Compliance Certification vs Attestation
What is an attestation?
An attestation is a review in which an independent party compares data and evidence against a control or process and determines whether that control is suitably designed and operating as described. The review process itself is sometimes called an audit. In either case, the output of an attestation engagement is an attestation report.
The attestation report is issued by the independent auditors and contains their opinion on the organization's internal controls. It is not a pass or fail verdict; rather, it is a favorable (unqualified) or unfavorable (qualified or adverse) opinion from the auditors on the state of your compliance program. A practitioner reading one should therefore check the scope, the period covered, any exceptions noted, and whether the opinion is unqualified, not just whether a report exists.
Attestation reports of this kind (SOC reports, which are issued under the AICPA's attestation standards) can only be issued by licensed CPA firms.
Example of attestation
SOC 1, SOC 2, SOC 3; HIPAA compliance assessments (note that there is no official HIPAA certification or accredited HIPAA certification body, so a third-party HIPAA review produces a report, not a certificate)
What is a certification?
A certification is a qualification recognized by an accredited body. The qualification is the result of an audit or assessment performed by an auditor working on behalf of that body. The organization receives an audit report as well as an official certificate, usually valid for a fixed period and subject to surveillance audits. The distinction between an attestation and a certification is that the certificate is issued on top of the audit report and can only be issued by an accredited certification body.
Example of certification
ISO 27001; CMMC; PCI DSS (commonly described as a certification, although what a Qualified Security Assessor actually issues is a Report on Compliance together with a signed Attestation of Compliance). GDPR is often listed here as well, but it is a regulation rather than a certification standard: an organization can be assessed against it, and certification schemes under GDPR Article 42 exist, but there is no single, general "GDPR certification" issued by an accredited body.
Summary
Both attestation and certification go through a similar audit review process. In an attestation audit, the outcome is the auditor's opinion in an attestation report; in a certification audit, the outcome is a certificate issued by an accredited body in addition to the audit report. In both cases, the report's scope, period and exceptions matter more to a security reviewer than the label on the document.