Technological advances now enable departments to use a range of services that combine into wider technology ecosystems.
In an increasingly digitised world, the next natural step is for agencies to implement electronic approval processes (e-signing). We are seeing many agencies increase their use of electronic signatures to sign documents and to authorise transactions.
Electronic signatures, or e-Signatures, are the electronic version of manually handwritten, physical signatures (known as ‘wet signatures’). Like a wet signature, an e-Signature is a legal concept; its purpose is to bind a signatory to a document, in a way that proves the person signing is who they say they are.
There are several ways of achieving this, some of which are more reliable than others. Examples include a:
The latter technology (digital signatures) requires the signatory to prove their identity through an authentication process. This prevents tampering, making it the most secure and reliable option. It is the foundation on which almost all enterprise e-signature software is built.
Although the terms are similar, e-signatures and digital signatures are quite different.
An e-signature is a legal concept and a catch-all term for a variety of methods (see those listed above) for authenticating signers.
Digital signatures are a very specific security technology for authenticating and securing objects using public/private key cryptography. The signature is authenticated with a certificate-based digital ID, typically issued by a trusted third-party certificate authority.
A good, enterprise e-Signature platform will use digital signatures.
Sections 8 and 15 of the Financial and Performance Management Standard 2009 require departments and statutory bodies to design their control environment to suit their business needs and reduce the risk of fraud and error to an acceptable level.
As auditors, we examine whether agencies have suitably designed and implemented effective approval controls. This means that if your agency intends to use electronic means to approve documents or expenditure, we will review how you have designed your controls to reduce the risk of fraudulent approvals being accepted.
The Electronic Transactions (Queensland) Act 2001 outlines that if a person’s signature is required then three tests must be met for the signature to be valid:
A scanned image of a signature on an unsecured document fails these tests, because the document:
Enterprise e-signature platforms require a signatory to prove their identity in order to sign the document. This provides evidence of their identity, and then ‘seals’ the document to prevent it being easily edited. These controls increase its reliability and add an extra layer of security.
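As an added illustration (not code from this page or from any e-signature product it refers to), the Go program below models the two properties described above: a digital signature binds a named signatory to the document content, and any edit after signing, or a signature made with someone else's key, fails verification. The key pair, signer name and approval text are constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// SignedDocument is a constructed, minimal model of what an e-signature
// platform produces: the content, the claimed signer, and a signature
// over both, so neither can be swapped without breaking the seal.
type SignedDocument struct {
	Content   []byte
	Signer    string
	Signature []byte
}

// signingInput binds the signer's identity to a digest of the content, so
// one signature covers both the document and who approved it.
func signingInput(content []byte, signer string) []byte {
	h := sha256.New()
	h.Write([]byte(signer))
	h.Write([]byte{0}) // separator so signer/content boundaries are unambiguous
	h.Write(content)
	return h.Sum(nil)
}

// Sign seals the document with the signatory's private key, i.e. the private
// half of the digital ID an e-signature platform issues after authentication.
func Sign(priv ed25519.PrivateKey, signer string, content []byte) SignedDocument {
	sig := ed25519.Sign(priv, signingInput(content, signer))
	return SignedDocument{Content: content, Signer: signer, Signature: sig}
}

// Verify checks the seal against the public key that a trusted source (the
// signer's certificate) says belongs to doc.Signer. Any change to the content
// or the signer field, or a key belonging to someone else, returns false.
func Verify(pub ed25519.PublicKey, doc SignedDocument) bool {
	return ed25519.Verify(pub, signingInput(doc.Content, doc.Signer), doc.Signature)
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // the signatory's digital ID (constructed)
	doc := Sign(priv, "J. Officer (constructed)", []byte("Approve payment of $1,200.00 to Vendor X"))
	fmt.Println("genuine approval verifies:", Verify(pub, doc))
	tampered := doc
	tampered.Content = []byte("Approve payment of $9,200.00 to Vendor X") // edited after signing
	fmt.Println("edited approval verifies:", Verify(pub, tampered))
}
```

A scanned image of a wet signature pasted into a document has no equivalent of Verify: the picture looks identical whether or not the amount beside it was changed.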
Most agencies have reviewed their control environment and developed policies that aim to address these three tests. But they are not always adjusting their control activities to implement their policies. This means that processing staff are inappropriately accepting documents with just pictures of signatures or email approvals.
Generally, no, because a basic email also fails these tests.
Over the last couple of years, we have seen an increased number of fraud attempts whereby fraudsters impersonate an email account holder to change bank account details for employees or vendors.
This shows that emails lack the security to evidence the identity of the account holder and the account holder’s intentions. Emails are not reliable because they can be manipulated before being sent or once received.
Agencies need to consider the risks of accepting email approvals and requests when designing their control environment and implementing control activities. This includes implementing complementary controls to verify information, such as calling the sender using contact details sourced independently (for example, from the entity’s website) rather than taken from the footer of the email.