Becoming SOX Section 404 Compliant

Posted on February 2nd, 2010 by Colorado League of Postmasters in Retirement

Dear League Members,

As the US Postal Service advances into the future, we as Postmasters, OICs and PMRs are experiencing more and more change. The Sarbanes-Oxley Act (SOX) of 2002 grew out of large corporate financial scandals. As a result of SOX Section 404 and the US Postal Service Act of 2006, we are mandated as an organization to be SOX Compliant by September 30, 2010.

Please take time to read the information below. This will help to provide guidance on what will be expected of you as a Postmaster, OIC or PMR, and be confident knowing that the Colorado / Wyoming League of Postmasters is working to bring you training that will help you to achieve SOX Compliance.

Who is USPS accountable to for SOX compliance?

The Postal Regulatory Commission (PRC) monitors and manages USPS compliance with SOX. The Postal Act of 2006 expanded the authority of the PRC (formerly known as the Postal Rate Commission) to include enhanced independent regulatory oversight.

What does SOX mean for the Postal Service?

SOX is a Postal-wide effort and requires the support and help of all functional groups and employees. Some of you will be directly involved in this effort, but most of you will just need to follow the processes, policies, and procedures that we already have in place.

What is an internal control?

Internal control is the process an organization uses to manage risk and has three main objectives:

  1. Promote effectiveness and efficiency of operations.
  2. Ensure reliability of financial reporting.
  3. Maintain compliance with applicable laws and regulations.

An example is reconciling a SmartPay credit card statement by the 18th of the following month: matching eBuy authorizations with the purchases shown on the card, and having the card holder and approving official sign the statement. In the process you are ensuring that the statement is accurate, that the items on the statement are authorized, and that this particular internal control is completed on time. Another example is verifying appropriate access to the various IT applications that we use to conduct business. Internal controls range across the organization, from workroom floor and window operations to District, Area, and Headquarters activities.

How are internal controls tested?

Internal controls are tested to determine whether they are functioning the way they are supposed to. Testing provides objective evidence of how well controls are executed. There are many ways of testing internal controls; the method used depends on the type of control being tested. The following is a list of testing methods:

  • Interviewing people who perform the control activity
  • Observing the control activities as they are being performed
  • Examining documented evidence of performance of the control activities during the evaluation period
  • Performing the control activity in order to independently evaluate the results of processing Inquiries

What is the frequency of testing after we document processes?

Testing can occur at different intervals, depending on the frequency of the control activity (i.e. annually, quarterly, monthly, weekly or daily). The frequency of testing also depends on:

  • The nature of the control
  • The frequency of occurrence of the control across the organization
  • The risk(s) to financial reporting that the control is intended to reduce

What causes internal control failures?

There are several reasons why internal controls might fail the test. Here are a few:

  • Design – the design of the control is not appropriate for a particular unit or operation.
  • People – those responsible for executing the control for whatever reason choose not to execute the control.
  • Training – those responsible for executing controls have not received appropriate training.
  • Policy and Procedure changes – either we’ve changed the way we do business but have not updated our formal Policies and Procedures directives, or we have updated our formal Policies and Procedures directives and not effectively communicated those changes to those who need to know.

Who will be responsible for maintaining SOX compliance after September 30, 2010?

We have until September 30, 2010 to become compliant. We must remain compliant thereafter. The SOX PMO will establish an ongoing monitoring process for long-term SOX compliance. Postal Service leadership, including the Postmaster General, Chief Financial Officer, and all other officers, must continue encouraging and supporting SOX compliance to establish and maintain a strong internal control program as a way of doing business beyond 2010.
