Digital Signatures Are More Just a Scribble on a PDF

You’ve probably seen it: someone scans their signature, pastes it onto a PDF, and sends it off like it’s ironclad. Looks official. Feels efficient. Except it’s neither secure nor legally reliable if challenged.

In a business world where approvals, contracts, and compliance are under constant scrutiny, not all “signatures” are equal – and some can come back to bite you.

What Counts as an Electronic Signature?

Electronic signatures cover a broad range of actions – and yes, some of them are legitimate.

Typing your name? Yes.

Tapping “I agree”? Yes.

Drawing your signature on a screen? Yes.

Pasting a scanned image? Technically yes – but context is everything.

The defining factor is intent. If the signer clearly intended to agree to the contents, it may qualify. But without verification, it’s hard to prove who signed, when they did, or whether the document was altered afterwards.

Where Things Go Wrong: Common Misconceptions

Many organisations assume they’re covered because they got “something” that looks like a signature.

• “We signed it, so it’s legally binding.” Not necessarily. If the signature can’t be linked to the signer in a verifiable way, it can be disputed.
• “We emailed it, so that’s proof.” Not really. Shared email accounts, spoofed addresses, and lack of access control make this a weak defence.
• “We store it on the server.” That’s great – until an auditor asks when it was signed, who had access, and how you can prove it wasn’t altered. GULP!

Real-World Failures: What Happens When It Goes Wrong

• In Williams Group Australia v Crocker [2016], the court ruled against the company because it could not prove that the electronic signature on key documents had been placed by the authorised person. A scanned signature and unsecured email weren’t enough.
• In South Africa, provincial audits frequently identify procurement irregularities, including unsigned or improperly signed documents. These are considered non-compliant with the Public Financial Management Act (PFMA), which holds accounting officers responsible for preventing irregular expenditure. Consequences may include disciplinary action, recovery of losses, and contract cancellation.

These issues are often the result of poor process management: weak signature practices, inadequate access control, lack of verification procedures, and missing audit trails. Without structured workflows or role-based authorisation, organisations expose themselves to both operational and legal risks.

Enter Digital Signatures: A Step Above

Digital signatures go beyond appearance. They use cryptographic technology to:

• Verify the identity of the signer using a digital certificate
• Timestamp the signature
• Seal the document to prevent tampering
• Log each action in an auditable trail

Think of it like this:

An electronic signature is a handshake. A digital signature is a fingerprint scan, on camera, with a notary in the room.

It’s not just about looking signed – it’s about proving it beyond doubt.

How It Works: The Technical Bit

Think of a digital signature as an electronic version of your handwritten signature – but with extra security. It includes a digital certificate (often a Class 3 certificate) issued by a trusted organisation called a Certification Authority (CA).

When a document is signed with this type of certificate, it becomes tamper-evident. Each signed document includes embedded data that ensures the chain of custody can be traced back – by cryptographic lineage – to a certificate on Adobe’s Approved Trust List (AATL).

So, what’s AATL?

Adobe’s Approved Trust List is a global programme that allows digital signatures to be automatically trusted when a document is opened in Adobe Acrobat or Reader. These programs regularly download a list of trusted certificate providers. If your signature traces back to one of those providers, Adobe trusts it.

Companies like GlobalSign act as certificate authorities. In our case, we partner with GlobalSign to issue trusted digital certificates. Adobe has verified their credentials, included them on the AATL, and signed the list with its own digital ID.

The result?

If someone receives a document signed with one of these certificates, Acrobat or Reader will trust it automatically – no pop-ups, no red flags. It’s a smoother, safer experience that helps your business meet legal obligations under the ECT Act, GDPR, and eIDAS.

When the Difference Matters

Let’s look at real examples:

• Procurement: A supplier agreement, worth millions, needs clear authorisation. Can you prove who signed and when – or will you end up in a dispute?
• Finance approvals: Did the CFO approve the spend with proper authorisation, or did someone else use their laptop?

In industries like mining, logistics, and manufacturing – where dispersed teams and strict compliance are the norm – this level of assurance isn’t optional.

When Simple Isn’t Safe

A signature pasted into a PDF is easy to fake, impossible to verify, and leaves no trail.

Regulations like POPIA, GDPR, and sector-specific compliance laws require that access controls, signer identity, and tamper-evident records be in place – or you risk hefty penalties and reputational damage.

Where RealSign and FlowCentric Add Confidence

RealSign supports both electronic and digital signatures, allowing businesses to apply the right level of security for each type of document.

When paired with FlowCentric Processware, these signatures don’t float around in inboxes or sit on unsecured drives. They’re embedded in secure, auditable workflows.

Here’s how FlowCentric + RealSign help mitigate the risks:

• Identity Binding: Digital certificates and user authentication link each action to a verified individual.
• Role-Based Controls: Only authorised individuals can initiate or complete signature steps, according to structured workflow logic.
• Tamper Prevention: Documents are sealed with encryption and logged with uneditable metadata.
• Audit Confidence: Every action is recorded – with timestamp, identity, and status – so auditors don’t need to dig through emails or guess who approved what.
• Social Engineering Defence: Built-in controls prevent documents from being rerouted or signed by impersonators. No emails with attachments to spoof – just secure internal workflows.

Example: A procurement manager initiates an approval. The document is securely routed to the CFO, who signs using their digital certificate. The system records the entire process – no guesswork, no paper trail panic.

A Scribble on a PDF Might Seem Like a Shortcut

But shortcuts don’t hold up in audits or legal disputes. If your business handles sensitive documents, digital signatures offer the certainty, compliance, and traceability that electronic scribbles simply don’t.

FlowCentric helps you take control of the administrative chaos caused by weak signature processes by embedding secure, structured workflows through FlowCentric Processware. Signatures are managed by RealSign, within the process, ensuring that approvals are captured in a secure, compliant, and auditable manner, every time.

Want Help Untangling Your Signature Processes?

Let’s chat. We’ll help you spot the risks, fix the gaps, and protect your business – one signed document at a time.