
Costco reports a material weakness in internal control. But is it really?

In a news release on October 4th, Costco Wholesale announced its operating results for the 4th quarter and full year ended September 2nd.

In that release, it stated:

While the Company is still completing its assessment of the effectiveness of its internal control over financial reporting as of September 2, 2018, in its upcoming fiscal 2018 Annual Report on Form 10-K, it expects to report a material weakness in internal control. The weakness relates to general information technology controls in the areas of user access and program change-management over certain information technology systems that support the Company’s financial reporting processes. The access issues relate to the extent of privileges afforded users authorized to access company systems. As of the date of this release, there have been no misstatements identified in the financial statements as a result of these deficiencies, and the Company expects to timely file its Form 10-K.

Remediation efforts have begun; the material weakness will not be considered remediated until the applicable controls operate for a sufficient period of time and management has concluded, through testing, that these controls are operating effectively. The Company expects that the remediation of this material weakness will be completed prior to the end of fiscal year 2019.

This information is surprising on many fronts.


For a start, it is rare these days for a company to determine that it has a material weakness related to IT general controls (ITGC).

Let me explain why it is rare, and why I personally question whether management got this right.

A material weakness is defined by the PCAOB Auditing Standard No. 5 (now renumbered as AS No. 2201) as:

“.. a deficiency, or a combination of deficiencies, in internal control over financial reporting, such that there is a reasonable possibility that a material misstatement of the company’s annual or interim financial statements will not be prevented or detected on a timely basis”.

Let’s start with what would constitute a material misstatement of Costco’s financials.

Their full year pre-tax net income, according to the release, is just over $4 billion. Materiality is generally 5% of pre-tax net income, which in this case would be $200 million.

It is very hard to envisage a situation where a $200 million error would not be noticed.

To meet the threshold for a material weakness, there has to be “a reasonable possibility” that a $200 million misstatement would not be prevented or detected on a timely basis.

Is there a reasonable possibility that defects in “user access and program change-management” could lead to a $200 million error that is undetected by other controls, such as comparisons of actual to forecast, margin analysis, and so on?

In the early years of SOX compliance, ITGC control failures were among the top sources of material weaknesses (the others were tax treatments and the organization’s knowledge of accounting rules).

But while ITGC control deficiencies continue to be present, it is unusual to see them disclosed as material weaknesses.

The reasons are fairly clear: ITGC deficiencies do not have a direct effect on the financial statements. They simply indicate that the automated controls, or the IT-dependent elements of other controls, may not operate consistently as they should.

Costco has not disclosed any failures of such automated controls or the IT-dependent elements of other controls, and they should if they existed. Neither have they disclosed any accounting errors that flowed from such deficiencies.

If I were on the board of Costco, I would be asking how these control deficiencies might lead to a $200 million misstatement of the annual financials (or a $70 million error in the 4th quarter, when pre-tax net income was $1.4 billion).

It is difficult for me to imagine how that could occur. I may be wrong, but I suspect their audit firm, KPMG, insisted that these deficiencies be categorized as material weaknesses.

Calling these material weaknesses does not seem reasonable to me.


What else surprised me?

They are saying that they will have corrected these deficiencies within one year.

Assuming that they truly are material weaknesses, how can it be acceptable to wait a full year to get them fixed?

How can the market rely on their quarterly reports if the system of internal control is deemed ineffective for that period?

I would not accept that as a board member, an investor, or a regulator!


Finally, the company concluded in its prior quarterly report that its disclosure controls and procedures (which include its internal control over financial reporting) were effective.

If these were in fact material weaknesses (which I doubt), then the question arises as to when management became aware of them – or should have been aware of them. If that predates the 3rd quarter 10-Q, the company may have a problem.


I have to wonder whether companies and their auditors fully understand the principles of SOX compliance and what AS5 actually says!

I teach SOX compliance efficiency and effectiveness to SOX program managers (and their equivalents, such as internal audit management). In my experience, the great majority of companies are doing too much (and the wrong) work and the external audit firms have lost touch with the principles of the top-down and risk-based approach mandated by the PCAOB.


I welcome your views.


By the way, Costco shares lost 4% following the news release. It is not clear how much should be attributed to the material weakness disclosure.



  1. Edward E Wilcox
    October 8, 2018 at 6:42 PM

    I would expect the access was very broad and that they used an independent auditor to do a detailed review of manual journal entries and other risks and could satisfy their auditor that improper entries were not made.

    If it really takes a year to fix I wonder why it is just being discovered.

    • Edward E Wilcox
      October 8, 2018 at 6:43 PM

      should have said could “not” satisfy

  2. Tom Paul
    October 9, 2018 at 12:58 PM

    This is not surprising to me. The “the principles of the top-down and risk-based approach mandated by the PCAOB” have been gone for 5 years or more. It starts with a risk based approach and then you add in all the compliance requirements, especially in ITGCs. At my company, we start with the controls needed to run the company and then the auditor comes back with the additional compliance requirements. The compliance steps come in through the back door and are required by the PCAOB.

    I would welcome a return to a top-down, risk-based approach where auditor judgement matters. Unfortunately that doesn’t exist in this environment and there’s no feedback loop to bring it back in line.

    • Norman Marks
      October 9, 2018 at 2:29 PM

      Tom, who is adding these ‘compliance requirements’? Who is telling you that they are required by the PCAOB? Tell whoever it is to show you where they are required! The only requirements (which are of the auditors and not management) are those in AS5.

      Many audit firms are telling their clients that there are new requirements, such as those in Staff Alert 11. That Alert only restated existing requirements. The PCAOB does NOT get into detail of whether you have to have this or that control.

      • Edward E Wilcox
        October 10, 2018 at 7:46 AM

        So what would be the mitigating controls for weak access management and weak change controls? Sounds like an uncontrolled system which would require extensive mitigating controls.

        • Norman Marks
          October 10, 2018 at 7:57 AM

          You have to perform a fraud risk analysis. The effect of weak access controls is almost always an exposure to fraud. The only fraud you have to be concerned with for SOX is one that results in a material misstatement of the consolidated financials. That is per AS5 as well as SEC guidance.

          Once you understand how a $200 million misstatement due to fraud via poor access controls can happen, you can look at the controls. Frankly, almost any forecast/budget to actual or account analysis would detect such an immense number.

        • Norman Marks
          October 10, 2018 at 8:01 AM

          With weak change management, you need to understand which key automated or IT-dependent controls might be affected. For which key accounts are they relied on? Only then can you assess whether there are compensating or mitigating controls that would detect a $200 million misstatement.

          If any of the automated controls were found to have failed, that would increase the level of risk – but it still has to meet the threshold of a reasonable possibility of a material misstatement.

          It may be a serious business issue without being a SOX material weakness.

      • Anonymous
        October 10, 2018 at 9:44 AM

        I wish my perspective was off, but I get to cross check my perspective at an annual peer meeting with about 40 other public companies and we’ve all experienced this – a heavy dose of compliance for about the last 5 years. This is true across all the audit firms. Recall that several years ago the PCAOB re-defined an audit failure to include “you didn’t do what we said you had to do” (my words) versus a control deficiency that could cause a material misstatement.

        Perhaps your other readers can reaffirm or let me know I’m way off base.

        • Tom Paul
          October 10, 2018 at 9:46 AM

          Sorry…I didn’t mean to post that anonymously. I’m replying to your comment above.

        • Norman Marks
          October 10, 2018 at 9:49 AM

          Sadly, the audit firms have gone crazy, asking for stuff that simply is not required. If challenged by asking them to show you where these compliance requirements are to be found, they will have no answer. Saying “the PCAOB told us” is not actually true. They may believe it to be true because somebody at the firm told them. But the only requirement is for a top-down and risk-based approach.

          One of my followers sent me a note where Deloitte had insisted that they institute controls over an esoteric ITGC area. The justification from the Deloitte auditor was the announcement of a PCAOB speaker at a conference discussing cyber risk.

          My advice: don’t knuckle under. Insist that the auditors show you where any of these compliance requirements come from. They will not be able to do so.

  3. Barry
    October 11, 2018 at 11:13 AM

    Once again, I think the main purpose of AS-5 was to stop the runaway external auditors from over testing and charging too much.

    Page 2 of AS-5: “Second, these benefits have come at a significant cost. Costs have been greater than expected and, at times, the related effort has appeared greater than necessary to conduct an effective audit of internal control over financial reporting.”

    Unfortunately, someone in Congress may have to get involved. The PCAOB is apparently auditing only what externals don’t do without any consequences from them doing too much. After AS-5 costs started to drop, now they have slowly crept back up. Material misstatement risk has now been turned into a general “risk”.

    A Material Weakness is a great way they have come up with to charge more. They immediately eliminate any reliance on internal audit to start (and that means even an effective internal audit dept), then they up their requirements and test more than they should. Nowhere does it say in AS-5 that they have to dump all reliance after a Material Weakness, but they do so across the board from what I have seen.

    Lastly, I hate the term ITGC in relation to SOX. If a system has been deemed a “SOX application”, do you just apply all ITGC controls to it? Or do you select controls based on SOX risk? In my opinion, not all may apply.

    • Norman Marks
      October 11, 2018 at 3:09 PM

      Barry, you make a number of points. BTW, your quote is on page 2.

      I agree that the PCAOB Examiners have only been looking at whether the work performed by the auditors justifies their opinion. They are not looking at efficiency.

      I disagree on MWs. If the auditors and management kept their eyes focused on potential MWs, we would all be better off. Unfortunately, scopes almost always include controls that, should they fail, would never be MWs – and so they should not have been in scope.

      Agree that nothing says that after a (true) MW, all reliance has to stop. Audit Committees should challenge the auditors on that.

      Have a look at both IIA GAIT and the SEC interpretive guidance. ITGCs should be included in scope to address risks that critical functionality (automated controls, etc.) continue to function as desired. GAIT provides a top-down and risk-based approach that gets the right controls in scope.

  4. anonymous
    October 12, 2018 at 5:22 AM

    We had a situation where an acquired company although using SAP had virtually no segregation of duties. Using a vendor tool we were able to sort all transactions by SoD risk and have management review transactions over a threshold as a compensating control. I will be interested to see the details of the Costco situation. I think their 10-k should be out in a week or so.
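The compensating control described in the comment above (rank transactions by segregation-of-duties risk and have management review those over a threshold), and the fraud-risk reasoning Norman Marks lays out earlier in the thread (weak access is an exposure to fraud; size the review against a materiality figure), can be illustrated in code. The following is an added example written for this page; it is not the commenter's vendor tool, not Costco's control, and not anything the original post contains. The transactions, user names, vendor and journal-entry identifiers, conflict rules and the $500,000 review threshold are all constructed; only the 5% materiality convention and the $4 billion pre-tax income figure come from the post.

```python
"""Compensating control for weak SoD: flag transactions where one user performed
two conflicting actions on the same entity, and queue the large ones for review.
Added illustration; all data and rule names below are constructed."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Transaction:
    txn_id: str
    user: str
    action: str   # e.g. "create_vendor", "approve_payment", "post_je", "approve_je"
    entity: str   # vendor id or journal-entry id the action touched
    amount: float


# Constructed conflict rules: one user doing both actions on one entity is a SoD conflict.
SOD_CONFLICTS = {
    frozenset({"create_vendor", "approve_payment"}): "vendor-create/pay",
    frozenset({"post_je", "approve_je"}): "JE-post/approve",
    frozenset({"change_payroll", "approve_payroll"}): "payroll-change/approve",
}


def materiality(pretax_income: float, pct: float = 0.05) -> float:
    """Planning materiality as a percentage of pre-tax income (5% per the post)."""
    return pretax_income * pct


def find_sod_conflicts(txns):
    """Group activity by (user, entity); report every conflict rule fully matched."""
    by_key = defaultdict(lambda: {"actions": set(), "amount": 0.0, "txns": []})
    for t in txns:
        key = (t.user, t.entity)
        by_key[key]["actions"].add(t.action)
        # Use the largest amount seen so a posted-and-approved JE is not double counted.
        by_key[key]["amount"] = max(by_key[key]["amount"], t.amount)
        by_key[key]["txns"].append(t.txn_id)

    conflicts = []
    for (user, entity), info in by_key.items():
        for pair, label in SOD_CONFLICTS.items():
            if pair <= info["actions"]:
                conflicts.append({
                    "user": user, "entity": entity, "rule": label,
                    "amount": info["amount"], "txns": sorted(info["txns"]),
                })
    return conflicts


def review_queue(conflicts, threshold):
    """Conflicts at or above the review threshold, largest exposure first."""
    return sorted((c for c in conflicts if c["amount"] >= threshold),
                  key=lambda c: -c["amount"])


# Constructed sample activity log (hypothetical users, vendors and JEs).
SAMPLE_TXNS = [
    Transaction("T1", "alice", "create_vendor", "V100", 0.0),
    Transaction("T2", "alice", "approve_payment", "V100", 750_000.0),   # conflict
    Transaction("T3", "bob", "approve_payment", "V200", 25_000.0),      # no conflict
    Transaction("T4", "carol", "post_je", "JE-9", 3_000_000.0),
    Transaction("T5", "carol", "approve_je", "JE-9", 3_000_000.0),      # conflict
    Transaction("T6", "dave", "create_vendor", "V300", 0.0),
    Transaction("T7", "erin", "approve_payment", "V300", 90_000.0),     # split duties, fine
    Transaction("T8", "alice", "post_je", "JE-10", 40_000.0),
    Transaction("T9", "alice", "approve_je", "JE-10", 40_000.0),        # conflict, but small
]

# Constructed review threshold: a small fraction of the $200M materiality from the post.
REVIEW_THRESHOLD = 500_000.0


def main():
    m = materiality(4_000_000_000.0)
    print(f"planning materiality: ${m:,.0f}")
    queue = review_queue(find_sod_conflicts(SAMPLE_TXNS), REVIEW_THRESHOLD)
    for c in queue:
        print(f"{c['rule']:<22} user={c['user']:<6} entity={c['entity']:<6} "
              f"amount=${c['amount']:,.0f} txns={','.join(c['txns'])}")


if __name__ == "__main__":
    main()
```

The point of the threshold is the one the thread makes: a conflict that can only move $40,000 cannot create a $200 million misstatement on its own, so it belongs in ordinary access hygiene, not in the management review that serves as the SOX compensating control. A real implementation would also aggregate small conflicts per user across the period, since many below-threshold items by one account add up.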

  5. Anonymous
    October 24, 2018 at 3:17 PM

    For the most part I would tend to agree with your assessment, however I would be concerned with change management failure. That could be very significant.

  6. James A.
    November 7, 2018 at 4:43 PM

    Excellent analysis by Norman

