Policy Attestations

Learn how to create and manage attestations


Attestations are an important part of the governance process. This feature gives you the ability to capture signatures from your team demonstrating that policies have been acknowledged.

Notably, gathering attestations comes with its share of logistical issues. We've carefully addressed a number of edge cases in order to satisfy the need for an audit trail. We've included a list of these edge cases at the end of this document.

Create an Attestation

Attestations are intended for released policies only. Once you have released a policy, click on the attestations tab to begin. From this tab, click Create Attestation.

From the open dialog, set the following values:

  1. Recipients - You may select Departments or Individuals. We recommend selecting departments since this will account for users who are added and removed over time. If you need to collect attestations from everyone in your organization, select each department in your organization. We will automatically resolve situations where your users may be in more than one department.

  2. Author - Set yourself as the author.

  3. Start Date - This is the first date on which users will be notified about the attestation. If you set this to today, or in the past, users will be notified as soon as you click save.

  4. Due Date - This is the due date for the signed attestation. Users receive a sequence of emails leading up to and past this due date with notifications informing them of their obligation to sign.

  5. Recurrence - Some policies need to be signed on a recurring schedule. Keep in mind that if you create a new version of a policy, you must create a new attestation for that new version. We have created the system so that attestations for a new policy version may not overlap and may not co-exist.

Click Save. This attestation is now active and will notify your intended audience immediately or on the start date.

Attestation Template Status

Scheduled

The attestation template has been created but hasn't reached the start date yet.

Active

This attestation is currently active and is eligible for gathering signatures.

Superseded

The attestation template is no longer active because a newer one was activated.

Archived

The attestation template was manually archived by the author.

Notifications

Email

Notifications are delivered via email to each user. Only members of your organization can be added to an attestation. Learn how to add users.

Emails are delivered on the schedule shown below. At this time, we do not have custom scheduling. Emails will not be delivered prior to the start date defined in the attestation.

Schedule

  1. Immediately - If the start date is set to today or in the past, notifications will go out immediately; otherwise the first notification will be delivered on the future start date.

  2. One week prior - A notification will go to all users who have not yet signed one week prior to the due date.

  3. One day prior - A notification will go to all users who have not yet signed the day before the due date.

  4. Due Date - A notification will go to all users who have not yet signed on the due date.

  5. Past Due - A notification will go to all users who have not yet signed every 7 days for as long as the attestation remains active.

User Attestation Status

Department

A user leaves department A and joins department B. It's possible that a user in department A is moved to department B prior to signing an attestation. When this move occurs, we will note the attestation record as "department" rather than "signed". This will be shown on reporting and audit logs. If the user is subsequently added back into the department, we will remove the department status as long as the attestation is still active.

Revoked

A user is revoked from PolicyCo for some reason. If a user is revoked, they cannot log in to PolicyCo and therefore cannot sign an attestation. We will mark this attestation record for the user as "revoked". If the user is subsequently added back into the organization, we will remove this revoked status as long as the attestation is still active.

Attestation Archived

An attestation is archived before the user has signed.

Policy Archived

A policy is archived before the user has signed.

Failed

The user did not sign the attestation by the time a new attestation was created. For example, a user received notifications to sign Version 1 of a policy and they do not complete the task by the due date. Your organization releases a new version of the Policy (Version 2) and sets up a new attestation. If the new attestation start date becomes effective and the user never signed the previous attestation, their record will be marked as failed.

Incomplete

The attestation is active and in effect, but the user has not yet signed the document. Note the difference between Failed and Incomplete.

Signed

The user signed the attestation.

Reporting

Owners can see attestations from the Home Dashboard and from the Attestations tab in Settings: Policies. Both function the same; however, the dashboard view will show all attestations across all policies.

Policy Managers can see attestations in Settings: Policy under the Attestations tab.

Each row of the attestations grid displays an attestation ruleset as described earlier in this document. This ruleset defines the policy, users and timeframe for a given attestation. Clicking on a row will open a detail grid displaying each user and their signing status. The various statuses are explained above.

We are planning to add export control to this soon, but for now, you can filter and sort by status and date.

Signing

Users sign attestations from the PolicyCo Viewer. New attestations appear in the Inbox on the left side panel. The signature line is located at the bottom of the document. Once signed, we capture the user ID, name, timestamp and IP address. These values are displayed below the signature line.

Signed documents are moved to the Archive for future reference.

FAQ

We will add to the FAQ as we receive more questions; however, most of the nuances of how we account for attestations are covered above in the various attestation status tables.

Q: What happens if I archive a policy while there is an active attestation?

A: The attestation will be archived. All attestation records for users who have not yet signed will be marked as Policy Archived.
