What is an electronic approval process?
An approval process is the steps and tasks involved for someone with the appropriate authority to formally approve or authorise decisions and actions. An electronic approval process is one where approval is provided electronically. This may be by:
- the attachment of an electronic or digital signature or
- automated action tracking through workflow functionality and other systems-based automation.
Most approval processes can now be done electronically, without the costly and resource intensive need to print, sign and scan to ensure evidence of approval is obtained.
Government already conducts most business electronically, with some forms of electronic approvals well established. For example, approvals conducted through email with a typed signature or the use of Human Resource (HR) online systems to approve leave.
Where to start?
The following tools help with transitioning from hardcopy to electronic approval processes:
- a digitisation plan covering hardcopy records associated with the approval process
- an EDRMS or other system that has action tracking or workflow functionality and robust audit logs.
Start with an approval process that has a lot of transactions associated with it, and one that is mostly being done electronically but which has some aspects that are not. For example, something that is printed to paper for an ink signature and then scanned back in. This provides high benefit for the least amount of work and can be used to demonstrate the value of electronic approval processes to support further work.
Review the process to determine the following:
- agency specific legislation that may require records to be in specific formats or where particular conditions are to be met. Such legislation may restrict your ability to use electronic authorisation.
- points where approval may be conducted electronically and what may be needed for this to occur. For example, confirmation may be needed from the stakeholders involved that they agree to approval being conducted via email. A policy governing the process may need to be in place.
- risks involved with the proposed changes for the process to become electronic and whether they are acceptable. For example, risk will most likely be low if there is a strong forensic trail covering the identity of the people involved as well as attesting to the integrity of the record.
Obtaining senior executive / senior management approval for the electronic approval process to go ahead will help with obtaining the support needed to implement it.
Once one approval process is fully electronic, collect statistics on what this is saving the agency regarding time, resources, and cost as this can be used to strengthen a case for making more approval processes electronic.
Strengthening the approval process
Using electronic approval processes will not invalidate the resulting records as evidence. Any type of document can be admitted as evidence in its own right, provided its authenticity and reliability is unchallenged or proven sound.
Regardless of the method used, any approval process should be documented and regularly audited to ensure the records can be used as evidence, if needed.
Documentation should include:
- the approval process used
- the steps or actions involved in the approval process
- who has authority to do what when.
Audits should cover:
- system functionality
- system integrity
- user practice.
Types of electronic approval processes
An electronic signature (or e-signature) on an electronic document is intended to perform the same purpose as a handwritten signature on a paper document. Types of e-signatures include:
- typing your name at the bottom of an email
- using a generic email signature
- placing a digitised image of a handwritten signature on a scanned copy of a document or a born-digital document
- typing a name and then clicking ‘accept’ to agree to terms and conditions on a website
- handwriting a signature onto a hardcopy document and then scanning it to digital form
- using a digital pen to manually sign on an electronic device
- attaching a digital signature to a digital document.
Note that electronic signatures vary in their strength; some are very robust at associating a person with an action, others are relatively weak. The legal intention is for robustness to match the importance of the document.
A very small number of documents must have a hand written signature. There is a requirement in law for a hand written ink signature in certain circumstances, such as Wills and other documents that have to be witnessed.
A digital signature is a type of electronic signature.
A digital signature is a cryptographic technique that creates a unique and unforgeable identifier in an electronic document. This type of signature can be checked by the receiver to verify the identity of the author and that it has not been interfered with. Common forms of digital signatures use public key infrastructure (PKI), including digital certificates, for authentication purposes and to demonstrate integrity.
Note that the practical strength of a digital signature is less than its theoretical strength. This is because users must use systems to apply digital signatures. Anyone who can use the system as if they were that person (for example, logging into a computer as that person, or using an unlocked computer) can apply the digital signature.
Automated system / workflow functionality
Electronic business systems usually contain some automation functionality that enables specific data to be collected by the system in accordance with business rules. Workflow functionality is built to require authorisation steps. It is set up so that certain people are authorised to perform specific steps; and it records the identity of the person that actually performs them. Note that this identity is subject to the same limitation as a digital signature in that anyone who can log on as the person with authority to do so can perform the step.
What are the risks?
Loss of integrity: This risk relates to being unable to demonstrate that the record of approval is legitimate or accurate. This may be due to:
- the relevant information either not being recorded or not connected with the record
- lack of appropriate contextual information, such as when the approval took place or that the approval was authorised
- concerns related to fraud, such as when the legitimacy of the authorisation provided for the approval is questioned
- system malfunction, such as errors in the automation of metadata capture resulting in details of who authorised the approval not being captured as part of workflow functionality.
Integrity related risk may be mitigated by a variety of techniques, including:
- automating the collection of essential information, such as the date of the approval and what account was used to authorise it
- locking down audit logs so they can't be adjusted without a record of the adjustment being captured
- demonstrated consistency through a combination of documented processes and regular audit of practices and systems
- having clearly documented delegations of authority.
Loss of the record: This risk relates to the record of approval not being available when required. This may be due to the record of approval:
- either not being created or not captured
- not being retained for the duration of its retention period or being prematurely destroyed
- being captured by the system in a way that makes the record difficult to access or understand
- could not be verified (e.g. loss of the public keys of the person who purported to execute a digital signature).
Risk related to the loss of records may be mitigated through techniques including:
- identifying what evidence would be required to demonstrate approval and capturing that evidence as records
- determining the most appropriate formats for the records to ensure integrity and accountability can be demonstrated
- determining how long the records will need to be kept and ensuring that preservation strategies for the formats used also preserve all relevant contextual information to enable the record to be locatable and understandable.
The consequences of risks occurring will differ depending on whether the records of approval are high value or low value. Approval methods, such as using electronic signatures or action tracking workflow, may be sufficient for low to medium value records. However high value high risk records may require the use of systems with strong workflow functionality, digital signatures or the continued use of conventional hand-written signatures.
Electronic approval type and risk mitigation
|Type||Suitable for||Risk mitigation should|
|Electronic signature||Low to medium risk||
Connect the approval with key contextual information regarding who applied what signature, in accordance with what process, and when.
Link the approval clearly with what is being approved.
Conduct routine audits of the approval process to demonstrate its application is consistent.
|Digital signature||High risk||Manage the Public Key Infrastructure and digital certificate information appropriately so that secure information remains secure.|
|Automated system / workflow functionality||Low, medium and high risk||
Conduct regular audits of the system and workflow functionality.
Automate collection of essential contextual information where possible.
Lock down audit logs.
|Hardcopy signature||High risk||
Retain hardcopy to enable forensic assessment and confirmation that the signature matches the person authorised to sign (as signatures can be forged).
Connect the approval with key contextual information regarding who approved what and when, by requiring signers to write their name and or role, and to date the signature.
Initial each page as well as sign the document containing what is being approved for more serious transactions.