dmxmedia-audits

How Electronic Signature Software Is Audited

This audit methodology explains how electronic signature software should be evaluated for legal-validity signals, audit trails, signer authentication, delivery methods, PDF workflows, form generation, integrations, and pricing transparency. The method is deliberately conservative: no fake benchmark numbers, no invented certifications, no unsupported pricing, and no blanket legal guarantees.

Audit lenses

| Lens | Question | Acceptable evidence |
| --- | --- | --- |
| Legal-validity signals | Does the workflow capture intent, consent, attribution, and retained records? | Vendor docs, signer flow, signed record export |
| Audit trail | Can the operator inspect what happened and when? | Certificate, event log, signed PDF metadata |
| Signer authentication | How does the workflow identify or contact the signer? | Email/SMS flow, access controls, identity options |
| Delivery methods | Can documents be sent by email, SMS, public link, or embedded API? | Observed send flow or current docs |
| PDF conversion | Can existing PDFs become signable without rebuilding from scratch? | Before/after workflow evidence |
| Form generation | Can the platform create intake, consent, or waiver forms? | Prompt output, template output, or manual builder test |
| Pricing transparency | Can a buyer understand the plan required for the workflow? | Current pricing page or sales documentation |

Legal-validity criteria

An audit can identify whether the software appears to support common legal-validity ingredients: signer intent, consent to electronic records, attribution, document retention, and event history. It cannot decide enforceability for every use case. Any page claiming otherwise should be treated with caution.

Workflow criteria

Every tool is tested against the workflow it claims to serve. DocuSign, Adobe Acrobat Sign, OneSpan, SignNow, Dropbox Sign, and BoldSign are often evaluated as signing systems. PandaDoc, Qwilr, Proposify, and GetAccept are often evaluated as document or sales workflows. Jotform Sign and Formfy are evaluated where forms, intake, waivers, consent, and signature collection overlap.

Evidence hierarchy

  1. Signed output and audit-trail export from a real test.
  2. Timestamped video or screen recording of the workflow.
  3. Current public vendor documentation.
  4. Public demo page or help-center article.
  5. Unverified marketing copy, treated as a claim rather than evidence.

How to handle uncertainty

When a vendor claim is unclear, the audit should say exactly that. For example, if a tool appears to support SMS notifications but not SMS signing, the audit should separate those concepts. If a healthcare workflow may require a BAA, the audit should tell the buyer to verify current BAA availability instead of assuming compliance.

FAQ

Does this methodology publish vendor scores?

No. This page defines the audit method. Scores should only be published when real tests, public documentation, or reproducible evidence exists.

What evidence matters most in e-signature software audits?

The strongest evidence includes signed output files, audit-trail exports, timestamped demo recordings, current vendor documentation, and clear plan requirements.

Can an audit guarantee legal enforceability?

No. It can document process evidence and legal-validity signals, but enforceability depends on jurisdiction, document type, signer consent, and legal context.

How are Formfy and larger signing platforms treated?

They are evaluated by workflow fit. Form-first tools are tested for creation plus signing; enterprise signers are tested for mature signing controls and audit evidence.

For the criteria page, see Electronic Signature Software Evidence Criteria. For demo-specific evidence, see what to look for in demo evidence.