Last updated:

What is an electronic approval process?

An approval process is the steps and tasks involved for someone with the appropriate authority to formally approve or authorise decisions and actions. An electronic approval process is one where approval is provided electronically. For example, using systems workflow functionality.

Using electronic approval processes will not invalidate the resulting records as evidence. Any record can be admitted as evidence, provided its authenticity and reliability is unchallenged or proven sound.

The following tools help with developing electronic approval processes:

  • workflow software that may include automation, machine learning or other AI functionality
  • audit processes to determine where the challenge points are
  • work process analysis to determine the points at which records need to be created and what they need to include
  • if transitioning away from hardcopy processes, a digitisation plan covering the hardcopy records associated with the approval process.

Public offices should verify with their legal team that their management of approval process records comply with their business needs and legal obligations.
 

Where to start?

Start with an approval process that is relatively simple and for which the approval is straight forward. Once you have identified a relevant approval process, review the process to determine the following:

  • legislation and regulations that may require records to be in specific formats or where particular conditions are to be met, especially where that impacts the approval
  • points at which records need to be captured, their content and the metadata required, and what is needed for approval to be 'authorised'
  • risks with the proposed process and their mitigation
  • the level of approval required for the approval process to commence and whether senior executive/senior management support will be needed to implement it.

Regardless of the method used, any approval process should be documented and regularly audited to ensure the records can be used as evidence, if needed.

Types of approval

Electronic business systems usually contain some automation or machine learning functionality that enables specific data to be collected by the system in accordance with business rules.

Workflow functionality is built to require authorisation, where certain people are authorised to perform specific steps and the workflow captures the identity of the person that performs them. Note that this form of identity authorisation to perform the action is limited as anyone who can log on as the person with authority to do so can perform the step.

Where the approval process is conducted through artificial intelligence (AI) functionality, two additional elements will need to be addressed: accuracy and bias. 

AI technologies are known to perpetuate bias in the data used and are known to create 'fictional' responses called 'hallucinations'. Without the means to confirm that the approval was based on accurate information that was free from bias, the approval and any resulting decision may be contested.

The level of work and detail required to demonstrate accuracy and address questions of bias should be based on the results of a value and risk assessment in accordance with the AI Technologies and Recordkeeping Policy

An electronic signature (or e-signature) is intended to perform the same purpose as a handwritten signature on a paper document. Types of e-signatures include:

  • typing your name at the bottom of an email
  • using a generic email signature
  • placing a digitised image of a handwritten signature on a document
  • typing a name and then clicking 'accept' to agree to terms and conditions on a website
  • handwriting a signature onto a hardcopy document and then scanning it to digital form
  • using a digital pen to manually sign on an electronic device.

Note that electronic signatures vary in their strength. The legal intention is for robustness to match the importance of the document.

A digital signature is a cryptographic technique, which is a method to codify information to keep it secure. It creates a unique identifier in an electronic document that can be checked by the receiver to verify the identity of the author and confirm it has not been interfered with. Common forms of digital signatures use public key infrastructure (PKI), including digital certificates, for authentication purposes and to demonstrate integrity.

Note that the practical strength of a digital signature is less than its theoretical strength. This is because users must use systems to apply digital signatures. Anyone who can use the system as if they were that person (for example, logging into a computer as that person, or using an unlocked computer) can apply the digital signature.

Digital by design

A human being is usually needed to authorise approval decisions or actions that involve a high level of risk or that have major consequences if an incorrect decision or action is made. Often this is a point where a value judgement or complex decision or action is required. Providing justification for when approval by a human is required at what points helps to flesh out what the approver needs to consider and why. 

Automation, machine learning or other AI functionality may be used to assist with the decision-making process that will be undertaken by a human being but not to action the approval (i.e., it is not the approver). Inferences made by AI technologies or statistical decision tree models are recommendations only, and not actual approvals or authorisations. The human will need to consider whether the information provided by the technology is accurate and free from bias. 

Measures used to determine good governance should be appropriate to the type of approval as well as to its value and level of risk. Stringent quality assurance should be applied to high value high risk areas. Processes where the likelihood that the accuracy or basis of a decision will be questioned is high will require rigorous and well documented governance.

