Use of digital signatures instead of wet ink signatures on control documentation
Saint4805 last edited by
First post here and my apologies if this has been asked before.
I manage a business process SOX control framework within a listed company and many of our control performers have been asking if we can move from dated wet ink signatures on hardcopy documentation to digital signatures within scanned/converted PDF documents using an application called Foxit Phantom PDF. This is an ‘out of the box’ application and the functionality is standard and has not been modified by our company. Installation of this application is only possible on an individual user basis upon approval from IT. The default digital signature for each user is linked to their network User ID and it is not possible to set up a falsified signature as it would be shown to have an invalid certificate attached as well as other error messages.
Given the current COVID19 situation many of our control performers are working from home and without access to a printer or scanner. Our external auditors are pushing back on the use of digital signatures using Foxit and are adamant that wet ink signatures must be used, which is obviously challenging given the current ways of working people are having to adopt. The auditors are claiming they cannot place any reliance on the Foxit application due to their global audit methodology not allowing for it, even though it is an out of the box application and we have even offered to obtain a SOC1/ISAE3402 report. Note that we are only advocating the use of digital signatures for non-GXP documents and also only for certain review type control activities and not pure authorisation control activities where a wet ink signature is more appropriate, e.g. manual payment request form. We are also only advocating its use for internal working documents and not legally binding documents which are shared with third parties where something like DocuSign would be more appropriate.
Our external auditors are taking the position that if we use digital signatures instead of wet ink signatures each user will be required to complete a comprehensive and detailed written attestation listing all control instances and confirming that their digital signature is authentic for each instance, which is obviously extremely time-consuming and counterproductive. Our feeling is that they are taking an unreasonable position and are taking the opportunity to perform additional unnecessary audit work. Do we have a case or is their position valid according to current auditing standards?
Many thanks in advance!
harrywaldron last edited by
Hi & welcome to SOX forums … I see both sides of the issue – and the new concept of “digital signatures” is indeed the way to go in the future (but training & procedures & audit buy-in all need to be firmly in place).
Being in IT, I have heard of smartphone apps that can allow users to scan & “fax” in those old-fashioned but well controlled highly LEGAL situations.
SUGGESTION: do a Google search of “smartphone scanner apps”
That might be helpful to find easy-to-use & low cost solutions for now. PC Magazine has a nice evaluation in that Google search also:
One list of mobile “best apps” for scanning and OCR
- FineScanner Pro (by Abbyy) Best for scanning books. …
- Microsoft OfficeLens (when used with OneDrive and Word) Best for free use. …
- Scanbot Pro. Best for organizing scans. …
- Scanner for Me + OCR. Best for speed, plus OCR in 13 languages.