Maintaining Effective Control Over Employee Time and Attendance Reporting
(Guidance, 12/01/2000, GAO/GAO-01-186G).
GAO has updated its guidance on controls over employee time and
attendance activities to (1) provide agencies with the flexibility
needed to streamline time and attendance reporting systems, (2) allow
agencies to reduce their costs while maintaining adequate internal
control, and (3) update the requirements on electronic signature
control.
--------------------------- Indexing Terms -----------------------------
REPORTNUM: GAO-01-186G
TITLE: Maintaining Effective Control Over Employee Time and
Attendance Reporting
DATE: 12/01/2000
SUBJECT: Internal controls
Attendance records
Auditing procedures
Personnel management
Reporting requirements
******************************************************************
** This file contains an ASCII representation of the text of a **
** GAO Testimony. **
** **
** No attempt has been made to display graphic images, although **
** figure captions are reproduced. Tables are included, but **
** may not resemble those in the printed version. **
** **
** Please see the PDF (Portable Document Format) file, when **
** available, for a complete electronic file of the printed **
** document's contents. **
** **
******************************************************************
GAO-01-186G
United States General Accounting Office Washington, DC 20548
December 2000 The Federal Managers' Financial Integrity Act of 1982 (FMFIA)
(31 U. S. C. 3512( c), (d)) requires the General Accounting Office (GAO) to
issue government internal control standards and guidelines. As part of our
responsibility under FMFIA and because of our commitment to improving
financial management in government, we are updating our guidance related to
controls over employee time and attendance activities to (1) provide
agencies with the flexibility needed to streamline time and attendance (T&
A) reporting systems, (2) allow agencies to reduce their costs while
maintaining adequate internal control, and (3) update the requirements on
electronic signature control.
This document relates solely to the internal control environment for a time
and attendance reporting system. The functional requirements for human
resources and payroll systems for civilian personnel are defined in the
Joint Financial Management Improvement Program's April 1999 Human Resources
& Payroll Systems Requirements (JFMIP- SR- 99- 5), Office of Management and
Budget (OMB) Circular A- 127, Financial Management Systems, and OMB's
Implementation Guidance for the Federal Financial Management Improvement Act
(FFMIA) of 1996, issued September 9, 1997. In March 2000, GAO issued a
checklist, Human Resources
and Payroll Systems Requirements (GAO/ AIMD- 00- 21.2.3), based on the JFMIP
requirements document.
Additional copies of this document can be obtained from the U. S. General
Accounting Office, 700 4 th Street NW, Room 1100, Washington, DC 20548, or
by calling (202) 512- 6000 or TDD (202) 512- 2537. It is also available on
the Internet on GAO's Home Page (www. gao. gov) under “Other
Publications.” Please send comments by March 31, 2001, to Bruce K.
Michelson, Assistant Director at
U. S. General Accounting Office 441 G Street NW, Room 5W13 Washington, DC
20548
Jeffrey C. Steinhoff Managing Director Financial Management and Assurance
GAO United States General Accounting Office
Internal Control Exposure Draft
December 2000 Maintaining Effective Control Over Employee Time and
Attendance Reporting
GAO- 01- 186G
T& A Guidance ED GAO- 01- 186G (12/ 00) Page 1
______________________________________________________________________________
CONTENTS
______________________________________________________________________________
Introduction 3 Part I: Civilian Employees 5
Internal Control Objectives in T& A Systems 5 T& A Transactions Are Properly
Authorized and Approved 5 T& A Data Are Complete and Accurate 5
Reliance on Internal Controls in A T& A System 6 Recording and Maintaining
Complete and Accurate T& A Records 6
Required T& A Information 6 Recording T& A Data 7 Supplementary T& A Records
8 Employees Temporarily Assigned to Another Agency 8 Access to T& A
Information 8
Authorizing and Approving T& A Transactions 8 Attestations, Verifications,
and Approvals 8 Authorizing An Employee's Work Schedule 9 Approval of Leave
9 Attestation and Verification by Employees and Timekeepers 10 Approval of
T& A Reports and Related Records 10 Adjustment or Corrections After the T& A
Period Ends 10 Self- Approval of T& A Reports 10
Transmitting T& A Information to Payroll 11 Exception- Based Systems 11
Alternative Workplace Arrangements 12 Part II: Military Service Members 13
Active Military Personnel 13 Military Reservists 14 Appendix 15
Appendix I: GAO's Review of Electronic Signatures Applications 15
T& A Guidance ED GAO- 01- 186G (12/ 00) Page 2
Abbreviations
FMFIA Federal Managers' Financial Integrity Act GPEA Government Paperwork
