oversight

Maintaining Effective Control over Employee Time and Attendance Reporting

Published by the Government Accountability Office on 2003-01-01.

Below is a raw (and likely hideous) rendition of the original report. (PDF)

               United States General Accounting Office

GAO            Internal Control




January 2003
               Maintaining Effective
               Control over
               Employee Time and
               Attendance Reporting




GAO-03-352G
               a
Contents



Preface                                                                                                 1


Part I: Civilian                                                                                        4
                                 Internal Control Objectives in T&A Systems                             4
Employees                        T&A Transactions Should Be Authorized and Approved                     6
                                 T&A Information Should Be Properly and Promptly Recorded and
                                    Retained                                                           10
                                 Exception-Based Systems                                               13
                                 Transmitting T&A Information to Payroll                               14
                                 Alternative Workplace Arrangements                                    15


Part II: Military Service                                                                              16
                                 Active Military Personnel                                             16
Members                          Military Reservists                                                   17


Appendix
                   Appendix I:   GAO’s Review of Electronic Signature Applications                     18


Related GAO Products                                                                                   20




                                 Abbreviations

                                 FMFIA      Federal Managers’ Financial Integrity Act
                                 GAO        General Accounting Office
                                 GPEA       Government Paperwork Elimination Act
                                 JFMIP      Joint Financial Management Improvement Program
                                 OMB        Office of Management and Budget
                                 T&A        time and attendance


                                 Page i                                     GAO-03-352G T&A Guidance (I/C)
Contents




 This is a work of the U.S. Government and is not subject to copyright protection in the
 United States. It may be reproduced and distributed in its entirety without further
 permission from GAO. It may contain copyrighted graphics, images or other materials.
 Permission from the copyright holder may be necessary should you wish to reproduce
 copyrighted materials separately from GAO’s product.




Page ii                                                  GAO-03-352G T&A Guidance (I/C)
Preface


          Technological advances and changes in workplace habits have increasingly
          affected the operating environment for time and attendance (T&A)
          reporting in recent years. For example, trends in the government to
          streamline operations through automation and encourage more flexible
          work schedules and places have provided a major impetus for changes in
          T&A reporting. Perhaps the most significant influence on changes to T&A
          reporting, however, is advancing technology and the accelerated adoption
          of automation driven largely by the need for increased efficiency, as
          promoted by the Government Paperwork Elimination Act (GPEA).
          Although focused on electronic systems that process information obtained
          from and provided to sources outside the government, GPEA encourages
          agencies to seek internal applications of paperless systems and use of
          electronic signatures.

          We are responsible under the Federal Managers’ Financial Integrity Act of
          1982 (FMFIA) (31 U.S.C. 3512 (c), (d)), for issuing standards and guidance
          on internal control for the federal government. In order to address the
          potential impact on internal control of the above-mentioned changes in
          T&A reporting, and because of our commitment to improving financial
          management in the federal government, we are updating our guidance
          related to controls over employee T&A reporting.1 This document
          (1) provides agencies with the flexibility needed to streamline T&A
          reporting systems and reduce their costs while maintaining adequate
          internal control, (2) updates the requirements for electronic signature
          control, and (3) addresses the need for controls over alternative workplace
          arrangements. We have modified the language from our earlier exposure
          draft on this topic to emphasize (1) the link between internal control over
          T&A information and the overall objectives of the Internal Control




          1
          This documents replaces the 1996 revision to Title 6, “Pay, Leave, and Allowances,” of the
          GAO Policy and Procedures Manual for Guidance of Federal Agencies.




          Page 1                                                   GAO-03-352G T&A Guidance (I/C)
Preface




Standards,2 (2) the importance of compliance objectives,3 (3) the role of the
supervisor in ensuring proper recording of T&A information, and (4) to
address comments received on the exposure draft.

This document relates solely to internal control for a T&A reporting
system. The overall functional requirements for human resources and
payroll systems for civilian personnel are defined in the Joint Financial
Management Improvement Program’s Human Resources & Payroll
Systems Requirements, JFMIP-SR-99-5 (Washington, D.C.: April 1999),
Office of Management and Budget (OMB) Circular A-127, Financial
Management Systems (Washington, D.C.: July 23, 1993) and OMB's
implementation guidance Revised Implementation Guidance for the
Federal Financial Management Improvement Act (Washington, D.C.:
Jan. 4, 2001). Also, we have issued a checklist Human Resources and
Payroll Systems Requirements, GAO/AIMD-21.2.3 (Washington, D.C.:
March 2000) based on the JFMIP requirements document.




