
Compliance Attestations

Overview

Compliance Attestations are formal, executive-level certifications that your organization's compliance controls are being properly implemented and monitored. An attestation is a signed statement by a senior executive (such as a Compliance Officer, CFO, or CEO) confirming that:

  • Compliance assessments have been completed for the specified period
  • Controls are operating effectively
  • Any non-compliance issues are being addressed
  • The attestation accurately represents the organization's compliance posture

What is an Attestation?

Think of an attestation as a formal "seal of approval" on your compliance work. After your teams have:

  1. ✅ Completed compliance assessments on your systems
  2. ✅ Documented evidence of control implementation
  3. ✅ Addressed any non-compliance findings
  4. ✅ Reviewed the overall compliance status

A senior executive creates an attestation to formally certify this work and take responsibility for its accuracy.

When to Use Attestations

Attestations are typically required:

  • Quarterly: For SOX compliance (CEO/CFO attestations under Section 302)
  • Annually: For year-end compliance reporting (HIPAA, PCI-DSS, ISO 27001)
  • Post-Audit: After external audits or assessments
  • Regulatory Filings: Before submitting compliance reports to regulators
  • Board Reporting: When presenting compliance status to the board of directors
  • Special Occasions: Acquisitions, major system changes, or security incidents

Understanding the Compliance Hierarchy

Before creating attestations, it's helpful to understand how they fit into the overall compliance workflow:

  1. Frameworks (SOX, HIPAA, PCI-DSS)
  2. Citations (Specific regulatory requirements)
  3. Policies (Your organization's policies)
  4. Policy Statements (Individual policy requirements)
  5. Controls (Specific compliance controls)
  6. Assessments (Testing controls on individual systems)
  7. ATTESTATIONS (Executive certification of all the above) ← We are here

Attestations come AFTER all assessments are complete. They aggregate and certify the assessment results for a specific period.


Who Creates and Signs Attestations?

Who Creates Them?

Typically created by:

  • Compliance Officers: Prepare the attestation and gather supporting data
  • Internal Audit Teams: Review compliance status before attestation
  • GRC Managers: Coordinate the attestation process across teams

Who Signs Them?

Signatories are always senior executives:

  • CFO (Chief Financial Officer): Required for SOX attestations
  • CEO (Chief Executive Officer): Often co-signs SOX attestations (SOX 302)
  • Compliance Officer: For framework-specific attestations
  • CIO/CISO: For IT and security compliance attestations
  • Department Heads: For department-specific policy attestations

SOX 302 Special Case

For Sarbanes-Oxley compliance, Section 302 requires both the CEO and CFO to co-sign quarterly attestations certifying the accuracy of financial controls. The system supports this co-attestation requirement.


Attestation Scopes

An attestation scope defines what you are attesting to. NopeSight supports six different scope types:

1. Control Scope

Attest to a single compliance control across all assessed systems.

Example Use Case:

"I attest that the 'Access Control Review' control has been properly implemented and assessed across all 47 database servers during Q4 2025."

When to Use:

  • Focused attestations for specific controls
  • When one control is particularly critical (e.g., password policy)
  • For control-specific audit requests

2. Profile Scope

Attest to a collection of controls within a compliance profile (e.g., all database controls, all network controls).

Example Use Case:

"I attest that all 12 database security controls have been assessed across our database infrastructure for the month of October 2025."

When to Use:

  • Infrastructure-specific attestations (database, network, application)
  • Environment-specific (production systems, development systems)
  • Department-specific compliance

3. Framework Scope

Attest to an entire compliance framework (SOX, HIPAA, PCI-DSS, ISO 27001).

Example Use Case:

"I attest that our organization's SOX controls have been tested and are operating effectively for Q4 2025."

When to Use:

  • Quarterly SOX attestations
  • Annual HIPAA or PCI-DSS certifications
  • Comprehensive regulatory compliance attestations
  • Board reporting on overall compliance status

4. Policy Scope

Attest to all controls linked to an organizational policy.

Example Use Case:

"I attest that controls implementing our 'Data Classification and Handling Policy' have been assessed across all relevant systems for FY2025."

When to Use:

  • Policy compliance reviews
  • When internal audit focuses on specific policies
  • Department-level policy attestations

5. Policy Statement Scope

Attest to controls implementing a specific policy statement.

Example Use Case:

"I attest that controls implementing policy statement 'PII must be encrypted at rest' have been verified across all systems storing personal data."

When to Use:

  • Fine-grained policy attestations
  • Specific compliance requirements
  • Focused remediation verification

6. Custom Scope

Define custom criteria (CI types, tags, departments) for flexible attestations.