Elimination Act OMB Office of Management and Budget OPM Office of Personnel
Management T& A time and attendance
T& A Guidance ED GAO- 01- 186G (12/ 00) Page 3
______________________________________________________________________________
INTRODUCTION
______________________________________________________________________________
In recent years significant changes in work place habits and technological
advances have affected the manner in which time and attendance (T& A)
reporting is accomplished. For example, more flexible work schedules and
places, and the trend in government to streamline operations have provided a
major impetus for changes in T& A systems. However, perhaps the most
significant influence on these changes is advancing technology and the
increased use of automation. The Government Paperwork Elimination Act (GPEA)
encourages the movement toward paperless applications and the use of
electronic signatures. Although GPEA focuses on electronic systems regarding
information obtained from and provided to sources outside the government, it
provides an additional impetus to agencies to seek further applications of
paperless systems and use of electronic signatures.
Trends toward increased automation and workplace flexibility have changed
the operating environment. However, the need for good internal control
continues to exist. To keep abreast of the changes, especially those in
automation, we have revised this document to emphasize the attention that
should remain regarding effective internal control in T& A systems. This
document offers suggestions for taking advantage of the advancements in
automated T& A systems and updates the previous guidance to incorporate
guidance offered in response to agency requests. 1
As advancing technologies continue, managers have greater flexibility in
designing and implementing T& A systems best suited for their agencies. In
designing and implementing new T& A systems or components of existing
systems, management should strive for cost- beneficial systems and related
internal control.
The traditional work schedule followed by civilian employees differs from
those generally followed by members on active duty of the armed services.
Because traditional work schedules influence internal control in T& A
systems, this document contains two major parts, the first dealing with
civilian employees who are expected to be “working,” usually
during certain times and the second part dealing with members of the active
duty armed services who are expected to be in a “duty status”
and thus on call 24 hours a day. Part I, civilian employees, provides
guidance for civilian employees, and part II, military service members,
provides guidance for military service members. Employees who are paid
regardless of their presence or absence and who do not accrue leave under 5
U. S. C. 6301 et seq. (e. g., certain political appointees) are exempt from
the provisions of this document. 2
Questions on or interpretations of any material in this document may be
submitted to the Managing Director, Financial Management and Assurance, U.
S. General Accounting Office, 441 G Street NW, Washington, DC 20548.
1 When issued in final, this document will replace our 1996 revision to
Title 6, “Pay, Leave, and Allowances,” of the GAO Policy and
Procedures Manual for Guidance of Federal Agencies. 2 See Comptroller
General Decision B- 123698 (May 10, 1978).
T& A Guidance ED GAO- 01- 186G (12/ 00) Page 4 (BLANK)
T& A Guidance ED GAO- 01- 186G (12/ 00) Page 5
______________________________________________________________________________
PART I: CIVILIAN EMPLOYEES
_________________________________________________________________________________
INTERNAL CONTROL OBJECTIVES IN T& A SYSTEMS
The primary objective of a T& A system is to ensure that hours worked, hours
in pay status, and hours absent are properly reported. Reliable data are
important to accurately compute and account for computed pay, leave, and
allowances. To achieve this objective, management should have in place an
internal control system that provides reasonable assurance that (1) T& A
transactions are properly authorized and approved and (2) T& A data are
completely and accurately recorded and retained.
T& A Transactions Are Properly Authorized and Approved
The nature and extent of T& A transaction approvals and controls can vary
among T& A systems. Fully automated systems, for example, may require fewer
approvals than manual systems because of automated edits and controls, and
the use of automated signatures. Nevertheless, the nature and extent of T& A
approvals must be such that management has assurance that supervisors or
other officials know they are accountable for the approvals of an employee's
work time and absences. This helps ensure that accurate T& A information is
recorded and reported for the purposes of computing pay and allowances.
