When Macy’s on Wednesday reported more details about the “hiding” of $151 million, it became clear their accounting controls simply didn’t work. It exposed a massive software hole in just about every enterprise environment. Credit: Mike Strand The Macy’s accounting nightmare is only getting worse, with the $24 billion retailer telling the SEC on Wednesday that both its annual report from last year and its auditor report “should no longer be relied on.” Although the amount “hidden” was only $151 million — at the high end of Macy’s original estimate of “$132 million to $154 million” — the retailer said it exposed a massive weakness in its checks and balances procedures. Macy’s did not get specific about the nature of the flaws, but the problem seems to be that the software charged with monitoring financial transactions was never designed to catch accountants doing what they do best: categorizing numbers in ways designed to make the company’s performance look better than it is. Such software is typically designed to catch true fraud, such as an employee exfiltrating money out of an enterprise into bank accounts they control, or payments to fraudulent contractors or even simple math errors. Apparently, the Macy’s system had weak safeguards that were easily sidestepped. Accounting officials say these same technology deficits likely exist in every enterprise. Macy’s “management identified a material weakness in its internal control over financial reporting related to the design of existing internal control activities involving manual journal entries over delivery expenses and certain other non-merchandise expenses, and the reconciliation of the related accrued liabilities,” the SEC filing said. “The Company identified that a single employee, who is no longer with the Company, intentionally made erroneous accounting entries and falsified underlying documentation, to understate delivery expenses from the fourth quarter of 2021 through the third quarter of 2024.” When Macy’s first reported the incident, it used the word “hidden” and made no reference to “falsified underlying documentation.” Those are big clues about what likely happened. “The material weakness was the result of deficiencies in the design of controls over delivery expense and certain other non-merchandise expenses, and the related accrued liabilities, whereby the design of the controls did not consider the potential for employee circumvention of these controls,” the company said in its filing, adding there were “failures to obtain, or generate and use, relevant, quality information to support the functioning of these controls, including validation of the reliability of the information.” Here’s the key “you’ve got to be kidding” point: “The design of the controls did not consider the potential for employee circumvention of these controls.” Really? The designers for an accounting system managing $24 billion in cash flow never considered that somebody might try to circumvent controls? Like perhaps someone engaged in naughtiness? The filing also showed some seeming contradictions. It stressed, for example, that this problem was done by just one employee — as though that’s a good thing. Imagine a Pentagon official explaining how 40 nuclear warheads were stolen and said, “I know this sounds bad, but this wasn’t done by a squadron on enemy fighters. This theft was just done by one guy, so all is fine.” Macy’s also tried to say that this was not that big a deal. “The Company evaluated the errors and determined that the related impact was not material to results of operations or financial position for any historical annual or interim period.” But by the end of the filing, Macy’s attorneys used a lot of words to essentially say this actually was a big deal. “As a result of the material weakness in the Company’s internal control over financial reporting described above, on December 10, 2024 the Audit Committee of the Board of the Company determined, based on the recommendation of management following its consultation with the Company’s independent registered public accounting firm KPMG LLP, that management’s report on internal control over financial reporting as of February 3, 2024…should no longer be relied upon. Additionally, KPMG LLP’s opinion as to the effectiveness of the Company’s internal control over financial reporting as of February 3, 2024 included within the Report of Independent Registered Public Accounting Firm in the Company’s Annual Report on Form 10-K for the fiscal year ended February 3, 2024, should no longer be relied upon.” In accounting speak, declaring that their financials are not to be trusted is admitting that this is a big deal. Why? Given the lack of meaningful controls and strong safeguards in this one business unit, there is every reason to believe that the same lack of safeguards exist elsewhere in the company — and according to accountants, in just about every enterprise. Stefan van Duyvendijk, an industry principal with accounting software vendor FloQast, reviewed Macy’s filing and said that the retailer “is trying to distract people” by implying that the “small package delivery” unit is “the only place where Macy’s has this weakness.” This happened because that small package area was likely deemed low-risk, van Duyvendijk said, but Macy’s “reviews over journal entries are the same across the company.” That means Macy’s likely knows that other similar issues could easily crop up — and that is what is tainting all of their reported financials and audits. The lone employee apparently reported that the small package unit owed less than it really did. “ERP is incapable of catching something like this,” van Duyvendijk said. For other enterprises, this glaring hole in controls could be worse. The Macy’s problem appears— so far –to be one employee manipulating numbers to make the department look better. It wasn’t outright fraud or theft. But that’s merely because the employee didn’t try to steal. But the same lax safeguards that allowed expense dollars to be underreported could have just as easily allowed actual theft. “What will happen when someone actually has motivation to commit fraud? They could have just as easily kept the $150 million,” van Duyvendijk said. “They easily could have committed mass fraud without this company knowing. (Macy’s) people are not reviewing manual journals very carefully.” Another accounting specialist, JR Kunkle, an auditor and GRC specialist who runs his own consulting firm, Kunkle Consulting, agreed that the ERP and accounting systems used today can’t prevent accounting fraud in the way they should. “If an individual is hellbent, he can change codes in the software. (Management) is going to rely on the accountant to setup the accruals,” Kunkle said. “Any kind of accounting entry requires judgment.” And today’s business software systems are incapable of reviewing and managing human judgment. “Once you get inside (the accounting decision process) and there is a judgment factor, ERP can give you data about it, saying that it’s a shipping expense, but I don’t think systems in general can figure out what an accountant should enter,” Kunkle said. “I don’t know that you can automate that.” Another financial specialist, Emburse CFO Adriana Carpenter, said that the software problem exists, but there areaccounting tactics that can minimize exposure. “It’s true that most ERPs are not designed to catch erroneous accounting,” she said. “However, there are software tools that allow CFOs and CAOs to create more robust controls around accounting processes and to ensure the expenses get booked to the correct P&L designation. Initiating, approving, recording transactions, and reconciling balances are each steps that should be handled by a separate member of the team. There are software tools that can assist with this process, such as those that enable use of AI analytics to assess actual spend and compare that spend to your reported expenses. Some such tools use AI to look for overriding journal entries that reverse expense items and move those expenses to a balance sheet account.” The specific problem Macy’s is struggling with could be minimized for others, she said. For example, someone bypassing safeguards can eventually be detected. “In the event of management overriding accounting controls, leveraging the spend data on an end-to-end spend management platform and using AI analytics can identify this type of override by automatically comparing total spend to your P&L and identifying discrepancies,” Carpenter said. “In the case of this Macy’s accounting error, AI analytics would have identified differences in total payments versus the expense that was being reported.” The ultimate problem here involves enterprise CIOs and their teams who trust software controls too much. Trusting software to religiously do what it is supposed to do is asking for trouble. Trusting that software to do what it was never designed to do? That is just demanding trouble. SUBSCRIBE TO OUR NEWSLETTER From our editors straight to your inbox Get started by entering your email address below. Please enter a valid email address Subscribe