The Uncomfortable Truth About Attestation
Most governance programs have an attestation process. Few have an attestation problem they are willing to admit.
Here is how it typically works. Once a quarter, or maybe once a year, an email goes out. It asks someone, usually a vice president or a director, to affirm that the data under their domain is accurate, complete, fit for purpose, and compliant with policy. The person clicks a box, types their name, and moves on. The governance office records the response, ticks a box of its own, and tells the regulators that accountability is alive and well.
Nobody reads the policy they are attesting to. Nobody verified the data lineage before signing. Nobody could, because the tools to do so do not exist in most organizations. Attestation has become ceremony, not accountability.
What attestation is supposed to be
Attestation was designed as a forcing function. The idea is simple: if someone with authority puts their name on a claim, they have an incentive to make sure the claim is true. It moves governance from a back-office function to the front line. It makes data quality someone's actual job, not just the data team's hobby horse.
Done right, attestation is one of the most powerful governance mechanisms available. It creates a chain of custody for trust. It forces decision-makers to look at their data landscape and answer a question that matters: if this data is wrong, who is on the hook?
When that question has a real answer, governance works. When it does not, governance is theater.
What attestation has actually become
In practice, attestation in most organizations is a form of compliance performance art. The form arrives in January. The deadline is end of January. The attester has a day job that does not involve data quality. They have no dashboard, no lineage map, no automated alerts telling them whether their data is actually in good shape. They have a spreadsheet someone sent them last month, maybe, if they are lucky.
So they sign. They sign because not signing means escalation, which means meetings, which means explaining to their boss why they are the holdup on a governance deliverable. They sign because the last person in the role signed. They sign because the governance team assured them it is mostly procedural.
They sign because the system makes it easier to sign than to investigate.
This is not accountability. This is liability distribution without the accountability part. The organization gets a signature on file. The regulator sees a completed control. The attester gets plausible deniability. Nobody gets what they actually need: confidence that the data is sound.
Why this breaks under regulatory pressure
Regulators are getting sharper about this. BCBS 239 was explicit about the need for accurate, complete, and timely risk data. OCC guidance on operational risk emphasizes management accountability. The FDIC has been escalating its expectations around data integrity at community and regional banks.
These are not abstract frameworks. They are asking a direct question: who is responsible for this data, and can they prove it works?
If your attestation process produces signatures but cannot produce evidence, you do not have a control. You have a document. Regulators are increasingly trained to tell the difference. During an examination, they will ask the attester what they actually verified. When the answer is "I reviewed the summary report," the follow-up is immediate: what was in the report? How did you validate it? What would have happened if the data had been wrong? Would you have known?
Most attesters cannot answer these questions. Not because they are negligent, but because the system gave them no way to do so.
The cost of attestation without substance
The downstream damage is real. When attestation is hollow, three things happen.
First, defects accumulate silently. If the person signing off has no real visibility, errors go undetected. They compound. They show up in regulatory reports, in model inputs, in customer-facing decisions. By the time anyone notices, the cost of correction is far higher than the cost of prevention would have been.
Second, trust erodes. Once an attester realizes their signature is ceremonial, they stop treating governance as something real. The entire framework loses credibility. When the next control fails, the organizational reflex is to add another attestation layer rather than fix the underlying visibility gap. This is how you end up with three levels of sign-off and zero levels of actual verification.
Third, accountability becomes untraceable. When everyone attests and nobody verifies, the accountability chain collapses on itself. If a critical data element is wrong, and three people signed off on it, who is responsible? The honest answer is nobody, which is the same as everyone, which is the same as no governance at all.
What genuine attestation looks like
Real attestation has three prerequisites that most organizations skip.
First, the attester needs visibility. Not a summary. Not a dashboard someone else built. Actual, direct visibility into the state of the data they are responsible for. This means data quality metrics tied to critical data elements. It means lineage that shows where the data came from and what transformations it passed through. It means automated alerts when thresholds are breached, so the attester finds out about problems before the regulator does.
Second, the attester needs consequences. If an attester signs off on data that turns out to be materially wrong, there should be a documented, enforced escalation path. Not a punitive one designed to scare people, but a structured one that creates transparency. The point is not punishment. The point is that accountability without teeth is a suggestion.
Third, attestation needs to be continuous, not periodic. Quarterly sign-offs are a snapshot. Data moves daily. A quarterly attestation certifies a moment that is already past by the time the ink dries. The organizations getting this right are moving toward ongoing certification, where data quality is measured against thresholds in real time and attestation is the confirmation of a continuous state, not a point-in-time declaration.
The right approach
Start by identifying who actually makes decisions with the data. That person should be the attester, not whoever sits in the right box on the org chart. Decision-makers have skin in the game. They are the ones who suffer when the data is wrong. Aligning the attester role with decision authority is the single most impactful change you can make.
Next, build the evidence base before you ask anyone to sign. This is where most programs fail: they set up the attestation process first and then try to retrofit the evidence. Invert it. Deploy data quality monitoring, lineage tracking, and threshold alerting first. Then ask people to attest, but ask them to attest against something they can actually see.
Then make the attestation visible internally. Not buried in a governance tool nobody opens. Published, so that line-of-business heads, risk managers, and auditors can see the state of attestation across the organization. Transparency is its own enforcement mechanism.
Finally, track the gap between attestation and evidence. If someone attests but the evidence shows breaches, that should surface immediately, not at the next audit. This is where automation matters most. You cannot scale manual attestation review, and you should not try.
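The gap-tracking step above, and the continuous-versus-periodic point made earlier, are concrete enough to show in code. The following is an added example written for this page; it is not CoComply's product code and does not describe how any particular platform works. It assumes, for illustration only, that each critical data element has daily completeness and accuracy metrics with per-element thresholds, that each attestation records a hash of the evidence snapshot the attester was shown at signing time (so the signature is bound to specific evidence rather than to a vague "I reviewed it"), and that a breach observed shortly after signing is worth surfacing because a point-in-time sign-off says nothing about the days that follow. All names, thresholds, metrics and attesters are constructed sample data.

```python
from __future__ import annotations

import hashlib
import json
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class Threshold:
    completeness_min: float  # fraction of required fields populated
    accuracy_min: float      # fraction of records matching the system of record


@dataclass(frozen=True)
class Metric:
    cde: str                 # critical data element name
    observed: date
    completeness: float
    accuracy: float


@dataclass(frozen=True)
class Attestation:
    attester: str
    cde: str
    signed_at: date
    evidence_hash: str       # SHA-256 of the evidence snapshot shown at signing (assumed design)


# Constructed sample thresholds; values are illustrative, not regulatory.
THRESHOLDS = {
    "loan_balance": Threshold(completeness_min=0.99, accuracy_min=0.98),
    "customer_id": Threshold(completeness_min=1.00, accuracy_min=0.99),
}

# Constructed daily quality readings. loan_balance drifts out of tolerance in April;
# customer_id is already below its completeness floor at quarter end.
METRICS = [
    Metric("loan_balance", date(2024, 3, 30), 0.995, 0.990),
    Metric("loan_balance", date(2024, 3, 31), 0.996, 0.989),
    Metric("loan_balance", date(2024, 4, 10), 0.997, 0.962),
    Metric("customer_id", date(2024, 3, 31), 0.982, 0.995),
    Metric("customer_id", date(2024, 4, 5), 0.984, 0.995),
]


def breached_dimensions(m: Metric, t: Threshold) -> list[str]:
    """Return the quality dimensions of one reading that fall below threshold."""
    out = []
    if m.completeness < t.completeness_min:
        out.append("completeness")
    if m.accuracy < t.accuracy_min:
        out.append("accuracy")
    return out


def latest_metric(metrics, cde: str, as_of: date) -> Metric | None:
    """Most recent reading for a CDE on or before the given date, if any."""
    candidates = [m for m in metrics if m.cde == cde and m.observed <= as_of]
    return max(candidates, key=lambda m: m.observed) if candidates else None


def evidence_snapshot(metrics, thresholds, cde: str, as_of: date) -> dict | None:
    """What an attester should have been looking at when they signed."""
    m = latest_metric(metrics, cde, as_of)
    t = thresholds.get(cde)
    if m is None or t is None:
        return None  # no monitoring exists for this element
    return {"cde": cde, "observed": m.observed.isoformat(), "completeness": m.completeness,
            "accuracy": m.accuracy, "breaches": breached_dimensions(m, t)}


def snapshot_hash(snapshot: dict) -> str:
    """Canonical JSON so the same evidence always hashes the same way."""
    canonical = json.dumps(snapshot, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode()).hexdigest()


def _finding(a: Attestation, kind: str, detail=None) -> dict:
    f = {"attester": a.attester, "cde": a.cde, "signed_at": a.signed_at.isoformat(), "finding": kind}
    if detail is not None:
        f["detail"] = detail
    return f


def attestation_gaps(attestations, metrics, thresholds, window_days: int = 30) -> list[dict]:
    """Surface every place a signature and the evidence disagree."""
    findings = []
    for a in attestations:
        snap = evidence_snapshot(metrics, thresholds, a.cde, a.signed_at)
        if snap is None:
            findings.append(_finding(a, "no_evidence"))
            continue
        if snapshot_hash(snap) != a.evidence_hash:
            # Signature cannot be tied to what the system actually showed at signing time.
            findings.append(_finding(a, "evidence_mismatch"))
        if snap["breaches"]:
            findings.append(_finding(a, "attested_while_breached", snap["breaches"]))
        # A quarterly signature is a snapshot; check what happened after the ink dried.
        horizon = a.signed_at + timedelta(days=window_days)
        for m in metrics:
            if m.cde == a.cde and a.signed_at < m.observed <= horizon:
                dims = breached_dimensions(m, thresholds[a.cde])
                if dims:
                    findings.append(_finding(a, "breach_after_attestation", f"{m.observed}: {dims}"))
    return findings


def sample_attestations() -> list[Attestation]:
    """Constructed quarter-end sign-offs covering the four cases the checker detects."""
    q_end = date(2024, 3, 31)
    loan_hash = snapshot_hash(evidence_snapshot(METRICS, THRESHOLDS, "loan_balance", q_end))
    cust_hash = snapshot_hash(evidence_snapshot(METRICS, THRESHOLDS, "customer_id", q_end))
    return [
        Attestation("alice", "loan_balance", q_end, loan_hash),      # clean at signing, breaches on 10 April
        Attestation("bob", "customer_id", q_end, cust_hash),         # signed despite a completeness breach
        Attestation("carol", "collateral_value", q_end, "0" * 64),   # element is not monitored at all
        Attestation("dave", "loan_balance", q_end, "f" * 64),        # hash does not match the evidence shown
    ]


if __name__ == "__main__":
    for finding in attestation_gaps(sample_attestations(), METRICS, THRESHOLDS):
        print(finding)
```

Binding the signature to a hash of the evidence snapshot is the part worth keeping even if everything else is replaced: it turns "I reviewed the summary report" into a verifiable claim about a specific set of numbers on a specific date, and a mismatch is itself a finding. The post-signing window is what makes the check continuous rather than a second periodic review; in practice it would run on every new metric reading, not once a quarter.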
The CoComply angle
At CoComply, we believe attestation should be the natural output of a system that works, not a manual process layered on top of one that does not. Certification, done right, makes attestation redundant because the data quality state is continuously verified and continuously visible. The signature becomes a confirmation of what the system already proves, which is how trust infrastructure should work.
If your attestation process requires someone to trust without verifying, it is not a control. It is a risk.
The closing test
Ask your data governance lead for the last time an attester flagged a data quality issue during the attestation process itself. Not after. Not because an auditor found it. During. If the answer is silence, your attestation is a signature, not a safeguard. The question is not whether your people are willing to sign. It is whether your systems give them any reason not to.