Primary responsibility for authorizing and approving T& A transactions rests
with the employee's supervisor, who approves the employee's T& A reports.
Timekeepers 3 and supervisors must be aware of the work time and absence of
employees for whom they are responsible to ensure the reliability of T& A
data. To the extent practical, changes to an employee's normal work schedule
should generally be approved prior to the change actually occurring.
Unanticipated changes should be reviewed for approval or disapproval as soon
as reasonably possible.
T& A Data Are Complete and Accurate
Because most federal civilian employees are paid on an hourly basis (or
fractions of an hour) and earn and charge leave on that basis, a complete
and accurate record of the time an employee works must be retained as an
official agency record available for review or inspection. To provide a
basis for pay, leave, and benefits, the records must include aggregate hours
of regular time, other time (e. g., overtime, credit hours, or compensatory
time), and leave. 4 To help ensure accuracy, the completed records must be
reviewed and approved by the supervisor (or other equivalent official). In
an automated environment, system edits and other automated tests can
3 The traditional T& A system normally involved a timekeeper who was
responsible for assisting supervisors in recording and verifying employees'
work time and absences. New T& A systems can reduce or even eliminate
timekeepers' duties and shift the responsibilities to employees or
supervisors. Regardless of the changes made, recording accurate T& A
information remains the primary control objective. 4 Traditionally, daily
arrival and departure times were required to be recorded. Although it is not
required
that daily records be maintained, agency management may choose to do so by
using sign- in/ sign- out sheets or other means.
T& A Guidance ED GAO- 01- 186G (12/ 00) Page 6 assist the supervisor in his
or her review and verify that recorded work time is accurate and
allowable.
RELIANCE ON INTERNAL CONTROLS IN A T& A SYSTEM
As T& A systems evolve toward increasingly automated methods of recording
and reporting employee work and leave times, it is important to implement
and maintain a well- defined system that provides management with the
confidence that controls are working as designed. This can be done by:
� Having a well- defined organizational structure and flow of T& A data with
clearly written policies and procedures setting forth the responsibilities
of employees, timekeepers (if applicable), and supervisors regarding
recording, examining, and approving T& A transactions.
� Effectively applying available technology and concepts to achieve
efficient and effective T& A system processes in accordance with applicable
requirements and the environment in which the agency operates.
� Having the ability to record payroll costs by appropriation,
organizational code, and work activity to facilitate application of required
cost accounting for financial and program management.
� Reviewing and testing all aspects of the T& A systems' processing
procedures and controls in sufficient scope, depth, and frequency to provide
reasonable assurance that key procedures and controls are working and
effective and that data integrity is maintained.
Agencies' T& A systems are subject to periodic review under the Federal
Managers' Financial Integrity Act of 1982 (FMFIA) (31 U. S. C. 3512( c),
(d)). 5
RECORDING AND MAINTAINING COMPLETE AND ACCURATE T& A RECORDS
Required T& A Information
The following T& A information and documentation should be recorded and
maintained for each employee for each pay period:
1. employee name and unique identifying number (e. g., a social security
number), 5 Standards for Internal Control in the Federal Government( GAO/
AIMD- 00- 21.3.1) was revised in November 1999, and is available on the
Internet, GAO home page ( www. gao. gov) under “Other
Publications.” It is also available in hard copy by calling (202) 512-
6000 or at the U. S. General Accounting Office, 700 4 th Street NW, Room
1100, Washington, D. C. In addition, the Office of Management and Budget
(OMB) requirements for evaluating financial systems and controls are in OMB
Circular A- 123, Internal Control Systems (June 1995 )and OMB Circular A-
127, Financial Management Systems (July 1993 ). These OMB and GAO issuances
establish the criteria and rules for assessing and reporting annually on the
status of agency systems and controls.
