What is Attestation?

johnwood, 5/3/2022

Having policies and procedures published and easily accessible is just one part of creating a structured and controlled organization. You also need to ensure that your staff read those policies and procedures. This is where attestation comes in. Attestation is the process of having your staff not only read policies, but physically sign off on both reading and understanding them, so there is a legal record of this fact that auditors can access at a later date.

This can be a very important function for several reasons:

  • If a staff member violates a policy, or doesn't follow a written procedure, they cannot claim that they didn't see or read the policy or procedure if there is a signed record of it.
  • If your organization is being audited for certain compliance or regulatory frameworks, such as SOC2 or CMMC, there will often be requirements within that framework that you ask your staff to attest to various policies and procedures. Having a record of this, and being able to supply it to an auditor, will be required to gain compliance.
  • If someone takes legal action against your organization, having records of attestation by staff can be important in determining liability.
  • If disputes arise about employment practices, a record that the personnel involved in the dispute had attested to the specific policies covering that particular area can make it much easier to resolve the dispute.
  • Attestation can also be a great way to ensure your staff really are reading the policies and procedures, and aren't just skipping sections.

Historically, companies would print out policies and procedures and then have the staff member physically sign each page. Times have changed, however, and much of this has been automated and is now performed digitally.

The process of attestation typically involves sending a request, usually received through email. The staff member will then log in and read the required text, and once finished reading will click a button. That will then typically provide a prompt for them to electronically sign. That signature can then be stored against the document in a record that can be easily retrieved at a later time by designated personnel.


You may think that attestation is a simple thing to do and manage, but there are several potential issues when implementing attestation that need to be taken into consideration.

Updated Articles

Firstly, what happens if a policy or a procedure is updated? If the change was just minor, without having any substantial impact on the meaning of the policy, or without any change to actual procedures, then perhaps it's not important to ensure your staff have read the changes. But if the change is more substantial, you'll likely need to send it out again to all personnel who previously acknowledged it.

This type of thing can be difficult to manage manually. But these days many automated systems are able to do this for you, sending out the attestations automatically.

Regular Attestations

When it comes to certain regulations or certifications, attestations are often required on a regular basis - usually annually, but sometimes even quarterly. It's imperative to make sure that all users complete their attestations within that period, and are then reminded to re-attest. Again, this is something that automated attestation systems can handle for you.


Having a user attest to having read and understood a policy or procedure can certainly give you some legal weight, and probably some peace of mind, but you won't know for sure that they have understood what they read. They may even have misunderstood something that was important. This is why it can sometimes be useful to add quizzes to a policy in order to test their knowledge.

A good attestation system would require them to actually pass the quiz before they can attest - that way you know for sure that the attestation is truly meaningful.

Requesting Additional Information

Sometimes you need more than just an attestation signature: you need them to provide some information or fill out a form. A good example here would be a Conflict of Interest declaration: when the user attests to the Conflict of Interest policy, they can provide additional declarations about their relationship to competitors or customers.

New Staff Onboarding

Another important consideration is what happens when new staff join your organization, or switch to a department that requires attestation. Usually the onboarding process will include having the staff attest to your basic policies and procedures such as the employment guide and code of conduct.

If you have groups of users attesting on a regular basis, you will need to make sure you coordinate the attestations done for that user with the attestations sent out for the rest of the group. For example, if an employee joins a month before you normally send out the attestation requests for the rest of the group, you wouldn't want to send the request out to the new employee twice within a month. This can be complex to maintain over time, which is why it's important to have software to automate this for you.
