Costco reports a material weakness in internal control. But is it really?
In a news release on October 4th, Costco Wholesale announced its operating results for the 4th quarter and full year ended September 2nd.
In that release, it stated:
While the Company is still completing its assessment of the effectiveness of its internal control over financial reporting as of September 2, 2018, in its upcoming fiscal 2018 Annual Report on Form 10-K, it expects to report a material weakness in internal control. The weakness relates to general information technology controls in the areas of user access and program change-management over certain information technology systems that support the Company’s financial reporting processes. The access issues relate to the extent of privileges afforded users authorized to access company systems. As of the date of this release, there have been no misstatements identified in the financial statements as a result of these deficiencies, and the Company expects to timely file its Form 10-K.
Remediation efforts have begun; the material weakness will not be considered remediated until the applicable controls operate for a sufficient period of time and management has concluded, through testing, that these controls are operating effectively. The Company expects that the remediation of this material weakness will be completed prior to the end of fiscal year 2019.
This information is surprising on many fronts.
For a start, it is rare these days for a company to determine that it has a material weakness related to IT general controls (ITGC).
Let me explain why it is rare, and why I personally question whether management got this right.
A material weakness is defined by the PCAOB Auditing Standard No. 5 (now renumbered as AS No. 2201) as:
“.. a deficiency, or a combination of deficiencies, in internal control over financial reporting, such that there is a reasonable possibility that a material misstatement of the company’s annual or interim financial statements will not be prevented or detected on a timely basis”.
Let’s start with what would constitute a material misstatement of Costco’s financials.
Their full year pre-tax net income, according to the release, is just over $4 billion. Materiality is generally 5% of pre-tax net income, which in this case would be $200 million.
It is very hard to envisage a situation where a $200 million error would not be noticed.
To meet the threshold for a material weakness, there has to be “a reasonable possibility” that a $200 million misstatement would not be prevented or detected on a timely basis.
Is there a reasonable possibility that defects in “user access and program change-management” could lead to a $200 million error that is undetected by other controls, such as comparisons of actual to forecast, margin analysis, and so on?
In the early years of SOX compliance, ITGC control failures were among the top sources of material weaknesses (the others were tax treatments and the organization’s knowledge of accounting rules).
But while ITGC control deficiencies continue to be present, it is unusual to see them disclosed as material weaknesses.
The reasons are fairly clear: ITGC deficiencies do not have a direct effect on the financial statements. They simply indicate that the automated controls, or the IT-dependent elements of other controls, may not operate consistently as they should.
Costco has not disclosed any failures of such automated controls or the IT-dependent elements of other controls, and they should if they existed. Neither have they disclosed any accounting errors that flowed from such deficiencies.
If I was on the board of Costco, I would be asking how these control deficiencies might lead to a $200 million misstatement of the annual financials (or a $70 million error in the 4th quarter, when pre-tax net income was $1.4 billion).
It is difficult for me to imagine how that could occur. I may be wrong, but I suspect their audit firm, KPMG, insisted that these deficiencies be categorized as material weaknesses.
Calling these material weaknesses does not seem reasonable to me.
What else surprised me?
They are saying that they will have corrected these deficiencies within one year.
Assuming that they truly are material weaknesses, how can it be acceptable to wait a full year to get them fixed?
How can the market rely on their quarterly reports if the system of internal control is deemed ineffective for that period?
I would not accept that as a board member, an investor, or a regulator!
Finally, the company concluded in its prior quarterly report that its disclosure controls and procedures (which include its internal control over financial reporting) was effective.
If these were in fact material weaknesses (which I doubt), then the question arises as to when management became aware of them – or should have been aware of them. If that predates the 3rd quarter 10-Q, the company may have a problem.
I have to wonder whether companies and their auditors fully understand the principles of SOX compliance and what AS5 actually says!
I teach SOX compliance efficiency and effectiveness to SOX program managers (and their equivalents, such as internal audit management). In my experience, the great majority of companies are doing too much (and the wrong) work and the external audit firms have lost touch with the principles of the top-down and risk-based approach mandated by the PCAOB.
I welcome your views.
By the way, Costco shares lost 4% following the news release. It is not clear how much should be attributed to the material weakness disclosure.
Leave a reply to Edward E Wilcox Cancel reply
Norman Marks on Governance, Risk Management, and Internal Audit 
I would expect the access was very broad and that they used an independent auditor to do a detailed review manual journal entries and other risks and could satisfy their auditor that improper entries were not made.
If it really takes a year to fix I wonder why it is just being discovered.
should have said could “not” satisfy
This is not surprising to me. The “the principles of the top-down and risk-based approach mandated by the PCAOB” have been gone for 5 years or more. It starts with a risk based approach and then you add in all the compliance requirements, especially in ITGCs. At my company, we start with the controls needed to run the company and then the auditor comes back with the additional compliance requirements. The compliance steps come in through the back door and are required by the PCAOB.
I would welcome a return to a top-down, risk-based approach where auditor judgement matters. Unfortunately that doesn’t exist in this environment and there’s no feedback loop to bring it back in line.