T& A Guidance ED GAO- 01- 186G (12/ 00) Page 7 2. pay period number or
dates,
3. hours worked, 4. hours of premium pay, by type, to which the employee is
entitled, 5. dates and number of hours of leave (by type), credit hours, and
compensatory hours
earned and used, 6 6. evidence of approval by an authorized official
(usually the supervisor), 7. any required supporting documentation or
records for absences, and 8. other information agencies believe necessary.
A T& A record containing all required data elements can be (1) a manually
completed hard copy document, (2) an automated file retained electronically,
or (3) a combination of automated and manual records. The T& A information
can be obtained using a number of different methods, including but not
limited to preprinted or designed T& A forms; other standard forms; internal
memorandums; e- mails; employee, timekeeper, or supervisor notations (for
example, that might result from phone conversations); or other formats so
long as the documents are controlled and retained as the official T& A
record of employees. The data contained in the T& A records should be linked
to accounting records and provide the necessary support for financial
reporting and allocation of costs.
Recording T& A Data
Agency policy must affix accountability for recording the T& A data referred
to in the previous section. The data may be recorded by the
1. individual employee, 2. timekeeper, 3. supervisor, or 4. a combination of
the three.
Agency policy must assign accountability for recording and maintaining T& A
data referred to in the previous section. If the employee is not recording
his or her T& A data, the basis for recording the data could be (1) the
timekeeper's or supervisor's observation, (2) time clocks, or other
automated timekeeping devices, where not prohibited by law, or (3) other
applicable techniques. The person recording the T& A data acknowledges
responsibility for the accuracy of the recorded data.
The point at which T& A data are recorded can vary among different T& A
systems. For example, T& A data may be recorded (1) daily, (2) when
deviations occur from an individual's or agency's established work schedule,
or (3) at the end of the pay period. Regardless of the timing of recording
T& A data, management must have in place a system of control techniques that
gives reasonable assurance that the recorded information reflects time
worked, leave taken, or other absences.
6 Cumulative balances of available leave by type per employee are required
to be maintained on record. Agencies may maintain these cumulative balances
on biweekly or pay period T& A records which show the available balances for
the pay period ending. Examples of the types of leave on such T& A records
include, but are not limited to, annual, sick, and family friendly leave.
T& A Guidance ED GAO- 01- 186G (12/ 00) Page 8
Supplementary T& A Records
Supplementary T& A records, containing information not previously discussed,
shall be completed and maintained. Examples of such records include those
for establishing (1) work schedules, 7 (2) flexiplace arrangements, 8 (3)
cumulative leave balances available for use by type, (4) overtime, (5)
compensatory time earned and used, (6) credit hours earned and used under an
alternative work schedule, and (7) number of unscheduled duty hours. The
records must show (1) an employee's pay period schedules indicating planned
start and stop work times and hours per day for an established work
schedule, (2) the aggregate hours (or fractions of hours) and days the
employees worked regular hours, worked overtime, took leave, or used earned
compensatory time or credit hours, and (3) the supervisor's approval. In
order for the agency to properly document and calculate an employee's
overtime pay entitlements under 5 U. S. C. chapters 55 and 61 and 29 U. S.
C. 201 et seq., the records must distinguish between regular overtime and
irregular or occasional overtime.
Employees Temporarily Assigned to Another Agency
When an employee is on temporary assignment to another agency, the agency to
which the employee is detailed must record T& A data for the employee in
accordance with these requirements. It must also report the information to
the employee's home agency promptly to facilitate disbursement of pay by the
home agency.
Access to T& A Information
Access to T& A information should be limited to those authorized to access
the information.
AUTHORIZING AND APPROVING T& A TRANSACTIONS
Attestations, Verifications, and Approvals
This section (1) defines attestations, verifications, and approvals and (2)
discusses how attestations, verifications, and approvals can be achieved in
a manual or automated T& A system environment.