2
 In 1999, we revised our Standards for Internal Control in the Federal Government
(Internal Control Standards), GAO/AIMD-00-21.3.1 (Washington, D.C.: November 1999). This
guidance provides the criteria for developing and maintaining internal control over federal
agency operations, including T&A reporting, under 31 U.S.C. 3512 (c), (d). This document is
available on the Internet at the GAO home page (www.gao.gov) under “Other Publications”
and in hard copy by calling (202) 512-6000.
3
 While this guidance identifies some of the applicable legal and other requirements, agency
management retains the responsibility to identify all such requirements, for example,
statutes, regulations, and decisions that apply to their T&A reporting systems in order to
meet the compliance objectives discussed in this guidance. Many of these requirements are
identified in the Joint Financial Management Improvement Program (JFMIP) guidance,
Human Resources and Payroll Systems Requirements, JFMIP-SR-99-5 (Washington, D.C.:
April 1999). The JFMIP guidance provides the functional requirements for human resource
and payroll systems to comply with governmentwide and agency-specific statutes,
regulations, and guidelines for controlling and accounting for human resources, payroll
salaries, and expenses.




Page 2                                                   GAO-03-352G T&A Guidance (I/C)
Preface




The work schedule followed by civilian employees differs from that
generally followed by members on active duty in the armed services.
Because work schedules influence internal control in T&A systems, this
document contains two major parts. Part I of this guidance deals with
civilian employees who typically have predetermined work schedules. Part
II deals with members of the active duty armed services who are expected
to be in a “duty status” and thus on call 24 hours a day. Employees who are
paid regardless of their presence or absence and who do not accrue leave,
such as political appointees, are exempt from the provisions of this
document.4

Questions on or interpretations of any material in this document may be
submitted to the Managing Director, Financial Management and Assurance,
U.S. General Accounting Office, 441 G Street NW, Washington, D.C. 20548.

Additional copies of this document can be obtained from the U.S. General
Accounting Office by calling (202) 512-6000 or TDD (202) 512-2537, or you
may fax a request to (202) 512-6061. It is also available on the Internet on
GAO’s Home Page (www.gao.gov) under “Other Publications.”




Jeffrey C. Steinhoff
Managing Director
Financial Management and Assurance




4
 See Comptroller General Decision B-123698 (May 10, 1978).




Page 3                                                 GAO-03-352G T&A Guidance (I/C)
Part I: Civilian Employees



Internal Control            The primary objectives of internal control in a T&A system are to ensure
                            that the system complies with applicable legal requirements, supports
Objectives in T&A           reporting of reliable financial information, and operates effectively and
Systems                     efficiently. To achieve these objectives, internal control over T&A systems
                            should be guided by GAO’s Standards for Internal Control in the Federal
                            Government (Internal Control Standards) and control activities should
                            provide reasonable assurance that (1) T&A transactions are authorized and
                            approved and (2) T&A information is properly and promptly recorded and
                            retained.



Internal Control over T&A   As T&A systems evolve toward increasingly automated methods of
Systems Should Be Guided    recording and reporting employee work and leave times, it is important
                            that agencies implement and maintain well-defined internal control
by the Internal Control     activities that provide management with the confidence that the system is
Standards                   working as designed. GAO’s Internal Control Standards provide the criteria
                            for federal agencies to follow in establishing internal control over their
                            operations, including T&A reporting. Consistent with the Internal Control
                            Standards, agency development of control activities over T&A information
                            should give due consideration to (1) the control environment in which T&A
                            processing occurs, (2) applicable risks, (3) the needs of users of T&A
                            information, and (4) the results of control monitoring and evaluation. To do
                            this the agency should

                            • have a well-defined organizational structure and flow of T&A
                              information with clearly written and communicated policies and
                              procedures setting forth the responsibilities of employees, timekeepers
                              (if applicable), supervisors, and others regarding recording, examining,
                              approving, and reporting on T&A information;

                            • apply available technology and concepts to achieve efficient and
                              effective T&A system processes and controls in accordance with
                              applicable legal and other requirements, this guidance, associated risks,
                              and the environment in which the agency operates; and




                            Page 4                                          GAO-03-352G T&A Guidance (I/C)
                           Part I: Civilian Employees




                           • review and test all aspects of the T&A systems’ processing procedures
                             and controls with sufficient scope, depth, and frequency to provide
                             reasonable assurance that key procedures and controls are effective in
                             meeting legal and other requirements, and that data integrity is
                             maintained.5



Authorizing, Approving,    The supervisor has primary responsibility for authorizing and approving
Recording, and Retaining   T&A transactions. Supervisors and timekeepers 6 should be aware of the
                           work time and absence of employees for whom they are responsible. To
T&A Information            help ensure proper recording of T&A information, completed T&A records
                           should be reviewed and approved on an appropriate basis by the supervisor
                           (or other equivalent official). To the extent practical, changes to an
                           employee’s normal work schedule should generally be approved prior to
                           the change actually occurring. Unanticipated changes should be reviewed
                           for approval or disapproval as soon as reasonably possible.