Example Use Case:

"I attest that all production database servers in the Payment Processing department have been assessed for Q4 2025."

When to Use:

  • Special attestations for specific business units
  • Project-specific compliance (e.g., new payment system)
  • Custom regulatory requirements
  • Acquisitions or divestitures

Understanding Periods

Attestations cover specific time periods. The system dynamically generates period options based on the current date:

Quarterly Periods

  • Format: 2025-Q4, 2025-Q3, 2025-Q2, 2025-Q1
  • Coverage: 3-month quarters (Jan-Mar, Apr-Jun, Jul-Sep, Oct-Dec)
  • Use Case: SOX quarterly attestations
  • 📍 Current Period: Marked with an indicator

Monthly Periods

  • Format: 2025-10, 2025-09, 2025-08
  • Coverage: Individual calendar months
  • Use Case: Monthly compliance reviews

Fiscal Year

  • Format: FY2025, FY2024
  • Coverage: April 1 - March 31 (configurable)
  • Use Case: Annual financial compliance attestations

Calendar Year

  • Format: 2025, 2024
  • Coverage: January 1 - December 31
  • Use Case: Annual compliance certifications

Custom Period

  • Format: Custom start/end dates
  • Use Case: Special situations (e.g., "Q3 plus first 15 days of Q4", "Audit period: Aug 1 - Oct 15")

Creating an Attestation: Step-by-Step Guide

Step 1: Navigate to Attestations

  1. Go to Compliance → Attestations in the main menu
  2. Click "Create Attestation" button

Step 2: Enter Basic Information

Fill in the attestation details:

  • Title: Descriptive name (e.g., "Q4 2025 SOX 302 Attestation")
  • Description: Purpose and context (e.g., "Quarterly SOX certification for internal controls over financial reporting")
  • Attestor Name: Name of the person who will sign (e.g., "Jane Smith, CFO")
  • Attestor Title: Their official title
  • Attestor Email: Contact email

Step 3: Select Attestation Period

Choose the time period this attestation covers:

  • Select from quarterly, monthly, fiscal year, or calendar year periods
  • Or choose "Custom Period" and specify exact start/end dates
  • The system shows a 📍 indicator for the current period

Important: The period determines which assessments are included. Only completed assessments within this timeframe will be aggregated.

Step 4: Choose Attestation Scope

Select what you're attesting to:

Option A: Control Scope

  1. Select "Control" as scope type
  2. Search and select the specific control
  3. If no controls appear, click the link to create controls in the Compliance Registry

Option B: Profile Scope

  1. Select "Profile" as scope type
  2. Choose the compliance profile (e.g., "Database Security Controls")
  3. If no profiles exist, create them in Compliance Registry first

Option C: Framework Scope

  1. Select "Framework" as scope type
  2. Choose the framework (SOX, HIPAA, PCI-DSS, etc.)

Option D: Policy Scope

  1. Select "Policy" as scope type
  2. Select the organizational policy

Option E: Policy Statement Scope

  1. Select "Policy Statement" as scope type
  2. Search and select the specific policy statement

Option F: Custom Scope

  1. Select "Custom" as scope type
  2. Define criteria:
    • CI Types: Server, Database, Network Device, etc.
    • Tags: Production, Critical, Payment Processing, etc.
    • Departments: Finance, HR, Engineering, etc.

Step 5: Preview Scope

Before creating the attestation, you MUST preview the scope:

  1. Click "Preview Scope" button
  2. Review the preview details:
    • Total Assessments: Number of assessments included
    • Compliance Percentage: Overall compliance score
    • Risk Breakdown: Critical, High, Medium, Low risk counts
    • Period Dates: Confirmation of start and end dates
    • Scope Metadata: Control counts, CI counts, etc.
  3. Verify this matches your expectations

Why Preview?

  • Ensures you're attesting to the right data
  • Prevents empty attestations (no assessments in period)
  • Shows compliance score before formal attestation
  • Allows you to adjust scope or period if needed

Step 6: Create the Attestation

Once you've previewed and confirmed:

  1. Click "Create Attestation" (now enabled after preview)
  2. The system creates the attestation in "Draft" status
  3. You'll be redirected to the attestation detail page

Step 7: Review Draft

Review the draft attestation:

  • Check all included assessments
  • Review compliance summary
  • Verify period and scope are correct
  • Make any necessary edits (while still in draft status)

Step 8: Sign the Attestation

When ready to sign:

