Every year the US Defense Contract Audit Agency audits thousands of contracts with the US government. If you have ever been part of such an audit you will know that the DCAA places a particular emphasis on verifying timesheets associated to workers working on projects that they oversee. It is not enough to have a good time and attendance record. The DCAA must validate that hours billed to government contracts were spent on those projects and not on other work. A complete task-based timesheet is required that encompasses all work.
In 2017, the DCAA audited over $281 billion in defense contract costs. The DCAA is not restricted to defense contracts alone. Their standards and audits are also used by NASA, the DoE, Homeland security and other agencies.
While the DCAA deliberately does not endorse or certify software products, and instead focuses on an auditable process, the standards they require are well known.
TimeControl has included DCAA compliant functionality for many years and has been selected by clients on numerous occasions to be used for DCAA audit compliance.
HMS maintains a resource portal with a number of useful tools and links to aid in becoming DCAA compliant when using TimeControl. The portal is free and is located at: dcaa.timecontrol.com.
Question: We now have clients sign paper timesheets to show they were approved. How would we deal with this requirement in an automated timesheet like TimeControl?
This is a great question and one faced by any organization that is shifting from paper-based timesheets to an automated system. Signature approvals are designed to have evidence that the person who signed the document actually saw the document they signed and their signature signifies their approval of the content. There are two main areas of reluctance for auditors to accept an automated version of a signature in a computer-based timesheet:
- How do we know that the person whose name is now on the timesheet is actually the person who approved it? And;
- How can we be sure that the data in the view the person approved has not been changed.
In TimeControl, both of these concerns are dealt with in the way that TimeControl deals with auditability of the movement of timesheet ownership.
When a timesheet is created. TimeControl notes in the database the user name and the date/time. Then, whenever the timesheet changes ownership through releasing it for approval, the timesheet being rejected, updated re-released, approved and ultimate posted, TimeControl creates an entry in the Timesheet Release Log.
If a user is using the Alternate User function to log into TimeControl as someone else, TimeControl accommodates this also. In this case the audit log will show both the person who had the responsibility of releasing or rejecting the timesheet as well as who the actual user was who performed the action.
Since this means that there is no reason to share one’s credentials to get into TimeControl, virtually all financial auditors HMS has encountered accept the user name entry in the audit log as equivalent to a signature on a piece of paper. This has been tested in audits by authorities such as both Revenue Canada and the US IRS for R&D Tax Credits, Defense Contract Audit Agency audits, Sarbanes-Oxley compliance audits and countless other situations where timesheet data is part of an audit.
To be certain that this functionality will pass your own auditing standards, you should consult your Finance team and, if need be, have them speak to the technical experts at HMS.