Is this document real? Ensuring digital security and authenticity of PDFs

3 September 2020

With remote and paperless auditing becoming much more common, a number of threats and opportunities arise.

This article considers the use of Adobe DC Pro as both a great tool for authenticating and securing documents for signing, and also how it can be used maliciously to tamper with PDFs.

How safe are PDFs?

Many auditors would consider a PDF document to be less prone to tampering than say, a Word document. People tend to convert Word or Excel to PDF to try to preserve the integrity of the document. And this works to some degree.

If we request soft-copies of Minutes say from a client and they are sent in Word, there is no guarantee that the version we have is the latest, has been approved correctly, or is actually authentic. But a PDF, even if it includes a signature, while looking more convincing, may still have been tampered with.

Consider the example below:

Here is a Xero invoice, opened using Adobe DC Pro.
Edit is selected, and characters and numbers may be changed, and the document then saved.
Bank accounts, amounts, and other details on the invoice are easily updated.

How might we detect this?

One way of finding clues is to look at the PDF description and comparing the created and modified date/time. This does not guarantee with 100% accuracy that it wasn’t modified but if it was edited as above and the changes saved you will normally see a difference in the date.

If these are different then it was definitely edited. However, a really more sophisticated tamperer could work around this and modify the metadata.

What about items scanned to PDF?

It is common for clients to send us scanned documents, say signed minutes. How safe are these? Adobe DC Pro edit function can also be used to change these, (although changes may be more obvious as the updated font may look sharper or out of line).

The easiest way to detect if a file has been modified is to digitally sign the document. Reader and Acrobat will report if the document has been changed since it was signed. So if say we have an important document on file and we wish to have a client or third party confirm authenticity, we can use the digital signing feature to do this.

Secure digital signing of documents

However, there is the more obvious use for this tool – to create a document such as an engagement letter as a PDF, and add your own digital signature.

In the old context, we would print and sign a hard copy letter, mail it (or scan and email it) to the client, they would sign and mail it back (or print, scan, sign and email it back).

With digital signing tools, So we create the letter from Audit Assistant (for instance), and save as a PDF with the letterhead already inserted.

We then open the document in Adobe DC Pro, and select “Fill and Sign”. This allows us to add a facsimile of our own signature to the letter. Then we select “request signatures”. Then we add the email address of the client, a message, and to select the space where we want the client to sign.

Finally, we select “send” and the client receives an email with a link to sign digitally. They do not need to have any software installed to do this, as they complete in a web form. You will be advised automatically by email when the document has been signed by the client.

The beauty of this is not that you or they can add a facsimile of their signature without printing (signatures are becoming a quaint formality), but that the document has been controlled within a secure environment controlled by Adobe. They even append a certification as to the authenticity of the process.

Use this tool to certify other documents

There are other uses for this over and above signing letters and reports. How about we have an invoice or a contract on file, and we suspect it may have been tampered with?

We can use the “Fill and Sign” tool to securely send the document to the client or a third party to get them to approve and sign the document as authentic, thus adding another layer of assurance to our work.

Use this alongside Audit Assistant

Some audit evidence is gathered by sharing pages with clients, and they can add their comments and attachments. This is handled securely within Audit Assistant. Some parts of the audit however require documents to be passed and signed securely. Adobe DC Pro provides this with much the same feel as sharing pages within Audit Assistant. We recommend it.

The cost of an individual licence is $A22.99/month, or a team subscription is $A26.13/person/month.

News