Maintaining Effective Control over Employee Time and Attendance  
Reporting (01-JAN-03, GAO-03-352G).				 
                                                                 
Technological advances and changes in workplace habits have	 
increasingly affected the operating environment for time and	 
attendance (T&A) reporting in recent years. Perhaps the most	 
significant influence on changes to T&A reporting, however, is	 
advancing technology and the accelerated adoption of automation  
driven largely by the need for increased efficiency, as promoted 
by the Government Paperwork Elimination Act (GPEA). Although	 
focused on electronic systems that process information obtained  
from and provided to sources outside the government, GPEA	 
encourages agencies to seek internal applications of paperless	 
systems and use of electronic signatures. This document (1)	 
provides agencies with the flexibility needed to streamline T&A  
reporting systems and reduce their costs while maintaining	 
adequate internal control, (2) updates the requirements for	 
electronic signature control, and (3) addresses the need for	 
controls over alternative workplace arrangements.		 
-------------------------Indexing Terms------------------------- 
REPORTNUM:   GAO-03-352G					        
    ACCNO:   A05845						        
  TITLE:     Maintaining Effective Control over Employee Time and     
Attendance Reporting						 
     DATE:   01/01/2003 
  SUBJECT:   Attendance records 				 
	     Electronic forms					 
	     Electronic signatures				 
	     Federal records management 			 
	     Internal controls					 
	     Office automation					 
	     Personnel management				 
	     Reporting requirements				 

******************************************************************
** This file contains an ASCII representation of the text of a  **
** GAO Product.                                                 **
**                                                              **
** No attempt has been made to display graphic images, although **
** figure captions are reproduced.  Tables are included, but    **
** may not resemble those in the printed version.               **
**                                                              **
** Please see the PDF (Portable Document Format) file, when     **
** available, for a complete electronic file of the printed     **
** document's contents.                                         **
**                                                              **
******************************************************************
GAO-03-352G

                                       A

Internal Control

January 2003 Maintaining Effective Control over Employee Time and
Attendance Reporting

GAO- 03- 352G

Preface 1 Part I: Civilian

4 Employees

Internal Control Objectives in T& A Systems 4 T& A Transactions Should Be
Authorized and Approved 6 T& A Information Should Be Properly and Promptly
Recorded and

Retained 10 Exception- Based Systems 13 Transmitting T& A Information to
Payroll 14 Alternative Workplace Arrangements 15

Part II: Military Service 16

Members Active Military Personnel 16

Military Reservists 17 Appendix

Appendix I: GAO*s Review of Electronic Signature Applications 18 Related
GAO Products 20

Abbreviations

FMFIA Federal Managers* Financial Integrity Act GAO General Accounting
Office GPEA Government Paperwork Elimination Act JFMIP Joint Financial
Management Improvement Program OMB Office of Management and Budget T& A
time and attendance

This is a work of the U. S. Government and is not subject to copyright
protection in the United States. It may be reproduced and distributed in
its entirety without further permission from GAO. It may contain
copyrighted graphics, images or other materials. Permission from the
copyright holder may be necessary should you wish to reproduce copyrighted
materials separately from GAO*s product.

Preface Technological advances and changes in workplace habits have
increasingly affected the operating environment for time and attendance
(T& A) reporting in recent years. For example, trends in the government to
streamline operations through automation and encourage more flexible

work schedules and places have provided a major impetus for changes in T&
A reporting. Perhaps the most significant influence on changes to T& A
reporting, however, is advancing technology and the accelerated adoption
of automation driven largely by the need for increased efficiency, as
promoted by the Government Paperwork Elimination Act (GPEA).

Although focused on electronic systems that process information obtained
from and provided to sources outside the government, GPEA encourages
agencies to seek internal applications of paperless systems and use of
electronic signatures.

We are responsible under the Federal Managers* Financial Integrity Act of
1982 (FMFIA) (31 U. S. C. 3512 (c), (d)), for issuing standards and
guidance on internal control for the federal government. In order to
address the potential impact on internal control of the above- mentioned
changes in T& A reporting, and because of our commitment to improving
financial management in the federal government, we are updating our
guidance related to controls over employee T& A reporting. 1 This document

(1) provides agencies with the flexibility needed to streamline T& A
reporting systems and reduce their costs while maintaining adequate
internal control, (2) updates the requirements for electronic signature
control, and (3) addresses the need for controls over alternative
workplace arrangements. We have modified the language from our earlier
exposure

draft on this topic to emphasize (1) the link between internal control
over T& A information and the overall objectives of the Internal Control

1 This documents replaces the 1996 revision to Title 6, *Pay, Leave, and
Allowances,* of the GAO Policy and Procedures Manual for Guidance of
Federal Agencies.

Standards, 2 (2) the importance of compliance objectives, 3 (3) the role
of the supervisor in ensuring proper recording of T& A information, and
(4) to address comments received on the exposure draft.