                           In an automated environment, system edits (such as those that check for
                           format, omissions, and reasonableness of data) and other automated tests
                           can assist the supervisor in his or her reviews to verify that T&A
                           information has been properly recorded and provide a reasonable basis for
                           making payments. The nature and extent of T&A transaction approvals and
                           controls can vary among T&A systems. Fully automated systems, for
                           example, may require fewer approvals than manual systems because of
                           automated edits and controls and the use of automated signatures.
                           Nevertheless, the nature and extent of T&A approvals should be such that
                           management has assurance that supervisors or other authorized officials
                           know they are accountable for the approval of an employee’s work time
                           and absences.




                           5
                             Agencies’ T&A systems are subject to periodic review under FMFIA (31 U.S.C. 3512 (c) and
                           (d)). The Office of Management and Budget (OMB) provides guidance to agencies for
                           establishing, evaluating, and reporting on controls and financial systems in OMB Circular A-
                           123, Management Accountability and Control (Washington, D.C.: June 21, 1995) and OMB
                           Circular A-127, Financial Management Systems (Washington, D.C.: July 23, 1993).
                           6
                             The traditional T&A system normally involved a timekeeper who was responsible for
                           assisting supervisors in recording and verifying employees’ work time and absences. New
                           T&A systems can reduce or even eliminate timekeepers’ duties and shift the responsibilities
                           to employees or supervisors. Regardless of the changes made, the control objectives in this
                           guidance remain relevant.




                           Page 5                                                   GAO-03-352G T&A Guidance (I/C)
                       Part I: Civilian Employees




                       “Proper” recording of T&A information refers to whether the recorded
                       information is complete, accurate, valid, and complies with applicable legal
                       requirements. Such legal requirements may include, but are not limited to,
                       statutes, regulations, and decisions. T&A information should also be
                       recorded as promptly as practicable to maintain its relevance. Detailed
                       control objectives relative to T&A information are presented later in this
                       guidance.

                       Most federal civilian employees are paid on an hourly basis (or fractions of
                       an hour) and earn and charge leave on that basis. A proper record of the
                       time an employee works should be retained as an official agency record
                       available for review or inspection.7 To provide a basis for pay, leave, and
                       benefits, the records should include aggregate hours of regular time, other
                       time (e.g., overtime, credit hours, or compensatory time), and leave.8



T&A Transactions       Supervisory authorization and approval is a key part of ensuring the
                       propriety of T&A information. The supervisor or other authorized official
Should Be Authorized   should review and authorize employee’s planned work schedules and
and Approved           applications for leave, and review and approve employee submissions of
                       actual time worked and leave taken, as well as information in T&A reports,
                       and any adjustments or corrections to T&A records. Employees may
                       approve their own T&A reports when authorized in writing to do so, if they
                       are high level managers or if it is infeasible for the supervisor to approve
                       the T&A reports.



Supervisory Approval   This subsection defines approval and discusses how approvals can be
                       achieved in a manual or automated T&A system environment. Approval is
                       the supervisor’s, other equivalent official’s, or higher level manager’s
                       agreement to, ratification of, or concurrence with (1) a planned work
                       schedule and leave of an employee or (2) actual T&A information. Such
                       approval indicates that the actual work schedule recorded is to the best of


                       7
                         Federal records management is governed by federal law. Agency management should
                       develop policies for the creation, maintenance, use, and disposition of T&A and related
                       records in accordance with legal and other requirements.
                       8
                         Traditionally, daily arrival and departure times were required to be recorded. Although it is
                       not required that daily records be maintained, agency management may choose to do so by
                       using sign-in/sign-out sheets or other means.




                       Page 6                                                      GAO-03-352G T&A Guidance (I/C)
Part I: Civilian Employees




the approving official’s knowledge properly recorded and in accordance
with applicable legal requirements. The approving official acknowledges
awareness and understanding of his/her responsibility when approving
T&A information.

The documentary evidence of approval will of necessity differ between
manual and automated systems. In manual systems, approval is usually
indicated by the signature or initial of an individual on a hard copy
document. Accountability is established by having the signature or initial
be traceable to the individual providing the approval. In automated
systems, approval is represented by what can be referred to generically as
an electronic signature.9 There are many types of electronic signature
technologies offering different degrees of confidence, control, and security.
In selecting and/or developing and implementing a particular electronic
signature technology for an automated T&A application, management
should assess the risks associated with the loss, misuse, or compromise of
the electronic T&A information and signature compared to the benefits,
costs, and effort associated with selecting and/or developing and managing
the automated systems and electronic signature.10 See appendix I for a
further explanation of electronic signatures and GAO’s review of such
applications.




9
  GPEA defines “electronic signature” as a method of signing an electronic message that
(1) identifies and authenticates a particular person as the source of the electronic message
and (2) indicates such person’s approval of the information contained in the message.
10
  GPEA requires agencies to comply with the guidance issued by OMB regarding automated
systems that maintain electronic information as a substitute for paper and use of electronic
signature. OMB issued the guidance in Memorandum M-00-10, dated April 25, 2000. An
attachment to the memorandum contains the details of the guidance. Also, as part of the
OMB guidance, the Department of Justice was charged with developing practical guidance
on legal considerations related to agencies’ use of electronic filing and recordkeeping. The
department issued Legal Considerations in Designing and Implementing Electronic
Processes: A Guide for Federal Agencies in November 2000.