Attestation refers to an employee affirming T& A data to be true, correct,
and accurate. Verification is a confirmation, usually by the timekeeper or
supervisor, that recorded information is true, correct, and accurate to the
best of his/ her knowledge. Approval is the supervisor's, other equivalent
official's, or higher level manager's agreement, ratification, or
concurrence to (1) a planned work schedule and leave of employee or (2)
actual T& A data. Such approvals represent that the actual work schedule
recorded by the employee or timekeeper is to the best of
7 Federal agencies can allow employees to vary their daily arrival and
departure times and, under some options, to vary the length of their workday
or workweek. In all cases, full- time employees are required to work or
otherwise account for 80 hours each biweekly pay period (5 U. S. C. 6120 et
seq.). 8 See Office of Personnel Management's (OPM) Memorandum for Personnel
Directors on the subject of
Alternative Workplace Arrangements, October 21, 1993.
T& A Guidance ED GAO- 01- 186G (12/ 00) Page 9 the approving official's
knowledge true, correct, and accurate, and in accordance with applicable
laws, regulations, and legal decisions. The approving official acknowledges
awareness and understanding of his/ her responsibility when approving T& A
data.
The evidence of attestations, verifications, and approvals will of necessity
differ between manual and automated systems. In manual systems,
attestations, verifications, and approvals are usually shown by a signature
or initial of an individual on a hard copy document. In automated systems,
they are represented by what can be referred to generically as electronic
signatures. 9 There are many types of electronic signature technologies
offering different degrees of confidence, control, and security. In
selecting and/ or developing, and implementing a particular electronic
signature technology for an automated T& A application, management must
assess the risks associated with the loss, misuse, or compromise of the
electronic T& A information and signatures compared to the benefits, costs,
and effort associated with selecting and/ or developing and managing the
automated systems and electronic signatures. 10 See the appendix for a
further explanation about electronic signatures and GAO's review of such
applications.
Authorizing an Employee's Work Schedule
When (1) an employee's work schedule differs from the agencywide schedule
established by management or (2) reflects a flexible work program, an
employee's work schedule should be approved by the supervisor or the
official most knowledgeable of the employee's schedule in advance of the
period when the plan takes effect. If the schedule is not approved in
advance, the plan should be approved as soon after the start of the pay
period as possible.
Approval must be granted for overtime before the work has been performed
when feasible and, when not feasible, as soon as possible after the work has
been performed. Care must be taken to distinguish between regular overtime
and irregular overtime or occasional overtime (or compensatory time in lieu
of overtime, where allowed) in order for the agency to properly document and
calculate an employee's overtime pay entitlements under 5 U. S. C. chapters
55 and 61 and 29 U. S. C. 201 et seq.
Approval of Leave
Approval of leave should be made by the employee's supervisor before the
leave is taken. If leave is not approved in advance, it should be reviewed
for approval or disapproval as soon as reasonably possible after taken.
9 The GPEA defines “electronic signature” as a method of signing
an electronic message that (1) identifies and authenticates a particular
person as the source of the electronic message and (2) indicates such
person's approval of the information contained in the message. 10 GPEA
requires agencies to comply with the guidance issued by OMB regarding
automated systems that
maintain electronic information as a substitute for paper and use of
electronic signatures. OMB issued the guidance in Memorandum M- 00- 10,
dated April 25, 2000. A 29- page attachment to the memorandum contains the
details of the guidance. Also, as part of the OMB guidance, the Department
of Justice was charged with developing practical guidance on legal
considerations related to agencies' use of electronic filing and record
keeping. The department issued Legal Considerations in Designing and
Implementing Electronic Processes: A Guide for Federal Agenciesin November
2000.
T& A Guidance ED GAO- 01- 186G (12/ 00) Page 10
Attestation and Verification by Employees and Timekeepers
The employee and timekeeper, if any, are not required to attest or verify T&
A reports and related documents. However, if management requires such
attestations and/ or verifications, they should be performed as close to the
end of the pay period as possible. When not possible until after the end of
the pay period, a copy of the T& A report and related documents, when
applicable, should be provided to the employee promptly for attestation and
to the timekeeper promptly for verification. The employee and/ or timekeeper
should promptly disclose any discrepancies to the supervisor. The supervisor
should promptly resolve such discrepancies.
Approval of T& A Reports and Related Records
All T& A reports and related supporting documents (e. g., overtime pay
authorizations) must be reviewed and approved by an authorized official.
