This is the accessible text file for GAO report number GAO-03-352G 
entitled 'Maintaining Effective Control over Employee Time and 
Attendance Reporting' which was released on January 1, 2003. 

This text file was formatted by the U.S. Government Accountability 
Office (GAO) to be accessible to users with visual impairments, as part 
of a longer term project to improve GAO products' accessibility. Every 
attempt has been made to maintain the structural and data integrity of 
the original printed product. Accessibility features, such as text 
descriptions of tables, consecutively numbered footnotes placed at the 
end of the file, and the text of agency comment letters, are provided 
but may not exactly duplicate the presentation or format of the printed 
version. The portable document format (PDF) file is an exact electronic 
replica of the printed version. We welcome your feedback. Please E-mail 
your comments regarding the contents or accessibility features of this 
document to 

This is a work of the U.S. government and is not subject to copyright 
protection in the United States. It may be reproduced and distributed 
in its entirety without further permission from GAO. Because this work 
may contain copyrighted images or other material, permission from the 
copyright holder may be necessary if you wish to reproduce this 
material separately. 

United States General Accounting Office: 

Internal Control: 

January 2003: 

Maintaining Effective Control over Employee Time and Attendance 




Part I: Civilian Employees: 

Internal Control Objectives in T&A Systems: 

T&A Transactions Should Be Authorized and Approved: 

T&A Information Should Be Properly and Promptly Recorded and Retained: 

Exception-Based Systems: 

Transmitting T&A Information to Payroll: 

Alternative Workplace Arrangements: 

Part II: Military Service Members: 

Active Military Personnel: 

Military Reservists: 


Appendix I: GAO’s Review of Electronic Signature Applications: 

Related GAO Products: 


FMFIA: Federal Managers’ Financial Integrity Act: 

GAO: General Accounting Office: 

GPEA: Government Paperwork Elimination Act: 

JFMIP: Joint Financial Management Improvement Program: 

OMB: Office of Management and Budget: 

T&A: time and attendance: 

[End of section] 


Technological advances and changes in workplace habits have increasingly
affected the operating environment for time and attendance (T&A) 
reporting in recent years. For example, trends in the government to 
streamline operations through automation and encourage more flexible
work schedules and places have provided a major impetus for changes in
T&A reporting. Perhaps the most significant influence on changes to T&A
reporting, however, is advancing technology and the accelerated adoption
of automation driven largely by the need for increased efficiency, as 
promoted by the Government Paperwork Elimination Act (GPEA). Although 
focused on electronic systems that process information obtained from 
and provided to sources outside the government, GPEA encourages 
agencies to seek internal applications of paperless systems and use of
electronic signatures. 

We are responsible under the Federal Managers’ Financial Integrity Act 
of 1982 (FMFIA) (31 U.S.C. 3512 (c), (d)), for issuing standards and 
guidance on internal control for the federal government. In order to 
address the potential impact on internal control of the above-mentioned 
changes in T&A reporting, and because of our commitment to improving 
financial management in the federal government, we are updating our 
guidance related to controls over employee T&A reporting. [Footnote 1] 
This document (1) provides agencies with the flexibility needed to 
streamline T&A reporting systems and reduce their costs while 
maintaining adequate internal control, (2) updates the requirements for 
electronic signature control, and (3) addresses the need for controls 
over alternative workplace arrangements. We have modified the language 
from our earlier exposure draft on this topic to emphasize (1) the link 
between internal control over T&A information and the overall 
objectives of the Internal Control Standards, [Footnote 2] (2) the 
importance of compliance objectives, [Footnote 3] (3) the role of the 
supervisor in ensuring proper recording of T&A information, and (4) to 
address comments received on the exposure draft. 

This document relates solely to internal control for a T&A reporting
system. The overall functional requirements for human resources and
payroll systems for civilian personnel are defined in the Joint 
Financial Management Improvement Program’s Human Resources & Payroll
Systems Requirements, [hyperlink,
bin/getrpt?JFMIP-SR-99-5] (Washington, D.C.: April 1999),
Office of Management and Budget (OMB) Circular A-127, Financial
Management Systems (Washington, D.C.: July 23, 1993) and OMB's
implementation guidance Revised Implementation Guidance for the
Federal Financial Management Improvement Act (Washington, D.C.:
Jan. 4, 2001). Also, we have issued a checklist Human Resources and
Payroll Systems Requirements, [hyperlink,
bin/getrpt?GAO/AIMD-21.2.3] (Washington, D.C.: March 2000) based on the 
JFMIP requirements document. 

