ISSUES IN ACCOUNTING EDUCATION American Accounting Association Vol. 26, No. 3 DOI: 10.2308/iace-50031 2011 pp. 521–545
Breach of Data at TJX: An Instructional Case Used to Study COSO and COBIT, with a Focus on Computer Controls, Data Security, and Privacy Legislation
Sandra J. Cereola and Ronald J. Cereola
ABSTRACT: Internal control frameworks (ICF) provide a basis for understanding controls in an organization and for making judgments about the effectiveness of controls. The Sarbanes-Oxley Act of 2002 (SOX) requires companies to report, on an ongoing basis, the effectiveness of their internal controls in their annual filings. The Securities and Exchange Commission (SEC) recommends companies use ICF to help achieve compliance with SOX. ICF provide a useful tool for management and auditors evaluating and addressing the adequacy of controls in their organization. As there is no such thing as a “risk-free” enterprise, developing an understanding of ICF is important for students entering the accounting profession. This instructional case provides students the opportunity to assess internal control risks within an organization’s information system using a “real-world” problem following COSO (SEC-recommended ICF) and/or COBIT as a guide. Students then evaluate the organization’s overall level of internal control risks and formulate recommendations for mitigating such risks.
Keywords: internal controls; COSO; COBIT; internal control framework; data security.
THE CASE: TJX SECURITY BREACH
You are a recent graduate and have accepted an accounting position with one of the big accounting firms in Massachusetts. Prompted by the discovery of a computer breach of their corporate systems, TJX Companies (hereafter referred to as TJX) hires your firm to review and assess the internal controls related to their information security program and to advise them as to whether they are in compliance with applicable laws and regulations. As one of your first assignments, you are placed on the TJX task force. This assignment requires you to use your knowledge of internal control frameworks (ICF), including the Committee of Sponsoring Organizations Integrated Framework (COSO) (1992), the Control Objectives for Information and related Technology framework (COBIT), state and federal compliance laws¹ and other applicable federal and state information security laws and regulations,² as well as supplemental evidence, which you will be required to discover through research of credible sources and cite in your report, to analyze the case narrative provided on TJX. Upon your review, you are required to prepare a comprehensive written report discussing your evaluation of TJX’s internal controls. The report will first be presented to your firm’s top management team and then in summary to TJX’s management team.

In preparation for your involvement with this task force, you are required to review the internal control framework(s) that you are assigned to use to assess compliance (i.e., COSO and/or COBIT).

Sandra J. Cereola is an Assistant Professor and Ronald J. Cereola is an Assistant Professor, both at James Madison University.
Published Online: August 2011