CommunityPay produces formal governance attestations through a three-stage pipeline: continuous data collection, periodic aggregation, and formal attestation generation. This page describes each stage, the artifacts produced, and how the system generates provable effectiveness assessments.
The Three Stages
Stage 1: Continuous Data Collection
Governance data is collected continuously as a byproduct of normal operations. Every enforcement decision, exclusion event, escalation, notification, and override produces an immutable record.
Key data sources:
| Source | What It Records |
|---|---|
| EnforcementDecision | Every guard evaluation: which guards ran, what they found, what the outcome was |
| ExclusionTriggerHit | Every time a risk trigger fired: signals evaluated, conditions met |
| ExclusionStatusHistory | Every exclusion status change: created, acknowledged, resolved, expired |
| EscalationEvent | Every escalation: who was notified, when, whether they acknowledged |
| ExclusionNotificationEvent | Every notification: delivery method, success/failure, timestamp |
| AuditOverride | Every override: scope, authorization type, reason, usage count |
None of these records are created specifically for attestation — they are operational artifacts that happen to provide complete governance evidence. The attestation system reads from them; it does not modify them.
Stage 2: Periodic Aggregation (Governance Digest)
The GovernanceDigest is a periodic aggregation of governance metrics. It computes:
Exclusion Statistics
- Total exclusions evaluated
- Active exclusions currently in effect
- Exclusions pending resolution
- Exclusions resolved (with resolution breakdown)
- Exclusions expired
Escalation Statistics
- Total escalations triggered
- Escalations acknowledged (and acknowledgment rate)
- Escalations that chained to next level
- Escalations resolved
- Escalations unacknowledged (potential governance gap)
SLA Compliance
- Exclusions resolved within SLA
- SLA breaches (resolved but late)
- Critical SLA breaches (severity HIGH or CRITICAL, resolved late)
- Overall SLA compliance rate
Notification Coverage
- Notifications sent
- Notifications failed
- Notification coverage rate (percentage of exclusions with successful notification)
Control Coverage
- Exclusions with associated notification events (no silent failures)
- Control coverage rate
Stage 3: Formal Attestation (GCA)
The Governance Controls Attestation (GCA) is the formal output. It consumes digest data and control effectiveness metrics to produce a structured attestation with quantified assessment.
GCA Structure
Each GCA contains five sections:
Controls Summary
| Metric | Description |
|---|---|
| Total enforcement evaluations | How many financial decisions were evaluated |
| Pass rate | Percentage of evaluations that passed all guards |
| Blocked amount | Total dollar value of blocked transactions |
| Escalated amount | Total dollar value of transactions requiring review |
| Average evaluation time | Mean execution time per evaluation |
Override Summary
| Metric | Description |
|---|---|
| Total overrides issued | How many AuditOverrides were created |
| Override rate | Overrides / total evaluations |
| Scope breakdown | Distribution across SINGLE, BATCH, TEMPORAL, CATEGORICAL |
| Authorization breakdown | Distribution across BOARD, ADMIN, MIGRATION, CORRECTION |
| Most common override reason | The most frequently cited justification |
Exclusion Summary
| Metric | Description |
|---|---|
| Total exclusions evaluated | How many exclusion triggers were evaluated |
| Active blocks | Currently enforced exclusions |
| Trigger breakdown | Which triggers fired and how often |
| Resolution rate | Percentage resolved within SLA |
Vendor Compliance
| Metric | Description |
|---|---|
| Vendors monitored | Total vendors with BuildRated links |
| Compliance rate | Percentage with all credentials current |
| Active alerts | Outstanding compliance alerts by severity |
| Per-vendor status | Individual vendor compliance posture |
SLA Compliance
| Metric | Description |
|---|---|
| Acknowledgment rate | Percentage of alerts acknowledged |
| Mean resolution time | Average time to resolve exclusions |
| SLA compliance rate | Percentage resolved within expected timeframe |
| Critical breaches | HIGH/CRITICAL severity SLA breaches |
Overall Assessment
The GCA produces an overall assessment using a deterministic decision tree:
| Assessment | Criteria |
|---|---|
| STRONG | Pass rate > 95%, SLA compliance > 95%, override rate within expected range |
| ADEQUATE | Pass rate > 85%, SLA compliance > 85% |
| NEEDS_IMPROVEMENT | Pass rate > 70%, or SLA compliance between 70-85% |
| DEFICIENT | Pass rate < 70%, or SLA compliance < 70% |
The assessment includes a narrative explanation of the factors that contributed to the determination. The narrative is generated from the metrics — not written by a human.
Exception Register
The exception register is a structured list of governance exceptions detected during the attestation period. Auditors typically build exception registers manually from disparate sources. CommunityPay generates them automatically from source data.
Each exception entry contains:
| Field | Description |
|---|---|
| Exception type | EXCLUSION, ESCALATION, SLA_BREACH, OVERRIDE |
| Detection date | When the exception was first identified |
| Entity | Which HOA or vendor is affected |
| Severity | LOW, MEDIUM, HIGH, CRITICAL |
| Status | OPEN, ACKNOWLEDGED, RESOLVED |
| Resolution date | When resolved (if applicable) |
| Resolution notes | Documentation of resolution action |
| SLA tracking | Whether resolution met expected timeframe |
The register is generated by querying immutable source records (exclusions, escalation events, override records) and transforming them into a uniform exception format. No manual data entry is required.
Attestation Artifact
The completed GCA is stored as an InstitutionalPacket with:
- evidence_snapshot: The complete JSON containing all sections, metrics, and the exception register
- content_hash: SHA-256 of the canonical JSON evidence snapshot
- previous_packet_hash: Link to the prior GCA for the same HOA/period (chain continuity)
- reference_number: Human-readable identifier (e.g., GCA-142-2025Q1-20250401-v1)
The GCA is tamper-evident through the same content hashing and chain continuity mechanisms described in Evidence Packs & Verification.
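Anyone holding the packets can check the content hash and chain link described above independently. The following is an added example, not CommunityPay's code: the field names come from the list above, while the canonicalization rule (sorted keys, compact separators, UTF-8), a null previous_packet_hash on the first packet, the helper names, and the sample snapshots are assumptions made for illustration.

```python
import hashlib
import json

def canonical_json(snapshot):
    # Assumption: canonical form = sorted keys, compact separators, UTF-8 bytes.
    return json.dumps(snapshot, sort_keys=True, separators=(",", ":"),
                      ensure_ascii=False).encode("utf-8")

def content_hash(snapshot):
    return hashlib.sha256(canonical_json(snapshot)).hexdigest()

def make_packet(reference_number, snapshot, previous=None):
    # Assumption: the first packet in a chain carries a null previous hash.
    return {
        "reference_number": reference_number,
        "evidence_snapshot": snapshot,
        "content_hash": content_hash(snapshot),
        "previous_packet_hash": previous["content_hash"] if previous else None,
    }

def verify_chain(packets):
    """Return (reference_number, problem) findings; an empty list means intact."""
    findings, expected_prev = [], None
    for p in packets:
        # Recompute the hash from the snapshot instead of trusting the stored one.
        if content_hash(p["evidence_snapshot"]) != p["content_hash"]:
            findings.append((p["reference_number"], "content_hash mismatch"))
        # Each packet must point at the stored hash of its predecessor.
        if p["previous_packet_hash"] != expected_prev:
            findings.append((p["reference_number"], "previous_packet_hash mismatch"))
        expected_prev = p["content_hash"]
    return findings

def build_sample_chain():
    # Constructed sample data: three quarterly packets for one hypothetical HOA.
    chain, prev = [], None
    for quarter, sla in (("Q1", 97.2), ("Q2", 91.0), ("Q3", 88.4)):
        snapshot = {"assessment_period": quarter,
                    "sla_compliance_rate": sla,
                    "exception_register": []}
        prev = make_packet(f"GCA-SAMPLE-{quarter}", snapshot, prev)
        chain.append(prev)
    return chain

if __name__ == "__main__":
    edited = build_sample_chain()
    edited[1]["evidence_snapshot"]["sla_compliance_rate"] = 99.0  # simulated edit
    print(verify_chain(build_sample_chain()), verify_chain(edited))
```

A check like this detects edits only relative to a hash the verifier already trusts. Someone able to rewrite every packet can recompute the whole chain, so the latest content_hash should also be recorded somewhere outside the packet store.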
What This System Proves
The governance attestation lifecycle converts operational data into institutional-grade evidence:
- Controls operate continuously — Not tested once per audit, but measured from every enforcement decision
- Governance is quantified — Effectiveness is a number, not an opinion
- Exceptions are captured automatically — The exception register requires no manual compilation
- Assessment criteria are deterministic — The same metrics always produce the same assessment
- The entire chain is verifiable — From individual enforcement decisions through digests to formal attestation, every link in the chain references immutable source data
CARI Integration
Governance attestation artifacts — GCA, FADR, and VECR — and their timeliness are direct inputs to the CARI Governance sub-score. Board attestation currency is a required eligibility signal: an HOA without a current attestation on file cannot achieve a passing Governance component. The recency, completeness, and exception count of governance attestation cycles are weighted signals in CARI score computation.
For published methodology and component weights, see CARI Methodology and Scoring Framework.
How CommunityPay Enforces This
- Weekly GovernanceDigest aggregates exclusion, escalation, SLA, and notification metrics from source data
- Exception register auto-generated from exclusion events, escalation events, and SLA breaches — auditors typically build these manually
- GCA (Governance Controls Attestation) produces a quantified effectiveness assessment: STRONG, ADEQUATE, NEEDS_IMPROVEMENT, or DEFICIENT
- Assessment derived from measurable criteria — not subjective judgment
- All attestation data traceable to immutable source records: EnforcementDecisions, EscalationEvents, ExclusionStatusHistory
- Content hash (SHA-256) computed from canonical JSON snapshot for tamper detection