The Postal Reorganization Act of 1970 requires annual audits of the U.S. Postal Service’s financial statements. In addition, the Postal Accountability and Enhancement Act of 2006 requires the Postal Service to comply with Section 404 of the Sarbanes- Oxley Act (SOX). This section requires the Postal Service to report the scope and adequacy of its internal control structure and procedures and assess their effectiveness.
The U.S. Postal Service Board of Governors contracted with an independent public accounting firm to express opinions on the Postal Service’s financial statements and internal controls over financial reporting. The firm maintains overall responsibility for testing and reviewing significant Postal Service accounts, processes, systems, and internal controls. The U.S. Postal Service Office of Inspector General (OIG) coordinates audit work with the firm to ensure adequate coverage.
Our audit objectives were to determine whether the Postal Service:
- Fairly stated accounting transactions and whether selected key controls surrounding those transactions were operating effectively.
- Properly tested, documented, and reported its examination of selected key financial reporting controls at Postal Service Headquarters and Accounting Services.
- Properly tested, documented, and reported its examination of general controls for the financially significant applications and their underlying infrastructure.
What the OIG Found
The Postal Service’s accounting transactions were fairly stated, and selected key controls were operating effectively. In addition, we found the Postal Service properly tested, documented, and reported selected financial controls.
We did not propose any adjustments or identify any issues or control deficiencies that were material to the financial statements or that would affect the overall adequacy of internal controls.
Further, general controls for financially significant applications and their underlying infrastructure were properly documented and reported. However, management did not always properly test the controls for account approvals, change approvals, default accounts, and security updates.
Specifically, the Postal Service internal control testing team did not always select samples from the correct universe and incorrectly tested passwords for default accounts. Testers were unaware of the issues until the OIG brought them to their attention. As a result, the integrity of the SOX control test was compromised.
Management agreed with our issues and took corrective actions.
What the OIG Recommended
Since the Postal Service took immediate corrective action on the issues identified, we did not make any recommendations.