How to run an annual policy attestation cycle for Small Law and Accounting Practices

Compliance & Legal | For Small Law and Accounting Practices | 3 apps | 10 steps | ~20 min to set up

Once a year, someone at your firm remembers that employees, partners, and contractors are supposed to re-attest to your data security policy, conflicts-of-interest policy, and client confidentiality agreement. That 'someone' sends a batch of Outlook emails with a PDF attachment, tracks responses in a spreadsheet, chases non-responders manually, and then reconstructs the completion record weeks later when your malpractice carrier or state bar asks for proof. At a six-attorney firm, this takes two to three hours of paralegal time spread across two weeks — not because the task is hard, but because the tooling is a cobbled-together mess of email, a shared Excel file, and a scanner.

Outcome

What you'll set up

A structured attestation tracker that records who has signed, who hasn't, and which policy version each person attested to — pulling from your Outlook or Gmail contact list and logging completions in Starch
Automated reminder emails drafted and sent at configurable intervals (day 3, day 7, day 14) to anyone who hasn't responded, with escalation to the managing partner if still outstanding after two weeks
A completion report you can export or share with your malpractice carrier, bar association auditor, or firm administrator — showing attestation date, policy version, and signatory name for every covered individual
The Starch recipe

Apps, data, and prompts

The combination of Starch apps, the data sources they pull from, and the prompts you use to drive them.

Data sources & config

Starch syncs your Outlook data on a schedule (messages, contacts, and calendar events) so the agent can read your inbox for incoming 'I confirm' replies and log completions automatically. Your firm's policy documents are stored in Notion, which Starch also syncs on a schedule, so the current policy version and text are always accessible. The task-manager app tracks overdue items and escalations; no outside integrations needed for that piece. If your firm roster lives in a spreadsheet or a web-based HR tool, Starch can connect it from the integration catalog — the agent queries it live when building the initial recipient list.

Prompts to copy
Build me an annual policy attestation tracker. Pull the list of attorneys, paralegals, and contractors from my Outlook contacts and firm roster. For each person, track whether they've attested to our current data security policy, conflicts-of-interest policy, and client confidentiality agreement. Show me a status board with three columns: Not Sent, Awaiting Response, Completed. Flag anyone overdue by more than 7 days in red.
Draft a policy attestation email to send to each person on the outstanding list. It should reference the specific policy name and version number, include a plain-English one-paragraph summary of what they're attesting to, and ask them to reply 'I confirm' or click a link. Tone should be professional but not alarming — this is routine annual compliance, not a disciplinary notice.
Set up automated follow-up reminders: if someone hasn't responded within 3 days of the initial send, draft a short nudge email. If still no response after 7 days, escalate with a note to the managing partner's task list and draft a firmer follow-up. Log each send attempt in the tracker.
Walkthrough

Step-by-step

1. Connect Outlook (or Gmail) as a scheduled-sync provider in Starch. This gives the agent access to your contacts list, sent mail history, and incoming replies — all of which it reads to track who has responded.
2. Connect Notion in Starch as a scheduled-sync provider. Store your current policy documents there (data security, conflicts-of-interest, client confidentiality) with a clear version number in the page title (e.g., 'Data Security Policy v2.4 — Effective 2026-01-01').
3. Tell Starch to build your attestation tracker: give it the list of people who need to attest (attorneys, paralegals, contractors, and any other covered individuals), the three policy names, and the due date for the cycle. Starch creates a status board.
4. Use the Email Agent app to draft the initial attestation email. Review and approve the draft — it will include the policy name, version, a plain summary, and a simple reply instruction. The agent sends it to each recipient on the list and logs the send date.
5. Starch monitors your Outlook inbox for replies. When someone replies 'I confirm' (or a variant you specify), the agent marks their row as Completed and timestamps the entry.
6. At day 3, the Email Agent drafts and sends a short reminder to anyone still showing 'Awaiting Response.' You can review the draft batch before it goes, or set it to auto-send if you trust the template.
7. At day 7, the agent escalates: it adds a task to the Task Manager app flagged as P1 with the overdue person's name, drafts a firmer follow-up email for your review, and sends a summary to the managing partner via Outlook.
8. At day 14, anyone still non-compliant gets a final notice. The managing partner is notified again, and the tracker marks that individual as 'Escalated — Requires Personal Follow-Up.'
9. Once the cycle closes, tell Starch: 'Generate a policy attestation completion report for cycle year 2026. Include each person's name, role, the three policies they attested to, the policy version numbers, and the date of their confirmed response. Format it as a table I can export as a PDF.' Starch assembles it from the tracker data.
10. Save the completion report in your Knowledge Management app alongside the policy documents. Next year, the agent can reference last year's cycle to pre-populate the recipient list and flag any role changes.

See this running on Starch

Connect your tools, describe what you want, and the agent builds it. Closed beta is free.

Worked example

March 2026 Annual Attestation Cycle — Six-Attorney Firm

Sample numbers from a real run
Total covered individuals: 11
Completed by day 7: 8
Required day-7 reminder escalation: 2
Required managing partner intervention: 1
Paralegal hours to run cycle (prior year): 3
Paralegal hours to run cycle (with Starch): 0.5

In March 2026, the firm needs attestations from 6 attorneys, 3 paralegals, 1 part-time contract researcher, and 1 office manager — 11 people total across three policies. Previously the firm administrator spent roughly 3 hours over two weeks: drafting emails, updating a spreadsheet, chasing two attorneys who never check their inbox, and then reconstructing the full log when the malpractice carrier asked for documentation in April. With Starch, she describes the cycle once ('send attestation emails for our data security, conflicts, and confidentiality policies to this list; remind anyone who hasn't replied by day 3; escalate to me at day 7'). Eight of eleven people reply within the first week; the agent logs them automatically from their Outlook replies. Two receive the day-3 nudge and respond same day. One senior partner — predictably — ignores both emails; Starch adds a P1 task to the managing partner's Task Manager and drafts a two-line personal note. The full completion report, including policy version numbers and timestamps, is ready by March 18. Total hands-on time for the firm administrator: about 30 minutes across the whole cycle, mostly reviewing email drafts and exporting the final PDF.

Measurement

How you'll know it's working

Attestation completion rate by the firm-mandated deadline (target: 100% of covered individuals)
Average days to full-cycle close (from first send to last confirmed response)
Number of manual follow-ups required beyond automated reminders (a proxy for process compliance culture)
Policy version currency — are all attestations tied to the current version, or did someone slip through on a prior-year doc?
Comparison

What this replaces

The other ways teams handle this today, and how the Starch version compares.

Clio Manage + manual email
Clio tracks matter and contact data well but has no built-in policy attestation workflow — you're still managing the email chain and the response log outside the tool.
DocuSign or Adobe Sign
Great for getting a signature on a document, but they don't monitor your inbox for confirmations, send tiered reminders, escalate overdue items to a task list, or produce the summary compliance report — you're assembling all of that manually afterward.
Google Forms or Microsoft Forms
Free and quick to set up for collecting responses, but you still send the emails by hand, track completions in a separate spreadsheet, and write the completion report yourself — none of the workflow is automated.
Karbon or TaxDome (for accounting practices)
These tools handle client-facing workflow well and have some internal task features, but policy attestation cycles — especially with automatic reminder escalation and a carrier-ready completion report — aren't a supported use case out of the box.
On Starch (recommended)

One platform — email agent, task manager, knowledge management all running on connected data. Setup in plain English; numbers stay current via scheduled syncs and live agent queries.

FAQ

Frequently asked questions

We use Gmail, not Outlook. Does this work the same way?
Yes. Starch syncs Gmail on a schedule the same way it syncs Outlook — messages, labels, and contacts. The Email Agent reads incoming replies from your Gmail inbox and logs completions the same way. One note: Gmail's OAuth consent screen currently shows the name of Starch's verified connector rather than 'Starch' — this is a known cosmetic issue and is on the roadmap to fix. It doesn't affect functionality.
What if someone replies with something other than 'I confirm' — like a question about the policy?
The agent flags ambiguous replies (anything that isn't a clear confirmation) and surfaces them in your Email Agent inbox triage for your review. You won't get a false positive logged as 'Completed.' The agent drafts a suggested reply to the policy question and holds the completion status until you mark it resolved.
Can Starch actually send emails on my behalf, or does it just draft them?
It can do both — draft for your review before sending, or auto-send based on a template you've approved. For the initial attestation email, most firms want to review the first send before it goes out. For day-3 and day-7 reminders that are purely mechanical nudges, auto-send is reasonable. You control this per step when you set up the automation.
Our firm roster isn't in Outlook — it's in a spreadsheet. Can Starch read from that?
If it's a Google Sheet, Starch can connect it from the integration catalog and the agent queries it live when building the recipient list. If it's a local Excel file, the easiest path is to paste the list directly when you're setting up the attestation cycle, or upload it to Notion (which Starch syncs on a schedule) and reference it from there.
Is this secure enough for attorney-client confidentiality policy documents?
Starch is not currently SOC 2 Type II certified — that's an honest limit worth knowing if your firm has strict vendor compliance requirements. The policy documents themselves stay in Notion; Starch syncs and reads them but doesn't store copies outside your connected tools. If your malpractice carrier or bar association requires SOC 2 Type II certification from vendors with access to internal firm documents, you should flag that before connecting.
Can the completion report reference which version of each policy each person attested to?
Yes, and this is worth being deliberate about. Store your policies in Notion with the version number in the page title (e.g., 'Conflicts Policy v3.1 — Effective 2026-01-01'). When you describe the attestation cycle to Starch, reference the version. The agent logs version alongside name and date in the tracker, so the completion report is unambiguous — useful if someone later claims they attested to an outdated policy.
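
The reply matching and reminder tiers from walkthrough steps 5 to 8, together with the FAQ answers on ambiguous replies and policy versions, can be checked independently of any tool. The following is an added example, not Starch's code: the function names, status labels, mail addresses, and the strict single-line match rule are all assumptions made for illustration.

```python
import re
from datetime import date

CONFIRM = re.compile(r"i confirm[.!]?", re.IGNORECASE)
VERSION = re.compile(r"\bv\d+(?:\.\d+)*\b")

def classify_reply(reply, expected_sender, current_version):
    """'completed' only for an unambiguous confirmation of the current version."""
    if reply["from"].strip().lower() != expected_sender.lower():
        return "review"  # sent from a mailbox other than the signatory's
    if set(VERSION.findall(reply["subject"])) != {current_version}:
        return "review"  # thread names no version, or a prior-year one
    # Count only the sender's own text: the quoted original ('>' lines)
    # also contains the words "I confirm" and must not trigger a match.
    own = [ln.strip() for ln in reply["body"].splitlines()
           if ln.strip() and not ln.lstrip().startswith(">")]
    if len(own) == 1 and CONFIRM.fullmatch(own[0]):
        return "completed"
    return "review"  # question, caveat, signature block, or anything extra

def next_action(status, sent_on, today):
    """Map days since the initial send to the day-3 / day-7 / day-14 tiers."""
    if status != "awaiting":
        return {"completed": "none", "review": "manual_review"}[status]
    days = (today - sent_on).days
    if days >= 14:
        return "final_notice"
    if days >= 7:
        return "escalate_to_managing_partner"
    return "reminder" if days >= 3 else "wait"

def cycle_status(roster, replies, sent_on, today, current_version):
    """Return {address: (status, action)}; replies is keyed by thread owner."""
    out = {}
    for addr in roster:
        status = classify_reply(replies[addr], addr, current_version) if addr in replies else "awaiting"
        out[addr] = (status, next_action(status, sent_on, today))
    return out

# Constructed sample data (addresses, subjects and bodies are invented).
SUBJ = "Re: Data Security Policy v2.4 attestation"
QUOTED = "\n\n> Please reply 'I confirm' to attest to v2.4."
ROSTER = ["a@firm.example", "b@firm.example", "c@firm.example", "d@firm.example", "e@firm.example"]
REPLIES = {
    "a@firm.example": {"from": "a@firm.example", "subject": SUBJ, "body": "I confirm." + QUOTED},
    "b@firm.example": {"from": "b@firm.example", "subject": SUBJ, "body": "Does this cover my laptop?" + QUOTED},
    "c@firm.example": {"from": "c@firm.example", "subject": SUBJ.replace("v2.4", "v2.3"), "body": "I confirm"},
    "d@firm.example": {"from": "asst@firm.example", "subject": SUBJ, "body": "I confirm"},
}
```

Calling `cycle_status(ROSTER, REPLIES, date(2026, 3, 2), date(2026, 3, 9), "v2.4")` marks only the first signatory as completed; the question, the prior-version thread, and the reply from a different mailbox all go to review, and the non-responder is escalated at day 7.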

Ready to run an annual policy attestation cycle on Starch?

Request closed-beta access. Everything is free during beta.