Review and approval should be made by the official, normally the immediate
supervisor, most knowledgeable of the time worked and absence of the
employee involved. Approval of T& A reports and related documents should be
based on personal observation, work output, timekeeper verification,
checking data against other independent sources, reliance on other controls,
or a combination of these methods.
The official most knowledgeable of the time worked should approve any
overtime or compensatory time. Care should be taken (1) to ensure that the
overtime was approved, preferably in advance, and (2) that the amount and
type of overtime (regular or irregular), credit hours, and compensatory time
is accurately recorded.
If practical, T& A data must be approved at the end of the last day of the
pay period or later. When this is not feasible because of payroll processing
requirements to meet established paydays, T& A data must be prepared and
approved as close to the end of the pay period as possible to still allow
processing of the payroll by payday.
Adjustment or Corrections After the T& A Period Ends
Adjustments or corrections required because of changes after T& A data were
approved must be made in the payroll system and reflected in pay for the pay
period to which the changes apply, when possible. When not possible,
adjustments must be made as soon after discovery as practical. Any changes
must be approved by an authorizing official before being entered into the
payroll system.
Self- Approval of T& A Reports
In general, employees may not approve their own T& A data. However, the head
of an agency (or designee) may authorize particular individuals to approve
their own T& A data in certain situations or if the individual is a high
level manager (such as the head of a large unit within the agency). In these
situations, an official authorized by the agency head (or designee) must
grant advance authority in writing, and the agency must ensure that
effective controls are in place to ensure the proper reporting of T& A data.
Exceptions to the general prohibition of employees approving their own T& A
data are intended to apply when it is not feasible to have T& A data
approved by a supervisor. These exceptions
T& A Guidance ED GAO- 01- 186G (12/ 00) Page 11 include but are not
necessarily limited to (1) employees working alone at a remote site for long
periods and (2) employees based at the same duty station as their
supervisors or timekeepers but frequently at work sites away from the duty
station. In other situations when it is not practical for the supervisor to
approve T& A data promptly, the employee may be paid and the supervisor may
subsequently review and approve the data.
TRANSMITTING T& A INFORMATION TO PAYROLL
T& A information must be transmitted to the payroll system for all employees
or, under exception- based systems, for employees who have changes to their
normal work schedules. While the choice of methods used to transmit the T& A
data may be based on cost- effectiveness and management information needs,
the system used to transmit the information must protect T& A data from
unauthorized change or alteration and must generate a record of any change
made. Any change to previously attested to and approved data must be
reviewed by and attested to by the employee whose data was changed. The
changed data must also be reviewed by and approved by an authorized
official.
EXCEPTION- BASED SYSTEMS
Exception- based T& A systems, as the name implies, require pay period
recording of arrival and departure times only if material variances 11 from
pre- established work schedules occur. Employees' schedules are established,
either through management designated work schedules or by mutual agreement
between employees and management. When employees' arrival and departure
times for a pay period are established, these schedules become the basis for
recorded T& A data unless material variances or deviations occur. As
previously noted, if no material variances occur, arrival and departure
times and hours worked per day need not be recorded.
Material variances or deviations must be approved by the supervisor before
the change occurs, if feasible, or promptly after occurring, if not
feasible. As part of their approval of the change, supervisors or designees
must verify that the dates and amounts of material changes have been
recorded in the appropriate T& A record. However, in either case (material
variance or no variance) each employee's T& A record must be approved by the
supervisor or comparable official.
Several alternatives exist for recording changes to established schedules.
Changes can be noted by recording arrival and departure times directly on an
employee's time sheet, recording arrival and departure times on a centrally
maintained time- in/ time- out log used by many employees, or noting the
number of hours and minutes of the deviation in a record that the supervisor
maintains. The method selected by management to record the deviations should
be the most efficient and effective one under the circumstances.
11 Unless otherwise designated by management, material variances or
deviations from an established schedule for recording purposes are those
that differ by 1 hour or more during a planned workday or flex day. However,
if leave is used, a deviation of less than 1 hour could be considered
material. For example, if an employee arrives 30 minutes late, but works 30
minutes past the planned departure time, this would be considered an
immaterial variation and need not be recorded. On the other hand, if the
employee chooses to request annual or sick leave rather than to work for the
time absent, then a material deviation for recording purposes has occurred.
