion.
Control Testing = Compliance validation.
The lack of back-and-forth in attestations is intentional, and review/challenge belongs in Control Testing, not the attestation itself.
@kryon - Please mark Accepted Solution and Thumbs Up if you find helpful!
a month ago
Hi @kryon !!
1) Attestations are primarily designed for self-attestation by the Control Owner, not for iterative review by Compliance.
In the out-of-the-box design:
- A Control Attestation is completed once the Control Owner submits their response and evidence
- The Control Attest State auto-completes, which intentionally prevents back-and-forth discussion
- This is by design and indicates that attestations are not meant to function as a review workflow
Attestations answer the question:
“Does the Control Owner confirm the control is operating as described?”
They are not meant to replace testing, validation, or Compliance follow-up.
2) They serve different purposes:
Attestation Evidence
- Provided by the Control Owner
- Informal, self-reported confirmation
- Supports management assertion
- Typically high-level (screenshots, short explanations, documents)
- Not independently validated
Control Testing Evidence (Audit / Testing Tasks)
- Collected and reviewed by Compliance / Audit
- Formal validation of control design and operating effectiveness
- Supports audit conclusions
- Can involve:
  - Sampling
  - Follow-up questions
  - Multiple evidence requests
- Designed for review, challenge, and iteration
If Compliance needs clarification, follow-ups, or judgment, Control Testing is the correct mechanism, not Attestation.
3) Yes, Control Tests can be performed without an Attestation.
Whether it’s recommended depends on your process maturity:
Common and recommended patterns:
- Low-risk / mature controls → Use Attestations only (lightweight confirmation)
- Higher-risk / regulated controls → Skip Attestation and go straight to Control Testing
- Hybrid approach (very common):
  - Attestation = management assertion
  - Control Testing = Compliance validation
There is no system dependency requiring an Attestation before a Test.
Mark this as Helpful if it clarifies the issue.
Accept the solution if this answers your question.
Regards,
Vaishnavi
Associate Technical Consultant
a month ago
Hello @kryon ,
Attestations are primarily designed for Control Owners to confirm and provide evidence that a control is operating, not for Compliance to review in detail. Evidence added in an attestation is more of a self‑confirmation, while evidence in a Control Test (Audit module) is subject to independent validation by Compliance or Audit teams.
Yes, you can perform Control Tests without an attestation first—attestations are optional, but using them can help streamline evidence collection before testing.
If my response helped, mark it as helpful and accept the solution.