Rule

Revisions to the Requirements for Authority to Manufacture and Distribute Postage Evidencing Systems

Published Document

This document has been published in the Federal Register. Use the PDF linked in the document sidebar for the official electronic format.

AGENCY:

Postal Service™.

ACTION:

Final rule.

SUMMARY:

This rule updates the security and revenue protection features of the Computerized Meter Resetting System (CMRS) and the PC postage payment methodology to reflect changes to the audit profession's reporting standards on controls at service organizations.

DATES:

This rule is effective March 31, 2014.

FOR FURTHER INFORMATION CONTACT:

Marlo Kay Ivey, Business Programs Specialist, Payment Technology, U.S. Postal Service, at 202-268-7613.

SUPPLEMENTARY INFORMATION:

When the Postal Service was mandated to comply with Sarbanes-Oxley regulations beginning with the financial statements for the fiscal year ending September 30, 2010, the Postal Service required a Statement on Auditing Standards (SAS) 70 Type II Report from each of our providers. Subsequently, the American Institute of Certified Public Accountants (AICPA) issued new guidance to the audit profession on reporting standards for controls at service organizations, superseding the SAS 70 standards. Accordingly, the Postal Service is now requiring a Service Organization Controls SOC1 Type II report, in accordance with Statements on Standards for Attestation Engagements (SSAEs) 16, in the place of a SAS 70 Type II report, from each of our providers. We have also clarified that the expense incurred from obtaining this report will be paid by the provider.

List of Subjects in 39 CFR Part 501

  • Administrative practice and procedure

Accordingly, for the reasons stated, 39 CFR part 501 is amended as follows:

PART 501—AUTHORIZATION TO MANUFACTURE AND DISTRIBUTE POSTAGE EVIDENCING SYSTEMS

1. The authority citation for 39 CFR part 501 continues to read as follows:

Authority: 5 U.S.C. 552(a); 39 U.S.C. 101, 401, 403, 404, 410, 2601, 2605, Inspector General Act of 1978, as amended (Pub. L. 95-452, as amended); 5 U.S.C. App. 3.

2. Section 501.15 is amended by revising paragraph (i) to read as follows:

§ 501.15 Computerized Meter Resetting System.
* * * * *

(i) Security and Revenue Protection. To receive Postal Service approval to continue to operate systems in the CMRS environment, the RC must submit to a periodic examination of its CMRS system and any other applications and technology infrastructure that may have a material impact on Postal Service revenues, as determined by the Postal Service. The examination shall be performed by a qualified, independent audit firm and shall be conducted in accordance with the Statements on Standards for Attestation Engagements (SSAEs) No. 16, Service Organizations, developed by the American Institute of Certified Public Accountants (AICPA), as amended or superseded. Expenses associated with such examination shall be incurred by the RC. The examination shall include testing of the operating effectiveness of relevant RC internal controls (SOC 1 Type II SSAE 16 Report). If the service organization uses another service organization (sub-service provider), Postal Service management should consider the nature and materiality of the transactions processed by the sub-service organization and the contribution of the sub-service organization's processes and controls in the achievement of the Postal Service's control objectives. The Postal Service should have access to the sub-service organization's SOC 1 Type II SSAE 16 report. The control objectives to be covered by the SOC 1 Type II SSAE 16 report are subject to Postal Service review and approval, and are to be provided to the Postal Service 30 days prior to the initiation of each examination period. As a result of the examination, the service auditor shall provide the RC and the Postal Service with an opinion on the design and operating effectiveness of the RC's internal controls related to the CMRS system and any other applications and technology infrastructure considered material to the services provided to the Postal Service by the RC.
Such examinations are to be conducted on no less than an annual basis, and are to be as of and for the 12 months ended June 30 of each year (except for new contracts for which the examination period will be no less than the period from the contract date to the following June 30, unless otherwise agreed to by the Postal Service). The examination reports are to be provided to the Postal Service by August 15 of each year. To the extent that internal control weaknesses are identified in a SOC 1 Type II SSAE 16 report, the Postal Service may require the remediation of such weaknesses and review working papers and engage in discussions about the work performed with the service auditor. The Postal Service requires that all remediation efforts (if applicable) are completed and reported by the RC prior to the Postal Service's fiscal year end (September 30). In addition, the RC will be responsible for performing an examination of their internal control environment related to the CMRS system and any other applications and technology infrastructure considered material to the services provided to the Postal Service by the RC, in particular, disclosing changes to internal controls for the period of July 1 to September 30. This examination should be documented and submitted to the Postal Service by October 14. The RC will be responsible for all costs related to the examinations conducted by the service auditor and the RC.

* * * * *

3. Section 501.16 is amended by revising paragraph (f) to read as follows:

§ 501.16 PC postage payment methodology.
* * * * *

(f) Security and Revenue Protection. To receive Postal Service approval to continue to operate PC Postage systems, the provider must submit to a periodic examination of its PC Postage system and any other applications and technology infrastructure that may have a material impact on Postal Service revenues, as determined by the Postal Service. The examination shall be performed by a qualified, independent audit firm and shall be conducted in accordance with the Statements on Standards for Attestation Engagements (SSAEs) No. 16, Service Organizations, developed by the American Institute of Certified Public Accountants (AICPA), as amended or superseded. Expenses associated with such examination shall be incurred by the provider. The examination shall include testing of the operating effectiveness of relevant provider internal controls (SOC1 Type II SSAE 16 Report). If the service organization uses another service organization (sub-service provider), Postal Service management should consider the nature and materiality of the transactions processed by the sub-service organization and the contribution of the sub-service organization's processes and controls in the achievement of the Postal Service's control objectives. The Postal Service should have access to the sub-service organization's SOC 1 Type II SSAE 16 report. The control objectives to be covered by the SOC 1 Type II SSAE 16 report are subject to Postal Service review and approval, and are to be provided to the Postal Service 30 days prior to the initiation of each examination period. As a result of the examination, the service auditor shall provide the provider and the Postal Service with an opinion on the design and operating effectiveness of the internal controls related to the PC Postage system, and any other applications and technology infrastructure considered material to the services provided to the Postal Service by the provider. 
Such examinations are to be conducted on no less than an annual basis, and are to be as of and for the 12 months ended June 30 of each year (except for new contracts for which the examination period will be no less than the period from the contract date to the following June 30, unless otherwise agreed to by the Postal Service). The examination reports are to be provided to the Postal Service by August 15 of each year. To the extent that internal control weaknesses are identified in a SOC 1 Type II SSAE 16 report, the Postal Service may require the remediation of such weaknesses, and review working papers and engage in discussions about the work performed with the service auditor. The Postal Service requires that all remediation efforts (if applicable) are completed and reported by the provider prior to the Postal Service's fiscal year end (September 30). In addition, the provider will be responsible for performing an examination of their internal control environment related to the PC Postage system and any other applications and technology infrastructure considered material to the services provided to the Postal Service by the provider, in particular, disclosing changes to internal controls for the period of July 1 to September 30. This examination should be documented and submitted to the Postal Service by October 14. The provider will be responsible for all costs related to the examinations conducted by the service auditor and the provider.

* * * * *

Stanley F. Mires,

Attorney, Legal Policy & Legislative Advice.

[FR Doc. 2014-03539 Filed 2-26-14; 8:45 am]

BILLING CODE 7710-P