The work schedule followed by civilian employees differs from that
generally followed by members on active duty in the armed services.
Because work schedules influence internal control in T&A systems, this
document contains two major parts. Part I of this guidance deals with
civilian employees who typically have predetermined work schedules. Part
II deals with members of the active duty armed services who are 
expected to be in a “duty status” and thus on call 24 hours a day. 
Employees who are paid regardless of their presence or absence and who 
do not accrue leave, such as political appointees, are exempt from the 
provisions of this document. [Footnote 4] 

Questions on or interpretations of any material in this document may be
submitted to the Managing Director, Financial Management and Assurance,
U.S. General Accounting Office, 441 G Street NW, Washington, D.C. 
20548. Additional copies of this document can be obtained from the U.S. 
General Accounting Office by calling (202) 512-6000 or TDD (202) 512-
2537, or you may fax a request to (202) 512-6061. It is also available 
on the Internet on GAO’s Home Page [hyperlink,] 
under “Other Publications.” 

Signed by: 

Jeffrey C. Steinhoff: 
Managing Director: 
Financial Management and Assurance: 

[End of preface] 

Part I: Civilian Employees: 

Internal Control Objectives in T&A Systems: 

The primary objectives of internal control in a T&A system are to ensure
that the system complies with applicable legal requirements, supports
reporting of reliable financial information, and operates effectively 
and efficiently. To achieve these objectives, internal control over T&A 
systems should be guided by GAO’s Standards for Internal Control in the 
Federal Government (Internal Control Standards) and control activities 
should provide reasonable assurance that (1) T&A transactions are 
authorized and approved and (2) T&A information is properly and 
promptly recorded and retained. 

Internal Control over T&A Systems Should Be Guided by the Internal 
Control Standards: 

As T&A systems evolve toward increasingly automated methods of 
recording and reporting employee work and leave times, it is important
that agencies implement and maintain well-defined internal control
activities that provide management with the confidence that the system 
is working as designed. GAO’s Internal Control Standards provide the 
criteria for federal agencies to follow in establishing internal 
control over their operations, including T&A reporting. Consistent with 
the Internal Control Standards, agency development of control 
activities over T&A information should give due consideration to (1) 
the control environment in which T&A processing occurs, (2) applicable 
risks, (3) the needs of users of T&A information, and (4) the results 
of control monitoring and evaluation. To do this the agency should: 

* have a well-defined organizational structure and flow of T&A 
information with clearly written and communicated policies and 
procedures setting forth the responsibilities of employees, timekeepers
(if applicable), supervisors, and others regarding recording, examining,
approving, and reporting on T&A information; 

* apply available technology and concepts to achieve efficient and
effective T&A system processes and controls in accordance with
applicable legal and other requirements, this guidance, associated 
risks, and the environment in which the agency operates; and; 

* review and test all aspects of the T&A systems’ processing procedures
and controls with sufficient scope, depth, and frequency to provide
reasonable assurance that key procedures and controls are effective in
meeting legal and other requirements, and that data integrity is 
maintained. [Footnote 5] 

Authorizing, Approving, Recording, and Retaining T&A Information: 

The supervisor has primary responsibility for authorizing and approving
T&A transactions. Supervisors and timekeepers [Footnote 6] should be 
aware of the work time and absence of employees for whom they are 
responsible. To help ensure proper recording of T&A information, 
completed T&A records should be reviewed and approved on an appropriate 
basis by the supervisor (or other equivalent official). To the extent 
practical, changes to an employee’s normal work schedule should 
generally be approved prior to the change actually occurring. 
Unanticipated changes should be reviewed for approval or disapproval as 
soon as reasonably possible. 

In an automated environment, system edits (such as those that check for
format, omissions, and reasonableness of data) and other automated tests
can assist the supervisor in his or her reviews to verify that T&A
information has been properly recorded and provide a reasonable basis 
for making payments. The nature and extent of T&A transaction approvals 
and controls can vary among T&A systems. Fully automated systems, for
example, may require fewer approvals than manual systems because of
automated edits and controls and the use of automated signatures.
Nevertheless, the nature and extent of T&A approvals should be such that
management has assurance that supervisors or other authorized officials
know they are accountable for the approval of an employee’s work time
and absences. 

“Proper” recording of T&A information refers to whether the recorded
information is complete, accurate, valid, and complies with applicable 
legal requirements. Such legal requirements may include, but are not 
limited to, statutes, regulations, and decisions. T&A information 
should also be recorded as promptly as practicable to maintain its 
relevance. Detailed control objectives relative to T&A information are 
presented later in this guidance. 

