QA vs UAT: The Difference, and Who Is Actually Accountable
Most enterprises can recite the textbook difference between QA and UAT. Far fewer can name the person accountable for each. That second question is where releases actually fail, and it is the one this article answers.
Quality assurance verifies that software behaves as specified. It is owned by the delivery organization, executed by engineers and testers, and grounded in requirements: functional tests, regression suites, integration checks, performance baselines. When QA passes, it means the system does what the specification says it should do.
User acceptance testing answers a different question: is this what the business actually needs? UAT is performed by the people who will live with the system, against real workflows, real data shapes, and the unwritten rules that never made it into a requirements document. A release can pass QA completely and still fail UAT, because the specification itself was wrong, incomplete, or quietly out of date. The two disciplines are not stages of the same test. They are different tests of different things, and treating UAT as a second pass of QA is the first mistake most programs make.
In practice, the boundary erodes from both sides. Delivery teams under schedule pressure hand QA-style scripts to business users and call the walkthrough UAT. Business users, unsure what they are meant to contribute, re-execute the same happy paths QA already covered and sign whatever is put in front of them. The result is two rounds of the same test and zero rounds of genuine acceptance.
The symptoms are recognizable in any enterprise program. UAT windows are compressed into the final days before a fixed go-live date. Defects found in UAT are reclassified as change requests because the specification technically permits the behavior. Sign-off arrives by email from someone who attended one demo. None of this is a failure of effort. It is a failure of definition: no one has stated what UAT must prove that QA cannot, so UAT proves nothing at all.
Who is actually accountable
Accountability follows the question being answered. QA is accountable to the delivery leader: if the system does not match the specification, engineering owns the gap, and the QA lead owns the evidence that the gap was found or missed. This accountability is usually healthy, because it lives inside one management line with one budget and one definition of done.
UAT accountability belongs to the business, and this is where most organizations go vague. The person who signs UAT is accepting the system on behalf of everyone who will use it, and accepting the residual risk of everything UAT did not cover. That signature should come from a named business owner with the authority to say no, a documented scope of what was tested, and a listed set of open items they are consciously accepting. When UAT sign-off is treated as a courtesy step, the enterprise has not shortened its release process. It has moved risk acceptance from a named executive to nobody, and the gap only becomes visible after production breaks. In regulated sectors, that gap is also an audit finding: SOX and DORA both expect evidence of who accepted a change and on what basis, a point we develop in our release governance framework for regulated enterprises.
A simple accountability test
A quick diagnostic works in almost any organization. Ask three questions of the last major release. Who signed QA closure, and against which specification version? Who signed UAT acceptance, and what open items did that signature consciously accept? If the release had failed in production in its first week, whose decision would the post-incident review have examined?
Healthy programs answer all three with names in seconds. Struggling programs answer with team names, meeting references, or silence. Team names are the tell: a committee cannot accept risk, because acceptance means being answerable afterwards, and afterwards there is no committee, only individuals explaining what they knew at the time. The same logic drives regulatory expectations. An auditor tracing a defective change does not want to know which teams were involved. They want the decision record: who approved, what they saw, and what they accepted. If that record does not exist, the distinction between QA and UAT was never real, however well both were staffed.
Separating the two on purpose
Distinct entry and exit criteria
UAT does not begin until QA has formally closed, with results published. UAT exit requires a decision, not a date: the business owner signs, defers with reasons, or rejects. A calendar reaching its end is not an exit criterion, yet in most struggling programs it is the only one being applied.
Scenarios owned by the business
UAT scripts are written by the people who run the process, drawn from real cases: month-end close, a disputed transaction, a customer with three accounts and one expired mandate. If delivery writes the UAT scenarios, the business is auditing the delivery team's imagination rather than testing its own reality.
A named signature with content behind it
The sign-off record states what was tested, what was not, which defects remain open, and who accepts them. One name, one date, one decision. This is the same evidence discipline that separates governed releases from hopeful ones, and it is the artifact an auditor will ask for first.
Why the separation pays for itself
On a regulated digital banking program, RNVATE rebuilt the acceptance chain along exactly these lines: QA closed against specification, UAT ran business-owned scenarios, and every go decision carried a named signature with open risks listed. Post-release defects fell by 35 percent, not because testing hours increased, but because defects stopped slipping through the undefined space between two teams who each assumed the other had looked. The full story is in our digital banking CX transformation case study.
The pattern generalizes. When QA and UAT are blurred, every escaped defect triggers the same circular argument about whose test should have caught it. When they are separated, with distinct questions and named owners, escapes become traceable to a decision that can be examined and improved. That is the practical difference between quality as an activity and quality as a governed outcome, and it is the foundation on which our Release & QA Governance practice is built.
Let's build something
transformative.
Tell us about your goals and our experts will map a path from where you are to where you need to be.
Let's Talk