Corporate & Human Resources

Within many organisations there are legal, regulatory and compliance requirements for data to be accurately documented and signed by one or more people responsible.

Businesses often use desktop software such as Microsoft Office or Open Office to create documents and then often convert these to PDF once finalised. Policies and procedures, monthly reports, project management documents, compliance statements and other data are often output as PDF files. This is generally done for good reasons including (a) to make the document harder to change, (b) to make it easier to view (render) on almost any system (including mobile devices) and increasingly (c) to take advantage of the stronger controls and handling of digital signatures within PDFs.

Many larger organisations also use document management systems to store and workflow the documents for collaboration purposes. However very often this drive to cut out paper by using e-documents draws to an abrupt halt at the stage where document approval is needed, leading to documents being printed to gather approval digital signatures and then re-scanned. An effective end-to-end document workflow system needs an electronic approval capability.

Digital certificates can be used to identify internal users and allows access via IAM systems. They can also enable documents to be digitally signed as part of the approval process within document management systems. Such digital signatures provide excellent authenticity, integrity and traceability for documents such as purchase requests, expenses, HR reports, compliance and quality reports, acceptance of new policies and procedures, project management and delivery acceptance. Handling all this information on-line and signed by key individuals ensures that an effective audit trail exists to meet internal controls needs, plus any external regulatory or legal requirements.

Legal Compliance

Internally electronic or digital identities are often issued from internal Certificate Authorities – in many cases these are produced using a Windows CA. Digital Signatures produced by these are trusted for internal use but they have little value outside the organisation since there is no trusted third party confirmation of the organisation’s identity.

Ascertia has observed the successful use of internal keys and certificates to authorise the signing in of one or more (including batch) of documents on a server which uses a high-trust or Qualified Certificates held with an HSM or smartcard to sign the document. Evidence of the user’s wilful act of requesting a server-side digital signature is retained within the log records. German digital signature law solutions can also be provided where there is a legal requirement for such digital signatures.

Ascertia’s products have been designed to be compliant with a range of digital signature legislation and regulatory frameworks, including EU law (EU Directive for Electronic Signatures), EU Directive for E-Invoicing, IdenTrust, US Electronic Signatures in Global and National Commerce Act (E-Sign), The Health Insurance Portability and Accountability Act (HIPAA), 21 CFR Part 11 (a regulation governing the use of electronic signatures within the pharmaceutical industry), Sarbanes-Oxley Act (SOX) and others.