Tom, who is adding these ‘compliance requirements’? Who is telling you that they are required by the PCAOB? Tell whoever it is to show you where they are required! The only requirements (which are of the auditors and not management) are those in AS5.
Many audit forms are telling their clients that there are new requirements, such as those in Staff Alert 11. That Alert only restated existing requirements. The PCAOB does NOT get into detail of you have to have his or that control.
So what would be the mitigating controls for weak access management and weak change controls. Sounds like an uncontrolled system which would require extensive mitigating controls.
You have to perform a fraud risk analysis. The effect of weak access controls is almost always an exposure to fraud. The only fraud you have to be concerned with for SOX is one that results in a material misstatement of the consolidated financials. That is per AS5 as well as SEC guidance.
Once you understand how a $200 million misstatement dues to fraud via poor access controls can happen, you can look at the controls. Frankly, almost any forecast/budget to actual or account analysis would detect such an immense number.
With weak change management, you need to understand which key automated or IT-dependent controls might be affected. For which key accounts are they relied on? Only then can you assess whether there are compensating or mitigating controls that would detect a $200 million misstatement.
If any of the automated controls were found to have failed, that would increase the level of risk – but it still has to meet the threshold of a reasonable possibility of a material misstatement.
It may be a serious business issue without being a SOX material weakness.
I wish my perspective was off, but I get to cross check my perspective at an annual peer meeting with about 40 other public companies and we’ve all experienced this – a heavy dose of compliance for about the last 5 years. This is true across all the audit firms. Recall that several years ago the PCAOB re-defined an audit failure to include “you didn’t do what we said you had to do” (my words) versus a control deficiency that could cause a material misstatement.
Perhaps your other readers can reaffirm or let me know I’m way off base.
Sorry…I didn’t mean to post that anonymously. I’m replying to your comment above.
Sadly, the audit firms have gone crazy, asking for stuff that simply is not required. If challenged by asking them to show you where these compliance requirements are to be found, they will have no answer. Saying “the PCAOB told us” is not actually true. They may believe it to be true because somebody at the firm told them. But the only requirement is for a top-down and risk-based approach
One of my followers sent me a note where Deloitte had insisted that they institute controls over an esoteric ITGC area. The justification from the Deloitte auditor was the announcement of a PCAOB speaker at a conference discussing cyber risk.
My advice: don’t knuckle under. Insist that the auditors show you where any of these compliance requirements come from. They will not be able to do so.
Hi Norman – I just happened to stumble upon your post. It was an interesting read (as were the comments) and you certainly have great insight and have raised some very thought provoking questions.
I’m a director at one of the “Big Four” firms and am currently serving in a role within the firm’s national office. One of my responsibilities is to support engagement teams before, during, and after PCAOB inspections.
Based on the findings of the PCAOB through their inspection program, my view is that the PCAOB Division of Registration and Inspections is indeed enforcing a compliance agenda that is much more prescriptive than the wording of the auditing standards. This is one of the reasons why auditors are often not able to point directly to a paragraph within a standard or other guidance when discussing “new” compliance requirements/expectations with their clients. Every year, inspection findings result in additional firm guidance and/or focus areas, which are communicated to engagement teams as they plan their upcoming audits. Many of the findings continue to be related to the design and/or operating effectiveness of the Issuer’s ICFR. Part I inspection reports can sometimes help auditors to bridge this gap by illustrating inspection findings and themes to audit clients.
I’ve heard from clients many times over the years who are frustrated that the auditor’s regulator (through the auditor) is holding public companies to a higher standard than the companies’ own regulator. I would tend to agree.
I hear you. Somebody is missing the point that AS5 requires a top-down and risk-based approach. If the PCAOB Examiners are asking for more, which is non-compliant with the standard, the firms should be able to push back. In any event they should not ask for unecessary work from management.
By the way, I have yet to see a PCAOB Inspection that asked for something beyond AS5. Usually what happens is that the external auditor asks for something where there is no risk of a material error and blame it on the PCAOB. But they are unable or unwilling to show management where the Examiners have required it.
Once again, I think the main purpose of AS-5 was to stop the runaway external auditors from over testing and charging too much.
Page 2 of AS-5: “Second, these benefits have come at a significant cost. Costs have been greater than expected and, at times, the related effort has appeared greater than necessary to conduct an effective audit of internal control over financial reporting.”
Unfortunately, someone in Congress may have to get involved. The PCAOB is apparently auditing only what externals don’t do without any consequences from them doing too much. After AS-5 costs started to drop, now they have slowly creeped back up. Material mis-statement risk has now been turned into a general “risk”.
A Material Weakness is a great way they have come up with to charge more. They immediately eliminate any reliance on internal audit to start (and that means even an effective internal audit dept), then they up their requirements and test more than they should. Nowhere does it say in AS-5 that they have to dump all reliance after a Material Weakness, but they do so across the board from what I have seen.