This document relates solely to internal control for a T& A reporting
system. The overall functional requirements for human resources and
payroll systems for civilian personnel are defined in the Joint Financial
Management Improvement Program*s Human Resources & Payroll

Systems Requirements, JFMIP- SR- 99- 5 (Washington, D. C.: April 1999),
Office of Management and Budget (OMB) Circular A- 127, Financial
Management Systems (Washington, D. C.: July 23, 1993) and OMB's
implementation guidance Revised Implementation Guidance for the Federal
Financial Management Improvement Act (Washington, D. C.: Jan. 4, 2001).
Also, we have issued a checklist Human Resources and Payroll Systems
Requirements, GAO/ AIMD- 21. 2.3 (Washington, D. C.: March 2000) based on
the JFMIP requirements document.

2 In 1999, we revised our Standards for Internal Control in the Federal
Government

(Internal Control Standards), GAO/ AIMD- 00- 21. 3.1 (Washington, D. C.:
November 1999). This guidance provides the criteria for developing and
maintaining internal control over federal agency operations, including T&
A reporting, under 31 U. S. C. 3512 (c), (d). This document is available
on the Internet at the GAO home page (www. gao. gov) under *Other
Publications* and in hard copy by calling (202) 512- 6000.

3 While this guidance identifies some of the applicable legal and other
requirements, agency management retains the responsibility to identify all
such requirements, for example, statutes, regulations, and decisions that
apply to their T& A reporting systems in order to meet the compliance
objectives discussed in this guidance. Many of these requirements are
identified in the Joint Financial Management Improvement Program (JFMIP)
guidance,

Human Resources and Payroll Systems Requirements, JFMIP- SR- 99- 5
(Washington, D. C.: April 1999). The JFMIP guidance provides the
functional requirements for human resource and payroll systems to comply
with governmentwide and agency- specific statutes, regulations, and
guidelines for controlling and accounting for human resources, payroll
salaries, and expenses.

The work schedule followed by civilian employees differs from that
generally followed by members on active duty in the armed services.
Because work schedules influence internal control in T& A systems, this
document contains two major parts. Part I of this guidance deals with
civilian employees who typically have predetermined work schedules. Part
II deals with members of the active duty armed services who are expected
to be in a *duty status* and thus on call 24 hours a day. Employees who
are

paid regardless of their presence or absence and who do not accrue leave,
such as political appointees, are exempt from the provisions of this
document. 4

Questions on or interpretations of any material in this document may be
submitted to the Managing Director, Financial Management and Assurance, U.
S. General Accounting Office, 441 G Street NW, Washington, D. C. 20548.
Additional copies of this document can be obtained from the U. S. General

Accounting Office by calling (202) 512- 6000 or TDD (202) 512- 2537, or
you may fax a request to (202) 512- 6061. It is also available on the
Internet on GAO*s Home Page (www. gao. gov) under *Other Publications.*
Jeffrey C. Steinhoff Managing Director Financial Management and Assurance

4 See Comptroller General Decision B- 123698 (May 10, 1978).

Part I: Civilian Employees Internal Control

The primary objectives of internal control in a T& A system are to ensure
Objectives in T& A

that the system complies with applicable legal requirements, supports
reporting of reliable financial information, and operates effectively and
Systems

efficiently. To achieve these objectives, internal control over T& A
systems should be guided by GAO*s Standards for Internal Control in the
Federal Government (Internal Control Standards) and control activities
should provide reasonable assurance that (1) T& A transactions are
authorized and approved and (2) T& A information is properly and promptly
recorded and retained.

Internal Control over T& A As T& A systems evolve toward increasingly
automated methods of

Systems Should Be Guided recording and reporting employee work and leave
times, it is important

by the Internal Control that agencies implement and maintain well- defined
internal control

Standards activities that provide management with the confidence that the
system is

working as designed. GAO*s Internal Control Standards provide the criteria
for federal agencies to follow in establishing internal control over their
operations, including T& A reporting. Consistent with the Internal Control
Standards, agency development of control activities over T& A information
should give due consideration to (1) the control environment in which T& A
processing occurs, (2) applicable risks, (3) the needs of users of T& A
information, and (4) the results of control monitoring and evaluation. To
do this the agency should

 have a well- defined organizational structure and flow of T& A
information with clearly written and communicated policies and procedures
setting forth the responsibilities of employees, timekeepers (if
applicable), supervisors, and others regarding recording, examining,
approving, and reporting on T& A information;

 apply available technology and concepts to achieve efficient and
effective T& A system processes and controls in accordance with applicable
legal and other requirements, this guidance, associated risks, and the
environment in which the agency operates; and

 review and test all aspects of the T& A systems* processing procedures
and controls with sufficient scope, depth, and frequency to provide
reasonable assurance that key procedures and controls are effective in
meeting legal and other requirements, and that data integrity is
maintained. 5