Page 7                                                    GAO-03-352G T&A Guidance (I/C)
                            Part I: Civilian Employees




Authorizing an Employee’s   When an employee’s work schedule (1) differs from the agencywide
Work Schedule               schedule established by management or (2) reflects a flexible work
                            schedule, the employee’s work schedule should be approved by the
                            supervisor or the official most knowledgeable of the employee’s schedule
                            in advance of the period when the plan takes effect. If the schedule is not
                            approved in advance, the plan should be approved as soon after the start of
                            the pay period as possible.11

                            When agency work schedule programs allow for credit hours12 to be
                            earned, employee requests to work such hours should be reviewed by the
                            supervisor to determine if work demands warrant the employee working
                            the additional hours and, if so, approved before the work has been
                            performed when feasible.

                            Approval also should be obtained for overtime before the work has been
                            performed when feasible and, when not feasible, as soon as possible after
                            the work has been performed. Care should be taken to distinguish between
                            regular overtime and irregular overtime or occasional overtime (or
                            compensatory time in lieu of overtime, where allowed) in order for the
                            agency to properly document and calculate an employee’s overtime pay
                            entitlements.



Approval of Leave           Approval of leave should be made by the employee’s supervisor, or other
                            designated approving official, before the leave is taken. If leave is not
                            approved in advance, because of an unusual or emergency situation, it
                            should be reviewed for approval or disapproval as soon as reasonably
                            possible after it is taken.



Approval of T&A Reports     All T&A reports and related supporting documents (e.g., overtime pay
and Related Records         authorizations) should be reviewed and approved by an authorized official.


                            11
                             Generally, agencies should not allow lunch or breaks to be scheduled at the start or end of
                            the workday that would permit employees to arrive at work late or leave work early.
                            12
                             Use of credit hours may be provided for under an agency’s flexible work schedule
                            program. Use of credit hours permits an employee to elect to work additional hours in
                            excess of his or her basic work requirement (typically 80 hours in a biweekly pay period for
                            a full-time employee) with supervisory approval. Earned credit hours can be used, subject to
                            supervisory approval, in a subsequent workday, workweek, or bi-weekly pay period.




                            Page 8                                                    GAO-03-352G T&A Guidance (I/C)
                             Part I: Civilian Employees




                             Review and approval should be made by the official, normally the
                             immediate supervisor, most knowledgeable of the time worked by and
                             absence of the employee involved. Approval of T&A reports and related
                             documents is based on personal observation, work output, timekeeper
                             verification, information checks against other independent sources,
                             reliance on other controls, or a combination of these methods. The
                             integrity of the information recorded in the T&A reporting system depends
                             largely on the conscientious exercise of the supervisor (or other official) of
                             his or her approval authority and an appropriate basis for such approval.
                             Management may want to reemphasize to supervisory staff (or other
                             authorizing officials) the importance of this responsibility periodically or as
                             needed.

                             The official most knowledgeable of the time worked should approve any
                             overtime or compensatory time records. Care should be taken (1) to ensure
                             that the overtime was approved, preferably in advance, and (2) that the
                             amount and type of overtime (regular or irregular), credit hours, and
                             compensatory time is accurately recorded and reported.

                             If practical, T&A information should be approved at the end of the last day
                             of the pay period or later. When this is not feasible because of payroll
                             processing requirements to meet established paydays, T&A information
                             should be prepared and approved as close to the end of the pay period as
                             possible to allow processing of the payroll by payday.



Adjustments or Corrections   Adjustments or corrections required because of changes after T&A
after the T&A Period Ends    information was approved should be processed promptly and be traceable
                             to the pay period for which the correction applies. Changes should be
                             approved by an authorizing official.



Self-Approval of T&A         In general, employees may not approve their own T&A information.
Reports                      However, the head of an agency (or designee) may authorize particular
                             individuals to approve their own T&A information if they are high-level
                             managers (such as the head of a large unit within the agency).

                             Other exceptions to the general prohibition against self-approval of T&A
                             information apply when the supervisor lacks a basis for approving the T&A
                             information or when it is not feasible to have T&A information approved by
                             a supervisor. Examples of where the supervisor may lack a basis for
                             approving the T&A information include, but are not necessarily limited to,


                             Page 9                                           GAO-03-352G T&A Guidance (I/C)
                              Part I: Civilian Employees




                              (1) employees working alone at a remote site for long periods and
                              (2) employees based at the same duty station as their supervisors or
                              timekeepers but frequently at work sites away from the duty station. In
                              situations when it is not practical for the supervisor to approve T&A
                              information promptly, the employee may be paid and the supervisor may
                              subsequently review and approve the information.

