EXPEDITORS INTERNATIONAL OF WASHINGTON INC · FY 2021 

Controls & Procedures

Operational resilience faces extreme pressure when major cyber disruptions collide with necessary systemic evolution. Despite management concluding that internal controls over financial reporting were effective, recent disclosures detail a critical attack that forced the shutdown of global operating systems and initiated extensive efforts to modernize core accounting infrastructure. These events present noteworthy challenges to the company’s control environment as it works to restore operations and enhance cybersecurity processes.

EXPD L1 Synthesis
  SYMBOLOGY.ONLINE l1 SYNTHESIS 

Expeditors International Of Washington Inc Controls & Procedures Synthesis

Internal Controls and Disclosure Procedures Assessment Report

Overall Control Status Summary

Management concluded that both the company's disclosure controls and procedures, as well as its internal control over financial reporting (ICFR), were effective as of December 31, 2021. However, the report highlights significant operational changes and risks stemming from a major cyber-attack and ongoing system modernization efforts, which represent noteworthy challenges to the control environment.

Management Conclusions on Controls

Disclosure Controls Effectiveness
  • Conclusion: The Chief Executive Officer and Chief Financial Officer concluded that disclosure controls and procedures were effective as of the reporting period at the reasonable assurance level.
  • Evidence: "Based upon that evaluation, the Chief Executive Officer and Chief Financial Officer concluded that our disclosure controls and procedures were effective as of the end of the period covered by this report at the reasonable assurance level."
Internal Control Over Financial Reporting (ICFR) Effectiveness
  • Conclusion: Management assessed ICFR based on the COSO framework and concluded that internal control over financial reporting was effective as of December 31, 2021.
  • Evidence: "Based on this assessment, management has concluded that, as of December 31, 2021, our internal control over financial reporting was effective."

Material Weaknesses and Control Deficiencies

  • No material weaknesses or significant deficiencies in ICFR were identified during the period covered by the report. The filing explicitly states there were no changes to internal controls that materially affected ICFR in the most recent fiscal quarter.

Changes, Remediation, and New Controls (Noteworthy Events)

The reporting period included several noteworthy operational shifts and risks:

System Modernization and Transition
  • New Control/Procedure: The company is developing a new accounting system, which will be implemented globally over the next several years. This transition inherently affects existing ICFR processes and requires ongoing testing for operating effectiveness.
  • Impact: This modernization effort represents an ongoing change to the control environment designed to improve efficiency in financial and transactional processes.
Cyber-Attack Incident and Remediation Efforts (Critical Change)
  • Change/Event: A critical event occurred on February 20, 2022, when a cyber-attack forced the company to shut down most of its global operating systems, including accounting systems, to ensure system safety. This represents a major disruption and change in operational controls.
  • Remediation/New Controls: The company is currently bringing enterprise systems back online and plans to implement enhancements to existing cybersecurity systems and processes beginning in the first quarter of 2022.

Inherent Limitations and Scope

Management provided standard disclosures regarding the inherent limitations of any internal control system:

  • Limitations: Management noted that no system can provide absolute assurance against all errors or intentional fraud, due to resource constraints and the nature of controls.
  • Scope: The ICFR system is designed to provide reasonable assurance regarding the reliability of financial reporting, including ensuring transactions are recorded accurately and preventing unauthorized use of assets.