Authorizing, Approving, The supervisor has primary responsibility for
authorizing and approving

Recording, and Retaining T& A transactions. Supervisors and timekeepers 6
should be aware of the

T& A Information work time and absence of employees for whom they are
responsible. To help ensure proper recording of T& A information,
completed T& A records

should be reviewed and approved on an appropriate basis by the supervisor
(or other equivalent official). To the extent practical, changes to an
employee*s normal work schedule should generally be approved prior to

the change actually occurring. Unanticipated changes should be reviewed
for approval or disapproval as soon as reasonably possible. In an
automated environment, system edits (such as those that check for format,
omissions, and reasonableness of data) and other automated tests can
assist the supervisor in his or her reviews to verify that T& A
information has been properly recorded and provide a reasonable basis for
making payments. The nature and extent of T& A transaction approvals and
controls can vary among T& A systems. Fully automated systems, for
example, may require fewer approvals than manual systems because of
automated edits and controls and the use of automated signatures.
Nevertheless, the nature and extent of T& A approvals should be such that
management has assurance that supervisors or other authorized officials
know they are accountable for the approval of an employee*s work time and
absences.

5 Agencies* T& A systems are subject to periodic review under FMFIA (31 U.
S. C. 3512 (c) and (d)). The Office of Management and Budget (OMB)
provides guidance to agencies for establishing, evaluating, and reporting
on controls and financial systems in OMB Circular A123,

Management Accountability and Control (Washington, D. C.: June 21, 1995)
and OMB Circular A- 127, Financial Management Systems (Washington, D. C.:
July 23, 1993).

6 The traditional T& A system normally involved a timekeeper who was
responsible for assisting supervisors in recording and verifying
employees* work time and absences. New T& A systems can reduce or even
eliminate timekeepers* duties and shift the responsibilities to employees
or supervisors. Regardless of the changes made, the control objectives in
this

guidance remain relevant.

*Proper* recording of T& A information refers to whether the recorded
information is complete, accurate, valid, and complies with applicable
legal requirements. Such legal requirements may include, but are not
limited to, statutes, regulations, and decisions. T& A information should
also be

recorded as promptly as practicable to maintain its relevance. Detailed
control objectives relative to T& A information are presented later in
this guidance.

Most federal civilian employees are paid on an hourly basis (or fractions
of an hour) and earn and charge leave on that basis. A proper record of
the time an employee works should be retained as an official agency record
available for review or inspection. 7 To provide a basis for pay, leave,
and benefits, the records should include aggregate hours of regular time,
other time (e. g., overtime, credit hours, or compensatory time), and
leave. 8 T& A Transactions

Supervisory authorization and approval is a key part of ensuring the
Should Be Authorized

propriety of T& A information. The supervisor or other authorized official
should review and authorize employee*s planned work schedules and and
Approved

applications for leave, and review and approve employee submissions of
actual time worked and leave taken, as well as information in T& A
reports, and any adjustments or corrections to T& A records. Employees may
approve their own T& A reports when authorized in writing to do so, if
they are high level managers or if it is infeasible for the supervisor to
approve the T& A reports.

Supervisory Approval This subsection defines approval and discusses how
approvals can be achieved in a manual or automated T& A system
environment. Approval is

the supervisor*s, other equivalent official*s, or higher level manager*s
agreement to, ratification of, or concurrence with (1) a planned work
schedule and leave of an employee or (2) actual T& A information. Such
approval indicates that the actual work schedule recorded is to the best
of

7 Federal records management is governed by federal law. Agency management
should develop policies for the creation, maintenance, use, and
disposition of T& A and related records in accordance with legal and other
requirements.

8 Traditionally, daily arrival and departure times were required to be
recorded. Although it is not required that daily records be maintained,
agency management may choose to do so by using sign- in/ sign- out sheets
or other means.

the approving official*s knowledge properly recorded and in accordance
with applicable legal requirements. The approving official acknowledges
awareness and understanding of his/ her responsibility when approving T& A
information.

The documentary evidence of approval will of necessity differ between
manual and automated systems. In manual systems, approval is usually
indicated by the signature or initial of an individual on a hard copy
document. Accountability is established by having the signature or initial

be traceable to the individual providing the approval. In automated
systems, approval is represented by what can be referred to generically as
an electronic signature. 9 There are many types of electronic signature
technologies offering different degrees of confidence, control, and
security. In selecting and/ or developing and implementing a particular
electronic signature technology for an automated T& A application,
management should assess the risks associated with the loss, misuse, or
compromise of the electronic T& A information and signature compared to
the benefits, costs, and effort associated with selecting and/ or
developing and managing the automated systems and electronic signature. 10
See appendix I for a further explanation of electronic signatures and
GAO*s review of such applications.

