Friday, September 7, 2012

Breach of Data at TJX: An Instructional Case Used to Study COSO and COBIT, with a Focus on Computer Controls, Data Security, and Privacy Legislation

ABSTRACT

Internal control frameworks (ICF) provide a basis for understanding controls in an organization and for making judgments about the effectiveness of controls. The Sarbanes-Oxley Act of 2002 (SOX) requires companies to report, on an ongoing basis, the effectiveness of their internal controls in their annual filings. The Securities and Exchange Commission (SEC) recommends companies use ICF to help achieve compliance with SOX. ICF provide a useful tool for management and auditors evaluating and addressing the adequacy of controls in their organization. As there is no such thing as a “risk-free” enterprise, developing an understanding of ICF is important for students entering the accounting profession. This instructional case provides students the opportunity to assess internal control risks within an organization's information system using a “real-world” problem following COSO (SEC-recommended ICF) and/or COBIT as a guide. Students then evaluate the organization's overall level of internal control risks and formulate recommendations for mitigating such risks.

Keywords: internal controls, COSO, COBIT, internal control framework, data security

Sandra J. Cereola is an Assistant Professor and Ronald J. Cereola is an Assistant Professor, both at James Madison University.

Source: Sandra J. Cereola and Ronald J. Cereola (2011) Breach of Data at TJX: An Instructional Case Used to Study COSO and COBIT, with a Focus on Computer Controls, Data Security, and Privacy Legislation. Issues in Accounting Education: August 2011, Vol. 26, No. 3, pp. 521-545.