  1. Click "Sign Attestation"
  2. Enter your attestation statement (e.g., "I certify that the controls described herein are operating effectively...")
  3. Review the statement carefully
  4. Click "Sign"
  5. Your signature, timestamp, and statement are permanently recorded
  6. Status changes to "Pending Approval" (or "Approved" if no approval workflow)

Step 9: Co-Signature (SOX 302 Only)

For SOX attestations requiring CEO/CFO co-signatures:

  1. The second signatory receives notification
  2. They open the attestation
  3. Click "Co-Sign Attestation"
  4. Enter their attestation statement
  5. Click "Co-Sign"
  6. Both signatures are now recorded

Step 10: Approval (Optional)

If your organization requires approval:

  1. Designated approver receives notification
  2. They review the attestation and supporting evidence
  3. Click "Approve" or "Reject"
  4. Enter approval comments
  5. Status updates accordingly

Working with Existing Attestations

Viewing Attestations

Attestation List:

  • Shows all attestations for your tenant
  • Filter by: Period, Scope Type, Status, Framework
  • Search by title or attestor name
  • Sort by date, status, or compliance score

Attestation Detail:

  • View complete attestation information
  • See all included assessments
  • Review compliance summary and risk metrics
  • View signatures and approval history
  • Export attestation report (PDF/Excel)

Editing Attestations

Draft Attestations:

  • Can be edited freely
  • Modify scope, period, or details
  • Delete if no longer needed

Signed Attestations:

  • Cannot be edited once signed
  • Cannot be deleted (audit trail)
  • Can only be viewed and exported

Attestation Status Flow

  1. Draft → Being created/edited
  2. Pending Approval → Signed, awaiting approval
  3. Approved → Approved by designated approver
  4. Rejected → Rejected by approver (with comments)
  5. Expired → Period has passed, now historical

Common Attestation Workflows

Quarterly SOX Attestation

Scenario: You need to create a quarterly SOX 302 attestation signed by both CEO and CFO.

Steps:

  1. Wait until all Q4 assessments are completed
  2. Navigate to Compliance → Attestations
  3. Click "Create Attestation"
  4. Title: "Q4 2025 SOX 302 Certification"
  5. Scope: Framework → "SOX (Sarbanes-Oxley)"
  6. Period: "2025-Q4"
  7. Attestor: CFO information
  8. Preview scope → Verify all SOX controls included
  9. Create attestation
  10. CFO signs with formal statement
  11. CEO co-signs
  12. Submit for approval (if required)
  13. Export and file with regulatory documentation

Timeline: Usually due within 90 days of quarter end.


Annual HIPAA Compliance Attestation

Scenario: Year-end HIPAA compliance certification for the board.

Steps:

  1. Ensure all annual HIPAA assessments are complete
  2. Create new attestation
  3. Title: "2025 Annual HIPAA Compliance Certification"
  4. Scope: Framework → "HIPAA"
  5. Period: "2025" (calendar year)
  6. Attestor: Compliance Officer or Privacy Officer
  7. Preview scope → Review compliance percentage
  8. Create and review all included assessments
  9. Sign with formal certification statement
  10. Export comprehensive report for board presentation

Department-Specific Policy Attestation

Scenario: Finance department head needs to attest that all finance systems comply with the Data Classification Policy.

Steps:

  1. Create new attestation
  2. Title: "Finance Department Data Classification Compliance - Q4 2025"
  3. Scope: Custom Scope
    • Department: "Finance"
    • Tags: "Financial Data"
  4. Period: "2025-Q4"
  5. Attestor: VP Finance
  6. Preview → Confirm only finance systems included
  7. Create and review
  8. Sign attestation
  9. Share with compliance team

Emergency Attestation After Security Incident

Scenario: After remediating a security incident, attest that specific controls are now working properly.

Steps:

  1. Complete re-assessments on affected systems
  2. Create custom period attestation
  3. Title: "Post-Incident Control Verification - Payment System"
  4. Scope: Custom Scope
    • Tags: "Payment Processing"
    • CI Types: "Server", "Database"
  5. Period: Custom → Incident date to remediation completion date
  6. Preview → Verify 100% compliance (all issues remediated)
  7. Create attestation
  8. CISO signs
  9. Include in incident response documentation

Best Practices

Before Creating Attestations

Complete All Assessments First

  • Ensure all required assessments for the period are finished
  • Review assessment results for accuracy
  • Address any pending findings or non-compliance issues

Use Consistent Naming

  • Include period in title: "Q4 2025...", "FY2025...", "October 2025..."
  • Include scope type: "SOX Attestation", "Database Controls Attestation"
  • Be specific and descriptive

Always Preview Scope

  • Never skip the preview step
  • Verify assessment counts match expectations
  • Check compliance percentages are reasonable

Document Context

  • Use description field to explain purpose
  • Note any special circumstances or exceptions
  • Reference related audits or reports

During Attestation

Write Clear Attestation Statements

  • Use formal, professional language
  • Be specific about what you're certifying
  • Include any caveats or qualifications
  • Example: "I certify that, to the best of my knowledge, the SOX controls described herein were operating effectively during Q4 2025, and any identified deficiencies have been disclosed to the audit committee."