9 GPEA defines *electronic signature* as a method of signing an electronic
message that (1) identifies and authenticates a particular person as the
source of the electronic message and (2) indicates such person*s approval
of the information contained in the message.

10 GPEA requires agencies to comply with the guidance issued by OMB
regarding automated systems that maintain electronic information as a
substitute for paper and use of electronic signature. OMB issued the
guidance in Memorandum M- 00- 10, dated April 25, 2000. An attachment to
the memorandum contains the details of the guidance. Also, as part of the

OMB guidance, the Department of Justice was charged with developing
practical guidance on legal considerations related to agencies* use of
electronic filing and recordkeeping. The department issued Legal
Considerations in Designing and Implementing Electronic Processes: A Guide
for Federal Agencies in November 2000.

Authorizing an Employee*s When an employee*s work schedule (1) differs
from the agencywide Work Schedule schedule established by management or
(2) reflects a flexible work

schedule, the employee*s work schedule should be approved by the
supervisor or the official most knowledgeable of the employee*s schedule
in advance of the period when the plan takes effect. If the schedule is
not approved in advance, the plan should be approved as soon after the
start of the pay period as possible. 11

When agency work schedule programs allow for credit hours 12 to be earned,
employee requests to work such hours should be reviewed by the supervisor
to determine if work demands warrant the employee working the additional
hours and, if so, approved before the work has been performed when
feasible.

Approval also should be obtained for overtime before the work has been
performed when feasible and, when not feasible, as soon as possible after
the work has been performed. Care should be taken to distinguish between
regular overtime and irregular overtime or occasional overtime (or

compensatory time in lieu of overtime, where allowed) in order for the
agency to properly document and calculate an employee*s overtime pay
entitlements.

Approval of Leave Approval of leave should be made by the employee*s
supervisor, or other designated approving official, before the leave is
taken. If leave is not

approved in advance, because of an unusual or emergency situation, it
should be reviewed for approval or disapproval as soon as reasonably
possible after it is taken.

Approval of T& A Reports All T& A reports and related supporting documents
(e. g., overtime pay

and Related Records authorizations) should be reviewed and approved by an
authorized official.

11 Generally, agencies should not allow lunch or breaks to be scheduled at
the start or end of the workday that would permit employees to arrive at
work late or leave work early. 12 Use of credit hours may be provided for
under an agency*s flexible work schedule program. Use of credit hours
permits an employee to elect to work additional hours in excess of his or
her basic work requirement (typically 80 hours in a biweekly pay period
for a full- time employee) with supervisory approval. Earned credit hours
can be used, subject to supervisory approval, in a subsequent workday,
workweek, or bi- weekly pay period.

Review and approval should be made by the official, normally the immediate
supervisor, most knowledgeable of the time worked by and absence of the
employee involved. Approval of T& A reports and related documents is based
on personal observation, work output, timekeeper

verification, information checks against other independent sources,
reliance on other controls, or a combination of these methods. The
integrity of the information recorded in the T& A reporting system depends
largely on the conscientious exercise of the supervisor (or other
official) of his or her approval authority and an appropriate basis for
such approval. Management may want to reemphasize to supervisory staff (or
other authorizing officials) the importance of this responsibility
periodically or as needed.

The official most knowledgeable of the time worked should approve any
overtime or compensatory time records. Care should be taken (1) to ensure
that the overtime was approved, preferably in advance, and (2) that the
amount and type of overtime (regular or irregular), credit hours, and
compensatory time is accurately recorded and reported.

If practical, T& A information should be approved at the end of the last
day of the pay period or later. When this is not feasible because of
payroll processing requirements to meet established paydays, T& A
information should be prepared and approved as close to the end of the pay
period as possible to allow processing of the payroll by payday.

Adjustments or Corrections Adjustments or corrections required because of
changes after T& A

after the T& A Period Ends information was approved should be processed
promptly and be traceable

to the pay period for which the correction applies. Changes should be
approved by an authorizing official.

Self- Approval of T& A In general, employees may not approve their own T&
A information.

Reports However, the head of an agency (or designee) may authorize
particular individuals to approve their own T& A information if they are
high- level

managers (such as the head of a large unit within the agency). Other
exceptions to the general prohibition against self- approval of T& A
information apply when the supervisor lacks a basis for approving the T& A
information or when it is not feasible to have T& A information approved
by a supervisor. Examples of where the supervisor may lack a basis for
approving the T& A information include, but are not necessarily limited
to,

(1) employees working alone at a remote site for long periods and (2)
employees based at the same duty station as their supervisors or
timekeepers but frequently at work sites away from the duty station. In
situations when it is not practical for the supervisor to approve T& A
information promptly, the employee may be paid and the supervisor may
subsequently review and approve the information.

In all cases, an official authorized by the agency head (or designee)
should grant advance authority in writing, and the agency should have
effective controls in place to ensure the proper reporting of T& A
information.

