[Federal Register Volume 79, Number 39 (Thursday, February 27, 2014)]
[Rules and Regulations]
[Pages 10994-10995]
From the Federal Register Online via the Government Printing Office [www.gpo.gov]
[FR Doc No: 2014-03539]


=======================================================================
-----------------------------------------------------------------------

POSTAL SERVICE

39 CFR Part 501


Revisions to the Requirements for Authority to Manufacture and 
Distribute Postage Evidencing Systems

AGENCY: Postal ServiceTM.

ACTION: Final rule.

-----------------------------------------------------------------------

SUMMARY: This rule updates the security and revenue protection features 
of the Computerized Meter Resetting System (CMRS) and the PC postage 
payment methodology to reflect changes to the audit profession's 
reporting standards on controls at service organizations.

DATES: This rule is effective March 31, 2014.

FOR FURTHER INFORMATION CONTACT: Marlo Kay Ivey, Business Programs 
Specialist, Payment Technology, U.S. Postal Service, at 202-268-7613.

SUPPLEMENTARY INFORMATION: When the Postal Service was mandated to 
comply with Sarbanes-Oxley regulations beginning with the financial 
statements for the fiscal year ending September 30, 2010, the Postal 
Service required a Statement on Auditing Standards (SAS) 70 Type II 
Report from each of our providers. Subsequently, the American Institute 
of Certified Public Accountants (AICPA) issued new guidance to the 
audit profession on reporting standards for controls at service 
organizations, superseding the SAS 70 standards. Accordingly, the 
Postal Service is now requiring a Service Organization Controls SOC1 
Type II report, in accordance with Statements on Standards for 
Attestation Engagements (SSAEs) 16, in the place of a SAS 70 Type II 
report, from each of our providers. We have also clarified that the 
expense incurred from obtaining this report will be paid by the 
provider.

List of Subjects in 39 CFR Part 501

    Administrative practice and procedure.

    Accordingly, for the reasons stated, 39 CFR part 501 is amended as 
follows:

PART 501--AUTHORIZATION TO MANUFACTURE AND DISTRIBUTE POSTAGE 
EVIDENCING SYSTEMS

0
1. The authority citation for 39 CFR part 501 continues to read as 
follows:

    Authority:  5 U.S.C. 552(a); 39 U.S.C. 101, 401, 403, 404, 410, 
2601, 2605, Inspector General Act of 1978, as amended (Pub. L. 95-
452, as amended); 5 U.S.C. App. 3.

0
2. Section 501.15 is amended by revising paragraph (i) to read as 
follows:


Sec.  501.15  Computerized Meter Resetting System.

* * * * *
    (i) Security and Revenue Protection. To receive Postal Service 
approval to continue to operate systems in the CMRS environment, the RC 
must submit to a periodic examination of its CMRS system and any other 
applications and technology infrastructure that may have a material 
impact on Postal Service revenues, as determined by the Postal Service. 
The examination shall be performed by a qualified, independent audit 
firm and shall be conducted in accordance with the Statements on 
Standards for Attestation Engagements (SSAEs) No. 16, Service 
Organizations, developed by the American Institute of Certified Public 
Accountants (AICPA), as amended or superseded. Expenses associated with 
such examination shall be incurred by the RC. The examination

[[Page 10995]]

shall include testing of the operating effectiveness of relevant RC 
internal controls (SOC 1 Type II SSAE 16 Report). If the service 
organization uses another service organization (sub-service provider), 
Postal Service management should consider the nature and materiality of 
the transactions processed by the sub-service organization and the 
contribution of the sub-service organization's processes and controls 
in the achievement of the Postal Service's control objectives. The 
Postal Service should have access to the sub-service organization's SOC 
1 Type II SSAE 16 report. The control objectives to be covered by the 
SOC 1 Type II SSAE 16 report are subject to Postal Service review and 
approval, and are to be provided to the Postal Service 30 days prior to 
the initiation of each examination period. As a result of the 
examination, the service auditor shall provide the RC and the Postal 
Service with an opinion on the design and operating effectiveness of 
the RC's internal controls related to the CMRS system and any other 
applications and technology infrastructure considered material to the 
services provided to the Postal Service by the RC. Such examinations 
are to be conducted on no less than an annual basis, and are to be as 
of and for the 12 months ended June 30 of each year (except for new 
contracts for which the examination period will be no less than the 
period from the contract date to the following June 30, unless 
otherwise agreed to by the Postal Service). The examination reports are 
to be provided to the Postal Service by August 15 of each year. To the 
extent that internal control weaknesses are identified in a SOC 1 Type 
II SSAE 16 report, the Postal Service may require the remediation of 
such weaknesses and review working papers and engage in discussions 
about the work performed with the service auditor. The Postal Service 
requires that all remediation efforts (if applicable) are completed and 
reported by the RC prior to the Postal Service's fiscal year end 
(September 30). In addition, the RC will be responsible for performing 
an examination of their internal control environment related to the 
CMRS system and any other applications and technology infrastructure 
considered material to the services provided to the Postal Service by 
the RC, in particular, disclosing changes to internal controls for the 
period of July 1 to September 30. This examination should be documented 
and submitted to the Postal Service by October 14. The RC will be 
responsible for all costs related to the examinations conducted by the 
service auditor and the RC.
* * * * *

0
3. Section 501.16 is amended by revising paragraph (f) to read as 
follows:


Sec.  501.16  PC postage payment methodology.

* * * * *
    (f) Security and Revenue Protection. To receive Postal Service 
approval to continue to operate PC Postage systems, the provider must 
submit to a periodic examination of its PC Postage system and any other 
applications and technology infrastructure that may have a material 
impact on Postal Service revenues, as determined by the Postal Service. 
The examination shall be performed by a qualified, independent audit 
firm and shall be conducted in accordance with the Statements on 
Standards for Attestation Engagements (SSAEs) No. 16, Service 
Organizations, developed by the American Institute of Certified Public 
Accountants (AICPA), as amended or superseded. Expenses associated with 
such examination shall be incurred by the provider. The examination 
shall include testing of the operating effectiveness of relevant 
provider internal controls (SOC1 Type II SSAE 16 Report). If the 
service organization uses another service organization (sub-service 
provider), Postal Service management should consider the nature and 
materiality of the transactions processed by the sub-service 
organization and the contribution of the sub-service organization's 
processes and controls in the achievement of the Postal Service's 
control objectives. The Postal Service should have access to the sub-
service organization's SOC 1 Type II SSAE 16 report. The control 
objectives to be covered by the SOC 1 Type II SSAE 16 report are 
subject to Postal Service review and approval, and are to be provided 
to the Postal Service 30 days prior to the initiation of each 
examination period. As a result of the examination, the service auditor 
shall provide the provider and the Postal Service with an opinion on 
the design and operating effectiveness of the internal controls related 
to the PC Postage system, and any other applications and technology 
infrastructure considered material to the services provided to the 
Postal Service by the provider. Such examinations are to be conducted 
on no less than an annual basis, and are to be as of and for the 12 
months ended June 30 of each year (except for new contracts for which 
the examination period will be no less than the period from the 
contract date to the following June 30, unless otherwise agreed to by 
the Postal Service). The examination reports are to be provided to the 
Postal Service by August 15 of each year. To the extent that internal 
control weaknesses are identified in a SOC 1 Type II SSAE 16 report, 
the Postal Service may require the remediation of such weaknesses, and 
review working papers and engage in discussions about the work 
performed with the service auditor. The Postal Service requires that 
all remediation efforts (if applicable) are completed and reported by 
the provider prior to the Postal Service's fiscal year end (September 
30). In addition, the provider will be responsible for performing an 
examination of their internal control environment related to the PC 
Postage system and any other applications and technology infrastructure 
considered material to the services provided to the Postal Service by 
the provider, in particular, disclosing changes to internal controls 
for the period of July 1 to September 30. This examination should be 
documented and submitted to the Postal Service by October 14. The 
provider will be responsible for all costs related to the examinations 
conducted by the service auditor and the provider.
* * * * *

Stanley F. Mires,
Attorney, Legal Policy & Legislative Advice.
[FR Doc. 2014-03539 Filed 2-26-14; 8:45 am]
BILLING CODE 7710-P