                              In all cases, an official authorized by the agency head (or designee) should
                              grant advance authority in writing, and the agency should have effective
                              controls in place to ensure the proper reporting of T&A information.



T&A Information               Information in T&A records should be promptly and properly recorded to
                              meet control objectives. It should be complete, accurate, valid, and comply
Should Be Properly            with legal requirements. Agency policy should establish accountability for
and Promptly                  recording T&A information and for the maintenance of and access to T&A
                              records and supplementary records. Agency policy should establish how
Recorded and Retained         T&A information for employees temporarily assigned to another agency
                              will be recorded and maintained. Management may require employees and
                              timekeepers, if any, to attest or verify T&A information. T&A information
                              that supports financial reporting or cost reporting should be auditable.



Control Objectives Relative   Controls over T&A information should provide reasonable assurance that
to T&A Information            such information (1) is recorded completely, accurately, and as promptly as
                              practicable, (2) relates to authorized individuals, (3) reflects actual work
                              performed and leave taken or other absences during authorized work-
                              hours and periods, (4) is sufficiently detailed to allow for verification,
                              (5) complies with legal requirements, and (6) is supported by recorded
                              evidence of supervisory review and approval. Typically, to achieve these
                              objectives, agencies record and maintain, for each employee and pay
                              period, the following information or documentation:

                              1. employee name and unique identifying number,

                              2. pay period number or dates,

                              3. hours worked,

                              4. hours of premium pay, by type, and overtime to which the employee is
                                 entitled,



                              Page 10                                         GAO-03-352G T&A Guidance (I/C)
                            Part I: Civilian Employees




                            5. dates and number of hours of leave (by type), credit hours, and
                               compensatory hours earned and used,13

                            6. evidence of approval by an authorized official (usually the supervisor),
                               and

                            7. supporting documentation or records for absences.



Recording T&A Information   Agency policy should assign accountability for recording T&A information
                            and maintaining related records to support the control objectives referred
                            to in the previous subsection. The information may be recorded by the
                            individual employee, timekeeper, supervisor, or a combination of the three.
                            If the employee is not recording his or her own T&A information, several
                            techniques can be used individually or in combination to provide the basis
                            for recording T&A information. The basis could be (1) the timekeeper’s or
                            supervisor’s observation, (2) time clocks, or other automated timekeeping
                            devices, where not prohibited by law, or (3) other applicable techniques.
                            The person recording the T&A information should acknowledge
                            responsibility for the propriety of the recorded information.

                            The point at which T&A information is recorded can vary among different
                            T&A systems. For example, T&A information may be recorded (1) daily, (2)
                            when deviations from an individual’s or agency’s established work schedule
                            occur, or (3) at the end of the pay period. Regardless of the timing of
                            recording T&A information, management should have in place control
                            activities that provide reasonable assurance that the recorded information
                            reflects time worked, leave taken, or other absences.

                            A T&A record can be (1) a manually completed hard copy document, (2) an
                            automated file retained electronically, or (3) a combination of automated
                            and manual records. The T&A information can be obtained using a number
                            of different methods, including but not limited to, preprinted or specially
                            designed T&A forms; other standard forms; internal memorandums;
                            e-mails; employee, timekeeper, or supervisor notations (that might, for
                            example, result from phone conversations); or other formats so long as the


                            13
                             Agency T&A records typically contain the cumulative balance of available leave by type at
                            the end of the pay period for each employee. Examples of the types of leave on such T&A
                            records include, but are not limited to, annual, sick, and leave for family care purposes
                            under provisions of the Family and Medical Leave Act.




                            Page 11                                                 GAO-03-352G T&A Guidance (I/C)
                               Part I: Civilian Employees




                               documents are controlled and retained as the official T&A record of
                               employees.



Attestation and Verification   Attestation refers to an employee affirming T&A information to be proper.
by Employees and               Verification is a confirmation, usually by the timekeeper or supervisor, that
                               to the best of his or her knowledge recorded information is proper. This
Timekeepers                    guidance does not require such attestations and/or verifications. However,
                               if management requires such attestations and/or verifications, they should
                               be performed as close to the end of the pay period as possible. When not
                               possible until after the end of the pay period, a copy of the T&A report and
                               related documents, when applicable, should be provided to the employee
                               promptly for attestation and to the timekeeper promptly for verification.
                               The employee and/or timekeeper should promptly disclose any
                               discrepancies to the supervisor for prompt resolution.

                               The documentary evidence of attestations and verifications differs between
                               manual and automated systems in the same manner that the documentary
                               evidence of approval differs between manual and automated systems in the
                               subsection “Supervisory Approval” of this guidance.



Supplementary T&A              Supplementary T&A records should be completed and maintained, as
Records                        necessary, to support the control objectives relative to T&A information
                               described above. Examples of such records include those for establishing
                               (1) work schedules,14 (2) flexi-place arrangements, (3) cumulative leave
                               balances available for use by type, (4) regular overtime and irregular or
                               occasional overtime, (5) compensatory time earned and used, (6) credit
                               hours earned and used under an alternative work schedule, and (7) number
                               of unscheduled duty hours.




