Electronic Approval: Another Step Toward a Paperless Office Copyright 1992 CAUSE From _CAUSE/EFFECT_ Volume 15, Number 3, Fall 1992. Permission to copy or disseminate all or part of this material is granted provided that the copies are not made or distributed for commercial advantage, the CAUSE copyright and its date appear,and notice is given that copying is by permission of CAUSE, the association for managing and using information resources in higher education. To disseminate otherwise, or to republish, requires written permission.For further information, contact CAUSE, 4840 Pearl East Circle, Suite 302E, Boulder, CO 80301, 303-449-4430, e-mail info@CAUSE.colorado.edu ELECTRONIC APPROVAL: ANOTHER STEP TOWARD A PAPERLESS OFFICE by Kenneth C. Blythe and Dennis L. Morrison ************************************************************************ Kenneth C. Blythe is Director, Office of Administrative Systems, at Penn State, responsible for coordinating the design, development, implementation, operation, and security of the University's student and business information systems, and for managing Penn State's "private" telecommunications network of 3,000 terminals. Before joining Penn State, he was the senior advisor for statistics and computing to the nation of Bahrain, a consultant to the U.S. Congress, president of Software Options, and the director of computing for the United States Information Agency and Department of Health, Education, and Welfare. He is Vice Chair of the CAUSE Board of Directors. Dennis L. Morrison has been a member of Penn State's administrative computing team for the past twenty-one years. As a system project leader, he is responsible for the design, development, and implementation of financial systems for the University's central administration. He is currently involved in the design of the Penn State's new Integrated Business Information System (IBIS). ************************************************************************ ABSTRACT: Last year, Penn State University won top honors in the NACUBO/USX Cost Reduction Incentive Awards program for their electronic approval system, called EASY. EASY allows documents to be electronically generated, approved, and updated in the University's central database. The system heralds a new paradigm for conducting campus business that is faster, cheaper, more accurate, and more secure than paper approval. Gene Roddenberry's Star Trek describes a world (or at least a starship) without paper. Interestingly enough, Star Trek viewers readily accept this fiction because they know, instinctively, that starships do not need paper. Those same viewers return to their workplaces overrun with paper without sensing a contradiction. Paper is thought to be convenient and cheap. It has a familiar touch and feel, and is a natural element of the modern bureaucratic landscape. It is so natural, in fact, that we are oblivious to the burden that it causes, physically, economically, and environmentally. To better appreciate the burden of paper, imagine the reverse scenario. Imagine yourself on the bridge of the Starship Enterprise, making the case for paper. You are explaining to Captain Kirk that paper is more durable and more easily transported than electronic documents. Your arguments include numerous facts, such as that paper can be easily retrieved from file cabinets and file cabinets can be distributed to each department of the starship with its own storage area. File drawers can be labeled and file folders can be indexed for quick retrieval. And, by the way, you argue, copying machines can make paper copies that can be cross-referenced by multiple topics in multiple departments. The more Captain Kirk challenges, the more righteous you get about the case for paper, but it is hopeless. Kirk's questions are overwhelming. What about papers that are misfiled? What about papers that are removed and not returned? What about security? What about the mindless workload of paper--the extra staff required to type, copy, index, distribute, file, track, retrieve, lick, label, sort, transport, archive, shred, burn, and dump it? In the reverse scenario, the limitations of paper are obvious. In the information age, paper is out of fashion. It is no longer a reasonable medium for storing and distributing information. Paper is most harmful to higher education because higher education is in the information business. Unlike other bureaucracies, higher education works full time at the task of creating, publishing, distributing, collecting, searching, and teaching information, and the principal instrument for doing this today is paper--in libraries, in classrooms, in publications, and in administration. Small wonder that 70 percent of university waste is paper. But someday, higher education paper mills will be as antiquated as rusting factories in Eastern Europe. Electronic approval is a paper alternative Paper forms--such as purchase orders, general stores requisitions, appointments, promotions, timecards, cash advances, and more--rank as one of the most inefficient uses of paper in higher education. Millions of these forms are shuffled about college and university campuses every day, as the uncontested standard for conducting business. In particular, paper forms are the primary means for gathering routine administrative approvals. Millions of times each day, clerks in higher education roll paper forms (one or more part) into manual typewriters to record the basis of an administrative approval. After typing, the forms are reviewed, checked, signed, transported, entered in computer databases, filed, retrieved, archived, shredded, dumped, and burned. The workload of paper forms is considerable. This article is about an alternative to paper forms--an electronic approval system that complements and enhances other electronic business methods, such as electronic mail and office automation. Known as EASY (Electronic Approval SYstem), the system has been in use at The Pennsylvania State University since 1989. With EASY, paper and the workload associated with it are reduced dramatically. EASY allows documents to be electronically generated, approved, and updated in the University's central database. The system comprises two parts: a routing system and standardized electronic forms. The routing system is controlled by predefined tables that automatically route documents through certain paths. The system directs documents, which are developed within established guidelines, to specified users, who may view, edit, and approve a document within the computer system. EASY allows for additional security for confidential data and provides a complete audit trail for each document. EASY forms are originated at the appropriate office and then automatically forwarded to individuals whose approval is required. Electronic approval has these unique features: (1) data are recorded, validated, and corrected at the data source; (2) EASY forms have mandatory/predetermined recipients for approval; (3) the mandatory recipients are defined in approval grids (paths) which are maintained apart from the form; and (4) once the form