Most federal civilian employees are paid on an hourly basis (or 
fractions of an hour) and earn and charge leave on that basis. A proper 
record of the time an employee works should be retained as an official 
agency record available for review or inspection. [Footnote 7] To 
provide a basis for pay, leave, and benefits, the records should 
include aggregate hours of regular time, other time (e.g., overtime, 
credit hours, or compensatory time), and leave. [Footnote 8] 

T&A Transactions Should Be Authorized and Approved: 

Supervisory authorization and approval is a key part of ensuring the
propriety of T&A information. The supervisor or other authorized 
official should review and authorize employee’s planned work schedules 
and applications for leave, and review and approve employee submissions 
of actual time worked and leave taken, as well as information in T&A 
reports, and any adjustments or corrections to T&A records. Employees 
may approve their own T&A reports when authorized in writing to do so, 
if they are high level managers or if it is infeasible for the 
supervisor to approve the T&A reports. 

Supervisory Approval: 

This subsection defines approval and discusses how approvals can be
achieved in a manual or automated T&A system environment. Approval is
the supervisor’s, other equivalent official’s, or higher level manager’s
agreement to, ratification of, or concurrence with (1) a planned work
schedule and leave of an employee or (2) actual T&A information. Such
approval indicates that the actual work schedule recorded is to the 
best of the approving official’s knowledge properly recorded and in 
accordance with applicable legal requirements. The approving official 
acknowledges awareness and understanding of his/her responsibility when 
approving T&A information. 

The documentary evidence of approval will of necessity differ between
manual and automated systems. In manual systems, approval is usually
indicated by the signature or initial of an individual on a hard copy 
document. Accountability is established by having the signature or 
initial be traceable to the individual providing the approval. In 
automated systems, approval is represented by what can be referred to 
generically as an electronic signature. [Footnote 9] There are many 
types of electronic signature technologies offering different degrees 
of confidence, control, and security. In selecting and/or developing 
and implementing a particular electronic signature technology for an 
automated T&A application, management should assess the risks 
associated with the loss, misuse, or compromise of the electronic T&A 
information and signature compared to the benefits, costs, and effort 
associated with selecting and/or developing and managing the automated 
systems and electronic signature. [Footnote 10] See appendix I for a 
further explanation of electronic signatures and GAO’s review of such 

Authorizing an Employee’s Work Schedule: 

When an employee’s work schedule (1) differs from the agencywide 
schedule established by management or (2) reflects a flexible work
schedule, the employee’s work schedule should be approved by the 
supervisor or the official most knowledgeable of the employee’s schedule
in advance of the period when the plan takes effect. If the schedule is 
not approved in advance, the plan should be approved as soon after the 
start of the pay period as possible. [Footnote 11] 

When agency work schedule programs allow for credit hours [Footnote 12] 
to be earned, employee requests to work such hours should be reviewed 
by the supervisor to determine if work demands warrant the employee 
working the additional hours and, if so, approved before the work has 
been performed when feasible. 

Approval also should be obtained for overtime before the work has been
performed when feasible and, when not feasible, as soon as possible 
after the work has been performed. Care should be taken to distinguish 
between regular overtime and irregular overtime or occasional overtime 
(or compensatory time in lieu of overtime, where allowed) in order for 
the agency to properly document and calculate an employee’s overtime 
pay entitlements. 

Approval of Leave: 

Approval of leave should be made by the employee’s supervisor, or other
designated approving official, before the leave is taken. If leave is 
not approved in advance, because of an unusual or emergency situation, 
it should be reviewed for approval or disapproval as soon as reasonably
possible after it is taken. 

Approval of T&A Reports and Related Records: 

All T&A reports and related supporting documents (e.g., overtime pay
authorizations) should be reviewed and approved by an authorized 

Review and approval should be made by the official, normally the 
immediate supervisor, most knowledgeable of the time worked by and
absence of the employee involved. Approval of T&A reports and related 
documents is based on personal observation, work output, timekeeper
verification, information checks against other independent sources,
reliance on other controls, or a combination of these methods. The
integrity of the information recorded in the T&A reporting system 
depends largely on the conscientious exercise of the supervisor (or 
other official) of his or her approval authority and an appropriate 
basis for such approval. Management may want to reemphasize to 
supervisory staff (or other authorizing officials) the importance of 
this responsibility periodically or as needed. 

The official most knowledgeable of the time worked should approve any
overtime or compensatory time records. Care should be taken (1) to 
ensure that the overtime was approved, preferably in advance, and (2) 
that the amount and type of overtime (regular or irregular), credit 
hours, and compensatory time is accurately recorded and reported. 