                               14
                                Federal agencies can allow employees to vary their daily arrival and departure times and,
                               under some options, to vary the length of their workday or workweek. In all cases, full-time
                               employees are required to work or otherwise account for 80 hours each biweekly pay
                               period.




                               Page 12                                                   GAO-03-352G T&A Guidance (I/C)
                             Part I: Civilian Employees




Employees Temporarily        When an employee is on temporary assignment to another agency, the
Assigned to Another Agency   agency to which the employee is detailed should record T&A information
                             for the employee in accordance with the guidance in this document. It
                             should also report the information to the employee’s home agency
                             promptly to facilitate disbursement of pay by the home agency.15



Access to T&A Information    Access to T&A information should be limited to those authorized to access
                             the information for the purpose of carrying out their official duties.



T&A Information That         Where T&A information supports amounts appearing in financial reports,
Supports Financial or Cost   an audit trail should exist between the T&A information and the accounting
                             records underlying the financial reports to allow for verification of
Reporting                    reported amounts. Controls over T&A information that is used to support
                             cost reporting should ensure the information is captured in sufficient
                             detail, such as by appropriation, organizational code, work activity, or
                             other unit as necessary to meet the cost reporting objectives and be
                             auditable.



Exception-Based              Exception-based T&A systems, as the name implies, require pay period
                             recording of arrival and departure times only if material variances16 from
Systems                      preestablished work schedules occur. Employees’ schedules are
                             established, either through management designated work schedules or by
                             mutual agreement between employees and management. When employees’
                             arrival and departure times for a pay period are established, these
                             schedules become the basis for recorded T&A information unless material
                             variances or deviations occur. As previously noted, if no material variances

                             15
                                Agencies may supplement this minimum requirement by specifying that documentation be
                             forwarded to the employee’s home office, if they determine a documentary trail is needed at
                             the home office.
                             16
                               Unless otherwise designated by management, material variances or deviations from an
                             established schedule for recording purposes are those that differ by 1 hour or more during a
                             planned workday or flex day. However, if leave is used, a deviation of less than 1 hour could
                             be considered material. For example, if an employee arrives 30 minutes late, but works 30
                             minutes past the planned departure time, this would be considered an immaterial variation
                             and need not be recorded. On the other hand, if the employee chooses to request annual or
                             sick leave rather than to work for the time absent, then a material deviation for recording
                             purposes has occurred.




                             Page 13                                                   GAO-03-352G T&A Guidance (I/C)
                         Part I: Civilian Employees




                         occur, arrival and departure times and hours worked per day need not be
                         recorded.

                         Material variances or deviations should be approved by the supervisor
                         before the change occurs, if feasible, or promptly after the change occurs,
                         if not feasible. As part of their approval of the change, supervisors or
                         designees should verify that the dates and amounts of material changes
                         have been recorded in the appropriate T&A record. However, in either case
                         (material variance or no variance), each employee’s T&A record should be
                         approved by the supervisor or comparable official.17

                         Several alternatives exist for recording changes to established schedules.
                         Changes can be noted by recording arrival and departure times directly on
                         an employee’s time sheet, recording arrival and departure times on a
                         centrally maintained time-in/time-out log used by many employees, or
                         noting the number of hours and minutes of the deviation in a record that
                         the supervisor maintains. The method selected by management to record
                         the deviations should be the most efficient and effective one under the
                         circumstances.



Transmitting T&A         T&A information should be transmitted to the payroll system for all
                         employees or, under exception-based systems, for employees who have
Information to Payroll   changes to their normal work schedules. While the choice of methods used
                         to transmit the T&A information may be based on cost effectiveness and
                         management information needs, the system used to transmit the
                         information should protect T&A information from unauthorized change or
                         alteration and should generate a record of any changes made. If
                         management requires employee attestation of T&A information, any
                         change to previously attested to and approved information should be
                         reviewed and attested to by the employee whose information was changed.
                         In either case, the changed information should be reviewed and approved
                         by an authorized official.




                         17
                           In requiring supervisory review and approval for exception-based T&A reporting systems,
                         GAO considered the internal control implications of omitting this requirement where there
                         is no deviation from the employee’s preapproved schedule. We believe that, in the absence
                         of compensating controls, this practice increases the risk that errors and omissions could
                         occur and not be detected. Agencies developing or modifying T&A reporting systems and
                         considering this issue should contact GAO for a specific opinion.




                         Page 14                                                  GAO-03-352G T&A Guidance (I/C)
                        Part I: Civilian Employees




Alternative Workplace   Alternative workplace arrangements18 involve working at locations other
                        than the traditional government office. Locations of alternative workplaces
Arrangements            are usually the employee’s home or tele-centers.19 Although numerous
                        benefits exist for both the agency and employees participating in
                        alternative workplace arrangements (such as improved employee morale
                        and lower commuting costs), such arrangements are a management option,
                        not an employee benefit. All employees working in alternative workplaces
                        should sign a written agreement with their agency. The agreement should
                        identify, among other items, the period of time the agreement is in effect,
                        location of the alternative site, work schedule and tour of duty the
                        employee will work at the alternative site, time and attendance, and work
                        assignments and performance.