T& A Information Information in T& A records should be promptly and
properly recorded to Should Be Properly

meet control objectives. It should be complete, accurate, valid, and
comply with legal requirements. Agency policy should establish
accountability for and Promptly

recording T& A information and for the maintenance of and access to T& A
Recorded and Retained

records and supplementary records. Agency policy should establish how T& A
information for employees temporarily assigned to another agency will be
recorded and maintained. Management may require employees and

timekeepers, if any, to attest or verify T& A information. T& A
information that supports financial reporting or cost reporting should be
auditable.

Control Objectives Relative Controls over T& A information should provide
reasonable assurance that

to T& A Information such information (1) is recorded completely,
accurately, and as promptly as

practicable, (2) relates to authorized individuals, (3) reflects actual
work performed and leave taken or other absences during authorized
workhours and periods, (4) is sufficiently detailed to allow for
verification, (5) complies with legal requirements, and (6) is supported
by recorded evidence of supervisory review and approval. Typically, to
achieve these objectives, agencies record and maintain, for each employee
and pay period, the following information or documentation: 1. employee
name and unique identifying number,

2. pay period number or dates, 3. hours worked, 4. hours of premium pay,
by type, and overtime to which the employee is

entitled,

5. dates and number of hours of leave (by type), credit hours, and
compensatory hours earned and used, 13

6. evidence of approval by an authorized official (usually the
supervisor), and 7. supporting documentation or records for absences.
Recording T& A Information Agency policy should assign accountability for
recording T& A information and maintaining related records to support the
control objectives referred

to in the previous subsection. The information may be recorded by the
individual employee, timekeeper, supervisor, or a combination of the
three. If the employee is not recording his or her own T& A information,
several techniques can be used individually or in combination to provide
the basis for recording T& A information. The basis could be (1) the
timekeeper*s or supervisor*s observation, (2) time clocks, or other
automated timekeeping devices, where not prohibited by law, or (3) other
applicable techniques. The person recording the T& A information should
acknowledge responsibility for the propriety of the recorded information.

The point at which T& A information is recorded can vary among different
T& A systems. For example, T& A information may be recorded (1) daily, (2)
when deviations from an individual*s or agency*s established work schedule
occur, or (3) at the end of the pay period. Regardless of the timing of
recording T& A information, management should have in place control
activities that provide reasonable assurance that the recorded information
reflects time worked, leave taken, or other absences.

A T& A record can be (1) a manually completed hard copy document, (2) an
automated file retained electronically, or (3) a combination of automated
and manual records. The T& A information can be obtained using a number of
different methods, including but not limited to, preprinted or specially
designed T& A forms; other standard forms; internal memorandums; e- mails;
employee, timekeeper, or supervisor notations (that might, for example,
result from phone conversations); or other formats so long as the

13 Agency T& A records typically contain the cumulative balance of
available leave by type at the end of the pay period for each employee.
Examples of the types of leave on such T& A records include, but are not
limited to, annual, sick, and leave for family care purposes under
provisions of the Family and Medical Leave Act.

documents are controlled and retained as the official T& A record of
employees.

Attestation and Verification Attestation refers to an employee affirming
T& A information to be proper. by Employees and

Verification is a confirmation, usually by the timekeeper or supervisor,
that Timekeepers

to the best of his or her knowledge recorded information is proper. This
guidance does not require such attestations and/ or verifications.
However, if management requires such attestations and/ or verifications,
they should

be performed as close to the end of the pay period as possible. When not
possible until after the end of the pay period, a copy of the T& A report
and related documents, when applicable, should be provided to the employee
promptly for attestation and to the timekeeper promptly for verification.
The employee and/ or timekeeper should promptly disclose any discrepancies
to the supervisor for prompt resolution.

The documentary evidence of attestations and verifications differs between
manual and automated systems in the same manner that the documentary
evidence of approval differs between manual and automated systems in the
subsection *Supervisory Approval* of this guidance.

Supplementary T& A Supplementary T& A records should be completed and
maintained, as

Records necessary, to support the control objectives relative to T& A
information

described above. Examples of such records include those for establishing
(1) work schedules, 14 (2) flexi- place arrangements, (3) cumulative leave
balances available for use by type, (4) regular overtime and irregular or

occasional overtime, (5) compensatory time earned and used, (6) credit
hours earned and used under an alternative work schedule, and (7) number
of unscheduled duty hours.

14 Federal agencies can allow employees to vary their daily arrival and
departure times and, under some options, to vary the length of their
workday or workweek. In all cases, full- time employees are required to
work or otherwise account for 80 hours each biweekly pay period.

Employees Temporarily When an employee is on temporary assignment to
another agency, the

Assigned to Another Agency agency to which the employee is detailed should
record T& A information

for the employee in accordance with the guidance in this document. It
should also report the information to the employee*s home agency promptly
to facilitate disbursement of pay by the home agency. 15

Access to T& A Information Access to T& A information should be limited to
those authorized to access the information for the purpose of carrying out
their official duties.