If practical, T&A information should be approved at the end of the last 
day of the pay period or later. When this is not feasible because of 
payroll processing requirements to meet established paydays, T&A 
information should be prepared and approved as close to the end of the 
pay period as possible to allow processing of the payroll by payday. 

Adjustments or Corrections after the T&A Period Ends: 

Adjustments or corrections required because of changes after T&A 
information was approved should be processed promptly and be traceable
to the pay period for which the correction applies. Changes should be
approved by an authorizing official. 

Self-Approval of T&A Reports: 

In general, employees may not approve their own T&A information. 
However, the head of an agency (or designee) may authorize particular 
individuals to approve their own T&A information if they are high-level
managers (such as the head of a large unit within the agency). 

Other exceptions to the general prohibition against self-approval of T&A
information apply when the supervisor lacks a basis for approving the 
T&A information or when it is not feasible to have T&A information 
approved by a supervisor. Examples of where the supervisor may lack a 
basis for approving the T&A information include, but are not 
necessarily limited to, (1) employees working alone at a remote site 
for long periods and (2) employees based at the same duty station as 
their supervisors or timekeepers but frequently at work sites away from 
the duty station. In situations when it is not practical for the 
supervisor to approve T&A information promptly, the employee may be 
paid and the supervisor may subsequently review and approve the 

In all cases, an official authorized by the agency head (or designee) 
should grant advance authority in writing, and the agency should have 
effective controls in place to ensure the proper reporting of T&A 

T&A Information Should Be Properly and Promptly Recorded and Retained: 

Information in T&A records should be promptly and properly recorded to 
meet control objectives. It should be complete, accurate, valid, and 
comply with legal requirements. Agency policy should establish 
accountability for recording T&A information and for the maintenance of 
and access to T&A records and supplementary records. Agency policy 
should establish how T&A information for employees temporarily assigned 
to another agency will be recorded and maintained. Management may 
require employees and timekeepers, if any, to attest or verify T&A 
information. T&A information that supports financial reporting or cost 
reporting should be auditable. 

Control Objectives Relative to T&A Information: 

Controls over T&A information should provide reasonable assurance that
such information (1) is recorded completely, accurately, and as 
promptly as practicable, (2) relates to authorized individuals, (3) 
reflects actual work performed and leave taken or other absences during 
authorized work-hours and periods, (4) is sufficiently detailed to 
allow for verification, (5) complies with legal requirements, and (6) 
is supported by recorded evidence of supervisory review and approval. 
Typically, to achieve these objectives, agencies record and maintain, 
for each employee and pay period, the following information or 

1. employee name and unique identifying number; 

2. pay period number or dates; 

3. hours worked; 

4. hours of premium pay, by type, and overtime to which the employee is

5. dates and number of hours of leave (by type), credit hours, and
compensatory hours earned and used; [Footnote 13] 

6. evidence of approval by an authorized official (usually the 
supervisor), and; 

7. supporting documentation or records for absences. 

Recording T&A Information: 

Agency policy should assign accountability for recording T&A 
information and maintaining related records to support the control 
objectives referred to in the previous subsection. The information may 
be recorded by the individual employee, timekeeper, supervisor, or a 
combination of the three. If the employee is not recording his or her 
own T&A information, several techniques can be used individually or in 
combination to provide the basis for recording T&A information. The 
basis could be (1) the timekeeper’s or supervisor’s observation, (2) 
time clocks, or other automated timekeeping devices, where not 
prohibited by law, or (3) other applicable techniques. The person 
recording the T&A information should acknowledge responsibility for the 
propriety of the recorded information. 

The point at which T&A information is recorded can vary among different 
T&A systems. For example, T&A information may be recorded (1) daily, (2)
when deviations from an individual’s or agency’s established work 
schedule occur, or (3) at the end of the pay period. Regardless of the 
timing of recording T&A information, management should have in place 
control activities that provide reasonable assurance that the recorded 
information reflects time worked, leave taken, or other absences. 

A T&A record can be (1) a manually completed hard copy document, (2) an 
automated file retained electronically, or (3) a combination of 
automated and manual records. The T&A information can be obtained using 
a number of different methods, including but not limited to, preprinted 
or specially designed T&A forms; other standard forms; internal 
memorandums; e-mails; employee, timekeeper, or supervisor notations 
(that might, for example, result from phone conversations); or other 
formats so long as the documents are controlled and retained as the 
official T&A record of employees. 

