In the audit profession, signatures are used for a variety of reasons, including for representations from clients, signing off working papers, and signing audit and other reports. With the onset of COVID-19 and the ‘new normal’ of auditors working remotely from users of their documents, electronic signatures have emerged as an important issue to ensure that the form of signature is appropriate for the purpose used.
The IRBA has issued a request for comments on a proposed explanatory memorandum. The considerations it presents, as well as the Electronic Communications and Transactions Act of 2002 (ECT Act), are very informative and may be reviewed in the meantime. The following salient points have been derived from both sources.
1. There are generally three potential methods available to sign an audit, review or other assurance report:
• Traditional wet-ink signature
• Ordinary electronic signature
• Advanced electronic signature.
Advanced electronic signatures are a specialised type of electronic signature that results from a process that has been accredited by the South African Accreditation Authority (SAAA).
Currently, there are two service providers whose authentication products and services have been accredited by the SAAA:
• The South African Post Office Ltd
• Law Trust Party Services (Pty) Ltd.
2. ECT Act — Section 13 (2): A signature is not without legal force purely because it is electronic.
3. ECT Act — Section 13 (1): Where a law requires a signature, but it does not specify the type of signature, an advanced electronic signature is required.
4. ECT Act — Section 13 (3): Where a signature is required by an electronic transaction, any method that identifies a person and indicates approval may be used, provided it is as reliable and appropriate as the circumstances dictate.
5. ECT Act — Section 13 (4): An advanced electronic signature is regarded as valid, unless the contrary is proven.
6. ECT Act — Section 13 (5): Where an electronic signature is not required by the parties to an electronic transaction, an expression of intent or other statement is not without legal force and effect, merely on the grounds that it is in the form of a data message or it is not evidenced by an electronic signature, but is evidenced by other means from which such person’s intent or other statement can be inferred.
The International Standards on Auditing (ISAs) and the IRBA Code, with which registered auditors must comply when performing an audit, have legal force and constitute law in the form of subordinate legislation to the Auditing Profession Act, 2005 (Act 26 of 2005) (APA).
Since ISA 700 (Revised), Forming an Opinion and Reporting on Financial Statements, read together with the IRBA Code, requires that an auditor’s report must be signed by a registered auditor, a registered auditor’s signature is thus required by law.
This means that when signing auditor’s reports electronically, an advanced electronic signature must be utilised. Any other form of electronic signature used to sign the auditor’s report is not lawful under current legislation.
It may be deduced from Section 38 of the ECT Act that an advanced electronic signature must be:
• Uniquely linked to the user;
• Capable of identifying the user;
• Created using means that can be maintained under the sole control of that user;
• Linked to the data or data message to which it relates in such a manner that any subsequent change in the data or data message is detectable; and
• Based on the face-to-face identification of the user.
Examples of ordinary electronic signatures include:
• Clicking an ‘I accept’ button on a website
• A typed name in electronic format, e.g. in an e-mail
• A manuscript signature signed manually and simultaneously captured electronically, e.g. signed on a tablet computer
• A physical manuscript signature that is scanned and transformed into digital format
• The use of various software products for more secure signatures.
Policies and procedures – Vetting electronic signature services
In making its choice, the firm might develop conditions and implement policies and procedures on:
• Who from the firm makes the decision or forms part of the decision-making process
• How to undertake the service provider selection process
• The development of criteria to rate each service provider, which includes the factors set out above.
• What level of security is required?
• Is the service provider licensed?
• Is the service provider reputable?
• Type of signatures acceptable
• The security provided. Does it meet recognised security standards (such as information security, data security standards or similar standards/certifications)?
Considerations when using an ordinary electronic signature
Threats to the use of a licensed and secure ordinary electronic signature might be created when unauthorised access to the ordinary electronic signature is obtained and it is used to sign an audit, review or other assurance report without the knowledge of the authorised owner of the ordinary electronic signature. The level of threat will be affected by how the firm responds to the factors set out above.
As set out in the exposure draft, examples of actions that might be safeguards to address such threats include:
• The registered auditor taking precautions to prevent unauthorised use of the licensed and secure ordinary electronic signature
• Obtaining assistance or training from someone with the necessary expertise on the use of licensed and secure ordinary electronic signatures
• Reporting the unauthorised use of the licensed and secure ordinary electronic signature to the Regulatory Board and taking the necessary corrective action, should the unauthorised user of the licensed and secure ordinary electronic signature be holding themselves out to be a registered auditor.
It is imperative for auditors to be cognisant of the level of security provided by different types of signatures and their application in different situations. When in doubt, you are welcome to ask LEAF for guidance and practical advice.
1. IRBA: Exposure Draft: Proposed Amendments to Subsection 115, Professional Behaviour: Signing Conventions for Reports or Certificates, of the IRBA Code of Professional Conduct for Registered Auditors (Revised November 2018): Electronic Signatures.
2. Electronic Communications and Transactions Act, 2002 (No. 25 of 2002)