T& A Information That Where T& A information supports amounts appearing in
financial reports,

Supports Financial or Cost an audit trail should exist between the T& A
information and the accounting

Reporting records underlying the financial reports to allow for
verification of

reported amounts. Controls over T& A information that is used to support
cost reporting should ensure the information is captured in sufficient
detail, such as by appropriation, organizational code, work activity, or
other unit as necessary to meet the cost reporting objectives and be
auditable.

Exception- Based Exception- based T& A systems, as the name implies,
require pay period

recording of arrival and departure times only if material variances 16
from Systems

preestablished work schedules occur. Employees* schedules are established,
either through management designated work schedules or by mutual agreement
between employees and management. When employees* arrival and departure
times for a pay period are established, these schedules become the basis
for recorded T& A information unless material variances or deviations
occur. As previously noted, if no material variances

15 Agencies may supplement this minimum requirement by specifying that
documentation be forwarded to the employee*s home office, if they
determine a documentary trail is needed at the home office.

16 Unless otherwise designated by management, material variances or
deviations from an established schedule for recording purposes are those
that differ by 1 hour or more during a planned workday or flex day.
However, if leave is used, a deviation of less than 1 hour could be
considered material. For example, if an employee arrives 30 minutes late,
but works 30 minutes past the planned departure time, this would be
considered an immaterial variation and need not be recorded. On the other
hand, if the employee chooses to request annual or sick leave rather than
to work for the time absent, then a material deviation for recording

purposes has occurred.

occur, arrival and departure times and hours worked per day need not be
recorded. Material variances or deviations should be approved by the
supervisor before the change occurs, if feasible, or promptly after the
change occurs, if not feasible. As part of their approval of the change,
supervisors or designees should verify that the dates and amounts of
material changes have been recorded in the appropriate T& A record.
However, in either case (material variance or no variance), each
employee*s T& A record should be approved by the supervisor or comparable
official. 17

Several alternatives exist for recording changes to established schedules.
Changes can be noted by recording arrival and departure times directly on
an employee*s time sheet, recording arrival and departure times on a

centrally maintained time- in/ time- out log used by many employees, or
noting the number of hours and minutes of the deviation in a record that
the supervisor maintains. The method selected by management to record the
deviations should be the most efficient and effective one under the
circumstances.

Transmitting T& A T& A information should be transmitted to the payroll
system for all Information to Payroll

employees or, under exception- based systems, for employees who have
changes to their normal work schedules. While the choice of methods used
to transmit the T& A information may be based on cost effectiveness and
management information needs, the system used to transmit the information
should protect T& A information from unauthorized change or alteration and
should generate a record of any changes made. If management requires
employee attestation of T& A information, any change to previously
attested to and approved information should be reviewed and attested to by
the employee whose information was changed. In either case, the changed
information should be reviewed and approved by an authorized official.

17 In requiring supervisory review and approval for exception- based T& A
reporting systems, GAO considered the internal control implications of
omitting this requirement where there is no deviation from the employee*s
preapproved schedule. We believe that, in the absence of compensating
controls, this practice increases the risk that errors and omissions could
occur and not be detected. Agencies developing or modifying T& A reporting
systems and considering this issue should contact GAO for a specific
opinion.

Alternative Workplace Alternative workplace arrangements 18 involve
working at locations other

than the traditional government office. Locations of alternative
workplaces Arrangements are usually the employee*s home or tele- centers.
19 Although numerous benefits exist for both the agency and employees
participating in alternative workplace arrangements (such as improved
employee morale and lower commuting costs), such arrangements are a
management option,

not an employee benefit. All employees working in alternative workplaces
should sign a written agreement with their agency. The agreement should
identify, among other items, the period of time the agreement is in
effect, location of the alternative site, work schedule and tour of duty
the employee will work at the alternative site, time and attendance, and
work assignments and performance.

As a basis for approving T& A information, supervisors are required to
obtain reasonable assurance that employees working at remote sites are
working when scheduled and that T& A information accurately reflects time
worked and absences from scheduled tours of duty. Numerous techniques are
available to the supervisor to obtain this assurance including, for
example, reviewing the employee*s work output or calling or visiting the
remote work site during the employee*s scheduled tour of duty.

18 Other terms used to refer to alternative workplace arrangements or
locations of work are flexible workplace, flexi- place, tele- work and
telecommuting. 19 Tele- centers are facilities away from the traditional
government office that are equipped with workstations, telephones, and
computers among other items that are shared by employees of multiple
agencies.

