Electronic approval system - Fraudulently made electronic approval found

[kaliko81]

Formerly, one way to give an approval was with a handwritten signature. With the arrival of new technologies, we will see electronic signatures more and more.
I made an internal audit recently and luckily I was able to show that there had been a fraudulently made electronic approval. In the case of a handwritten signature, the defrauder must be very good to imitate a signature. With an electronic signature system, one only has to penetrate the system. I maybe mistaken but I do not recall reading anything in the standards requiring a certain level of safety to ensure the integrity of the electronic signature. Am I right?

P.S. Please forgive my syntax errors, English is not my mother tongue.

Thanks

Kaliko

[Jim Wynne]

Quote:

In Reply to Parent Post by kaliko81

Formerly, one way to give an approval was with a handwritten signature. With the arrival of new technologies, we will see electronic signatures more and more.
I made an internal audit recently and luckily I was able to show that there had been a fraudulently made electronic approval. In the case of a handwritten signature, the defrauder must be very good to imitate a signature. With an electronic signature system, one only has to penetrate the system. I maybe mistaken but I do not recall reading anything in the standards requiring a certain level of safety to ensure the integrity of the electronic signature. Am I right?

P.S. Please forgive my syntax errors, English is not my mother tongue.

Thanks

Kaliko

Your English is fine. You don't mention the standard you're working under, but if it's ISO 9000 or TS 16949, there's no requirement for signature security. It's up to you to determine the level of security required and how to accomplish it. For electronic approvals security is usually established through password protection.

[Claes Gefvenberg]

Quote:

In Reply to Parent Post by kaliko81

I made an internal audit recently and luckily I was able to show that there had been a fraudulently made electronic approval.

That is interesting. How were you able to find and prove it? What damage did this cause?

Quote:

In Reply to Parent Post by kaliko81

I maybe mistaken but I do not recall reading anything in the standards requiring a certain level of safety to ensure the integrity of the electronic signature. Am I right?

Assuming that we are talking about ISO 9001, I would say that the standard aims to protect the documented information.

Quote:

In Reply to Parent Post by ISO9001:2000, clause 4.2.3

...A documented procedure shall be established to define the controls needed...

If the signature (electronic or not) is needed to ensure that this information remains safe, it must be protected.

Quote:

In Reply to Parent Post by kaliko81

P.S. Please forgive my syntax errors, English is not my mother tongue.

Nor is it mine. Pas de problème

/Claes

[CarolX]

Quote:

In Reply to Parent Post by kaliko81

I made an internal audit recently and luckily I was able to show that there had been a fraudulently made electronic approval.

Hi kaliko81,

I think you have a bigger problem on your hands. No matter how the system is set-up, if someone wants to operatre outside of the process, you will always have this proble.

I don't know about TS, but ISO does not require signature, hard copy or electronic.

[kaliko81]

Quote:

In Reply to Parent Post by Claes Gefvenberg

That is interesting. How were you able to find and prove it? What damage did this cause?/Claes

-->It was really easy: They used my signature! Since it was a pre-production approval, so if there will be any problem, it will be seen when the product will be on production.

[kaliko81]

Quote:

I think you have a bigger problem on your hands. No matter how the system is set-up, if someone wants to operatre outside of the process, you will always have this proble.

My problem is even bigger than that. My audit was actually a verification before the register audit (ISO 9001-2000 and TS 16949) that was planned 2weeks after. I first noticed that there were missing signatures in the pre-production approval system. I report it to the management. The day before the register audit, I was out for a training. My signature was used during my absence, following one of the manager request...

[Claes Gefvenberg]

Quote:

In Reply to Parent Post by kaliko81

It was really easy: They used my signature! Since it was a pre-production approval, so if there will be any problem, it will be seen when the product will be on production.

Your signature?! Ok, I see. That rather explains it...

Quote:

In Reply to Parent Post by kaliko81

I first noticed that there were missing signatures in the pre-production approval system. I report it to the management. The day before the register audit, I was out for a training. My signature was used during my absence, following one of the manager request...

Doh! I think I'm starting to grasp the magnitude of your problem. It would seem that you have two systems to deal with: One official, and one unofficial. It is unfortunate when managers choose the latter.

The big question is why?

/Claes

[kaliko81]

Quote:

In Reply to Parent Post by Claes Gefvenberg

Your signature?! Ok, I see. That rather explains it...

Doh! I think I'm starting to grasp the magnitude of your problem. It would seem that you have two systems to deal with: One official, and one unofficial. It is unfortunate when managers choose the latter.

The big question is why?

/Claes

Well the answer I got (because I did asked that question) was that it was a matter of flexibility. That manager believed that I would have given my approval anyway so there was no point to take the risk of having a nonconformal. My respond was that he should have given his own approval instead of using my signature.