Revisions to the Requirements for Authority to Manufacture and Distribute Postage Evidencing Systems
Federal Register, Volume 79 Issue 39 (Thursday, February 27, 2014)
Federal Register Volume 79, Number 39 (Thursday, February 27, 2014)
Rules and Regulations
Pages 10994-10995
From the Federal Register Online via the Government Printing Office www.gpo.gov
FR Doc No: 2014-03539
=======================================================================
-----------------------------------------------------------------------
POSTAL SERVICE
39 CFR Part 501
Revisions to the Requirements for Authority to Manufacture and Distribute Postage Evidencing Systems
AGENCY: Postal ServiceTM.
ACTION: Final rule.
-----------------------------------------------------------------------
SUMMARY: This rule updates the security and revenue protection features of the Computerized Meter Resetting System (CMRS) and the PC postage payment methodology to reflect changes to the audit profession's reporting standards on controls at service organizations.
DATES: This rule is effective March 31, 2014.
FOR FURTHER INFORMATION CONTACT: Marlo Kay Ivey, Business Programs Specialist, Payment Technology, U.S. Postal Service, at 202-268-7613.
SUPPLEMENTARY INFORMATION: When the Postal Service was mandated to comply with Sarbanes-Oxley regulations beginning with the financial statements for the fiscal year ending September 30, 2010, the Postal Service required a Statement on Auditing Standards (SAS) 70 Type II Report from each of our providers. Subsequently, the American Institute of Certified Public Accountants (AICPA) issued new guidance to the audit profession on reporting standards for controls at service organizations, superseding the SAS 70 standards. Accordingly, the Postal Service is now requiring a Service Organization Controls SOC1 Type II report, in accordance with Statements on Standards for Attestation Engagements (SSAEs) 16, in the place of a SAS 70 Type II report, from each of our providers. We have also clarified that the expense incurred from obtaining this report will be paid by the provider.
List of Subjects in 39 CFR Part 501
Administrative practice and procedure.
Accordingly, for the reasons stated, 39 CFR part 501 is amended as follows:
PART 501--AUTHORIZATION TO MANUFACTURE AND DISTRIBUTE POSTAGE EVIDENCING SYSTEMS
0
-
The authority citation for 39 CFR part 501 continues to read as follows:
Authority: 5 U.S.C. 552(a); 39 U.S.C. 101, 401, 403, 404, 410, 2601, 2605, Inspector General Act of 1978, as amended (Pub. L. 95-
452, as amended); 5 U.S.C. App. 3.
0
-
Section 501.15 is amended by revising paragraph (i) to read as follows:
Sec. 501.15 Computerized Meter Resetting System.
* * * * *
(i) Security and Revenue Protection. To receive Postal Service approval to continue to operate systems in the CMRS environment, the RC must submit to a periodic examination of its CMRS system and any other applications and technology infrastructure that may have a material impact on Postal Service revenues, as determined by the Postal Service. The examination shall be performed by a qualified, independent audit firm and shall be conducted in accordance with the Statements on Standards for Attestation Engagements (SSAEs) No. 16, Service Organizations, developed by the American Institute of Certified Public Accountants (AICPA), as amended or superseded. Expenses associated with such examination shall be incurred by the RC. The examination
Page 10995
shall include testing of the operating effectiveness of relevant RC internal controls (SOC 1 Type II SSAE 16 Report). If the service organization uses another service organization (sub-service provider), Postal Service management should consider the nature and materiality of the transactions processed by the sub-service organization and the contribution of the sub-service organization's processes and controls in the achievement of the Postal Service's control objectives. The Postal Service should have access to the sub-service organization's SOC 1 Type II SSAE 16 report. The control objectives to be covered by the SOC 1 Type II SSAE 16 report are subject to Postal Service review and approval, and are to be provided to the Postal Service 30 days prior to the initiation of each examination period. As a result of the examination, the service auditor shall provide the RC and the Postal Service with an opinion on the design and operating effectiveness of the RC's internal controls related to the CMRS system and any other applications and technology infrastructure considered material to the services provided to the Postal Service by the RC. Such examinations are to be conducted on no less than an annual basis, and are to be as of and for the 12 months ended June 30 of each year (except for new contracts for which the examination period will be no less than the period from the contract date to the following June 30, unless otherwise agreed to by the Postal Service). The examination reports are to be provided to the Postal Service by August 15 of each year. To the extent that internal control weaknesses are identified in a SOC 1 Type II SSAE 16 report, the Postal Service may require the remediation of such weaknesses and review working papers and engage in discussions about the work performed with the service auditor. The Postal Service requires that all remediation efforts (if applicable) are completed and reported by the RC prior to the Postal Service's fiscal year end (September 30). In addition, the RC will be responsible for performing an examination of their internal control environment related to the CMRS system and any other applications and technology infrastructure considered material to the services provided to the Postal Service by the RC, in particular, disclosing changes to internal controls for the period of July 1 to September 30. This examination should be documented and submitted to the Postal Service by October 14. The RC will be responsible for all costs related to the examinations conducted by the service auditor and the RC.