Review Before Signing

  • Read all included assessments
  • Verify compliance summary
  • Check for any surprises or unexpected results
  • Ensure you're comfortable taking responsibility

Don't Rush

  • Attestations are legal certifications
  • Take time to review thoroughly
  • Consult with audit/compliance teams if uncertain

After Attestation

Export and Archive

  • Export PDF report immediately after signing
  • Store in compliance documentation repository
  • Include in audit work papers

Track Deadlines

  • Note when next attestation is due
  • Set calendar reminders
  • Plan assessment schedules accordingly

Monitor Compliance

  • Use attestation dashboard to track trends
  • Compare compliance percentages quarter-over-quarter
  • Identify controls that consistently show issues

Troubleshooting

"No data found" when creating attestation

Cause: No assessments exist for the selected scope and period.

Solution:

  • First, create and complete compliance assessments
  • Ensure assessments are marked as "Completed" status
  • Verify assessments fall within the selected period
  • Check that controls are linked to the selected scope (profile, framework, policy)

Empty scope type dropdowns

Cause: Compliance registry is not yet populated.

Solution:

  • Navigate to Compliance Registry
  • Create frameworks, policies, controls, or profiles first
  • Attestations require existing compliance data to attest to
  • See the Compliance Registry documentation for setup instructions

"Preview Scope" shows 0 assessments

Possible Causes:

  1. Wrong Period: Assessments completed in different period
  2. Wrong Scope: Selected control/profile doesn't match assessments
  3. Assessment Status: Assessments not marked as "Completed"
  4. Tenant Mismatch: Assessments belong to different tenant

Solution:

  • Verify assessment dates match selected period
  • Check that assessments link to correct controls
  • Confirm assessments have "Completed" status
  • Ensure you're in the correct tenant context

Cannot sign attestation

Possible Causes:

  1. Still in Draft: Must review and finalize first
  2. Already Signed: Can't sign twice
  3. Permissions: User doesn't have signing permissions
  4. Empty Attestation: No assessments included

Solution:

  • Check attestation status
  • Verify you have appropriate role/permissions
  • Ensure attestation contains assessment data
  • Contact system administrator for permission issues

FAQs

Q: How often should we create attestations?

A: It depends on your compliance requirements:

  • SOX: Quarterly (required by law)
  • HIPAA: Annually (recommended)
  • PCI-DSS: Quarterly or annually
  • ISO 27001: Annually
  • Internal policies: As defined by your organization

Q: Can I delete an attestation after signing?

A: No. Signed attestations cannot be deleted, so that the audit trail stays intact; they become permanent records. Only draft attestations can be deleted.

Q: What's the difference between signing and approving?

A:

  • Signing: The attestor (executive) certifies the accuracy of the attestation
  • Approving: A designated reviewer (e.g., internal audit) approves the attestation for filing

Some organizations require both; others only require signing.

Q: Can I create an attestation with some non-compliant assessments?

A: Yes. Attestations show the actual compliance status, which may include non-compliance. The attestation statement should acknowledge any deficiencies and explain remediation plans.

Q: How far back can I attest?

A: You can attest to any period that has completed assessments. However, attestations should ideally be created soon after the period ends (typically within 30-90 days for regulatory compliance).

Q: Can multiple people sign the same attestation?

A: Yes, through co-signing (primarily for SOX 302). The first person signs, then the second person co-signs. Both signatures are recorded.

Q: What happens if our compliance score is low?

A: You can still create and sign an attestation, but you should:

  1. Document the non-compliance issues
  2. Include remediation plans in your attestation statement
  3. Disclose material weaknesses to auditors/regulators
  4. Never falsely attest to compliance you don't have

Q: Can I edit the period after creating an attestation?

A: No, once created, the period is fixed. If you need a different period, delete the draft attestation and create a new one with the correct period.



Need Help?

If you have questions about attestations or need assistance:

  1. Review the compliance workflow documentation
  2. Consult with your organization's compliance team
  3. Contact your internal audit department
  4. Reach out to NopeSight support

Remember: Attestations are formal legal certifications. When in doubt, consult with legal counsel or compliance professionals before signing.