Internal Controls and Procedures Assessment: EXPEDITORS INTERNATIONAL OF WASHINGTON INC.
Management Conclusions on Control Effectiveness
Management has concluded that both its disclosure controls and procedures, as well as its internal control over financial reporting (ICFR), were not effective as of December 31, 2024. This conclusion was supported by the company's independent auditor, KPMG LLP, which issued an adverse opinion on the effectiveness of ICFR.
Key Findings and Weaknesses
- Material Weakness: The primary finding is the existence of material weaknesses in ICFR. These deficiencies created a reasonable possibility that a material misstatement to the consolidated financial statements would not be prevented or detected on a timely basis, even though no actual misstatements were identified during the period.
- Root Cause (IT Controls): The weaknesses stem from IT general controls over systems and processes. Specifically, unauthorized access and changes to databases and related applications could go undetected because system logic excluded certain changes from review or capture.
- Personnel Deficiency: These control deficiencies are linked to personnel lacking specific training and experience required to fulfill internal control responsibilities related to information technology.
Remediation Efforts and Control Enhancements
Management has initiated a comprehensive remediation process under the oversight of the Audit Committee, demonstrating an active commitment to strengthening controls.
Ongoing Remediation Actions
- External Assistance: The company engaged PwC US Consulting, LLP to assist with entity-wide risk assessment, control design assessment, and the overall remediation process.
- Personnel & Assessment: Management is continuing to hire additional qualified personnel and conduct ongoing entity-wide risk assessments to identify relevant IT systems and process risks.
- System Improvements (Noteworthy): The company is actively examining third-party developed software solutions designed to improve controls over system access and tracking changes to databases. Furthermore, management continues to implement enhancements specifically designed to strengthen IT change management and logical access processes.
Status of Remediation
- Weakness: Despite these efforts, the material weaknesses are not yet fully remediated. Management noted that additional control deficiencies were identified during the remediation review process. Full remediation remains uncertain due to the complexity and interdependencies of legacy and current systems, and the time required for third-party software implementation.
Changes in Internal Controls During Reporting Period
Control Modifications
- General Status: Except for the ongoing remedial actions related to the material weaknesses, there were no other changes in ICFR that materially affected or are reasonably likely to affect internal control during the most recent fiscal quarter.
- Noteworthy Oversight Increase (Strength): The Audit Committee has significantly increased its oversight of remediation efforts by requiring monthly reports and formal comprehensive presentations from the Chief Information Officer, Chief Information Security Officer, and Chief Technology Officer at all Audit Committee meetings.