Guarding against significant deficiencies? Photographer: David Maung/Bloomberg via Getty Images

Here are a couple of facts about Citigroup Inc. that on their face would seem to be at odds:

(1) Citigroup management this week said the bank's internal controls over financial reporting were effective as of Dec. 31.
(2) Citigroup last week said it had overstated its fourth-quarter net income by $235 million and would revise its numbers downward after discovering a fraud in Mexico.

How could Citigroup's controls have been effective if they failed to prevent such a significant error? The explanation isn't necessarily comforting. A lot of this is semantics, which can be fun to play with. So let's give it a try.

We can thank the Sarbanes-Oxley Act of 2002 for the requirement that top executives of big corporations attest to the effectiveness of their companies' internal controls. The idea is to make sure that companies can perform basic functions such as maintaining accurate financial records, detecting unauthorized transactions and keeping track of their receipts and expenditures.

So here's the trick. When companies have problems with their internal controls, they may or may not be required to disclose what the problems are. This is where the terminology starts to get silly. Under the Securities and Exchange Commission's rules, a "material weakness" in controls must be disclosed. However, a "significant deficiency" doesn't have to be. What's the difference? In layman's terms, there is none.

But in accounting lingo, there is a difference. Let's start with the definition of material weakness. The auditing standards say it "is a deficiency, or a combination of deficiencies, in internal control over financial reporting, such that there is a reasonable possibility that a material misstatement of the company's annual or interim financial statements will not be prevented or detected on a timely basis."

So by now you might be wondering: Wait a second, Citigroup overstated its fourth-quarter earnings by $235 million, or almost 10 percent, apparently because of a $400 million fraud at its Mexican subsidiary. That was material. Otherwise a correction wouldn't have been needed. This actually happened, i.e., we're past the point of it merely being a reasonable possibility. So Citigroup must have had a material weakness, right?

Not necessarily. For one thing, the erroneous numbers were in a news release -- not in its official financial statements. Citigroup caught the errors before it filed its annual report with the SEC. This is why Citigroup called the corrections "adjustments" rather than a restatement. So that's one possible rationale for concluding that the error didn't point to a material weakness.

But there are other possible rationales. Go back to the term "significant deficiency." Here is its definition under the auditing standards: "A significant deficiency is a deficiency, or a combination of deficiencies, in internal control over financial reporting that is less severe than a material weakness, yet important enough to merit attention by those responsible for oversight of the company's financial reporting."

So in other words, it's like a material weakness, only less severe, whatever that's supposed to mean, but important, whatever that's supposed to mean, but not important enough to be material. Got that? I guess Citigroup executives are supposed to know a significant deficiency when they see one. But it's not a helpful definition, which is perfect from the standpoint of any company that might prefer to label certain problems as "deficiencies" rather than "weaknesses."

Those with long memories may even remember a kerfuffle over Citigroup's internal controls dating back to February 2008, before the company got the first of its government bailouts. Citigroup's regulator, the Office of the Comptroller of the Currency, sent a letter to the company's chief executive officer at the time, Vikram Pandit, pointing out all sorts of important ways in which Citigroup's internal controls were weak.

Eight days later, Pandit certified that Citigroup's controls were effective, as part of the bank's annual report. How was he able to justify that? The company has never explained publicly, but we can deduce that Pandit must have decided the weaknesses weren't material. Problem solved.

As for the company's new CEO, Michael Corbat, there still are some questions he should be asking himself, now that he has certified the effectiveness of Citigroup's controls as part of its 2013 annual report. He knows that Citigroup had its numbers wrong when it issued its fourth-quarter earnings release on Jan. 16. He also knows that Citigroup said it didn't learn until mid-February that it had a fraud problem in Mexico, which is now the subject of government investigations. If the bank's controls were slow to catch that problem, what other irregularities might have gone undetected? And how could Corbat be so confident that Citigroup's controls were effective?

(Jonathan Weil is a Bloomberg View columnist. Follow him on Twitter @jonathanweil.)

To contact the writer of this article: Jonathan Weil at jweil6@bloomberg.net.

To contact the editor responsible for this article: Tobin Harshaw at tharshaw@bloomberg.net.