EXPEDITORS INTERNATIONAL OF WASHINGTON INC · FY 2022 

Controls & Procedures

Management reported that, as of late 2022, their disclosure controls over financial reporting were deemed ineffective following the identification of a material weakness within a key information technology system. This vulnerability stemmed from an IT control process lacking sufficient precision in reviewing database changes, though it did not result in any identified misstatements for the period. In response to this finding and a major cyber-attack that occurred earlier in 2022, the company has initiated extensive remediation efforts, including ongoing supplemental lookback reviews and the implementation of a new global accounting system.

EXPD L1 Synthesis
  SYMBOLOGY.ONLINE l1 SYNTHESIS 

Expeditors International Of Washington Inc Controls & Procedures Synthesis

Internal Controls and Procedures Assessment Report

Management Conclusions on Control Effectiveness

Management's assessment of internal controls over financial reporting (ICFR) presents a mixed picture, highlighting both significant deficiencies and subsequent corrective actions.

Initial Findings and Material Weakness
  • Ineffectiveness Conclusion: As of December 31, 2022, the Chief Executive Officer and Chief Financial Officer concluded that disclosure controls and procedures were not effective.
  • Evidence (Weakness): This conclusion was driven by a material weakness identified in the fourth quarter of 2022. The weakness related to an information technology (IT) system supporting financial reporting processes, where the control designed to review and authorize direct database changes failed because it did not capture the complete population of changes and thus "did not operate effectively as designed."
  • Root Cause: Management attributed this deficiency to IT control processes lacking sufficient precision and being overly dependent on the interpretation and actions of specific individuals with IT expertise.
  • Impact Assessment: While the material weakness was identified, management noted that it did not result in any identified misstatements to the financial statements for 2022.
Post-Incident Effectiveness Determination
  • Cyber-Attack Context (Changed): Following a major cyber-attack starting February 20, 2022, which necessitated global system shutdowns, management determined that disclosure controls and procedures were effective regarding the impact of the attack itself. Interim procedures were deployed during the disruption to maintain ICFR systems.

Remediation Efforts and Control Enhancements

Management has taken specific steps to address the identified material weakness and strengthen overall security posture.

Weakness Remediation
  • Lookback Review (Action Taken): Prior to filing, the Company performed a lookback review of all direct database changes subject to the control's operating ineffectiveness for the full year 2022. This review found no evidence of improper changes or consequential impacts on ICFR.
  • Ongoing Remediation (Noteworthy/New Procedure): Management is implementing enhancements designed to strengthen IT program change management processes. Furthermore, they will continue to conduct monthly supplemental lookback review procedures of direct database changes until these improvements are fully implemented, which is expected prior to the end of 2023.
Cybersecurity and System Strengthening
  • Incident Response (Noteworthy): In response to the cyber-attack, the Company engaged third-party cybersecurity experts for investigation and assistance. Following system restoration, they enhanced continuous monitoring of the entire information security environment and implemented various process improvements to mitigate future risks.

Changes in Internal Controls and Future Outlook

Systemic Changes
  • New Accounting System (Noteworthy/Future Change): The Company is currently developing and implementing a new accounting system on a worldwide basis over several years. This transition will affect the processes constituting ICFR and requires subsequent testing for operating effectiveness.
  • General Controls: Aside from the material weakness and cyber-attack related items, there were no other changes in internal controls that materially affected ICFR during the most recent fiscal quarter.
Balanced Assessment Summary

The Company demonstrates a commitment to robust control maintenance, evidenced by its immediate lookback review and ongoing remediation plans for the IT database change weakness. However, the initial finding of a material weakness—stemming from insufficient precision in an existing IT General Control (ITGC)—highlights inherent vulnerabilities in reliance on manual interpretation within complex systems. The response to the cyber-attack demonstrates proactive strengthening of security measures and continuous monitoring, while the planned implementation of a new global accounting system signals a significant future effort to improve process efficiency and control structure.