T& A Guidance ED GAO- 01- 186G (12/ 00) Page 12
ALTERNATIVE WORKPLACE ARRANGEMENTS
Alternative workplace arrangements 12 involve working at locations other
than the traditional government office. Locations of alternative workplaces
are usually the employee's home or telecenters. 13 Although numerous
benefits exist for both the agency and employees participating in
alternative workplaces (such as employee moral and lower commuting costs),
flexible workplace is a management option, not an employee benefit.
Employees who work at alternative work sites should have a written agreement
with their supervisors stipulating, among other items, the period of time
the agreement is in effect, days in which the employee will work at the
alternative site, work assignments and performance, work schedule, and time
and attendance.
As a basis for approving T& A data, supervisors are required to obtain
reasonable assurance that employees working at remote sites are working when
scheduled and that T& A information accurately reflects time worked and
absences from scheduled tours of duty. Numerous techniques are available to
the supervisor to obtain this assurance. For example, reviewing the work
output of the employee and occasional phone call or visits to the employee.
12 Other terms used to refer to alternative workplace arrangements or
locations of work are “flexible workplace,”
“flexiplace,” and “telecommuting.” 13 Telecenters
are facilities away from the traditional government office that are equipped
with
workstations, telephones, and computers among other items that are shared by
employees of multiple agencies.
T& A Guidance ED GAO- 01- 186G (12/ 00) Page 13
_____________________________________________________________________________________
PART II: MILITARY SERVICE MEMBERS
_____________________________________________________________________________________
ACTIVE MILITARY PERSONNEL
Active military personnel are considered to be on duty 24 hours a day.
Because the nature of some military assignments makes a confirmation of the
presence at duty stations difficult, if not impossible, the recording of
presence for duty and of specific hours during which duty is performed each
day is not required. This is similar to exception- based T& A systems
explained earlier in this document. Most active duty military personnel
follow exception- based systems. However, superiors are expected to be aware
of the presence and absence of service members for whom they are
responsible. When a service member is on temporary assignment to another
component of the armed services or to a civilian agency, the entity to which
the service member is detailed must provide time and attendance recording
for the service member and report the information to his or her home
component promptly to facilitate payment of basic pay and allowances by (or
through) the home component.
Absence reports must be maintained daily to indicate those service members
who are to be charged leave and those who are not present for duty but who
should be. Examples of reports that might contain such data are
"morning” or “day” reports, strength reports, unit
diaries, and other similar reports.
Information on absences which affect pay should be compiled each pay period
and be transmitted to the payroll system. Without such information, the
payroll system may mistakenly pay the member for unauthorized pay and
allowances. The following requirements for review and approval must be met:
1. Reports of such information and related supporting documents must be
reviewed and approved by a designated authorizing official. The official
must be aware of the responsibilities he or she is taking regarding the
accuracy of the reports.
2. Approvals of such reports will be made at the end of the last day of the
pay period whenever possible. When this is not possible because of payroll
processing requirements to meet established paydays, documents must be
approved as close to the end of the pay period as possible.
3. Approval must be done in accordance with guidance found in the subsection
“Attestations, Verifications, and Approvals” of section
“Authorizing and Approving T& A Transactions” of this document.
4. Any adjustments required because of changes in reported absences after
the reports were approved and transmitted to the payroll system must be made
and reflected in the pay period to which the changes apply, when possible,
or when not possible, adjusted as soon as possible, preferably in the next
pay period.
Any changes must be approved by the authorizing official prior to being
entered into the payroll system. Service members may not approve their own
absence reports unless prior authority to do so is granted in writing by an
authorized official.
T& A Guidance ED GAO- 01- 186G (12/ 00) Page 14 When feasible (as in an
office setting or environment), cost- effective, and applicable, attendance
reporting and related internal controls set forth in “Part I: Civilian
Employees” should be instituted for service members to the extent
management deems appropriate.
