Electronic Signature Audit

April 20, 2017 isec

Your business need

An electronic signature (e-signature) is data in electronic form that is logically linked with other electronic data and is used by the signatory to sign a document; it therefore provides the same legal standing as a handwritten signature.

In Europe, eIDAS is the regulation that specifically governs electronic signatures. eIDAS has been in effect since July 2016, so previous local legislation no longer applies.

Article 25 of the Regulation maintains the fundamental legal rule that all electronic signatures and verification services shall be admissible as evidence in legal proceedings. This includes electronic signatures, seals, time stamps, registered delivery services and certificates for website authentication.

Our approach

When conducting an audit mission, we follow the ETSI set of standards for electronic signatures and ISACA's standards, guidelines and tools on IT Audit and Assurance. We also use COBIT control objectives, as electronic signature is mostly a strategic business service relying on IT, and ISO 27002 as best-practice recommendations.

Before accepting the engagement, the auditor ensures that it takes an objective approach to the review and is independent of the solution's design, development, implementation and testing stages.

Your benefits

Because you receive an independent opinion on the security of your electronic signature services, you fulfil the regulator's requirements for periodic verification. Our auditors' approach offers you real value and simplifies further planning of improvements, actions and measurements.

Our expertise

isec has a team of skilled and experienced auditors bound by a solid code of ethics. They have all delivered quality audit services to major signature providers. Our auditors are trusted for their objectivity and their business sense in the current economic context.

eIDAS defines three levels of electronic signature: basic, advanced and qualified electronic signatures.

Qualified Trust Service Providers (TSPs) shall be audited at their own expense at least every 24 months by a Conformity Assessment Body (CAB). The purpose of the audit is to confirm that the qualified TSPs and the qualified trust services they provide fulfil the requirements of the Regulation. The qualified TSPs shall submit the resulting conformity assessment report to the supervisory body within 3 working days of receiving it.

Currently, isec is in the process of becoming a CAB.

The audit consists of a documentation assessment (stage 1 audit), an on-site assessment (stage 2 audit) and delivery of the conformity assessment report.

The audit report contains the formal opinion of an external, independent, CISA-certified auditor, resulting from the evaluation of the audit scope. The report is delivered in a detailed form for our customer and in an executive form for the supervisory authority.

The structure of the detailed audit report aligns with the legal requirements and comprises an Executive summary, Scope and objective, Methodology, Conclusion of the audit mission and a detailed Annex with Findings and recommendations for the auditee.

The audit is based on the procedures necessary to collect sufficient and appropriate evidence, so the audit opinion should provide a reasonable level of assurance on the effectiveness of control procedures.