Attesting To Compliance

An Attestation is management’s internal assessment and compliance with regulatory compliance certifications. These letters are also known as Compliance Certifications, GRC Agreements and the list goes on.

Typically only the CEO and CFO are required by law to sign an attestation. But more and more corporations are including the CIO in that requirement. Primarily because IT now plays such a critical role in ensuring the corporations data is secured and properly managed to retain reliable accounting systems.

Many CIOs become very uncomfortable in signing a corporate level attestation for their organization. How does the CIO know for sure that his direct staff is properly overseeing the IT components they manage? And how do those senior IT executives know that their directors and managers are giving proper attention and accountability to the processes they manage?

Because of this, many IT organizations are implementing an IT management wide Attestation to their compliance standards. From the lowest manager up, these attestations define the responsibility of each manager to adhere to corporate standards and compliance regulations. Each one roles up into a package for the next level manager to review and certify by signing their own attestation. Until finally, all of IT’s management has attested to the oversight of controls. And the CIO now feels like his/her back is covered.

See my IT Governance section for more information about IT Audit, and Governance, Risk Management & Compliance (GRC) and Risk, Security & Compliance Assessments (RSCA).

Accountability
IT Managers, Directors, Vice Presidents, Chief Information Officer

Policy
IT Management staff is responsible for attesting in good faith, to the compliance of corporate policies, procedures, IT General Controls (key and non-key), Industry and SOx regulations on a quarterly or bi-annual basis. Some organizations implement a global attestation policy annually. My suggestion is, the larger the organization, the more frequent the IT attestations should be documented and a quarterly attestation will make your life easier over the long run.

I make this suggestion based on experience. Information technology changes quickly. With every new implementation, enhancement, data correction of even the simply day to day operations of IT, access changes and how that access is implemented changes. Not only to hardware and systems, but to applications and data. Large organizations have a tougher time managing these day to day operations and ensuring the left hand knows what the right hand is doing. So reviewing access reports, for instance, each quarter, can be a simple exercise to ensuring risk is being managed.

These attestations aren’t just legal jargon that someone signs their name to. In the IT world, they also include exceptions to policies and standards. Exceptions to standards are just part of the business of IT. This isn’t a one size fits all world, so you must allow for exceptions to keep your business running and competitive. But that also means you must be aware of what those exceptions are, so you can better determine the risks to the company over all.

Whatever your cycle for requiring Attestations, your IT compliance team should require all IT managers to review their IT General Controls and Control processes, both key and non-key. Managers, Directors and Vice Presidents will be required to provide signed attestations for the compliance of their assigned controls and report any known exceptions to the CIO. This process does not replace the Corporate Attestation process. It’s in addition to it.

Attestation Letter
There are a gazillion ways to write and word a certification letter. It doesn’t have to be long and involved or detailed to the nth degree.  The following is a simple example of an Attestation Letter that can be used as a general template for any IT organization.

 

---

ABC Company Attestation

From: Manager Name
To: IT Compliance
Date: __________

RE: Quarterly Management Attestation Letter

Attestation for group/department: __________________

”The Company” places a continuing responsibility on IT Management to diligently supervise its employees and agents in aspects of Regulatory Compliance activities. Among other functions, I am responsible for:
[indicate responsibilities].

To the best of my knowledge, the above mentioned group/department has maintained and continues to maintain IT internal controls, following processes and procedures defined for ”The Company’s” Information Technology systems, that properly support the integrity and reliability of the company’s information and data security.

This group is administered as follows:

• A listing of policies and procedures applicable to my organization is attached.
• A listing of known compliance exceptions within my organization is attached.
• A complete set of policies and procedures is prominently displayed on my organizations internal website at ___________________.
• Periodic management oversight/audits are conducted to ensure compliance with company policies and procedures.

Included in this management oversight is an assurance of:

• Protecting system security and following corporate security policies,
• Adhering to change management and segregation of duties policies.
• Adhering to the company’s SDLC policy and the implementation of [Project Methodology},
• Oversight of compliance reviews as defined in this groups IT General Control procedures (ie: quarterly, biannual, annual security, baseline, change management reviews.)

There are inherent limitations in any control, including the possibility of human error and the circumvention or overriding of internal controls. Upon occurrence of these events, I bring reportable compliance matters relating to my area of IT General Controls to the attention of the IT Compliance team. Any events that occurred during this reporting period are defined in the Breach Event attachment. During this reporting period, to my knowledge, my organization was in material compliance with all applicable federal and state laws and regulations.

__________________________ Name [Print name]

________________________________ Signature

________________ Date

A. Policies and Procedures
List the affected policies

B. Control Exceptions
List the implemented exceptions

D. Breach Events
List any and all events that were attempted to breach security and the resolutions attributed to those events.

© 1997-2019 Springwolf, D.D., Ph.D., Springwolf’s Creations. All Rights Reserved.