Part II: Military Service Members Active Military

Active military personnel are considered to be on duty 24 hours a day.
Personnel Because the nature of some military assignments makes a
confirmation of the presence at duty stations difficult, if not
impossible, the recording of presence for duty and of specific hours
during which duty is performed each day is not required. This is similar
to exception- based T& A systems, explained earlier. Most active duty
military personnel follow exceptionbased systems. However, superiors are
expected to be aware of the presence and absence of service members for
whom they are responsible. When a service member is on temporary
assignment to another component of the armed services or to a civilian
agency, the entity to which the service member is detailed should provide
time and attendance recording for the service member and report the
information to his or her home component promptly to facilitate payment of
basic pay and allowances by (or through) the home component.

Absence reports should be maintained daily to indicate those service
members who are to be charged leave and those who are not present for duty
but who should be. Examples of reports that might contain such information
are *morning* or *day* reports, strength reports, unit diaries, and other
similar reports.

Information on absences that affect pay should be compiled each pay period
and transmitted to the payroll system. Without such information, the
payroll system may mistakenly pay the member for unauthorized pay and
allowances or fail to record leave used. The following guidance for review
and approval applies:

1. Reports of such information and related supporting documents should be
reviewed and approved by a designated authorizing official. The official
should be aware of the responsibilities he or she is taking

regarding the propriety of the reports. 2. Approvals of such reports will
be made at the end of the last day of the

pay period whenever possible. When this is not possible because of payroll
processing requirements to meet established paydays, documents should be
approved as close to the end of the pay period as possible.

3. Approval should be done in accordance with guidance found in the
subsection *Supervisory Approval* of section *T& A Transactions Should Be
Authorized and Approved* of this document.

4. Adjustments or corrections required because of changes in reported
absences after T& A information was approved should be processed promptly
and be traceable to the pay period for which the correction applies.

All changes should be approved by the authorizing official prior to being
entered into the payroll system. Service members may not approve their own
absence reports unless prior authority to do so is granted in writing by
an authorized official.

When feasible (as in an office setting or environment), cost effective,
and applicable, attendance reporting and related internal controls set
forth in *Part I: Civilian Employees* should be instituted for service
members to the extent management deems appropriate.

Military Reservists T& A controls for military reservists depend largely
on the nature of the work. If they have defined work schedules and are not
expected to be available for duty around the clock, the T& A requirements
for civilian

employees are operative and should be used. If, however, they are employed
in a way that is similar to those who are on active duty or are actually
on active duty, then the controls in the section *Active Military
Personnel* are operative and should be used.

Appendi xes GAO*s Review of Electronic Signature

Appendi x I

Applications GAO has been asked by several federal agencies to review
electronic signature systems used in financial management systems and to
discuss how such systems should be evaluated. Because of some of the
unique risks associated with highly automated environments, traditional
data integrity techniques, such as password- and user identification-
based systems, used to authenticate an individual may not provide the same

degree of assurance as that provided by paper- based systems. For example,
in a paper- based system, an individual's signature on the paper document
is a time- tested method of showing that an individual intended to be
bound by the terms and conditions in the paper document. However, in an
electronic world, where adequate controls have not been implemented, the
similar approach of having an individual's name appended to a data record
does not provide the same assurance because, for example, the terms and
conditions can be changed without obtaining the individual*s approval of
the changes made.

When reviewing electronic signature systems, we evaluate whether a system
generates electronic signatures that represent an individual's or an
entity's intent to be bound. To do this, we determine whether the
electronic signature system provides reasonable assurance that the
signature produced by the system is (1) unique to the signer, (2) under
the signer's

sole control, (3) capable of being verified, and (4) linked to the data so
that, if the data are changed, the signature is invalidated. Adopting
these criteria facilitates our evaluation of how well the electronic
signature system addresses its threats and helps identify vulnerabilities
that may be present in the system. We have also found these criteria
useful since they are technology neutral (can be used regardless of the
technology used to produce the signature) and allow for a variety of
implementation methods, depending on the degree of risk associated with a
given application.

When deciding on an electronic signature system for T& A data, agencies
should identify and/ or develop and document the criteria used in the
selection of the signature system and how the criteria and the selected
system comply with the GPEA definition of an electronic signature. In
addition, the agency*s risk assessment process (as called for in the OMB
guidance 20 ) should disclose the risks considered that would prevent the
system from successfully complying with the criteria selected by the
agency. Without developing the criteria that the system should meet and
then effectively assessing the risks, agencies could adopt signature
systems

that will not provide the necessary data integrity. 21 20 See footnote 10.
21 In our report, Information Security: Serious and Widespread Weaknesses
Persist at Federal Agencies, GAO/ AIMD- 00- 295 (Washington, D. C.: Sept.
6, 2000), we found that in 24 agencies, physical and logical access
controls were not effective in preventing or detecting system intrusions
or misuse. These weaknesses have a significant adverse impact on the
ability of automated systems to ensure the necessary data integrity.

