Q&A on how unauthorized signatures happen, the controls that actually prevent them, and how to design an auditable signature authority process.
For background on what authorized signatory lists are and why they go wrong, see Authorized Signatory Lists Explained.
Definition: An unauthorized signature is the execution of a binding instrument — such as a contract, banking instruction, or corporate resolution — by a person who did not have valid signing authority for that specific scope, entity, threshold, or time period.
Unauthorized signatures are rarely the result of a single "bad actor." More often, they're the predictable outcome of outdated lists, unclear rules, and weak enforcement in the places where signatures happen.
A: Any execution of an instrument by a person who did not have valid signing authority for that scope at that time. That includes: wrong entity or bank account, wrong threshold (value exceeds delegated limit), expired temporary authority, or authority revoked due to role change or termination.
A: Common scenarios include:
| Failure Mode | Root Cause | How It Creates Risk |
|---|---|---|
| Stale signatory lists | Banks or counterparties rely on outdated list versions | Individuals who no longer hold authority continue to sign |
| Role churn | People move roles faster than authority records are updated | Gap between actual role and recorded authority |
| Emergency workarounds | Signing via email approvals or verbal authorization | No formal record, no expiry, no audit evidence |
| Unclear instrument scope | Authority granted for "contracts" without entity/type specificity | Overbroad interpretation of signing rights |
| Disconnected systems | Contract approvals in one tool, signature execution in another | Neither system validates authority end-to-end |
According to the Cygnetise 2021 report on authorized signatory management, the majority of organizations still manage signatory authority through spreadsheets and manual processes — which makes every one of these failure modes more likely.
A: The strongest programs use layered controls:
Relying on training alone is not a control. It helps, but it won't catch edge cases.
Our recommendation: The single most impactful control is connecting signatory list updates to HR role change events. When a termination or role change in HRIS automatically triggers a signatory review, the most common failure mode — stale authority — is eliminated at its source.
A: E-signature improves identity verification and evidence, but it doesn't automatically ensure that the signer had appropriate authority. Many organizations have e-signature workflows that still allow "anyone with access" to sign, especially when templates or routing rules are loose. E-signature is a piece of the stack, not the whole solution.
A: Temporary coverage should be explicit, time-bound, and discoverable: the delegation has a start date and end date, scope is limited (entity/instrument/threshold), approvals are recorded, and expiration triggers automatic reversion and notifications. If temporary authority is granted via email without an expiration, it will eventually become permanent by accident.
A: Do a targeted recertification: identify all current signatories for high-risk instruments (bank accounts, large contracts), confirm employment status and role alignment, remove or time-bound any ambiguous cases, and document the recertification decision and publish the updated list to counterparties. This doesn't replace a full program, but it reduces immediate exposure.
For the audit evidence angle, see DOA and SOX/Internal Controls Q&A.
A: Aptly helps you treat signatory authority as governed data: searchable lists, controlled issuance and revocation, time-based delegations, and audit-ready history. That makes it easier to validate authority before signing — and to prove it after the fact.
Connect with our team for a discovery session to learn more about how Aptly can help within your organization. If you are already a client and need support, contact us here.
