What is Attestation?
A formal confirmation that something is true - often an auditor asserting your controls meet a standard.
Attestation: definition
Attestation appears at two levels. Externally, a SOC 2 or SOC 1 report is an attestation: an independent auditor formally asserts, based on evidence, that your controls are designed and (for Type II) operating as described. Internally, attestations are the sign-offs that a control ran - a manager confirming an access review was completed, for example. Both create accountable, on-the-record confirmations that underpin compliance.
- External: an auditor’s formal report (e.g., SOC 2) on your controls
- Internal: a named sign-off that a control or task was performed
- Creates on-the-record, accountable confirmation
- Stronger than self-assertion when independent
How Fintra handles it
Fintra captures internal attestations as first-class evidence: when a person signs off that a control ran - an access review, a reconciliation, a policy acknowledgment - it is recorded in the trust ledger with the named attester and timestamp. That record feeds the external attestation (the auditor’s report) by proving the controls operated, tamper-evidently, across the period.
Worked example
Frequently asked questions
What is the difference between attestation and certification?
A certification (like ISO 27001) is a pass/fail credential issued against a standard by an accredited body. An attestation (like SOC 2) is an auditor’s formal report expressing an opinion, based on evidence, about your controls. Attestations describe; certifications certify.
What is a self-attestation?
A self-attestation is your own formal declaration that something is true - for example, completing a security questionnaire or confirming a control ran. It is useful but weaker than an independent attestation, because no third party has verified it.
How do internal attestations support external ones?
Internal sign-offs that controls operated (access reviews, reconciliations) are the evidence an external auditor tests to produce their attestation report. Reliable, tamper-evident internal attestations make the external attestation smoother and more credible.
How does Fintra handle attestations?
Fintra records internal attestations as first-class, tamper-evident evidence in the trust ledger - capturing the named attester and timestamp - which then supports the external auditor’s attestation by proving controls operated across the period.
Stay in the loop
One practical finance briefing a week - new guides, checklists, and benchmarks.
See how Fintra handles the numbers behind this term
Fintra is the AI Finance Operating System for SMBs - accounting, planning, payroll, equity, and AI governance on one shared data model, with a named human approving anything consequential. Free to start, no card required.
Talk to us