Related GAO Products These related products address three main categories:
internal control, financial management systems, and financial reporting
(accounting standards). We have developed these guidelines and tools to
assist agencies in improving or maintaining effective operations and
financial

management. Internal Control Internal Control Management and Evaluation
Tool. GAO- 01- 1008G. Washington, D. C.: August 2001.

Determining Performance and Accountability Challenges and High Risks.

GAO- 01- 159SP. Washington, D. C.: November 2000.

Streamlining the Payment Process While Maintaining Effective Internal
Control. GAO/ AIMD- 00- 21. 3.2. Washington, D. C.: May 2000.

Standards for Internal Control in the Federal Government. GAO/ AIMD- 00-
21. 3.1. Washington, D. C.: November 1999.

Financial Management

Property Management Systems Requirements Checklist. GAO- 02- 171G. Systems

Washington, D. C.: December 2001.

Grant Financial System Requirements Checklist. GAO- 01- 911G.

Washington, D. C.: September 2001.

Guaranteed Loan System Requirements Checklist. GAO- 010- 371G.

Was hi ngt on, D. C.: March 2001.

Seized Property and Forfeited Assets Requirements Checklist. GAO- 01- 99G.
Washington, D. C.: October 2000.

Travel System Requirements Checklist. GAO/ AIMD- 00- 21.2. 8. Washington,
D. C.: April 2000.

Direct Loan System Requirements Checklist. GAO/ AIMD- 00- 21. 2. 6.
Washington, D. C.: April 2000.

Human Resources and Payroll Systems Requirements Checklist.

GAO/ AIMD- 00- 21. 2.3. Washington, D. C.: March 2000.

Core Financial System Requirements Checklist. GAO/ AIMD- 00- 21.2.6.
Washington, D. C.: February 2000.

System Requirements for Managerial Cost Accounting Checklist.

GAO/ AIMD- 99- 21. 2.9. Washington, D. C.: January 1999.

Inventory System Checklist. GAO/ AIMD- 98- 21.2. 4. Washington, D. C.: May
1998.

Framework for Federal Financial Management System Checklist.

GAO/ AIMD- 98- 21. 2.1. Washington, D. C.: May 1998. Financial Reporting

Checklist for Reports Prepared Under the CFO Act (Section 1004 of the

(Accounting GAO/ PCIE Financial Audit Manual). Washington, D. C.: July
2001.

Standards)

Title 2 Standards Not Superceded by FASAB Issuances. GAO- 02- 248G.
Washington, D. C.: November 2001.

(190057)

a

GAO United States General Accounting Office

Page i GAO- 03- 352G T& A Guidance (I/ C)

Contents

Contents

Page ii GAO- 03- 352G T& A Guidance (I/ C)

Page 1 GAO- 03- 352G T& A Guidance (I/ C)

Preface Page 2 GAO- 03- 352G T& A Guidance (I/ C)

Preface Page 3 GAO- 03- 352G T& A Guidance (I/ C)

Page 4 GAO- 03- 352G T& A Guidance (I/ C)

Part I: Civilian Employees Page 5 GAO- 03- 352G T& A Guidance (I/ C)

Part I: Civilian Employees Page 6 GAO- 03- 352G T& A Guidance (I/ C)

Part I: Civilian Employees Page 7 GAO- 03- 352G T& A Guidance (I/ C)

Part I: Civilian Employees Page 8 GAO- 03- 352G T& A Guidance (I/ C)

Part I: Civilian Employees Page 9 GAO- 03- 352G T& A Guidance (I/ C)

Part I: Civilian Employees Page 10 GAO- 03- 352G T& A Guidance (I/ C)

Part I: Civilian Employees Page 11 GAO- 03- 352G T& A Guidance (I/ C)

Part I: Civilian Employees Page 12 GAO- 03- 352G T& A Guidance (I/ C)

Part I: Civilian Employees Page 13 GAO- 03- 352G T& A Guidance (I/ C)

Part I: Civilian Employees Page 14 GAO- 03- 352G T& A Guidance (I/ C)

Part I: Civilian Employees Page 15 GAO- 03- 352G T& A Guidance (I/ C)

Page 16 GAO- 03- 352G T& A Guidance (I/ C)

Part II: Military Service Members Page 17 GAO- 03- 352G T& A Guidance (I/
C)

Page 18 GAO- 03- 352G T& A Guidance (I/ C)

Appendix I

Appendix I GAO*s Review of Electronic Signature Applications

Page 19 GAO- 03- 352G T& A Guidance (I/ C)

Page 20 GAO- 03- 352G T& A Guidance (I/ C)

Related GAO Products Page 21 GAO- 03- 352G T& A Guidance (I/ C)

United States General Accounting Office Washington, D. C. 20548- 0001
Official Business Penalty for Private Use $300 Address Service Requested

Presorted Standard Postage & Fees Paid

GAO Permit No. GI00
*** End of document. ***