Factors to consider when determining appropriate levels of governance include:

  • the value of the approval to the business and broader community
  • the consequences of a risk not being mitigated
  • the functionality and capability of the system being used including possible configuration and metadata and whether additional software is required to achieve an appropriate level of governance
  • budget, system constraints and other factors that impact on the governance that can be applied to the approval process and what work-arounds might be needed
  • sensitivity of information held as part of the approval process.

The criteria for appropriate governance are listed in PROV Standards, including:

  • Strategic Management Standard
  • Operational Management Standard
  • Create, Capture and Control Standard.

 

Recordkeeping requirements for the approval process should be identified and included during the design and implementation phases so that any controls, configuration settings and all metadata elements required are known and set. Documentation may include:

  • who approved what, when, and under what level of authority
  • the purpose of the approval process
  • the steps or actions involved in the approval process
  • whether the process is conducted internally or via a third party and the impact that may have on the record of the approval 
  • triggers for human intervention in automated, machine learning or other AI generated workflows
  • the impact a failure in the process will have on the business and broader community
  • any delegated authority for the approval
  • relevant legislative and regulatory requirements
  • monitoring and auditing cycles, including frequency
  • access restrictions.

Access restrictions to records will change over time. While some records may always be open for members of the public to view, others may have access limited to authorised people only. Where restrictions to access are applied, the reason for the restriction (such as 'required under X Act, section Y') should also be included, where this is practical.

Changes cannot be permitted once the point of approval is complete. This is because any changes will cast doubt on the authenticity and integrity of the approval. This does not prevent approvals to be rescinded or for authorised amendments to be made. Records of both the rescinded approval and its amended version will need to be kept.

What are the risks?

The consequences of risks occurring will differ depending on whether the records of approval are high value or low value. Approval methods used should be appropriate for the level of risk identified and be able to address mitigation required.

For high risk, mitigation may include actions such as:

  • manage the Public Key Infrastructure and digital certificate information appropriately so that secure information remains secure
  • conduct regular audits of the system and workflow functionality and lock down audit logs
  • automate collection of essential contextual information where possible
  • connect the approval with key contextual information regarding who approved what and when
  • for hardcopy approvals, retain the hardcopy approval record to enable assessment and confirmation that the signature matches the person authorised to sign, ensure the signature includes date of approval and name and role of the approver, and ensure the approver initialled each page.

For low to medium risk, mitigation may include actions such as:

  • connect the approval with key contextual information about the level of approval, date and process
  • link the approval clearly with what is being approved
  • conduct routine audits of the approval process to demonstrate its application is consistent
  • conduct regular audits of the system and workflow functionality 
  • automate collection of essential contextual information where possible
  • lock down audit logs.

This risk relates to being unable to demonstrate that the record of approval is legitimate or accurate. This may be due to:

  • the relevant information either not being recorded or not connected with the record
  • lack of appropriate contextual information, such as when the approval took place or that the approval was authorised
  • concerns related to fraud, such as when the legitimacy of the authorisation is questioned
  • system malfunction, such as errors in the automation of metadata capture.

Integrity related risk may be mitigated by a variety of techniques, including:

  • automating the collection of essential information, such as what account was used when
  • locking down audit logs so they can't be adjusted without the adjustment being recorded
  • demonstrated consistency through a combination of documented processes and regular audit of practices and systems
  • having clearly documented delegations of authority.

This risk relates to the record of approval not being available when required. The risk may be due to the record of approval:

  • either not being created or not captured
  • not being retained for the duration of its retention period or being prematurely destroyed
  • being captured by the system in a way that is difficult to access or understand
  • not being verified, or not being able to be verified (e.g. loss of the public keys of the person who digitally signed).

Risks related to the loss of records may be mitigated through techniques including:

  • identifying what evidence would be required to demonstrate approval and capturing that
  • determining the most appropriate formats for the records to ensure integrity and accountability can be demonstrated
  • determining how long the records will need to be kept and ensuring that relevant preservation strategies are implemented so records remain readable and accessible.

Material in the Public Record Office Victoria archival collection contains words and descriptions that reflect attitudes and government policies at different times which may be insensitive and upsetting

Aboriginal and Torres Strait Islander Peoples should be aware the collection and website may contain images, voices and names of deceased persons.

PROV provides advice to researchers wishing to access, publish or re-use records about Aboriginal Peoples

Learn more