Attestation and Verification by Employees and Timekeepers: 

Attestation refers to an employee affirming T&A information to be 
proper. Verification is a confirmation, usually by the timekeeper or 
supervisor, that to the best of his or her knowledge recorded 
information is proper. This guidance does not require such attestations 
and/or verifications. However, if management requires such attestations 
and/or verifications, they should be performed as close to the end of 
the pay period as possible. When not possible until after the end of 
the pay period, a copy of the T&A report and related documents, when 
applicable, should be provided to the employee promptly for attestation 
and to the timekeeper promptly for verification. The employee and/or 
timekeeper should promptly disclose any discrepancies to the supervisor 
for prompt resolution. 

The documentary evidence of attestations and verifications differs 
between manual and automated systems in the same manner that the 
documentary evidence of approval differs between manual and automated 
systems in the subsection “Supervisory Approval” of this guidance. 

Supplementary T&A Records: 

Supplementary T&A records should be completed and maintained, as
necessary, to support the control objectives relative to T&A information
described above. Examples of such records include those for establishing
(1) work schedules, [Footnote 14] (2) flexi-place arrangements, (3) 
cumulative leave balances available for use by type, (4) regular 
overtime and irregular or occasional overtime, (5) compensatory time 
earned and used, (6) credit hours earned and used under an alternative 
work schedule, and (7) number of unscheduled duty hours. 

Employees Temporarily Assigned to Another Agency: 

When an employee is on temporary assignment to another agency, the 
agency to which the employee is detailed should record T&A information
for the employee in accordance with the guidance in this document. It
should also report the information to the employee’s home agency 
promptly to facilitate disbursement of pay by the home agency. 
[Footnote 15] 

Access to T&A Information: 

Access to T&A information should be limited to those authorized to 
access the information for the purpose of carrying out their official 

T&A Information That Supports Financial or Cost Reporting: 

Where T&A information supports amounts appearing in financial reports,
an audit trail should exist between the T&A information and the 
accounting records underlying the financial reports to allow for 
verification of reported amounts. Controls over T&A information that is 
used to support cost reporting should ensure the information is 
captured in sufficient detail, such as by appropriation, organizational 
code, work activity, or other unit as necessary to meet the cost 
reporting objectives and be auditable. 

Exception-Based Systems: 

Exception-based T&A systems, as the name implies, require pay period
recording of arrival and departure times only if material variances 
[Footnote 16] from preestablished work schedules occur. Employees’ 
schedules are established, either through management designated work 
schedules or by mutual agreement between employees and management. When 
employees’ arrival and departure times for a pay period are 
established, these schedules become the basis for recorded T&A 
information unless material variances or deviations occur. As 
previously noted, if no material variances occur, arrival and departure 
times and hours worked per day need not be recorded. 

Material variances or deviations should be approved by the supervisor 
before the change occurs, if feasible, or promptly after the change 
occurs, if not feasible. As part of their approval of the change, 
supervisors or designees should verify that the dates and amounts of 
material changes have been recorded in the appropriate T&A record. 
However, in either case (material variance or no variance), each 
employee’s T&A record should be approved by the supervisor or 
comparable official. [Footnote 17] 

Several alternatives exist for recording changes to established 
schedules. Changes can be noted by recording arrival and departure 
times directly on an employee’s time sheet, recording arrival and 
departure times on a centrally maintained time-in/time-out log used by 
many employees, or noting the number of hours and minutes of the 
deviation in a record that the supervisor maintains. The method 
selected by management to record the deviations should be the most 
efficient and effective one under the circumstances. 

Transmitting T&A Information to Payroll: 

T&A information should be transmitted to the payroll system for all
employees or, under exception-based systems, for employees who have
changes to their normal work schedules. While the choice of methods used
to transmit the T&A information may be based on cost effectiveness and
management information needs, the system used to transmit the 
information should protect T&A information from unauthorized change or
alteration and should generate a record of any changes made. If 
management requires employee attestation of T&A information, any
change to previously attested to and approved information should be 
reviewed and attested to by the employee whose information was changed. 
In either case, the changed information should be reviewed and approved 
by an authorized official. 

Alternative Workplace Arrangements: 

Alternative workplace arrangements [Footnote 18] involve working at 
locations other than the traditional government office. Locations of 
alternative workplaces are usually the employee’s home or tele-centers. 
[Footnote 19] Although numerous benefits exist for both the agency and 
employees participating in alternative workplace arrangements (such as 
improved employee morale and lower commuting costs), such arrangements 
are a management option, not an employee benefit. All employees working 
in alternative workplaces should sign a written agreement with their 
agency. The agreement should identify, among other items, the period of 
time the agreement is in effect, location of the alternative site, work 
schedule and tour of duty the employee will work at the alternative 
site, time and attendance, and work assignments and performance. 