MILITARY RESERVISTS
T& A controls for military reservists depend largely on the nature of the
work. If they have defined work schedules and are not expected to be
available for duty on a round- the- clock basis, the T& A requirements for
civilian employees are operative and should be used. If however they are
employed similar to those who are on active duty or are actually on active
duty, then the controls in the subsection “Active Military
Personnel” are operative and should be used.
T& A Guidance ED GAO- 01- 186G (12/ 00) Page 15
_____________________________________________________________________________________
APPENDIX I: GAO'S REVIEW OF ELECTRONIC SIGNATURES APPLICATIONS
_____________________________________________________________________________________
GAO has been asked by several federal agencies to review electronic
signature systems used in financial management systems and to discuss how
such systems should be evaluated. Because of some of the unique risks
associated with highly automated environments, traditional data integrity
techniques, such as password and user identification based systems, used to
authenticate an individual may not provide the same degree of assurance as
that provided by paper- based systems. For example, in a paper- based
system, an individual's signature on the paper document is a time- tested
method of showing that an individual intended to be bound by the terms and
conditions in the paper document. However, in an electronic world, where
adequate controls have not been implemented, the similar approach of having
an individual's name appended to a data record does not provide the same
assurance because, for example, the terms and conditions can be changed
without obtaining the individual's approval of the changes made.
When reviewing electronic signature systems, we evaluate whether a system
generates electronic signatures that represent an individual's or an
entity's intent to be bound. To do this, we determine whether the electronic
signature system provides reasonable assurance that the signature produced
by the system is (1) unique to the signer, (2) under the signer's sole
control, (3) capable of being verified, and (4) linked to the data in such a
manner that, if the data are changed, the signature is invalidated. Adopting
these criteria facilitates our evaluation of how well the electronic
signature system addresses its threats and helps identify vulnerabilities
that may be present in the system. We have also found these criteria useful
since they are technology neutral (can be used regardless of the technology
used to produce the signature) and allow for a variety of implementation
methods, depending of the degree of risk associated with a given
application.
When deciding on an electronic signature system for T& A data, agencies
should identify and/ or develop and document the criteria used in the
selection of the signature system and how the criteria and the selected
system complies with the GPEA definition of an electronic signature. In
addition, the agency's risk assessment process (as called for in the OMB
guidance 14 ) should disclose the risks considered that would prevent the
system from successfully complying with the criteria selected by the agency.
Without developing the criteria that the system should meet and then
effectively assessing the risks, agencies could adopt signature systems that
will not provide the necessary data integrity. 15
(922289) 14 See footnote 10. 15 A recently issued GAO report ( Information
Security: Serious and Widespread Weaknesses Persist at
Federal Agencies. GAO/ AIMD- 00- 295, September 6, 2000) showed that in 24
agencies, physical and logical access controls were not effective in
preventing or detecting system intrusions or misuse. These weaknesses have a
significant adverse impact on the ability of automated systems to ensure the
necessary data integrity.
Ordering Information The first copy of each GAO report is free. Additional
copies of reports are $2 each. A check or money order should be made out to
the Superintendent of Documents. VISA and MasterCard credit cards are
accepted, also.
Orders for 100 or more copies to be mailed to a single address are
discounted 25 percent.
Orders by mail: U. S. General Accounting Office P. O. Box 37050 Washington,
DC 20013
Orders by visiting: Room 1100 700 4th St. NW (corner of 4th and G Sts. NW)
U. S. General Accounting Office Washington, DC
Orders by phone: (202) 512- 6000 fax: (202) 512- 6061 TDD (202) 512- 2537
Each day, GAO issues a list of newly available reports and testimony. To
receive facsimile copies of the daily list or any list from the past 30
days, please call (202) 512- 6000 using a touchtone phone. A recorded menu
will provide information on how to obtain these lists.
Orders by Internet: For information on how to access GAO reports on the
Internet, send an e- mail message with “info” in the body to:
info@ www. gao. gov or visit GAO's World Wide Web home page at: http:// www.
gao. gov
To Report Fraud, Waste, or Abuse in Federal Programs
Contact one: Web site: http:// www. gao. gov/ fraudnet/ fraudnet. htm e-
mail: fraudnet@ gao. gov 1- 800- 424- 5454 (automated answering system)
*** End of document. ***