Who should perform control attestation?

The attestation of controls is typically performed by Attestation Responders, who are individuals or teams designated to provide evidence of control effectiveness and compliance. These responders are often knowledgeable about the specific controls and their associated requirements, and they play a crucial role in ensuring that controls are operating as intended and within the parameters set forth by the organization.

Attestation Responders gather and validate the necessary documentation, data, and feedback related to the effectiveness of the controls they attest to. This process is fundamental in the context of risk management and compliance, as it helps ensure that controls meet regulatory standards and internal policies. By performing the attestation, these responders provide assurance to management and stakeholders that the controls are functioning properly and are effective in mitigating identified risks.

While Control Owners and Control Admins have responsibilities related to the implementation and oversight of controls, their roles do not typically encompass the independent evaluation and attestation process. Risk Managers may oversee the overall risk framework and ensure that controls align with risk appetite, but they do not generally perform the act of attestation themselves. Therefore, Attestation Responders are designated specifically for this task, making them the most appropriate choice for performing control attestation.