                        As a basis for approving T&A information, supervisors are required to
                        obtain reasonable assurance that employees working at remote sites are
                        working when scheduled and that T&A information accurately reflects time
                        worked and absences from scheduled tours of duty. Numerous techniques
                        are available to the supervisor to obtain this assurance including, for
                        example, reviewing the employee’s work output or calling or visiting the
                        remote work site during the employee’s scheduled tour of duty.




                        18
                          Other terms used to refer to alternative workplace arrangements or locations of work are
                        flexible workplace, flexi-place, tele-work and telecommuting.
                        19
                         Tele-centers are facilities away from the traditional government office that are equipped
                        with workstations, telephones, and computers among other items that are shared by
                        employees of multiple agencies.




                        Page 15                                                   GAO-03-352G T&A Guidance (I/C)
Part II: Military Service Members



Active Military   Active military personnel are considered to be on duty 24 hours a day.
                  Because the nature of some military assignments makes a confirmation of
Personnel         the presence at duty stations difficult, if not impossible, the recording of
                  presence for duty and of specific hours during which duty is performed
                  each day is not required. This is similar to exception-based T&A systems,
                  explained earlier. Most active duty military personnel follow exception-
                  based systems. However, superiors are expected to be aware of the
                  presence and absence of service members for whom they are responsible.
                  When a service member is on temporary assignment to another component
                  of the armed services or to a civilian agency, the entity to which the service
                  member is detailed should provide time and attendance recording for the
                  service member and report the information to his or her home component
                  promptly to facilitate payment of basic pay and allowances by (or through)
                  the home component.

                  Absence reports should be maintained daily to indicate those service
                  members who are to be charged leave and those who are not present for
                  duty but who should be. Examples of reports that might contain such
                  information are “morning” or “day” reports, strength reports, unit diaries,
                  and other similar reports.

                  Information on absences that affect pay should be compiled each pay
                  period and transmitted to the payroll system. Without such information, the
                  payroll system may mistakenly pay the member for unauthorized pay and
                  allowances or fail to record leave used. The following guidance for review
                  and approval applies:

                  1. Reports of such information and related supporting documents should
                     be reviewed and approved by a designated authorizing official. The
                     official should be aware of the responsibilities he or she is taking
                     regarding the propriety of the reports.

                  2. Approvals of such reports will be made at the end of the last day of the
                     pay period whenever possible. When this is not possible because of
                     payroll processing requirements to meet established paydays,
                     documents should be approved as close to the end of the pay period as
                     possible.

                  3. Approval should be done in accordance with guidance found in the
                     subsection “Supervisory Approval” of section “T&A Transactions
                     Should Be Authorized and Approved” of this document.



                  Page 16                                          GAO-03-352G T&A Guidance (I/C)
                      Part II: Military Service Members




                      4. Adjustments or corrections required because of changes in reported
                         absences after T&A information was approved should be processed
                         promptly and be traceable to the pay period for which the correction
                         applies.

                      All changes should be approved by the authorizing official prior to being
                      entered into the payroll system. Service members may not approve their
                      own absence reports unless prior authority to do so is granted in writing by
                      an authorized official.

                      When feasible (as in an office setting or environment), cost effective, and
                      applicable, attendance reporting and related internal controls set forth in
                      “Part I: Civilian Employees” should be instituted for service members to the
                      extent management deems appropriate.



Military Reservists   T&A controls for military reservists depend largely on the nature of the
                      work. If they have defined work schedules and are not expected to be
                      available for duty around the clock, the T&A requirements for civilian
                      employees are operative and should be used. If, however, they are
                      employed in a way that is similar to those who are on active duty or are
                      actually on active duty, then the controls in the section “Active Military
                      Personnel” are operative and should be used.




                      Page 17                                         GAO-03-352G T&A Guidance (I/C)
Appendix I

GAO’s Review of Electronic Signature                                                         Appendx
                                                                                                   ies




Applications                                                                                  Append
                                                                                                   x
                                                                                                   Ii




              GAO has been asked by several federal agencies to review electronic
              signature systems used in financial management systems and to discuss
              how such systems should be evaluated. Because of some of the unique
              risks associated with highly automated environments, traditional data
              integrity techniques, such as password- and user identification-based
              systems, used to authenticate an individual may not provide the same
              degree of assurance as that provided by paper-based systems. For example,
              in a paper-based system, an individual's signature on the paper document is
              a time-tested method of showing that an individual intended to be bound by
              the terms and conditions in the paper document. However, in an electronic
              world, where adequate controls have not been implemented, the similar
              approach of having an individual's name appended to a data record does
              not provide the same assurance because, for example, the terms and
              conditions can be changed without obtaining the individual’s approval of
              the changes made.

