Supporting compliance audits with Approval Server


You can use the audit and logging capabilities of AR System with Approval Server to support any compliance audit that requires proof of signatures by responsible parties. Use this information to understand the key AR System functionality that can help support audits.

Approval Server is a self-contained, shared module that can be attached to any AR System application. It is a flexible solution for automating any approval or signature process in any organization. Several BMC Helix solutions use Approval Server to automate approvals, including Change Management, Service Request Management, and Asset Management. You can also write custom applications that use Approval Server.

BMC does not advise customers about policies and procedures, but we can provide information about recommendations for using our products to support an organization's policies and procedures.

Approval Server is a software tool that helps implement business processes. It can support compliance audits, such as those required under US FDA 21 CFR (Code of Federal Regulations) Part 11, by providing an audit trail and proof of authenticity associated with an approval.

For more information about implementing processes and integrating applications with Approval Server, see Configuring-the-Approval-Server.

Business rule enforcement with approval processes

An approval indicates agreement or rejection of a request or a decision. In business, approvals represent the signature or acknowledgment of individuals in a business process. Approvals often must be recorded to provide an audit trail and proof of authenticity associated with an approval or signature.

Using well-defined processes and rules consistently is key to a successful compliance audit. Because Approval Server uses defined processes and rules to gather approvals from the appropriate decision-makers, you can ensure that the processes and rules of the business are always followed when gathering signatures.

By using Approval Server and applications based on it to implement business processes, you can create operational checks to ensure that approval steps take place in the order and according to the conditions specified by your business rules.

Electronic signatures

In general, an electronic signature is stored data that reflects the intent of the individual to indicate his or her signature. It must include the name of the signer, the date and time the signature was executed, and the meaning of the signature.

Approval Server provides this functionality for AR System based applications. Any application that uses Approval Server to generate signatures, such as Change Management or a custom approval application, automatically uses the Approval Server functionality to permanently store each electronic signature along with a set of related information.

Important

Many national and state governments have enacted laws that specifically define the term "electronic signature". Companies using Approval Server to support compliance audits, where this term carries a specific meaning, should use the information in this section together with appropriate legal advice.

Many audit guidelines also require that the approver's identity be verified at the time the signature is entered. With Approval Server, you can apply several types of control to ensure that the approver has signature authority and to verify the approver's identity.

  • The approver's signature authority can be controlled by maintaining a list of authorized approvers, and configuring the application to verify the approver.
  • The approver's identity and authentication is verified by AR System access control at the time the user logs on. AR System access control is robust, and administrators can configure the system to restrict access at many levels, including access to records, field contents, and application functionality.
    Access is controlled based on the user, user groups, and roles.
  • Finally, you can make approvers re-enter their password at the time of approval, so that an unauthorized user cannot execute an approval by using an unattended console.
    For more information about configuring the system to re-enter the password for approval, see AP-Process Definition form.

A digital signature is not the same as an electronic signature. A digital signature is a specific type of electronic signature that uses cryptographic methods to ensure both the content of a message and the authenticity of the signer. AR System provides electronic signatures but not digital signatures.
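To make that distinction concrete, the following is an added example written for this page, not AR System or Approval Server code. It models a signature record with the three elements named above (signer, date and time, meaning; the field layout and sample values are assumptions) and shows that a cryptographic digital signature over the record detects a later change to any of its fields, which a stored electronic signature record by itself cannot do.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"fmt"
	"time"
)

// ElectronicSignature carries the elements the text says an electronic
// signature must include (signer, date/time, meaning) plus the request it
// applies to. The layout is an assumption for this example, not the
// Approval Server Signature form.
type ElectronicSignature struct {
	Signer   string    `json:"signer"`
	SignedAt time.Time `json:"signed_at"`
	Meaning  string    `json:"meaning"` // e.g. "Approve" or "Reject"
	Request  string    `json:"request"`
}

// canonical returns a deterministic byte encoding of the record; the
// digital signature is computed over exactly these bytes.
func (s ElectronicSignature) canonical() []byte {
	b, err := json.Marshal(s) // fields are emitted in declaration order
	if err != nil {
		panic(err)
	}
	return b
}

// SignRecord produces a digital signature over the record with the
// approver's Ed25519 private key.
func SignRecord(priv ed25519.PrivateKey, s ElectronicSignature) []byte {
	return ed25519.Sign(priv, s.canonical())
}

// VerifyRecord reports whether sig is a valid digital signature over s.
// Any change to signer, time, meaning, or request makes it return false.
func VerifyRecord(pub ed25519.PublicKey, s ElectronicSignature, sig []byte) bool {
	return ed25519.Verify(pub, s.canonical(), sig)
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	// Constructed sample record for illustration only.
	rec := ElectronicSignature{"jsmith", time.Date(2024, 1, 15, 9, 30, 0, 0, time.UTC), "Approve", "constructed change request"}
	sig := SignRecord(priv, rec)
	fmt.Println("original verifies:", VerifyRecord(pub, rec, sig))
	tampered := rec
	tampered.Meaning = "Reject" // a later edit to the stored decision
	fmt.Println("tampered verifies:", VerifyRecord(pub, tampered, sig))
}
```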

For more information about access control in AR System, see Assigning-permissions-to-access-objects-and-requests.

Elements of auditable processes

An auditable process must contain a written log, physical or electronic, of the process actions, and the physical or electronic signatures of the decision-makers or approvers.

Written logs

To support a process audit, a log of the process actions must contain information sufficient to answer the following questions:

  • Meaning of the signature - What was the action taken or decision made?
  • Date and time of the signature - When was the action taken or decision made?
  • Signature - Who took the action or made the decision?

In a manual system, this information is kept by storing the relevant paper documents in a filing system. When you use Approval Server to implement a process, AR System stores the answers to these three questions in the Approval Audit Trail field, which is associated with every request.

For information about how Approval Server uses the Approval Audit Trail field, see Form-to-view-all-data-about-an-approval-request.

You can also use the Audit form property to track changes to data in any form. If this property is configured, AR System tracks changes to audited fields in the form according to settings you specify. You can selectively audit entries by providing an audit qualification, or audit all changes to the specified fields.

You can also track supporting data in the Approval Server and AR System log files. For information about using these log files, see Enabling-and-analyzing-logs.

Signatures of approvers

In a manual system for approving requests, such as expense or change requests, the approver's signature is a physical signature on a document that signifies approval of the decision, expenditure, or change. The document must describe the request, and the signer must also date the request. The approver's physical signature is verified by human recognition of the approver's handwritten signature.

In an automated process implemented by Approval Server, the approver selects an option to Approve or Reject a request. This action records the decision as the approver's electronic signature in the Signature form, along with the date, time, and all information contained in the request.

For more information about Approval Server signatures, forms, and handling approval requests, see Configuring-the-Approval-Server.
