Costco Investigates Access Control Issue Involving Financial Systems


Costco is investigating an "internal control" issue that apparently involves privileged access to the company's IT and financial systems. In a vague statement, the warehouse retailer indicated that the access issue involved both internal employees and contractors. Still, it sounds like the issue was limited and did not involve any hacks or data breaches.

Costco doesn't expect the issue to impact its financial statements, but an internal investigation is ongoing, the company says. Costco disclosed the issue as part of a Q4 operating report announcement on Thursday, October 4.

Costco Control Issue: The Company's Statement

Costco CFO Richard Galanti

During a call with Wall Street analysts on October 4, Costco CFO Richard Galanti said:

"We plan to report in our Form 10-K a material weakness in internal control related to general IT controls. These controls relate to internal user access and program change management over certain of our IT systems that relate to our financial reporting processes. I can tell you that there have been no misstatements identified in the financial statements as a result of the deficiencies, and we expect to timely file our Form 10-K.

Remediation efforts have begun. But material weakness will not be considered remediated until the applicable controls operate for a sufficient period of time and we conclude through testing that controls are operating effectively. We expect that the remediation of the material weakness will be completed prior to the end of fiscal 2019."

Costco Financial Controls: Is Anything At Risk?

In a follow-up Q&A session, a JP Morgan analyst asked Costco executives whether the control issue has triggered or will trigger any risks involving Costco's financial statements.

Galanti's response:

"Well, keep in mind first of all that we feel comfortable and we feel that ultimately our auditors feel comfortable... The issues had to do with internal user access, so people within IT or contractors. And when somebody who may have had access to something they should have and sometimes that they -- once they should have had that access relieved, it took a little too long to do so.

So, the controls weren’t in place. We should have done a better job. We went back as far as we could and looked back as far as we could in some systems, for the entire fiscal year, which is what you want to do and some of the newer systems, there was no look back ability for certain things."

Costco has found "no issues whatsoever" in terms of misstatements or breaches. Still, Galanti conceded that the company will continue to carefully research the issue until it releases its 10-K statement.

Partner and Supply Chain: Compliance and Security

The Costco control issue highlights the need for organizations to carefully monitor and enforce internal and external access to their IT systems and associated financial systems.

Although Costco has not announced any type of breach related to the control issue, the company's disclosure reinforces the need for businesses to understand how partners and IT contractors access corporate IT systems.

Joe Panettieri

Joe Panettieri is co-founder & editorial director of MSSP Alert and ChannelE2E, the two leading news & analysis sites for managed service providers in the cybersecurity market.