As a basis for approving T&A information, supervisors are required to
obtain reasonable assurance that employees working at remote sites are
working when scheduled and that T&A information accurately reflects time
worked and absences from scheduled tours of duty. Numerous techniques
are available to the supervisor to obtain this assurance including, for
example, reviewing the employee’s work output or calling or visiting 
the remote work site during the employee’s scheduled tour of duty. 

[End of Part I] 

Part II: Military Service Members: 

Active Military Personnel: 

Active military personnel are considered to be on duty 24 hours a day. 
Because the nature of some military assignments makes a confirmation of
the presence at duty stations difficult, if not impossible, the 
recording of presence for duty and of specific hours during which duty 
is performed each day is not required. This is similar to exception-
based T&A systems, explained earlier. Most active duty military 
personnel follow exception-based systems. However, superiors are 
expected to be aware of the presence and absence of service members for 
whom they are responsible. When a service member is on temporary 
assignment to another component of the armed services or to a civilian 
agency, the entity to which the service member is detailed should 
provide time and attendance recording for the service member and report 
the information to his or her home component promptly to facilitate 
payment of basic pay and allowances by (or through) the home component. 

Absence reports should be maintained daily to indicate those service
members who are to be charged leave and those who are not present for
duty but who should be. Examples of reports that might contain such
information are “morning” or “day” reports, strength reports, unit 
diaries, and other similar reports. 

Information on absences that affect pay should be compiled each pay
period and transmitted to the payroll system. Without such information, 
the payroll system may mistakenly pay the member for unauthorized pay 
and allowances or fail to record leave used. The following guidance for 
review and approval applies: 

1. Reports of such information and related supporting documents should
be reviewed and approved by a designated authorizing official. The 
official should be aware of the responsibilities he or she is taking
regarding the propriety of the reports. 

2. Approvals of such reports will be made at the end of the last day of 
the pay period whenever possible. When this is not possible because of
payroll processing requirements to meet established paydays, documents 
should be approved as close to the end of the pay period as possible. 

3. Approval should be done in accordance with guidance found in the 
subsection “Supervisory Approval” of section “T&A Transactions Should 
Be Authorized and Approved” of this document. 

4. Adjustments or corrections required because of changes in reported 
absences after T&A information was approved should be processed 
promptly and be traceable to the pay period for which the correction

All changes should be approved by the authorizing official prior to 
being entered into the payroll system. Service members may not approve 
their own absence reports unless prior authority to do so is granted in 
writing by an authorized official. 

When feasible (as in an office setting or environment), cost effective, 
and applicable, attendance reporting and related internal controls set 
forth in “Part I: Civilian Employees” should be instituted for service 
members to the extent management deems appropriate. 

Military Reservists: 

T&A controls for military reservists depend largely on the nature of the
work. If they have defined work schedules and are not expected to be 
available for duty around the clock, the T&A requirements for civilian
employees are operative and should be used. If, however, they are
employed in a way that is similar to those who are on active duty or are
actually on active duty, then the controls in the section “Active 
Military Personnel” are operative and should be used. 

[End of Part II] 

Appendix I: GAO’s Review of Electronic Signature Applications: 

GAO has been asked by several federal agencies to review electronic
signature systems used in financial management systems and to discuss
how such systems should be evaluated. Because of some of the unique
risks associated with highly automated environments, traditional data
integrity techniques, such as password- and user identification-based 
systems, used to authenticate an individual may not provide the same
degree of assurance as that provided by paper-based systems. For 
example, in a paper-based system, an individual's signature on the 
paper document is a time-tested method of showing that an individual 
intended to be bound by the terms and conditions in the paper document. 
However, in an electronic world, where adequate controls have not been 
implemented, the similar approach of having an individual's name 
appended to a data record does not provide the same assurance because, 
for example, the terms and conditions can be changed without obtaining 
the individual’s approval of the changes made. 

When reviewing electronic signature systems, we evaluate whether a
system generates electronic signatures that represent an individual's 
or an entity's intent to be bound. To do this, we determine whether the 
electronic signature system provides reasonable assurance that the 
signature produced by the system is (1) unique to the signer, (2) under 
the signer's sole control, (3) capable of being verified, and (4) 
linked to the data so that, if the data are changed, the signature is 
invalidated. Adopting these criteria facilitates our evaluation of how 
well the electronic signature system addresses its threats and helps 
identify vulnerabilities that may be present in the system. We have 
also found these criteria useful since they are technology neutral (can 
be used regardless of the technology used to produce the signature) and 
allow for a variety of implementation methods, depending on the degree 
of risk associated with a given application. 

