This is the accessible text file for GAO report number GAO-03-352G entitled 'Maintaining Effective Control over Employee Time and Attendance Reporting' which was released on January 1, 2003.
United States General Accounting Office:
GAO:

Internal Control:

January 2003:

Maintaining Effective Control over Employee Time and Attendance Reporting:

GAO-03-352G:

Contents:

Preface:
Part I: Civilian Employees:
Internal Control Objectives in T&A Systems:
T&A Transactions Should Be Authorized and Approved:
T&A Information Should Be Properly and Promptly Recorded and Retained:
Exception-Based Systems:
Transmitting T&A Information to Payroll:
Alternative Workplace Arrangements:
Part II: Military Service Members:
Active Military Personnel:
Military Reservists:
Appendix:
Appendix I: GAO’s Review of Electronic Signature Applications:
Related GAO Products:

Abbreviations:

FMFIA: Federal Managers’ Financial Integrity Act:
GAO: General Accounting Office:
GPEA: Government Paperwork Elimination Act:
JFMIP: Joint Financial Management Improvement Program:
OMB: Office of Management and Budget:
T&A: time and attendance:

[End of section]

Preface:

Technological advances and changes in workplace habits have increasingly affected the operating environment for time and attendance (T&A) reporting in recent years. For example, trends in the government to streamline operations through automation and encourage more flexible work schedules and places have provided a major impetus for changes in T&A reporting. Perhaps the most significant influence on changes to T&A reporting, however, is advancing technology and the accelerated adoption of automation driven largely by the need for increased efficiency, as promoted by the Government Paperwork Elimination Act (GPEA). Although focused on electronic systems that process information obtained from and provided to sources outside the government, GPEA encourages agencies to seek internal applications of paperless systems and use of electronic signatures.

We are responsible under the Federal Managers’ Financial Integrity Act of 1982 (FMFIA) (31 U.S.C.
3512 (c), (d)), for issuing standards and guidance on internal control for the federal government. In order to address the potential impact on internal control of the above-mentioned changes in T&A reporting, and because of our commitment to improving financial management in the federal government, we are updating our guidance related to controls over employee T&A reporting. [Footnote 1] This document (1) provides agencies with the flexibility needed to streamline T&A reporting systems and reduce their costs while maintaining adequate internal control, (2) updates the requirements for electronic signature control, and (3) addresses the need for controls over alternative workplace arrangements.

We have modified the language from our earlier exposure draft on this topic to emphasize (1) the link between internal control over T&A information and the overall objectives of the Internal Control Standards, [Footnote 2] (2) the importance of compliance objectives, [Footnote 3] (3) the role of the supervisor in ensuring proper recording of T&A information, and (4) to address comments received on the exposure draft.

This document relates solely to internal control for a T&A reporting system. The overall functional requirements for human resources and payroll systems for civilian personnel are defined in the Joint Financial Management Improvement Program’s Human Resources & Payroll Systems Requirements, [hyperlink, http://www.gao.gov/cgi-bin/getrpt?JFMIP-SR-99-5] (Washington, D.C.: April 1999), Office of Management and Budget (OMB) Circular A-127, Financial Management Systems (Washington, D.C.: July 23, 1993) and OMB's implementation guidance Revised Implementation Guidance for the Federal Financial Management Improvement Act (Washington, D.C.: Jan. 4, 2001). Also, we have issued a checklist Human Resources and Payroll Systems Requirements, [hyperlink, http://www.gao.gov/cgi-bin/getrpt?GAO/AIMD-21.2.3] (Washington, D.C.: March 2000) based on the JFMIP requirements document.
The work schedule followed by civilian employees differs from that generally followed by members on active duty in the armed services. Because work schedules influence internal control in T&A systems, this document contains two major parts. Part I of this guidance deals with civilian employees who typically have predetermined work schedules. Part II deals with members of the active duty armed services who are expected to be in a “duty status” and thus on call 24 hours a day. Employees who are paid regardless of their presence or absence and who do not accrue leave, such as political appointees, are exempt from the provisions of this document. [Footnote 4]

Questions on or interpretations of any material in this document may be submitted to the Managing Director, Financial Management and Assurance, U.S. General Accounting Office, 441 G Street NW, Washington, D.C. 20548. Additional copies of this document can be obtained from the U.S. General Accounting Office by calling (202) 512-6000 or TDD (202) 512-2537, or you may fax a request to (202) 512-6061. It is also available on the Internet on GAO’s Home Page [hyperlink, http://www.gao.gov] under “Other Publications.”

Signed by:

Jeffrey C. Steinhoff:
Managing Director:
Financial Management and Assurance:

[End of preface]

Part I: Civilian Employees:

Internal Control Objectives in T&A Systems:

The primary objectives of internal control in a T&A system are to ensure that the system complies with applicable legal requirements, supports reporting of reliable financial information, and operates effectively and efficiently. To achieve these objectives, internal control over T&A systems should be guided by GAO’s Standards for Internal Control in the Federal Government (Internal Control Standards) and control activities should provide reasonable assurance that (1) T&A transactions are authorized and approved and (2) T&A information is properly and promptly recorded and retained.

Internal Control over T&A Systems Should Be Guided by the Internal Control Standards:

As T&A systems evolve toward increasingly automated methods of recording and reporting employee work and leave times, it is important that agencies implement and maintain well-defined internal control activities that provide management with the confidence that the system is working as designed. GAO’s Internal Control Standards provide the criteria for federal agencies to follow in establishing internal control over their operations, including T&A reporting.

Consistent with the Internal Control Standards, agency development of control activities over T&A information should give due consideration to (1) the control environment in which T&A processing occurs, (2) applicable risks, (3) the needs of users of T&A information, and (4) the results of control monitoring and evaluation. To do this the agency should:

* have a well-defined organizational structure and flow of T&A information with clearly written and communicated policies and procedures setting forth the responsibilities of employees, timekeepers (if applicable), supervisors, and others regarding recording, examining, approving, and reporting on T&A information;

* apply available technology and concepts to achieve efficient and effective T&A system processes and controls in accordance with applicable legal and other requirements, this guidance, associated risks, and the environment in which the agency operates; and

* review and test all aspects of the T&A systems’ processing procedures and controls with sufficient scope, depth, and frequency to provide reasonable assurance that key procedures and controls are effective in meeting legal and other requirements, and that data integrity is maintained. [Footnote 5]

Authorizing, Approving, Recording, and Retaining T&A Information:

The supervisor has primary responsibility for authorizing and approving T&A transactions.
Supervisors and timekeepers [Footnote 6] should be aware of the work time and absence of employees for whom they are responsible. To help ensure proper recording of T&A information, completed T&A records should be reviewed and approved on an appropriate basis by the supervisor (or other equivalent official). To the extent practical, changes to an employee’s normal work schedule should generally be approved prior to the change actually occurring. Unanticipated changes should be reviewed for approval or disapproval as soon as reasonably possible. In an automated environment, system edits (such as those that check for format, omissions, and reasonableness of data) and other automated tests can assist the supervisor in his or her reviews to verify that T&A information has been properly recorded and provide a reasonable basis for making payments.

The nature and extent of T&A transaction approvals and controls can vary among T&A systems. Fully automated systems, for example, may require fewer approvals than manual systems because of automated edits and controls and the use of automated signatures. Nevertheless, the nature and extent of T&A approvals should be such that management has assurance that supervisors or other authorized officials know they are accountable for the approval of an employee’s work time and absences.

“Proper” recording of T&A information refers to whether the recorded information is complete, accurate, valid, and complies with applicable legal requirements. Such legal requirements may include, but are not limited to, statutes, regulations, and decisions. T&A information should also be recorded as promptly as practicable to maintain its relevance. Detailed control objectives relative to T&A information are presented later in this guidance.

Most federal civilian employees are paid on an hourly basis (or fractions of an hour) and earn and charge leave on that basis.
A proper record of the time an employee works should be retained as an official agency record available for review or inspection. [Footnote 7] To provide a basis for pay, leave, and benefits, the records should include aggregate hours of regular time, other time (e.g., overtime, credit hours, or compensatory time), and leave. [Footnote 8]

T&A Transactions Should Be Authorized and Approved:

Supervisory authorization and approval is a key part of ensuring the propriety of T&A information. The supervisor or other authorized official should review and authorize employees’ planned work schedules and applications for leave, and review and approve employee submissions of actual time worked and leave taken, as well as information in T&A reports, and any adjustments or corrections to T&A records. Employees may approve their own T&A reports when authorized in writing to do so, if they are high level managers or if it is infeasible for the supervisor to approve the T&A reports.

Supervisory Approval:

This subsection defines approval and discusses how approvals can be achieved in a manual or automated T&A system environment.

Approval is the supervisor’s, other equivalent official’s, or higher level manager’s agreement to, ratification of, or concurrence with (1) a planned work schedule and leave of an employee or (2) actual T&A information. Such approval indicates that the actual work schedule recorded is to the best of the approving official’s knowledge properly recorded and in accordance with applicable legal requirements. The approving official acknowledges awareness and understanding of his/her responsibility when approving T&A information.

The documentary evidence of approval will of necessity differ between manual and automated systems. In manual systems, approval is usually indicated by the signature or initial of an individual on a hard copy document. Accountability is established by having the signature or initial be traceable to the individual providing the approval.
In automated systems, approval is represented by what can be referred to generically as an electronic signature. [Footnote 9] There are many types of electronic signature technologies offering different degrees of confidence, control, and security. In selecting and/or developing and implementing a particular electronic signature technology for an automated T&A application, management should assess the risks associated with the loss, misuse, or compromise of the electronic T&A information and signature compared to the benefits, costs, and effort associated with selecting and/or developing and managing the automated systems and electronic signature. [Footnote 10] See appendix I for a further explanation of electronic signatures and GAO’s review of such applications.

Authorizing an Employee’s Work Schedule:

When an employee’s work schedule (1) differs from the agencywide schedule established by management or (2) reflects a flexible work schedule, the employee’s work schedule should be approved by the supervisor or the official most knowledgeable of the employee’s schedule in advance of the period when the plan takes effect. If the schedule is not approved in advance, the plan should be approved as soon after the start of the pay period as possible. [Footnote 11]

When agency work schedule programs allow for credit hours [Footnote 12] to be earned, employee requests to work such hours should be reviewed by the supervisor to determine if work demands warrant the employee working the additional hours and, if so, approved before the work has been performed when feasible.

Approval also should be obtained for overtime before the work has been performed when feasible and, when not feasible, as soon as possible after the work has been performed.
Care should be taken to distinguish between regular overtime and irregular overtime or occasional overtime (or compensatory time in lieu of overtime, where allowed) in order for the agency to properly document and calculate an employee’s overtime pay entitlements.

Approval of Leave:

Approval of leave should be made by the employee’s supervisor, or other designated approving official, before the leave is taken. If leave is not approved in advance, because of an unusual or emergency situation, it should be reviewed for approval or disapproval as soon as reasonably possible after it is taken.

Approval of T&A Reports and Related Records:

All T&A reports and related supporting documents (e.g., overtime pay authorizations) should be reviewed and approved by an authorized official. Review and approval should be made by the official, normally the immediate supervisor, most knowledgeable of the time worked by and absence of the employee involved. Approval of T&A reports and related documents is based on personal observation, work output, timekeeper verification, information checks against other independent sources, reliance on other controls, or a combination of these methods.

The integrity of the information recorded in the T&A reporting system depends largely on the conscientious exercise by the supervisor (or other official) of his or her approval authority and an appropriate basis for such approval. Management may want to reemphasize to supervisory staff (or other authorizing officials) the importance of this responsibility periodically or as needed.

The official most knowledgeable of the time worked should approve any overtime or compensatory time records. Care should be taken (1) to ensure that the overtime was approved, preferably in advance, and (2) that the amount and type of overtime (regular or irregular), credit hours, and compensatory time is accurately recorded and reported.
If practical, T&A information should be approved at the end of the last day of the pay period or later. When this is not feasible because of payroll processing requirements to meet established paydays, T&A information should be prepared and approved as close to the end of the pay period as possible to allow processing of the payroll by payday.

Adjustments or Corrections after the T&A Period Ends:

Adjustments or corrections required because of changes after T&A information was approved should be processed promptly and be traceable to the pay period for which the correction applies. Changes should be approved by an authorizing official.

Self-Approval of T&A Reports:

In general, employees may not approve their own T&A information. However, the head of an agency (or designee) may authorize particular individuals to approve their own T&A information if they are high-level managers (such as the head of a large unit within the agency).

Other exceptions to the general prohibition against self-approval of T&A information apply when the supervisor lacks a basis for approving the T&A information or when it is not feasible to have T&A information approved by a supervisor. Examples of where the supervisor may lack a basis for approving the T&A information include, but are not necessarily limited to, (1) employees working alone at a remote site for long periods and (2) employees based at the same duty station as their supervisors or timekeepers but frequently at work sites away from the duty station. In situations when it is not practical for the supervisor to approve T&A information promptly, the employee may be paid and the supervisor may subsequently review and approve the information.

In all cases, an official authorized by the agency head (or designee) should grant advance authority in writing, and the agency should have effective controls in place to ensure the proper reporting of T&A information.

T&A Information Should Be Properly and Promptly Recorded and Retained:

Information in T&A records should be promptly and properly recorded to meet control objectives. It should be complete, accurate, valid, and comply with legal requirements. Agency policy should establish accountability for recording T&A information and for the maintenance of and access to T&A records and supplementary records. Agency policy should establish how T&A information for employees temporarily assigned to another agency will be recorded and maintained. Management may require employees and timekeepers, if any, to attest or verify T&A information. T&A information that supports financial reporting or cost reporting should be auditable.

Control Objectives Relative to T&A Information:

Controls over T&A information should provide reasonable assurance that such information (1) is recorded completely, accurately, and as promptly as practicable, (2) relates to authorized individuals, (3) reflects actual work performed and leave taken or other absences during authorized work-hours and periods, (4) is sufficiently detailed to allow for verification, (5) complies with legal requirements, and (6) is supported by recorded evidence of supervisory review and approval.

Typically, to achieve these objectives, agencies record and maintain, for each employee and pay period, the following information or documentation:

1. employee name and unique identifying number;

2. pay period number or dates;

3. hours worked;

4. hours of premium pay, by type, and overtime to which the employee is entitled;

5. dates and number of hours of leave (by type), credit hours, and compensatory hours earned and used; [Footnote 13]

6. evidence of approval by an authorized official (usually the supervisor); and

7. supporting documentation or records for absences.

Recording T&A Information:

Agency policy should assign accountability for recording T&A information and maintaining related records to support the control objectives referred to in the previous subsection. The information may be recorded by the individual employee, timekeeper, supervisor, or a combination of the three. If the employee is not recording his or her own T&A information, several techniques can be used individually or in combination to provide the basis for recording T&A information. The basis could be (1) the timekeeper’s or supervisor’s observation, (2) time clocks, or other automated timekeeping devices, where not prohibited by law, or (3) other applicable techniques. The person recording the T&A information should acknowledge responsibility for the propriety of the recorded information.

The point at which T&A information is recorded can vary among different T&A systems. For example, T&A information may be recorded (1) daily, (2) when deviations from an individual’s or agency’s established work schedule occur, or (3) at the end of the pay period. Regardless of the timing of recording T&A information, management should have in place control activities that provide reasonable assurance that the recorded information reflects time worked, leave taken, or other absences.

A T&A record can be (1) a manually completed hard copy document, (2) an automated file retained electronically, or (3) a combination of automated and manual records. The T&A information can be obtained using a number of different methods, including but not limited to, preprinted or specially designed T&A forms; other standard forms; internal memorandums; e-mails; employee, timekeeper, or supervisor notations (that might, for example, result from phone conversations); or other formats so long as the documents are controlled and retained as the official T&A record of employees.

Attestation and Verification by Employees and Timekeepers:

Attestation refers to an employee affirming T&A information to be proper. Verification is a confirmation, usually by the timekeeper or supervisor, that to the best of his or her knowledge recorded information is proper. This guidance does not require such attestations and/or verifications. However, if management requires such attestations and/or verifications, they should be performed as close to the end of the pay period as possible. When not possible until after the end of the pay period, a copy of the T&A report and related documents, when applicable, should be provided to the employee promptly for attestation and to the timekeeper promptly for verification. The employee and/or timekeeper should promptly disclose any discrepancies to the supervisor for prompt resolution.

The documentary evidence of attestations and verifications differs between manual and automated systems in the same manner that the documentary evidence of approval differs between manual and automated systems in the subsection “Supervisory Approval” of this guidance.

Supplementary T&A Records:

Supplementary T&A records should be completed and maintained, as necessary, to support the control objectives relative to T&A information described above. Examples of such records include those for establishing (1) work schedules, [Footnote 14] (2) flexi-place arrangements, (3) cumulative leave balances available for use by type, (4) regular overtime and irregular or occasional overtime, (5) compensatory time earned and used, (6) credit hours earned and used under an alternative work schedule, and (7) number of unscheduled duty hours.

Employees Temporarily Assigned to Another Agency:

When an employee is on temporary assignment to another agency, the agency to which the employee is detailed should record T&A information for the employee in accordance with the guidance in this document.
It should also report the information to the employee’s home agency promptly to facilitate disbursement of pay by the home agency. [Footnote 15]

Access to T&A Information:

Access to T&A information should be limited to those authorized to access the information for the purpose of carrying out their official duties.

T&A Information That Supports Financial or Cost Reporting:

Where T&A information supports amounts appearing in financial reports, an audit trail should exist between the T&A information and the accounting records underlying the financial reports to allow for verification of reported amounts. Controls over T&A information that is used to support cost reporting should ensure the information is captured in sufficient detail, such as by appropriation, organizational code, work activity, or other unit as necessary to meet the cost reporting objectives and be auditable.

Exception-Based Systems:

Exception-based T&A systems, as the name implies, require pay period recording of arrival and departure times only if material variances [Footnote 16] from preestablished work schedules occur. Employees’ schedules are established, either through management designated work schedules or by mutual agreement between employees and management. When employees’ arrival and departure times for a pay period are established, these schedules become the basis for recorded T&A information unless material variances or deviations occur.

As previously noted, if no material variances occur, arrival and departure times and hours worked per day need not be recorded. Material variances or deviations should be approved by the supervisor before the change occurs, if feasible, or promptly after the change occurs, if not feasible. As part of their approval of the change, supervisors or designees should verify that the dates and amounts of material changes have been recorded in the appropriate T&A record.
However, in either case (material variance or no variance), each employee’s T&A record should be approved by the supervisor or comparable official. [Footnote 17]

Several alternatives exist for recording changes to established schedules. Changes can be noted by recording arrival and departure times directly on an employee’s time sheet, recording arrival and departure times on a centrally maintained time-in/time-out log used by many employees, or noting the number of hours and minutes of the deviation in a record that the supervisor maintains. The method selected by management to record the deviations should be the most efficient and effective one under the circumstances.

Transmitting T&A Information to Payroll:

T&A information should be transmitted to the payroll system for all employees or, under exception-based systems, for employees who have changes to their normal work schedules. While the choice of methods used to transmit the T&A information may be based on cost effectiveness and management information needs, the system used to transmit the information should protect T&A information from unauthorized change or alteration and should generate a record of any changes made. If management requires employee attestation of T&A information, any change to previously attested to and approved information should be reviewed and attested to by the employee whose information was changed. In either case, the changed information should be reviewed and approved by an authorized official.

Alternative Workplace Arrangements:

Alternative workplace arrangements [Footnote 18] involve working at locations other than the traditional government office. Locations of alternative workplaces are usually the employee’s home or tele-centers.
[Footnote 19] Although numerous benefits exist for both the agency and employees participating in alternative workplace arrangements (such as improved employee morale and lower commuting costs), such arrangements are a management option, not an employee benefit.

All employees working in alternative workplaces should sign a written agreement with their agency. The agreement should identify, among other items, the period of time the agreement is in effect, location of the alternative site, work schedule and tour of duty the employee will work at the alternative site, time and attendance, and work assignments and performance.

As a basis for approving T&A information, supervisors are required to obtain reasonable assurance that employees working at remote sites are working when scheduled and that T&A information accurately reflects time worked and absences from scheduled tours of duty. Numerous techniques are available to the supervisor to obtain this assurance including, for example, reviewing the employee’s work output or calling or visiting the remote work site during the employee’s scheduled tour of duty.

[End of Part I]

Part II: Military Service Members:

Active Military Personnel:

Active military personnel are considered to be on duty 24 hours a day. Because the nature of some military assignments makes a confirmation of the presence at duty stations difficult, if not impossible, the recording of presence for duty and of specific hours during which duty is performed each day is not required. This is similar to exception-based T&A systems, explained earlier. Most active duty military personnel follow exception-based systems. However, superiors are expected to be aware of the presence and absence of service members for whom they are responsible.
When a service member is on temporary assignment to another component of the armed services or to a civilian agency, the entity to which the service member is detailed should provide time and attendance recording for the service member and report the information to his or her home component promptly to facilitate payment of basic pay and allowances by (or through) the home component.

Absence reports should be maintained daily to indicate those service members who are to be charged leave and those who are not present for duty but who should be. Examples of reports that might contain such information are “morning” or “day” reports, strength reports, unit diaries, and other similar reports. Information on absences that affect pay should be compiled each pay period and transmitted to the payroll system. Without such information, the payroll system may mistakenly pay the member for unauthorized pay and allowances or fail to record leave used.

The following guidance for review and approval applies:

1. Reports of such information and related supporting documents should be reviewed and approved by a designated authorizing official. The official should be aware of the responsibilities he or she is taking regarding the propriety of the reports.

2. Approvals of such reports will be made at the end of the last day of the pay period whenever possible. When this is not possible because of payroll processing requirements to meet established paydays, documents should be approved as close to the end of the pay period as possible.

3. Approval should be done in accordance with guidance found in the subsection “Supervisory Approval” of section “T&A Transactions Should Be Authorized and Approved” of this document.

4. Adjustments or corrections required because of changes in reported absences after T&A information was approved should be processed promptly and be traceable to the pay period for which the correction applies.
All changes should be approved by the authorizing official prior to being entered into the payroll system.

Service members may not approve their own absence reports unless prior authority to do so is granted in writing by an authorized official.

When feasible (as in an office setting or environment), cost effective, and applicable, attendance reporting and related internal controls set forth in “Part I: Civilian Employees” should be instituted for service members to the extent management deems appropriate.

Military Reservists:

T&A controls for military reservists depend largely on the nature of the work. If they have defined work schedules and are not expected to be available for duty around the clock, the T&A requirements for civilian employees are operative and should be used. If, however, they are employed in a way that is similar to those who are on active duty or are actually on active duty, then the controls in the section “Active Military Personnel” are operative and should be used.

[End of Part II]

Appendix I: GAO’s Review of Electronic Signature Applications:

GAO has been asked by several federal agencies to review electronic signature systems used in financial management systems and to discuss how such systems should be evaluated. Because of some of the unique risks associated with highly automated environments, traditional data integrity techniques, such as password- and user identification-based systems, used to authenticate an individual may not provide the same degree of assurance as that provided by paper-based systems. For example, in a paper-based system, an individual's signature on the paper document is a time-tested method of showing that an individual intended to be bound by the terms and conditions in the paper document.
However, in an electronic world, where adequate controls have not been implemented, the similar approach of having an individual's name appended to a data record does not provide the same assurance because, for example, the terms and conditions can be changed without obtaining the individual’s approval of the changes made. When reviewing electronic signature systems, we evaluate whether a system generates electronic signatures that represent an individual's or an entity's intent to be bound. To do this, we determine whether the electronic signature system provides reasonable assurance that the signature produced by the system is (1) unique to the signer, (2) under the signer's sole control, (3) capable of being verified, and (4) linked to the data so that, if the data are changed, the signature is invalidated. Adopting these criteria facilitates our evaluation of how well the electronic signature system addresses its threats and helps identify vulnerabilities that may be present in the system. We have also found these criteria useful since they are technology neutral (can be used regardless of the technology used to produce the signature) and allow for a variety of implementation methods, depending on the degree of risk associated with a given application. When deciding on an electronic signature system for T&A data, agencies should identify and/or develop and document the criteria used in the selection of the signature system and how the criteria and the selected system comply with the GPEA definition of an electronic signature. In addition, the agency’s risk assessment process (as called for in the OMB guidance [Footnote 20]) should disclose the risks considered that would prevent the system from successfully complying with the criteria selected by the agency. Without developing the criteria that the system should meet and then effectively assessing the risks, agencies could adopt signature systems that will not provide the necessary data integrity. 
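
As an added illustration of the four criteria above (not part of the GAO guidance), the following Python example contrasts a name appended to a T&A record with a signature computed over the record. It uses a Lamport one-time hash-based signature only so that it runs on the standard library; the record fields, names and key handling are assumptions made for the example.

```python
import hashlib
import json
import secrets

def h(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()

def record_bits(record: dict) -> list:
    # Canonical JSON so signer and verifier hash exactly the same bytes.
    raw = json.dumps(record, sort_keys=True, separators=(",", ":")).encode()
    return [(byte >> shift) & 1 for byte in h(raw) for shift in range(7, -1, -1)]

def keygen():
    # Criteria 1 and 2: 256 pairs of random secrets that only the signer holds.
    private = [(secrets.token_bytes(32), secrets.token_bytes(32)) for _ in range(256)]
    public = [(h(zero), h(one)) for zero, one in private]
    return private, public

def sign(private, record: dict) -> list:
    # Criterion 4: which secrets are revealed depends on every bit of the record hash.
    # A Lamport key must sign one record only; a corrected record needs a fresh key.
    return [private[i][bit] for i, bit in enumerate(record_bits(record))]

def verify(public, record: dict, signature: list) -> bool:
    # Criterion 3: anyone holding the public key can check the approval.
    bits = record_bits(record)
    return len(signature) == len(bits) and all(
        h(part) == public[i][bit] for i, (part, bit) in enumerate(zip(signature, bits)))

def demo() -> dict:
    approver_private, approver_public = keygen()
    _, other_public = keygen()
    # Constructed sample T&A record, not taken from the GAO guidance.
    record = {"employee_id": "E-0001", "pay_period": "2003-01",
              "hours_worked": 80, "leave_hours": 0}
    # Weak control: a name appended to the record survives any later edit.
    named = dict(record, approved_by="A. Supervisor")
    named["hours_worked"] = 96
    signature = sign(approver_private, record)
    altered = dict(record, hours_worked=96)
    return {
        "name_survives_edit": named["approved_by"] == "A. Supervisor",
        "original_verifies": verify(approver_public, record, signature),
        "altered_verifies": verify(approver_public, altered, signature),
        "other_key_verifies": verify(other_public, record, signature),
    }

if __name__ == "__main__":
    print(demo())
```

In an agency system the same check would rest on a vetted signature scheme with protected key storage; the point shown here is only that an approval bound to the record bytes fails verification once the hours are changed, while an appended name does not.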
[Footnote 21]

[End of section]

Related GAO Products:

These related products address three main categories: internal control, financial management systems, and financial reporting (accounting standards). We have developed these guidelines and tools to assist agencies in improving or maintaining effective operations and financial management.

Internal Control:

Internal Control Management and Evaluation Tool. [hyperlink, http://www.gao.gov/cgi-bin/getrpt?GAO-01-1008G]. Washington, D.C.: August 2001.

Determining Performance and Accountability Challenges and High Risks. [hyperlink, http://www.gao.gov/cgi-bin/getrpt?GAO-01-159SP]. Washington, D.C.: November 2000.

Streamlining the Payment Process While Maintaining Effective Internal Control. [hyperlink, http://www.gao.gov/cgi-bin/getrpt?GAO/AIMD-00-21.3.2]. Washington, D.C.: May 2000.

Standards for Internal Control in the Federal Government. [hyperlink, http://www.gao.gov/cgi-bin/getrpt?GAO/AIMD-00-21.3.1]. Washington, D.C.: November 1999.

Financial Management Systems:

Property Management Systems Requirements Checklist. [hyperlink, http://www.gao.gov/cgi-bin/getrpt?GAO-02-171G]. Washington, D.C.: December 2001.

Grant Financial System Requirements Checklist. [hyperlink, http://www.gao.gov/cgi-bin/getrpt?GAO-01-911G]. Washington, D.C.: September 2001.

Guaranteed Loan System Requirements Checklist. [hyperlink, http://www.gao.gov/cgi-bin/getrpt?GAO-010-371G]. Washington, D.C.: March 2001.

Seized Property and Forfeited Assets Requirements Checklist. [hyperlink, http://www.gao.gov/cgi-bin/getrpt?GAO-01-99G]. Washington, D.C.: October 2000.

Travel System Requirements Checklist. [hyperlink, http://www.gao.gov/cgi-bin/getrpt?GAO/AIMD-00-21.2.8]. Washington, D.C.: April 2000.

Direct Loan System Requirements Checklist. [hyperlink, http://www.gao.gov/cgi-bin/getrpt?GAO/AIMD-00-21.2.6]. Washington, D.C.: April 2000.

Human Resources and Payroll Systems Requirements Checklist. [hyperlink, http://www.gao.gov/cgi-bin/getrpt?GAO/AIMD-00-21.2.3]. Washington, D.C.: March 2000.

Core Financial System Requirements Checklist. [hyperlink, http://www.gao.gov/cgi-bin/getrpt?GAO/AIMD-00-21.2.6]. Washington, D.C.: February 2000.

System Requirements for Managerial Cost Accounting Checklist. [hyperlink, http://www.gao.gov/cgi-bin/getrpt?GAO/AIMD-99-21.2.9]. Washington, D.C.: January 1999.

Inventory System Checklist. [hyperlink, http://www.gao.gov/cgi-bin/getrpt?GAO/AIMD-98-21.2.4]. Washington, D.C.: May 1998.

Framework for Federal Financial Management System Checklist. [hyperlink, http://www.gao.gov/cgi-bin/getrpt?GAO/AIMD-98-21.2.1]. Washington, D.C.: May 1998.

Financial Reporting (Accounting Standards):

Checklist for Reports Prepared Under the CFO Act (Section 1004 of the GAO/PCIE Financial Audit Manual). Washington, D.C.: July 2001.

Title 2 Standards Not Superceded by FASAB Issuances. [hyperlink, http://www.gao.gov/cgi-bin/getrpt?GAO-02-248G]. Washington, D.C.: November 2001.

[End of section]

Footnotes:

[1] This document replaces the 1996 revision to Title 6, “Pay, Leave, and Allowances,” of the GAO Policy and Procedures Manual for Guidance of Federal Agencies.

[2] In 1999, we revised our Standards for Internal Control in the Federal Government (Internal Control Standards), [hyperlink, http://www.gao.gov/cgi-bin/getrpt?GAO/AIMD-00-21.3.1] (Washington, D.C.: November 1999). This guidance provides the criteria for developing and maintaining internal control over federal agency operations, including T&A reporting, under 31 U.S.C. 3512 (c), (d). This document is available on the Internet at the GAO home page [hyperlink, http://www.gao.gov] under “Other Publications” and in hard copy by calling (202) 512-6000.

[3] While this guidance identifies some of the applicable legal and other requirements, agency management retains the responsibility to identify all such requirements, for example, statutes, regulations, and decisions that apply to their T&A reporting systems in order to meet the compliance objectives discussed in this guidance. Many of these requirements are identified in the Joint Financial Management Improvement Program (JFMIP) guidance, Human Resources and Payroll Systems Requirements, [hyperlink, http://www.gao.gov/cgi-bin/getrpt?JFMIP-SR-99-5] (Washington, D.C.: April 1999). The JFMIP guidance provides the functional requirements for human resource and payroll systems to comply with governmentwide and agency-specific statutes, regulations, and guidelines for controlling and accounting for human resources, payroll salaries, and expenses.

[4] See Comptroller General Decision B-123698 (May 10, 1978).

[5] Agencies’ T&A systems are subject to periodic review under FMFIA (31 U.S.C. 3512 (c) and (d)). The Office of Management and Budget (OMB) provides guidance to agencies for establishing, evaluating, and reporting on controls and financial systems in OMB Circular A-123, Management Accountability and Control (Washington, D.C.: June 21, 1995) and OMB Circular A-127, Financial Management Systems (Washington, D.C.: July 23, 1993).

[6] The traditional T&A system normally involved a timekeeper who was responsible for assisting supervisors in recording and verifying employees’ work time and absences. New T&A systems can reduce or even eliminate timekeepers’ duties and shift the responsibilities to employees or supervisors. Regardless of the changes made, the control objectives in this guidance remain relevant.

[7] Federal records management is governed by federal law. Agency management should develop policies for the creation, maintenance, use, and disposition of T&A and related records in accordance with legal and other requirements.

[8] Traditionally, daily arrival and departure times were required to be recorded. Although it is not required that daily records be maintained, agency management may choose to do so by using sign-in/sign-out sheets or other means.

[9] GPEA defines “electronic signature” as a method of signing an electronic message that (1) identifies and authenticates a particular person as the source of the electronic message and (2) indicates such person’s approval of the information contained in the message.

[10] GPEA requires agencies to comply with the guidance issued by OMB regarding automated systems that maintain electronic information as a substitute for paper and use of electronic signature. OMB issued the guidance in Memorandum M-00-10, dated April 25, 2000. An attachment to the memorandum contains the details of the guidance. Also, as part of the OMB guidance, the Department of Justice was charged with developing practical guidance on legal considerations related to agencies’ use of electronic filing and recordkeeping. The department issued Legal Considerations in Designing and Implementing Electronic Processes: A Guide for Federal Agencies in November 2000.

[11] Generally, agencies should not allow lunch or breaks to be scheduled at the start or end of the workday that would permit employees to arrive at work late or leave work early.

[12] Use of credit hours may be provided for under an agency’s flexible work schedule program. Use of credit hours permits an employee to elect to work additional hours in excess of his or her basic work requirement (typically 80 hours in a biweekly pay period for a full-time employee) with supervisory approval. Earned credit hours can be used, subject to supervisory approval, in a subsequent workday, workweek, or bi-weekly pay period.

[13] Agency T&A records typically contain the cumulative balance of available leave by type at the end of the pay period for each employee. Examples of the types of leave on such T&A records include, but are not limited to, annual, sick, and leave for family care purposes under provisions of the Family and Medical Leave Act.

[14] Federal agencies can allow employees to vary their daily arrival and departure times and, under some options, to vary the length of their workday or workweek. In all cases, full-time employees are required to work or otherwise account for 80 hours each biweekly pay period.

[15] Agencies may supplement this minimum requirement by specifying that documentation be forwarded to the employee’s home office, if they determine a documentary trail is needed at the home office.

[16] Unless otherwise designated by management, material variances or deviations from an established schedule for recording purposes are those that differ by 1 hour or more during a planned workday or flex day. However, if leave is used, a deviation of less than 1 hour could be considered material. For example, if an employee arrives 30 minutes late, but works 30 minutes past the planned departure time, this would be considered an immaterial variation and need not be recorded. On the other hand, if the employee chooses to request annual or sick leave rather than to work for the time absent, then a material deviation for recording purposes has occurred.

[17] In requiring supervisory review and approval for exception-based T&A reporting systems, GAO considered the internal control implications of omitting this requirement where there is no deviation from the employee’s preapproved schedule. We believe that, in the absence of compensating controls, this practice increases the risk that errors and omissions could occur and not be detected. Agencies developing or modifying T&A reporting systems and considering this issue should contact GAO for a specific opinion.

[18] Other terms used to refer to alternative workplace arrangements or locations of work are flexible workplace, flexi-place, tele-work and telecommuting.

[19] Tele-centers are facilities away from the traditional government office that are equipped with workstations, telephones, and computers among other items that are shared by employees of multiple agencies.

[20] See footnote 10.

[21] In our report, Information Security: Serious and Widespread Weaknesses Persist at Federal Agencies, [hyperlink, http://www.gao.gov/cgi-bin/getrpt?GAO/AIMD-00-295] (Washington, D.C.: Sept. 6, 2000), we found that in 24 agencies, physical and logical access controls were not effective in preventing or detecting system intrusions or misuse. These weaknesses have a significant adverse impact on the ability of automated systems to ensure the necessary data integrity.

[End of section]