              When reviewing electronic signature systems, we evaluate whether a
              system generates electronic signatures that represent an individual's or an
              entity's intent to be bound. To do this, we determine whether the electronic
              signature system provides reasonable assurance that the signature
              produced by the system is (1) unique to the signer, (2) under the signer's
              sole control, (3) capable of being verified, and (4) linked to the data so that,
              if the data are changed, the signature is invalidated. Adopting these criteria
              facilitates our evaluation of how well the electronic signature system
              addresses its threats and helps identify vulnerabilities that may be present
              in the system. We have also found these criteria useful since they are
              technology neutral (can be used regardless of the technology used to
              produce the signature) and allow for a variety of implementation methods,
              depending on the degree of risk associated with a given application.




              Page 18                                           GAO-03-352G T&A Guidance (I/C)
Appendix I
GAO’s Review of Electronic Signature
Applications




When deciding on an electronic signature system for T&A data, agencies
should identify and/or develop and document the criteria used in the
selection of the signature system and how the criteria and the selected
system comply with the GPEA definition of an electronic signature. In
addition, the agency’s risk assessment process (as called for in the OMB
guidance20) should disclose the risks considered that would prevent the
system from successfully complying with the criteria selected by the
agency. Without developing the criteria that the system should meet and
then effectively assessing the risks, agencies could adopt signature systems
that will not provide the necessary data integrity.21




20
     See footnote 10.
21
 In our report, Information Security: Serious and Widespread Weaknesses Persist at
Federal Agencies, GAO/AIMD-00-295 (Washington, D.C.: Sept. 6, 2000), we found that in 24
agencies, physical and logical access controls were not effective in preventing or detecting
system intrusions or misuse. These weaknesses have a significant adverse impact on the
ability of automated systems to ensure the necessary data integrity.




Page 19                                                   GAO-03-352G T&A Guidance (I/C)
Related GAO Products


                       These related products address three main categories: internal control,
                       financial management systems, and financial reporting (accounting
                       standards). We have developed these guidelines and tools to assist agencies
                       in improving or maintaining effective operations and financial
                       management.



Internal Control       Internal Control Management and Evaluation Tool. GAO-01-1008G.
                       Washington, D.C.: August 2001.

                       Determining Performance and Accountability Challenges and High Risks.
                       GAO-01-159SP. Washington, D.C.:November 2000.

                       Streamlining the Payment Process While Maintaining Effective Internal
                       Control. GAO/AIMD-00-21.3.2. Washington, D.C.: May 2000.

                       Standards for Internal Control in the Federal Government. GAO/AIMD-00-
                       21.3.1. Washington, D.C.: November 1999.



Financial Management   Property Management Systems Requirements Checklist. GAO-02-171G.
                       Washington, D.C.: December 2001.
Systems
                       Grant Financial System Requirements Checklist. GAO-01-911G.
                       Washington, D.C.: September 2001.

                       Guaranteed Loan System Requirements Checklist. GAO-010-371G.
                       Washington, D.C.: March 2001.

                       Seized Property and Forfeited Assets Requirements Checklist. GAO-01-99G.
                       Washington, D.C.: October 2000.

                       Travel System Requirements Checklist. GAO/AIMD-00-21.2.8. Washington,
                       D.C.: April 2000.

                       Direct Loan System Requirements Checklist. GAO/AIMD-00-21.2.6.
                       Washington, D.C.: April 2000.

                       Human Resources and Payroll Systems Requirements Checklist.
                       GAO/AIMD-00-21.2.3. Washington, D.C.: March 2000.




                       Page 20                                        GAO-03-352G T&A Guidance (I/C)
                      Related GAO Products




                      Core Financial System Requirements Checklist. GAO/AIMD-00-21.2.6.
                      Washington, D.C.: February 2000.

                      System Requirements for Managerial Cost Accounting Checklist.
                      GAO/AIMD-99-21.2.9. Washington, D.C.: January 1999.

                      Inventory System Checklist. GAO/AIMD-98-21.2.4. Washington, D.C.: May
                      1998.

                      Framework for Federal Financial Management System Checklist.
                      GAO/AIMD-98-21.2.1. Washington, D.C.: May 1998.



Financial Reporting   Checklist for Reports Prepared Under the CFO Act (Section 1004 of the
                      GAO/PCIE Financial Audit Manual). Washington, D.C.: July 2001.
(Accounting
Standards)            Title 2 Standards Not Superceded by FASAB Issuances. GAO-02-248G.
                      Washington, D.C.: November 2001.




(190057)              Page 21                                       GAO-03-352G T&A Guidance (I/C)
United States                  Presorted Standard
General Accounting Office      Postage & Fees Paid
Washington, D.C. 20548-0001           GAO
                                 Permit No. GI00
Official Business
Penalty for Private Use $300

Address Service Requested