Electronic approval system - Fraudulently made electronic approval found

kaliko81

Formerly, one way to give an approval was with a handwritten signature. With the arrival of new technologies, we will see electronic signatures more and more.
I made an internal audit recently and luckily I was able to show that there had been a fraudulently made electronic approval. In the case of a handwritten signature, the defrauder must be very good to imitate a signature. With an electronic signature system, one only has to penetrate the system. I may be mistaken but I do not recall reading anything in the standards requiring a certain level of safety to ensure the integrity of the electronic signature. Am I right?

P.S. Please forgive my syntax errors, English is not my mother tongue.

Thanks

Kaliko
 

Jim Wynne

Leader
Admin
kaliko81 said:
Formerly, one way to give an approval was with a handwritten signature. With the arrival of new technologies, we will see electronic signatures more and more.
I made an internal audit recently and luckily I was able to show that there had been a fraudulently made electronic approval. In the case of a handwritten signature, the defrauder must be very good to imitate a signature. With an electronic signature system, one only has to penetrate the system. I may be mistaken but I do not recall reading anything in the standards requiring a certain level of safety to ensure the integrity of the electronic signature. Am I right?

P.S. Please forgive my syntax errors, English is not my mother tongue.

Thanks

Kaliko

Your English is fine. You don't mention the standard you're working under, but if it's ISO 9000 or TS 16949, there's no requirement for signature security. It's up to you to determine the level of security required and how to accomplish it. For electronic approvals, security is usually established through password protection.
 
kaliko81 said:
I made an internal audit recently and luckily I was able to show that there had been a fraudulently made electronic approval.
That is interesting. How were you able to find and prove it? What damage did this cause?

kaliko81 said:
I may be mistaken but I do not recall reading anything in the standards requiring a certain level of safety to ensure the integrity of the electronic signature. Am I right?
Assuming that we are talking about ISO 9001, I would say that the standard aims to protect the documented information.

ISO9001:2000 said:
...A documented procedure shall be established to define the controls needed...
If the signature (electronic or not) is needed to ensure that this information remains safe, it must be protected.

kaliko81 said:
P.S. Please forgive my syntax errors, English is not my mother tongue.
Nor is it mine. Pas de problème :bigwave:

/Claes
 

CarolX

Trusted Information Resource
kaliko81 said:
I made an internal audit recently and luckily I was able to show that there had been a fraudulently made electronic approval.

Hi kaliko81,

I think you have a bigger problem on your hands. No matter how the system is set up, if someone wants to operate outside of the process, you will always have this problem.

I don't know about TS, but ISO does not require signature, hard copy or electronic.
 
kaliko81

Claes Gefvenberg said:
That is interesting. How were you able to find and prove it? What damage did this cause?/Claes


It was really easy: They used my signature! Since it was a pre-production approval, if there is any problem, it will be seen when the product is in production.
 
kaliko81

I think you have a bigger problem on your hands. No matter how the system is set up, if someone wants to operate outside of the process, you will always have this problem.


My problem is even bigger than that. My audit was actually a verification before the register audit (ISO 9001-2000 and TS 16949) that was planned 2 weeks after. I first noticed that there were missing signatures in the pre-production approval system. I reported it to the management. The day before the register audit, I was out for training. My signature was used during my absence, at the request of one of the managers...
 
kaliko81 said:
It was really easy: They used my signature! Since it was a pre-production approval, if there is any problem, it will be seen when the product is in production.
Your signature?! :mg: Ok, I see. That rather explains it...

kaliko81 said:
I first noticed that there were missing signatures in the pre-production approval system. I reported it to the management. The day before the register audit, I was out for training. My signature was used during my absence, at the request of one of the managers...
Doh! :frust: I think I'm starting to grasp the magnitude of your problem. It would seem that you have two systems to deal with: One official, and one unofficial. It is unfortunate when managers choose the latter.

The big question is why?

/Claes
 
kaliko81

Claes Gefvenberg said:
Your signature?! :mg: Ok, I see. That rather explains it...

Doh! :frust: I think I'm starting to grasp the magnitude of your problem. It would seem that you have two systems to deal with: One official, and one unofficial. It is unfortunate when managers choose the latter.

The big question is why?

/Claes

Well, the answer I got (because I did ask that question) was that it was a matter of flexibility. That manager believed that I would have given my approval anyway :nopity: so there was no point in taking the risk of having a nonconformal. My response was that he should have given his own approval instead of using my signature. :argue:
 

Wes Bucey

Prophet of Profit
kaliko81 said:
Well, the answer I got (because I did ask that question) was that it was a matter of flexibility. That manager believed that I would have given my approval anyway :nopity: so there was no point in taking the risk of having a nonconformal. My response was that he should have given his own approval instead of using my signature. :argue:
Precisely! The superior officer is always in a position to designate who may authorize a document or an activity, including himself.

Every organization needs a mechanism like that and it is implied even if it is not explicitly written down, because the organization cannot come to a standstill merely because one employee is absent (sick, away on business, fired, or dead.)

What is NOT condoned is forgery. It breaks the chain of ownership of a process if the one whose signature is forged is subsequently called to answer for his signature.

This is nothing to quit or get mad about, though. It is an ideal opportunity to help the bosses understand the true theory underlying "ownership" of a process or activity.

It is not too late to unwind the deed and for one of two things to happen.

  1. You, the ostensible owner of the process, affirm your approval by adding your signature.
  2. The boss deletes your signature and replaces it with his own.
:ca: Create a specific document that outlines the fact that the top executive or his designee has the power to replace any lower level employee temporarily or permanently in the event of absence of that employee for any reason, giving such replacement all the same power and authority of the person being replaced.
 
Wes Bucey said:
Every organization needs a mechanism like that and it is implied even if it is not explicitly written down, because the organization cannot come to a standstill merely because one employee is absent (sick, away on business, fired, or dead.)
Right. If the official system is too rigid, people will inevitably resort to unofficial solutions. This is a good example of the need for backup in an organization.

Wes' suggestion is a good way to handle that need. As long as one or maybe even several of your coworkers or subordinates have the necessary competence, you could also allow them to step in when you are absent.

/Claes
 