* * * * *
0
-
Section 501.16 is amended by revising paragraph (f) to read as follows:
Sec. 501.16 PC postage payment methodology.
* * * * *
(f) Security and Revenue Protection. To receive Postal Service approval to continue to operate PC Postage systems, the provider must submit to a periodic examination of its PC Postage system and any other applications and technology infrastructure that may have a material impact on Postal Service revenues, as determined by the Postal Service. The examination shall be performed by a qualified, independent audit firm and shall be conducted in accordance with the Statements on Standards for Attestation Engagements (SSAEs) No. 16, Service Organizations, developed by the American Institute of Certified Public Accountants (AICPA), as amended or superseded. Expenses associated with such examination shall be incurred by the provider. The examination shall include testing of the operating effectiveness of relevant provider internal controls (SOC1 Type II SSAE 16 Report). If the service organization uses another service organization (sub-service provider), Postal Service management should consider the nature and materiality of the transactions processed by the sub-service organization and the contribution of the sub-service organization's processes and controls in the achievement of the Postal Service's control objectives. The Postal Service should have access to the sub-
service organization's SOC 1 Type II SSAE 16 report. The control objectives to be covered by the SOC 1 Type II SSAE 16 report are subject to Postal Service review and approval, and are to be provided to the Postal Service 30 days prior to the initiation of each examination period. As a result of the examination, the service auditor shall provide the provider and the Postal Service with an opinion on the design and operating effectiveness of the internal controls related to the PC Postage system, and any other applications and technology infrastructure considered material to the services provided to the Postal Service by the provider. Such examinations are to be conducted on no less than an annual basis, and are to be as of and for the 12 months ended June 30 of each year (except for new contracts for which the examination period will be no less than the period from the contract date to the following June 30, unless otherwise agreed to by the Postal Service). The examination reports are to be provided to the Postal Service by August 15 of each year. To the extent that internal control weaknesses are identified in a SOC 1 Type II SSAE 16 report, the Postal Service may require the remediation of such weaknesses, and review working papers and engage in discussions about the work performed with the service auditor. The Postal Service requires that all remediation efforts (if applicable) are completed and reported by the provider prior to the Postal Service's fiscal year end (September 30). In addition, the provider will be responsible for performing an examination of their internal control environment related to the PC Postage system and any other applications and technology infrastructure considered material to the services provided to the Postal Service by the provider, in particular, disclosing changes to internal controls for the period of July 1 to September 30. This examination should be documented and submitted to the Postal Service by October 14. The provider will be responsible for all costs related to the examinations conducted by the service auditor and the provider.
* * * * *
Stanley F. Mires,
Attorney, Legal Policy & Legislative Advice.
FR Doc. 2014-03539 Filed 2-26-14; 8:45 am
BILLING CODE 7710-P
