[Federal Register Volume 77, Number 178 (Thursday, September 13, 2012)]
[Rules and Regulations]
[Pages 56554-56555]
From the Federal Register Online via the Government Printing Office [www.gpo.gov]
[FR Doc No: 2012-22510]


-----------------------------------------------------------------------

POSTAL SERVICE

39 CFR Part 501


Revisions to the Requirements for Authority to Manufacture and 
Distribute Postage Evidencing Systems

AGENCY: Postal Service\TM\.

ACTION: Final rule.

-----------------------------------------------------------------------

SUMMARY: This rule updates the security and revenue protection features 
of the Computerized Meter Resetting System (CMRS) to reflect 
recommended changes in Sarbanes-Oxley compliance procedures.

DATES: This rule is effective October 15, 2012.

FOR FURTHER INFORMATION CONTACT: Marlo Kay Ivey, Business Programs 
Specialist, Payment Technology, U.S. Postal Service, at 202-268-7613.

SUPPLEMENTARY INFORMATION: When the Postal Service was mandated to 
comply with Sarbanes-Oxley regulations, the Postal Service required a 
Statement on Auditing Standards (SAS) 70 Type II Report from each of 
our providers. As the American Institute of Certified Public 
Accountants (AICPA) guidance has changed, the Postal Service is now 
requiring a Statements on Standards for Attestation Engagements (SSAEs) 
No. 16 Type II Report from each of our providers. We have also 
clarified that the expense incurred from obtaining this report will be 
paid by the resetting companies (RCs).

List of Subjects in 39 CFR Part 501

    Administrative practice and procedure.

    Accordingly, for the reasons stated, 39 CFR part 501 is amended as 
follows:

PART 501--AUTHORIZATION TO MANUFACTURE AND DISTRIBUTE POSTAGE 
EVIDENCING SYSTEMS

0
1. The authority citation for 39 CFR part 501 continues to read as 
follows:

    Authority: 5 U.S.C. 552(a); 39 U.S.C. 101, 401, 403, 404, 410, 
2601, 2605, Inspector General Act of 1978, as amended (Pub. L. 95-
452, as amended); 5 U.S.C. App. 3.

0
2. Section 501.15 is amended by revising paragraph (i) as follows:


Sec.  501.15  Computerized Meter Resetting System.

* * * * *
    (i) Security and Revenue Protection. To receive Postal Service 
approval to continue to operate systems in the CMRS environment, the RC 
must submit to a periodic examination of its CMRS system and any other 
applications and technology infrastructure that may have a material 
impact on Postal Service revenues, as determined by the Postal Service. 
The examination shall be performed by a qualified, independent audit 
firm and shall be conducted in accordance with the Statements on 
Standards for Attestation Engagements (SSAEs) No. 16, Service 
Organizations, developed by the American Institute of Certified Public 
Accountants (AICPA), as amended or superseded. Expenses associated with 
such examination shall be incurred by the RC. The examination shall 
include testing of the operating effectiveness of relevant RC internal 
controls (Type II SSAE 16 Report). If the service organization uses 
another service organization (sub-service provider), Postal Service 
management should consider the nature and materiality of the 
transactions processed by the sub-service organization and the 
contribution of the sub-service organization's processes and controls 
in the achievement of the Postal Service's

[[Page 56555]]

control objectives. The Postal Service should have access to the sub-
service organization's SSAE 16 report. The control objectives to be 
covered by the SSAE 16 report are subject to Postal Service review and 
approval and are to be provided to the Postal Service 30 days prior to 
the initiation of each examination period. As a result of the 
examination, the service auditor shall provide the RC and the Postal 
Service with an opinion on the design and operating effectiveness of 
the RC's internal controls related to the CMRS system and any other 
applications and technology infrastructure considered material to the 
services provided to the Postal Service by the RC. Such examinations 
are to be conducted on no less than an annual basis, and are to be as 
of and for the 12 months ended June 30 of each year (except for new 
contracts for which the examination period will be no less than the 
period from the contract date to the following June 30, unless 
otherwise agreed to by the Postal Service). The examination reports are 
to be provided to the Postal Service by August 15 of each year. To the 
extent that internal control weaknesses are identified in a Type II 
SSAE 16 report, the Postal Service may require the remediation of such 
weaknesses and review working papers and engage in discussions about 
the work performed with the service auditor. The Postal Service 
requires that all remediation efforts (if applicable) are completed and 
reported by the RC prior to the Postal Service's fiscal year end 
(September 30). In addition, the RC will be responsible for performing 
an examination of their internal control environment related to the 
CMRS system and any other applications and technology infrastructure 
considered material to the services provided to the Postal Service by 
the RC, in particular disclosing changes to internal controls, for the 
period of July 1 to September 30. This examination should be documented 
and submitted to the Postal Service by October 14. The RC will be 
responsible for all costs related to the examinations conducted by the 
service auditor and the RC.
* * * * *

Stanley F. Mires,
Attorney, Legal Policy & Legislative Advice.
[FR Doc. 2012-22510 Filed 9-12-12; 8:45 am]
BILLING CODE 7710-12-P