Hi, Covers. :bigwave: I've not been active for a while, but hopefully getting back into the QMS over the coming weeks.

I am trying to rationalize our document authorization process and would like to accept an email from the document owner, with the soft copy document attached, as authorization in lieu of a signed piece of paper.

Has anyone got an opinion/ruling on this, please?

Thanks in anticipation !

Welcome back, mate.

I think it would be OK, if the document that is circulated is a protected PDF or a password protected word/excel document.

We use Outlook voting buttons to get documents approved.

Trish:
Welcome back! What you're proposing is fine.

If you would accept a phone confirmation of a signature, then you probably should accept an email confirmation.

The basic premise is that almost ANY electronic or paper-based confirmation system can be compromised by fraud or forgery. One of the ways you mitigate the risk of fraud or forgery is to follow the lead of accounting auditors who send out random confirmation letters to outside parties to validate records.

We who have email accounts are aware (based on incoming spam) that email return addresses are easily spoofed, but actually intercepting return correspondence to the spoofed email address is a much more difficult task. It would seem you could mitigate, but not eliminate, risk of fraudulent messages by emailing the sender back asking for confirmation. (My own IT guru snorted when I ran this by him and sniffed, "I could beat that easily!" Sure! But he's also a guy who could make a computer go out and fetch coffee without a battery or a plug connected to power!)

Thanks for your input everyone.

In this organization our network relies on "security by ignorance". The possibility of someone going to the trouble of forging an email to authorize a procedure is absolutely minimal. There might be the risk of someone using the boss's computer to send the message and there's no way around that. Knowing the people involved it's highly unlikely.

I'll go ahead and implement email authorizations.

Thanks for your input everyone.

In this organization our network relies on "security by ignorance". The possibility of someone going to the trouble of forging an email to authorize a procedure is absolutely minimal. There might be the risk of someone using the boss's computer to send the message and there's no way around that. Knowing the people involved it's highly unlikely.

I'll go ahead and implement email authorizations.

Please go ahead. Whoever said that computers are the basis of all mans ills? As if the concept of forgery and insecurity did not exist when computers were not in existance!:sarcasm: