[Federal Register Volume 75, Number 179 (Thursday, September 16, 2010)]
[Rules and Regulations]
[Pages 56471-56472]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2010-23031]


=======================================================================
-----------------------------------------------------------------------

POSTAL SERVICE

39 CFR Part 501


Revisions to the Requirements for Authority To Manufacture and 
Distribute Postage Evidencing Systems

AGENCY: Postal ServiceTM.

ACTION: Final rule.

-----------------------------------------------------------------------

SUMMARY: The Postal Service is revising its regulations to require that 
companies that manufacture and distribute postage evidencing systems 
(``Company or Companies'') engage a qualified, independent audit firm 
to perform an examination of and provide an opinion on the design and 
operating effectiveness of relevant internal control activities 
performed by the Companies as service providers to the Postal Service 
under the Statement on Auditing Standards (SAS) No. 70 (``SAS 70'').

DATES: Effective Date: September 16, 2010.

FOR FURTHER INFORMATION CONTACT: Marlo Kay Ivey, Marketing Specialist, 
Postage Technology Management, U.S. Postal Service, at 202-268-7613.

SUPPLEMENTARY INFORMATION: Postage Evidencing Systems are devices or 
systems of components that a customer uses to print evidence that the 
prepaid postage required for mailing has been paid. They include, but 
are not limited to, postage meters and PC Postage systems. The Postal 
Service regulates these systems and their use in order to protect 
postal revenue. Only Postal Service-authorized product service 
providers may design, produce, and distribute Postage Evidencing 
Systems. The Postal Service published a proposed rule in the Federal 
Register on June 1, 2010 at 73 FR 30309-30310 to amend the requirements 
for authority to manufacture and distribute postage evidencing systems. 
This revision clarifies the internal controls required in 39 CFR 
501.15(i), Computerized Meter Resetting System, and 501.16(f), PC 
Postage Payment Methodology. The internal controls requirement was 
added as part of a final rule published in the Federal Register on 
November 9, 2006, at 71 FR 65732.
    Comments: Two comments were received from the Companies (that 
manufacture or distribute postage evidencing systems). The first was 
notification of intent to comply. The second requested that the 
proposed amendment be modified to allow a Company with qualified 
internal audit departments, which meets the independence requirements 
under the Standards for the Professional Practice of the Institute of 
Internal Auditors (``IIA''), to utilize its internal audit department 
to perform the internal controls examination in lieu of engaging an 
independent audit firm.
    The Postal Service gave thorough consideration to this comment. 
While the Postal Service recognizes the IIA as the authoritative body 
over internal audit activities, SAS 70 (Type II) examinations are 
subject to the American Institute of Certified Public Accountants 
(``AICPA'') professional standards, which impose more stringent 
independence requirements and a requirement that the examination be 
performed by a licensed CPA. Therefore, the Postal Service will not 
modify the proposed amendments as requested and will require the 
Companies to annually obtain an SAS 70 (Type II) examination of 
relevant internal controls by a qualified, independent, external audit 
firm. The Postal Service gave through consideration to the comments it 
received, and now announces the adoption of the final rule.

List of Subjects in 39 CFR Part 501

    Postal Service.

0
Accordingly, 39 CFR part 501 is amended as follows:

PART 501--[AMENDED]

0
1. The authority citation for 39 CFR part 501 continues to read as 
follows:

    Authority:  5 U.S.C. 552(a); 39 U.S.C. 101, 401, 403, 404, 410, 
2601, 2605, Inspector General Act of 1978, as amended (Pub. L. 95-
452, as amended); 5 U.S.C. App. 3.


[[Page 56472]]



0
2. Section 501.15 is amended by revising paragraph (i) to read as 
follows:


Sec.  501.15  Computerized Meter Resetting System.

* * * * *
    (i) Security and Revenue Protection. To receive Postal Service 
approval to continue to operate systems in the CMRS environment, the RC 
must submit to a periodic examination of its CMRS system and any other 
applications and technology infrastructure that may have a material 
impact on Postal Service revenues, as determined by the Postal Service. 
The examination shall be performed by a qualified, independent audit 
firm and shall be conducted in accordance with the Statement on 
Auditing Standards (SAS) No. 70, Service Organizations, developed by 
the American Institute of Certified Public Accountants (AICPA), as 
amended or superseded. The examination shall include testing of the 
operating effectiveness of relevant RC internal controls (Type II SAS70 
Report). If the service organization uses another service organization 
(sub-service provider), Postal Service Management should consider the 
nature and materiality of the transactions processed by the sub-service 
organization and the contribution of the sub-service organization's 
processes and controls in the achievement of the Postal Service's 
information processing objectives. The Postal Service should have 
access to the sub-service organization's SAS 70 report. The control 
objectives to be covered by the SAS 70 report are subject to Postal 
Service review and approval and are to be provided to the Postal 
Service 30 days prior to the initiation of each examination period. As 
a result of the examination, the auditor shall provide the RC and the 
Postal Service with an opinion on the design and operating 
effectiveness of the RC's internal controls related to the CMRS system 
and any other applications and technology infrastructure considered 
material to the services provided to the Postal Service by the RC. Such 
examinations are to be conducted on no less than an annual basis, and 
are to be as of and for the twelve months ended June 30 of each year 
(except for the period ending June 30, 2010, for which the period of 
coverage will be no less than six months, and except for new contracts 
for which the examination period will be no less than the period from 
the contract date to the following June 30, unless otherwise agreed to 
by the Postal Service). The examination reports are to be provided to 
the Postal Service by August 15 of each year. To the extent that 
internal control weaknesses are identified in a Type II SAS 70 report, 
the Postal Service may require the remediation of such weaknesses and 
review working papers and engage in discussions about the work 
performed with the auditor. Postal Service requires that all 
remediation efforts (if applicable) are completed and reported by the 
RC prior to the Postal Service's fiscal year end (September 30). The RC 
will be responsible for all costs to conduct these examinations.
* * * * *

0
3. Section 501.16 is amended by revising paragraph (f) to read as 
follows:


Sec.  501.16  PC postage payment methodology.

* * * * *
    (f) Security and revenue protection. To receive Postal Service 
approval to continue to operate PC Postage systems, the provider must 
submit to a periodic examination of its PC Postage system and any other 
applications and technology infrastructure that may have a material 
impact on Postal Service revenues, as determined by the Postal Service. 
The examination shall be performed by a qualified, independent audit 
firm and shall be conducted in accordance with the Statement on 
Auditing Standards (SAS) No. 70, Service Organizations, developed by 
the American Institute of Certified Public Accountants (AICPA), as 
amended or superseded. The examination shall include testing of the 
operating effectiveness of relevant provider internal controls (Type II 
SAS 70 Report). If the service organization uses another service 
organization (sub-service provider), Postal Service Management should 
consider the nature and materiality of the transactions processed by 
the sub-service organization and the contribution of the sub-service 
organization's processes and controls in the achievement of the Postal 
Service's information processing objectives. The Postal Service should 
have access to the sub-service organization's SAS 70 report. The 
control objectives to be covered by the SAS 70 report are subject to 
Postal Service review and approval and are to be provided to the Postal 
Service 30 days prior to the initiation of each examination period. As 
a result of the examination, the auditor shall provide the provider, 
and the Postal Service, with an opinion on the design and operating 
effectiveness of the internal controls related to the PC Postage system 
and any other applications and technology infrastructure considered 
material to the services provided to the Postal Service by the 
provider. Such examinations are to be conducted on no less than an 
annual basis, and are to be as of and for the twelve months ended June 
30 of each year (except for the period ending June 30, 2010 for which 
the period of coverage will be no less than six months, and except for 
new contracts for which the examination period will be no less than the 
period from the contract date to the following June 30, unless 
otherwise agreed to by the Postal Service). The examination reports are 
to be provided to the Postal Service by August 15 of each year. To the 
extent that internal control weaknesses are identified in a Type II SAS 
70 report, the Postal Service may require the remediation of such 
weaknesses and review working papers and engage in discussions about 
the work performed with the auditor. The provider will be responsible 
for all costs to conduct these examinations.
* * * * *

Neva R. Watson,
Attorney, Legislative.
[FR Doc. 2010-23031 Filed 9-15-10; 8:45 am]
BILLING CODE 7710-12-P