has passed the approval grid, it updates central administrative databases electronically (without reentry). EASY is mandatory for anyone who wants to authorize employment, issue purchase orders, reserve fleet vehicles, and perform other administrative tasks. Thus the electronic approval system is expanding the community of people using the network and bringing the entire University into the information age. How does electronic approval work? Penn State processes approximately 992,000 business forms annually that are gradually being converted to electronic approval. The conversion from paper form to electronic form involves: (1) creating the electronic format for the form, (2) preparing training materials, (3) training the entire University in the use of the form, (4) establishing approval paths for the new form and creating an approval designation table (ADT), (5) authorizing access to the approval paths through security procedures, and (6) terminating the use of the paper form. From beginning to end, this process takes approximately one year. Almost half of Penn State's business forms have been converted, with new forms being added every quarter. For an organization within the University to begin using electronic approval, it is necessary to have up to three people authorized to maintain the ADT. This authorization is accomplished with a paper form signed by the organization head (dean, vice president, etc.). Note that it takes a traditional paper form to start electronic approval because paper forms are required until the ADT is in place. The ADT is part of the security matrix surrounding EASY. It indicates the individuals in the organization who may submit, add, approve, or reject electronic forms. At Penn State, the responsibility for establishing the ADT is that of the local financial officer (or designate) as required by the University's signature authorization policy. This policy requires approval at the level of budget administrator and above. The approval paths may also extend below the level of the budget administrators as long as the approvals at that level are followed by the budget administrator at some point. Once created, the ADT becomes the authority for approving electronic documents. Individuals who appear in the table, and only those individuals, can approve electronic forms for an organization. Financial officers may create separate approval paths for each form or, if they prefer, may consolidate many forms or all forms into one path. However, each form can only appear in one path for each organization. If a form is not specified as being in a path, it will automatically default to a standard path within the organization. The standard path allows forms to be added to EASY without additional approval paths (unless specified otherwise, forms will be routed according to the standard path). In this way, the standard path reduces the number of paths that must be maintained. An ADT may have as many as nine levels of approval with nine individuals across each level. Most offices, however, use only two or three levels with two or three individuals at each level. The entries in the table are user IDs. The first user ID at each level is called the default approver. Forms will automatically route to the default approver unless the previous approver indicates another at the same level. The ADT also provides for delegated approvals or proxies. Any authorized approvers on the table may have a proxy within the organization, but once designated the proxy cannot be further delegated. This use of proxies corresponds to Penn State's signature authorization policy. Although proxies may be used at any time, the practice should be limited to instances where the responsible individual is absent. Forms flow and the approval cycle EASY forms may flow through as many as three phases of approval before they are fully approved and accepted for processing. The approval phases are established in advance. The first two phases are known as administrative approval phases (phases 1 and 2) and the third is known as the central action cycle (see Figure 1). In all three phases, the form is validated and revalidated with information from central University databases. Forms are originated in the administrative approval phase at the "source" and become permanently identified in the electronic approval database. The form's name and budget number enable EASY to determine which approval path to use. The source of origination may be in phase 1 of the approval path or in phase 2 if phase 1 does not exist (phase 1 is optional). As they are approved, forms automatically advance from phase 1 to phase 2. Forms cannot be forced past an approval level. Each approver has the opportunity to change, approve, or reject forms. If forms are changed or rejected, a "notepad" is provided to describe the reason. Forms that are changed in major ways are rerouted automatically to the previous approvers. Copies of a rejected form are sent to all approvers who originally approved it for information purposes. Encumbrance occurs at the approval level specified by the financial officer. Once through the administrative approval phases, forms are automatically passed to the central action cycle, where they are approved by central offices. Individuals in the central offices cannot change data (except in a few limited cases); forms are either approved or rejected. When forms are rejected, their encumbrances are removed automatically and messages are put in notepads, before the forms are returned to each approver to let him or her know that the form was rejected. After the central action cycle, information from the form is used to update central databases and initiate the requested administrative action. What about security? With the outcome of electronic approval being an expenditure of University funds, Penn State auditors (both internal and external) had to be convinced that electronic methods were at least as secure as the paper method that they were replacing. This assurance was possible by creating the "security matrix" of which the ADT is a part. The matrix combines access control, functional authorization, approval authorization (with the ADT), data authorization, and form processing into a security shield that discourages unauthorized access. If users attempt fraudulent actions the security matrix frustrates those attempts and maintains an audit trail for follow-up. When fraudulent actions are attempted, those actions are preserved in the electronic audit trail even if the attempts are abandoned. Even if access control is compromised, the security matrix prevents the perpetrator from operating with impunity. The security matrix places the "forged" user in an organizational and functional context. The forged user ID is inherently limited in scope and organizational context. If it happens that a criminal stumbles on a lucrative user ID, the security matrix requires accomplices who must also approve the action. The accomplices operate in their own security matrix. The likelihood of reconstructing events for a complete approval path are slim, indeed. The perpetrator