When deciding on an electronic signature system for T&A data, agencies
should identify and/or develop and document the criteria used in the
selection of the signature system and how the criteria and the selected
system comply with the GPEA definition of an electronic signature. In
addition, the agency’s risk assessment process (as called for in the OMB
guidance [Footnote 20]) should disclose the risks considered that would 
prevent the system from successfully complying with the criteria 
selected by the agency. Without developing the criteria that the system 
should meet and then effectively assessing the risks, agencies could 
adopt signature systems that will not provide the necessary data 
integrity. [Footnote 21] 

[End of section] 

Related GAO Products: 

These related products address three main categories: internal control,
financial management systems, and financial reporting (accounting 
standards). We have developed these guidelines and tools to assist 
agencies in improving or maintaining effective operations and financial

Internal Control: 

Internal Control Management and Evaluation Tool. [hyperlink,]. Washington, D.C.: 
August 2001. 

Determining Performance and Accountability Challenges and High Risks.
Washington, D.C.: November 2000. 

Streamlining the Payment Process While Maintaining Effective Internal
Control. [hyperlink,
21.3.2]. Washington, D.C.: May 2000. 

Standards for Internal Control in the Federal Government. [hyperlink,]. Washington, 
D.C.: November 1999. 

Financial Management Systems: 

Property Management Systems Requirements Checklist. [hyperlink,]. Washington, D.C.: 
December 2001. 

Grant Financial System Requirements Checklist. [hyperlink,]. Washington, D.C.: 
September 2001. 

Guaranteed Loan System Requirements Checklist. [hyperlink,]. Washington, D.C.: 
March 2001. 

Seized Property and Forfeited Assets Requirements Checklist. 
Washington, D.C.: October 2000. 

Travel System Requirements Checklist. [hyperlink,]. Washington,
D.C.: April 2000. 

Direct Loan System Requirements Checklist. [hyperlink,]. Washington, 
D.C.: April 2000. 

Human Resources and Payroll Systems Requirements Checklist. 
Washington, D.C.: March 2000. 

Core Financial System Requirements Checklist. [hyperlink,].
Washington, D.C.: February 2000. 

System Requirements for Managerial Cost Accounting Checklist. 
Washington, D.C.: January 1999. 

Inventory System Checklist. [hyperlink,
bin/getrpt?GAO/AIMD-98-21.2.4]. Washington, D.C.: May

Framework for Federal Financial Management System Checklist. 
Washington, D.C.: May 1998. 

Financial Reporting (Accounting Standards): 

Checklist for Reports Prepared Under the CFO Act (Section 1004 of the 
GAO/PCIE Financial Audit Manual). Washington, D.C.: July 2001. Title 2 
Standards Not Superceded by FASAB Issuances. [hyperlink,]. Washington, D.C.: 
November 2001. 

[End of section] 


[1] This documents replaces the 1996 revision to Title 6, “Pay, Leave, 
and Allowances,” of the GAO Policy and Procedures Manual for Guidance 
of Federal Agencies. 

[2] In 1999, we revised our Standards for Internal Control in the 
Federal Government (Internal Control Standards), [hyperlink,] (Washington, 
D.C.: November 1999). This guidance provides the criteria for 
developing and maintaining internal control over federal agency 
operations, including T&A reporting, under 31 U.S.C. 3512 (c), (d). 
This document is available on the Internet at the GAO home page 
[hyperlink,] under “Other Publications” and in hard 
copy by calling (202) 512-6000. 

[3] While this guidance identifies some of the applicable legal and 
other requirements, agency management retains the responsibility to 
identify all such requirements, for example, statutes, regulations, and 
decisions that apply to their T&A reporting systems in order to meet 
the compliance objectives discussed in this guidance. Many of these 
requirements are identified in the Joint Financial Management 
Improvement Program (JFMIP) guidance, Human Resources and Payroll 
Systems Requirements, [hyperlink,
bin/getrpt?JFMIP-SR-99-5] (Washington, D.C.: April 1999). The JFMIP 
guidance provides the functional requirements for human resource
and payroll systems to comply with governmentwide and agency-specific 
statutes, regulations, and guidelines for controlling and accounting 
for human resources, payroll salaries, and expenses. 

[4] See Comptroller General Decision B-123698 (May 10, 1978). 

