Control Attestation's Questions
1. Are Attestations meant to be reviewed by the Compliance team? The functionality of the Control Attest State does not allow Compliance to follow up after the Control Owner attests/adds evidence, because it automatically 'completes' the attestation, so we cannot have any back-and-forth conversation with the Control Owner to ask for more information, clarification, etc. This leads me to believe the Attestations are not intended to be reviewed by Compliance?
2. If we (Compliance) are supposed to review the attestation's response, what is the difference between what a Control Owner adds as evidence to the attestation and what the Control Owner would add as evidence to a Control Testing task in the Audit module?
3. Can you do Control Tests without doing an Attestation first? If yes, is that recommended?
Hi Buddy,
Your understanding is basically correct.
Attestations aren’t designed for Compliance review or back-and-forth.
They’re meant to capture a control owner’s self-assertion that a control is operating. Once the owner submits, the attestation completes by design. That’s why there’s no practical way for Compliance to ask follow-up questions or push it back. This strongly indicates attestations are not intended to be a collaborative review workflow.

Attestation evidence vs. Control Testing evidence serve different purposes.
Evidence attached to an attestation supports the control owner’s claim (“this control is in place”). It’s informal and self-asserted. Evidence attached to a Control Test is formal, reviewed by Compliance/Audit, evaluated against test steps, and used to determine pass/fail and deficiencies. Even if the files look similar, they are used very differently.

Yes, you can do Control Tests without an attestation, and that’s common.
Attestations are optional. Many teams either skip them entirely or use them only for low-risk controls. Testing does not require an attestation to exist first and is where Compliance validation actually happens.
So:
Attestations = owner assertion.
Control Testing = Compliance validation.
The lack of back-and-forth in attestations is intentional, and review/challenge belongs in Control Testing, not the attestation itself.
@kryon - Please mark Accepted Solution and Thumbs Up if you find this helpful!
Hello @kryon ,
Attestations are primarily designed for Control Owners to confirm and provide evidence that a control is operating, not for Compliance to review in detail. Evidence added in an attestation is more of a self‑confirmation, while evidence in a Control Test (Audit module) is subject to independent validation by Compliance or Audit teams.
Yes, you can perform Control Tests without an attestation first. Attestations are optional, but using them can help streamline evidence collection before testing.
If my response helped, mark it as helpful and accept the solution.
