The Anatomy of An Audit Trail: A Guide to Digital Signature Evidence.


Some people are reluctant to use digital signature technology because they’re afraid that signatures created online aren’t legal. The truth is that digital signatures are just as legally binding as handwritten signatures. But that doesn’t mean that all e-signature products are on an equal footing if a signature is challenged in court.


When someone claims “I didn’t sign that,” you need to know that your digital signature vendor has your back. Most digital signature companies use audit trails (sometimes also called an audit log or a certificate of completion) to track the steps of the signature process. The audit trail is a powerful tool that can prove who signed a document and when they signed it. 

But some e-signature companies don’t think it’s important to log every event that happens to your documents. These audit trails don’t tell the whole story of the life of your document. This lack of detail can put you at risk if your document comes under legal scrutiny. 

Inconsistent Audit Trails

Take a look at the screenshot below. You’ll notice that there are three signatures and an initial on the document, but there’s only one signature in the signature panel. This can be confusing because the number of signatures represented is different depending on where you look.


Why does this happen? E-signature vendors often use a different technology to tamper seal a document than is used to sign the document. They apply this seal only after everyone has signed. Not only does this make it difficult to find out if a document has been tampered with in transit, it also can produce inconsistencies in evidence. 

You could have a document that contains 20 signatures, but the signature panel shown above would only display one signature.

This inconsistent evidence can be confusing both for the document’s owner and for a court if the document is ever challenged. Does this represent only the last signature? Where did the other signatures go? What happens if the signer claims she signed signatures 1 and 2 but never signed signature 3? There’s no separate evidence attached to the document or the audit trail to prove the document is genuine and tamper-free.

Consistent Audit Trails

Compare that with the consistency produced by SIGNiX’s Total Audit™. There are three digital signatures on the document and three signatures represented in the signatures panel on the left.


Comprehensive Audit Trails

When it comes to electronic evidence, it’s always best to have as much information to deal with as possible. That means that if an electronically signed document needs to stand up to scrutiny in today’s courtrooms, it must also track and store all of the steps of the signature process, from set-up through signature to final document delivery. 

Not only does this allow users to clearly track where any document is at a given time in a transaction, but having this detailed information on hand also means that companies can better defend against claims like, “I didn’t sign that.”

Most electronic signature services capture some sort of event history while a signature process is in motion, but the level of detail captured and stored can vary quite dramatically, sometimes barely providing enough detail to reconstruct the process at all. Some services simply append this information to the document, where it could be altered, or fail to include key data points, providing an opening for an attorney to create doubt about the transaction’s authenticity.

SIGNiX logs an extraordinary amount of detail about each transaction, using a feature called TotalAudit. This goes far beyond what many other e-signature services choose to provide, with information about:

      • Transaction creation
      • Emails and notifications sent to any signer
      • Signer's consent to use digital signatures
      • User authentication
      • Documents viewed by each signer
      • Signature creation (by each signer)
      • Party agreement to/acknowledgment of document
      • Transaction completion
      • Document downloads after signing
      • Cancellations and opt outs
      • Changed party information


By clicking on the plus sign beside each action, you can see a lot more information about the nature of the signing credential (and associated X.509 digital certificate).

While this might look like gibberish to many people, a technical expert can easily read this information to verify every step in the document’s lifecycle.

Since we use published cryptography and document standards to apply digital signatures to PDFs, this information (known variously as a message digest, hash or fingerprint) provides experts with the specific details needed to verify documents at any point in the transaction.

SIGNiX stores a digitally signed XML version of each audit trail (which can be fed into custom reporting solutions) and also makes them available to users in HTML and PDF formats. The information shown can be directly accessed from the transaction status tab in the MyDoX Document Center by clicking on View History.
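How a per-event document digest and a sealed audit trail support verification at any point in a transaction, as an added sketch that is not SIGNiX's format or code. The event fields, function names and the HMAC key (standing in for a real digital signature) are assumptions made for illustration.

```python
import hashlib, hmac, json

SEAL_KEY = b"constructed-demo-key"  # assumption: stands in for the service's signing key
GENESIS = "0" * 64

def _seal(body: dict) -> str:
    data = json.dumps(body, sort_keys=True).encode()
    return hmac.new(SEAL_KEY, data, hashlib.sha256).hexdigest()

def append_event(trail: list, action: str, party: str, document: bytes) -> None:
    """Record one event with the document digest at that moment, chained to the previous event."""
    body = {"seq": len(trail), "action": action, "party": party,
            "doc_sha256": hashlib.sha256(document).hexdigest(),
            "prev": trail[-1]["seal"] if trail else GENESIS}
    trail.append({**body, "seal": _seal(body)})

def first_broken_event(trail: list):
    """Return the index of the first altered or out-of-sequence event, or None if intact."""
    prev = GENESIS
    for i, event in enumerate(trail):
        body = {k: v for k, v in event.items() if k != "seal"}
        ok = (body.get("seq") == i and body.get("prev") == prev
              and hmac.compare_digest(_seal(body), event.get("seal", "")))
        if not ok:
            return i
        prev = event["seal"]
    return None

def signature_events(trail: list, party: str) -> list:
    """Document digests recorded for each individual signature by `party`."""
    return [e["doc_sha256"] for e in trail
            if e["action"] == "signature" and e["party"] == party]

def build_demo():
    """Constructed sample: one signer applies three signatures to a toy document."""
    doc, detailed, versions = b"constructed contract text", [], []
    append_event(detailed, "transaction_created", "sender", doc)
    for n in (1, 2, 3):
        doc += b"|signature %d: John Smith" % n
        versions.append(doc)
        append_event(detailed, "signature", "John Smith", doc)
    consolidated = []
    append_event(consolidated, "transaction_created", "sender", b"constructed contract text")
    append_event(consolidated, "signature", "John Smith", doc)  # one 'signing event' for all three
    return detailed, consolidated, versions
```

The detailed trail yields one digest per signature that can be matched against the document as it stood at that step, while the consolidated trail can only vouch for the final state.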

Legal precedent over the past ten years has shown that insufficient evidence regarding the signature process and the integrity and custodianship of electronic documents can prompt the court to overturn signed agreements. And as time passes, the bar that electronic evidence has to meet will only rise.

Incomplete Audit Trails

In comparison, other e-signature vendors simplify the audit trail to such an extent that individual signatures are not listed on the audit trail, but instead a ‘signing event’ is listed which apparently consolidates all of the user’s signatures in one line.

Let’s see what this looks like in practice. Here, we’re using a document with three signatures and one initial from John Smith. Next to that, you’ll see the audit trail provided by the e-signature vendor. 


Notice that the individual signatures are not listed in the audit trail. If someone claims they didn’t sign three signatures, there would be no legal evidence to prove otherwise. 

Instead of the highly detailed metadata provided by the SIGNiX audit trail, this vendor provides only one line of information, including the time and date for when the transaction was started, who it was emailed to, when that person looked at it, when it was ‘signed,’ and when the finished document was sent to the recipients.

Signatures are typically challenged at the signature level, not at the document or transaction level. Arguments revolve around a person alleging they did not sign off on a particular term of a contract or particular section, rather than the entire thing. If the evidence for these signatures is not in the audit trail, imagine how difficult it will be to prove that signature took place.

With these considerations in mind, you can see how important it is to have a clear, consistent and highly detailed audit trail for every digitally signed document. To learn more about digital signature evidence and security, download our free eBook "8 Rules for E-Signature Security." 
