The Postal Reorganization Act of 1970 requires annual audits of the Postal Service’s financial statements. In addition, the Postal Accountability and Enhancement Act of 2006 requires the Postal Service to comply with Section 404 of the Sarbanes-Oxley Act. This section requires the Postal Service to report the scope and adequacy of its internal control structure and procedures and assess their effectiveness. Further, Postal Service policy requires annual audits of officers’ travel and representation expenses.
The U.S. Postal Service Board of Governors contracted with an independent public accounting (IPA) firm to express audit opinions on the Postal Service’s fiscal year (FY) 2020 financial statements and internal controls over financial reporting (an integrated audit). The IPA firm maintained overall responsibility for testing and reviewing significant Postal Service accounts, processes, and internal controls. We coordinated audit efforts with the IPA firm to ensure adequate coverage.
Our audit objectives were to determine whether the Postal Service:
- Fairly stated accounting transactions in the general ledger and whether selected key controls surrounding those transactions were designed and operating effectively.
- Properly tested, documented, and reported its examination of selected key financial reporting controls related to Postal Service Headquarters (HQ) and Accounting Service Centers.
We tested 26 key financial reporting controls, traced accounting transactions, and reviewed supporting documentation for 15 accounting processes and determined the Postal Service fairly stated accounting transactions in the general ledger, and selected key controls over those transactions were operating effectively.
The Postal Service properly tested, documented, and reported its examination of selected key financial reporting controls related to HQ and Accounting Services except for minor documentation and sampling issues. We discussed these with management and corrective action was taken during the audit.
Further, Postal Service officers’ travel and representation expenses were supported and complied with Postal Service guidelines.
Overall, we did not propose any adjustments or identify any issues or control deficiencies that were material to the financial statements or that would affect the overall adequacy of the internal control environment.
Finally, we identified a policy compliance issue related to suspension of user access for separated employees. Supervisors did not always suspend employee access to Postal Service information systems coincident with their effective dates of separation as required by current policy. We did not assess why this occurred as it was outside the scope of our audit. However, we analyzed the timing of supervisor actions for separations not processed by Human Resources (HR) within [redacted] of the effective dates. Supervisors did not suspend employee access for over 90 percent of these separations in August and September 2020.
When supervisors do not suspend employee access as required, the HR separations process or account inactivity will trigger an automated revocation of system access. The timeliness of these HR separation processes degraded during FY 2020. Improving supervisor compliance with the current policy would reduce the level of detective monitoring necessary to assess the impact of suspended employee access on the financial statements.
In FY 2019, the Postal Service determined that due to a lack of comprehensive policies and procedures over system access for former employees, access to financially relevant systems was not timely revoked. During FY 2020 management remediated the issue by implementing system changes, enhancing communications and training, publishing checklists, and adding business and technology controls. Management also monitored whether certain former employees with access removed [redacted] after their dates of separation had accessed financially relevant systems in ways that impacted the financial statements.
As of the end of FY 2020 the Postal Service concluded, and the independent public accountant agreed the lack of comprehensive policies and procedures over system access for former employees was remediated. However, management and the IPA firm determined that separated employees’ access to systems was not always being removed timely and they continue to monitor this.
We recommended management reiterate the requirement for supervisors to immediately suspend systems access for separated employees and monitor progress to ensure compliance.