[5] Agencies’ T&A systems are subject to periodic review under FMFIA 
(31 U.S.C. 3512 (c) and (d)). The Office of Management and Budget (OMB) 
provides guidance to agencies for establishing, evaluating, and 
reporting on controls and financial systems in OMB Circular A-123, 
Management Accountability and Control (Washington, D.C.: June 21, 1995) 
and OMB Circular A-127, Financial Management Systems (Washington, D.C.: 
July 23, 1993). 

[6] The traditional T&A system normally involved a timekeeper who was 
responsible for assisting supervisors in recording and verifying 
employees’ work time and absences. New T&A systems can reduce or even 
eliminate timekeepers’ duties and shift the responsibilities to 
employees or supervisors. Regardless of the changes made, the control 
objectives in this guidance remain relevant. 

[7] Federal records management is governed by federal law. Agency 
management should develop policies for the creation, maintenance, use, 
and disposition of T&A and related records in accordance with legal and 
other requirements. 

[8] Traditionally, daily arrival and departure times were required to 
be recorded. Although it is not required that daily records be 
maintained, agency management may choose to do so by using sign-in/sign-
out sheets or other means. 

[9] GPEA defines “electronic signature” as a method of signing an 
electronic message that (1) identifies and authenticates a particular 
person as the source of the electronic message and (2) indicates such 
person’s approval of the information contained in the message. 

[10] GPEA requires agencies to comply with the guidance issued by OMB 
regarding automated systems that maintain electronic information as a 
substitute for paper and use of electronic signature. OMB issued the 
guidance in Memorandum M-00-10, dated April 25, 2000. An attachment to 
the memorandum contains the details of the guidance. Also, as part of 
the OMB guidance, the Department of Justice was charged with developing 
practical guidance on legal considerations related to agencies’ use of 
electronic filing and recordkeeping. The department issued Legal 
Considerations in Designing and Implementing Electronic Processes: A 
Guide for Federal Agencies in November 2000. 

[11] Generally, agencies should not allow lunch or breaks to be 
scheduled at the start or end of the workday that would permit 
employees to arrive at work late or leave work early. 

[12] Use of credit hours may be provided for under an agency’s flexible 
work schedule program. Use of credit hours permits an employee to elect 
to work additional hours in excess of his or her basic work requirement 
(typically 80 hours in a biweekly pay period for a full-time employee) 
with supervisory approval. Earned credit hours can be used, subject to 
supervisory approval, in a subsequent workday, workweek, or bi-weekly 
pay period. 

[13] Agency T&A records typically contain the cumulative balance of 
available leave by type at the end of the pay period for each employee. 
Examples of the types of leave on such T&A records include, but are not 
limited to, annual, sick, and leave for family care purposes under 
provisions of the Family and Medical Leave Act. 

[14] Federal agencies can allow employees to vary their daily arrival 
and departure times and, under some options, to vary the length of 
their workday or workweek. In all cases, full-time employees are 
required to work or otherwise account for 80 hours each biweekly pay

[15] Agencies may supplement this minimum requirement by specifying 
that documentation be forwarded to the employee’s home office, if they 
determine a documentary trail is needed at the home office. 

[16] Unless otherwise designated by management, material variances or 
deviations from an established schedule for recording purposes are 
those that differ by 1 hour or more during a planned workday or flex 
day. However, if leave is used, a deviation of less than 1 hour could 
be considered material. For example, if an employee arrives 30 minutes 
late, but works 30 minutes past the planned departure time, this would 
be considered an immaterial variation and need not be recorded. On the 
other hand, if the employee chooses to request annual or sick leave 
rather than to work for the time absent, then a material deviation for 
recording purposes has occurred. 

[17] In requiring supervisory review and approval for exception-based 
T&A reporting systems, GAO considered the internal control implications 
of omitting this requirement where there is no deviation from the 
employee’s preapproved schedule. We believe that, in the absence of 
compensating controls, this practice increases the risk that errors and 
omissions could occur and not be detected. Agencies developing or 
modifying T&A reporting systems and considering this issue should 
contact GAO for a specific opinion. 

[18] Other terms used to refer to alternative workplace arrangements or 
locations of work are flexible workplace, flexi-place, tele-work and 

[19] Tele-centers are facilities away from the traditional government 
office that are equipped with workstations, telephones, and computers 
among other items that are shared by employees of multiple agencies. 

[20] See footnote 10. 

[21] In our report, Information Security: Serious and Widespread 
Weaknesses Persist at Federal Agencies, [hyperlink,] (Washington, D.C.: 
Sept. 6, 2000), we found that in 24 agencies, physical and logical 
access controls were not effective in preventing or detecting
system intrusions or misuse. These weaknesses have a significant 
adverse impact on the ability of automated systems to ensure the 
necessary data integrity. 

[End of section]