would have to steal the user ID and passwords of three to ten individuals. The chances of doing this are much smaller than chances of forging signatures with traditional paper forms. With paper forms and manual signatures, it is infinitely easier to commit fraud than with electronic forms. Anyone can type a form. Anyone can forge signatures. The interesting thing is that people do not often forge signatures because they know that it is against the law. With electronic approval, the legal implications are compounded. There is a set of computer laws governing computer activities beyond the traditional laws which cover fraud. People are not encouraged to commit crimes electronically any more than they are with paper forms. Benefits of electronic approval As a practitioner of information age communication, Captain Kirk knows, instinctively, the benefits of electronic approval. He knows that the most important benefit of electronic approval is source data automation, meaning that data are captured one time at their source. Source data automation improves organizational relationships. Paper forms have an extended check-and-reject cycle, starting with typing right through until the forms are keypunched and checked with central computers. This check-and-reject cycle, which may last days or weeks, results in conflict. When forms are checked by central offices with the help of central computers, errors are detected. The central offices blame the originating offices for the errors. This is natural. Central offices develop an attitude of superiority and distributed offices reinforce that attitude by depending on central office checking. At Penn State, error rates of more than 30 percent were reported with paper forms. Source data automation empowers distributed offices by teaching them to fish rather than giving them fish. It gives distributed staffs the tools to check their own data. Source data automation includes validation of data as they are entered--not after they are processed centrally. In other words, electronic approval checks are made at the beginning of the approval cycle rather than at the end. Not only are errors thus detected at the point of origination, but they are detected in the privacy of the originator's office without public humiliation. Originators have the privacy and system support required to learn from their mistakes. Another benefit of capturing data at the source is that it reduces the rate of error and increases the quality of the data. As distributed offices become more proficient with electronic approval, they take greater pride in ownership in their work and make fewer mistakes. The irony of paper forms is that central offices do not "own" the intent of the paper form; their goal is to merely validate the rules so that the form can be processed. Electronic approval is far superior because the originator of the form becomes the checker also. At Penn State, the results have been dramatic. The rate of errors has declined by a factor of 10 along with the workload associated with correcting those errors. Electronic forms are processed correctly the first time and do not have to be processed again. In addition to easy correction at the source and reduced error rates, here are some other important benefits of electronic approval: * Electronic forms are preloaded with many relevant items of data which saves retyping or reentering that data. This is true, for example, with personnel forms where the employee's name, birth date, educational attainment, salary, etc., can be preloaded from previous forms. * Electronic forms can be typed only once. To appreciate this savings, it is helpful to understand that before electronic forms at Penn State, there were many instances of typing, retyping, entering, and reentering the same data from the same forms into multiple data bases. With electronic approval, these retypings have been reduced, saving workload and time. * Electronic forms save the cost of filing because they are automatically filed. As soon as the form is added it is permanently filed in electronic file folders. One image of a form can be retrieved in multiple file folders at the same time. * Electronic forms eliminate the considerable expense of paper forms. * Electronic forms save the cost of office space, file cabinets, and file folders. * Electronic forms are self-distributing. They do not have to be stapled, folded, or addressed to get to the next approver. The originator or approver merely indicates his or her approval of the form and it is automatically forwarded to the next approver. * Since electronic forms are transported electronically, they do not require mail carriers. * Copies of forms are sent to offices electronically for notification rather than approval; these notification copies are generated automatically. In each of these important ways, electronic approval is streamlining the workflow and reducing costs at Penn State. As shown in Table 1, the cost savings and cost avoidance of EASY will increase as more forms are added and as offices change their work habits to rely more on the system. When it is fully implemented at Penn State (scheduled for Fiscal Year 1994-95), electronic approval will save more than $740,000 per year. [TABLE 1 NOT AVAILABLE IN ASCII TEXT VERSION] Even though EASY is now being used throughout the University, unfortunately many offices are reluctant to give up their old ways of doing business to adopt the simplified EASY procedures. These offices have maintained paper files for so long that they believe they are still required. Even though they do not have to, they are printing electronic actions and filing them in paper file folders as they have always done. In response, the University is working with each office on a case-by- case basis to encourage alternatives to paper. Some situations require quality improvement teams to examine underlying business processes so that they can be changed along with the movement to eliminate paper. Process changes such as these take time. In conclusion Although it uses many of the techniques of electronic mail, electronic funds transfer (EFT), and electronic data interchange (EDI), electronic approval is a new breed of business automation. Electronic approval is a business management system that facilitates day-to-day flow of internal business documents. With this system, internal business data are recorded directly at the source, providing all of the known benefits of source data automation and validation. Furthermore, electronic approval provides the ability to set up self-sufficient business units (campuses, offices, or departments) removed in rank and geography from the dean's office or president. As long as there is an electronic link, remote offices with electronic approval have the same logical proximity as that enjoyed by offices next door. Electronic approval is a new paradigm for conducting University business that is faster, cheaper, more accurate, and more secure than paper approval. ************************************************************************ Electronic Approval: Another Step Toward a Paperless Office