Lastly, I hate the term ITGC in relation to SOX. If a system has been deemed a “SOX application”, do you just apply all ITGC controls to it? Or do you select controls based on SOX risk? In my opinion, not all may apply.
Barry, you make a number of points. BTW, your quote is on page 2.
I agree that the PCAOB Examiners have only been looking at whether the work performed by the auditors justifies their opinion. They are not looking at efficiency.
I disagree on MWs. If the auditors and management kept their eyes focused on potential MWs, we would all be better off. Unfortunately, scopes almost always include controls that, should theu fail, would never be MWs – and so they should not have been in scope.
Agree that nothing says that after a (true) MW, all reliance has to stop. Audit Committees should challenge the auditors on that.
Have a look at both IIA GAIT and the SEC interpretive guidance. ITGCs should be included in scope to address risks that critical functionality (automated controls, etc.) continue to function as desired. GAIT provides a top-down and risk-based approach that gets the right controls in scope.
That is why we at the IIA developed the GAIT methodology. As echoed by the SEC, ITGC related controls should be included in scope only if they are relied on to prevent or detect a material error in the financials. Just because an application is involved in a significant account it doesn’t mean that all possible ITGC controls should be included in scope.
We had a situation where an acquired company although using SAP had virtually no segregation of duties. Using a vendor tool we were able to sort all transactions by SoD risk and have management review transactions over a threshold as a compensating control. I will be interested to see the details of the Costco situation. I think their 10-k should be out in a week or so.
For the most part I would tend to agree with your assessment, however I would be concerned with change management failure. That could be very significant.
Excellent analysis by Norman
Thank you for your article. I have been practicing SOX since the beginning. One area I found the auditors I work with to be out of alignment with guidance is in the evaluation of IT control deficiencies. I have always followed ‘A Framework for Evaluating Control Exceptions and Deficiencies’ Version 3 December 20, 2004. Chart III in that framework relates to IT controls and generally speaking you cannot have a Significant Deficiency or a Material Weakness in an IT control unless it was a causal factor in a material misstatement. The only other path is the ‘prudent official’ analysis. Like you – I fail to see this as a Material weakness. One might put it down as a Significant Deficiency as a tool to escalate the matter and remediation to the Audit Committee as a management tactic.
Sorry, but the SEC has indicate that the framework you mention is not acceptable. Please consider the IIA’s GAIT for ITGC deficiencies
I should add to my prior post that all the big audit firms were contributors to the evaluation framework I have referenced. Thanks!
Yes, nine firms and a professor from Georgia State
Charles is correct about the difficulty of IT being a material weakness 15 years ago, and so is Norman that a basic analytical analysis should catch a $200 million misstatement. However, Tom, Norman, and the Big 4 Auditor are correct that the rules have changed.
I’ve been out of the game since 2012 and am just getting back in. Today’s lack of common sense and the reliance on useless minutia is making me step back and say wow.
However, the timeline is accurate. Having helped remediate a half dozen material weaknesses, as a consultant, that’s about right. Mostly because, the controls have to be successfully tested before they can be said to be remediated. And, for annual controls, that’s just once a year.
So, for an access change, the first step is to determine what access everyone needs to do their job. Once that’s done, they can figure out what the new structure will look like. In this case, it sounds like they’ll need to divide some jobs. This means, hiring more people and creating new job classifications. Then they can make the changes to the computer system.
Also, it sounds like they were relying on analytics to catch any problems and that KPMG shot that down.
On a related note, I stumbled across this because, as a volunteer, I am helping my first ever non-profit prepare for their first ever audit (after operating for 15 years). The thought was to decrease the time, effort, and work of the all volunteer organization and rely heavily on analytics, but the CPA’s we’ve talked to puked all over that plan. They’ve also said we need more than just news articles to show we held events.
I used to joke about the “full employment act for lawyers and accountants”, but, today, it certainly sounds like one got passed without my hearing about it.
So, I’m feeling like Alice slipping down the rabbit hole, and, suddenly, very, very old. Am glad the changes have caught someone as well run as Costco by surprise as well.
Michael, you are right in that practices – especially by the external auditors – have slipped away from the top-down approach required by the PCAOB. The rules have not changed an iota, just the inability to focus on what represents at least a reasonable possibility of a material misstatement.
Not sure if this paragraph from 10-k helps clarify the doubts?
“There were ineffective information technology general controls (ITGCs) in the areas of user access and program change-management over certain information technology (IT) systems that support the Company’s financial reporting processes. As a result, business process automated and manual controls that were dependent on the affected ITGCs were ineffective because they could have been adversely impacted. These control deficiencies were a result of: IT control processes lacked sufficient documentation; insufficient knowledge and training of certain individuals with IT expertise; and risk-assessment processes inadequate to identify and assess changes in IT environments and personnel that could impact internal control over financial reporting.”
I’m not persuaded that represents a material weakness. There has to be at least a reasonable possibility of a material error or omission in the filed financial statements.
Costco has no clue what they are saying. Probably forced by the gestapo-like tactics by their external audit firm. Pretty sad for a big company. Whimps.