ISSUES IN ACCOUNTING EDUCATION American Accounting Association Vol. 26, No. 3 DOI: 10.2308/iace-50031 2011 pp. 521–545
Breach of Data at TJX: An Instructional Case Used to Study COSO and COBIT, with a
Focus on Computer Controls, Data Security, and Privacy Legislation
Sandra J. Cereola and Ronald J. Cereola
ABSTRACT: Internal control frameworks (ICF) provide a basis for understanding controls in an organization and for making judgments about the effectiveness of controls. The Sarbanes-Oxley Act of 2002 (SOX) requires companies to report, on an ongoing basis, the effectiveness of their internal controls in their annual filings. The Securities and Exchange Commission (SEC) recommends companies use ICF to help achieve compliance with SOX. ICF provide a useful tool for management and auditors evaluating and addressing the adequacy of controls in their organization. As there is no such thing as a "risk-free" enterprise, developing an understanding of ICF is important for students entering the accounting profession. This instructional case provides students the opportunity to assess internal control risks within an organization's information system using a "real-world" problem following COSO (SEC-recommended ICF) and/or COBIT as a guide. Students then evaluate the organization's overall level of internal control risks and formulate recommendations for mitigating such risks.
Keywords: internal controls; COSO; COBIT; internal control framework; data security.
THE CASE: TJX SECURITY BREACH
You are a recent graduate and have accepted an accounting position with one of the big
accounting firms in Massachusetts. Prompted by the discovery of a computer breach of
their corporate systems, TJX Companies (hereafter, referred to as TJX) hires your firm to
review and assess the internal controls related to their information security program and to advise them
as to whether they are in compliance with applicable laws and regulations. As one of your first
assignments, you are placed on the TJX task force. This assignment requires you to use your
knowledge of internal control frameworks (ICF), including the Committee of Sponsoring
Organizations Integrated Framework (COSO) (1992), the Control Objectives for Information and
related Technology framework (COBIT), state and federal compliance laws1 and other applicable
federal and state information security laws and regulations,2 as well as supplemental evidence, which
you will be required to discover through research of credible sources and cite in your report, to analyze
the case narrative provided on TJX. Upon your review, you are required to prepare a comprehensive
written report discussing your evaluation of TJX’s internal controls. The report will first be presented to
your firm’s top management team and then in summary to TJX’s management team.
Sandra J. Cereola is an Assistant Professor and Ronald J. Cereola is an Assistant Professor, both at James Madison University.
Published Online: August 2011
In preparation for your involvement with this task force, you are required to review the internal
control framework(s) that you are assigned to use to assess compliance (i.e., COSO and/or COBIT).
The focus of your review will be only on those aspects of COSO and/or COBIT that are significant
to financial reporting and information security.
Company Background
TJX is one of the largest international off-price apparel and home fashions retailers in the U.S.,
with over 2,700 stores worldwide at the end of fiscal 2009. Based in Framingham, Massachusetts,
the company was founded in 1956 as Zayre discount department stores. Diversifying into
specialty retailing, the company acquired Hit or Miss in 1969 (an off-price fashion clothing chain
for women), and opened its first T.J. Maxx store in 1977 (modeled after the Marshalls chain, an off-
price fashion store for the whole family). Other TJX ventures in the off-price fashion market
included acquisitions of companies such as Chadwicks of Boston, B.J.’s Wholesale Club, and
Home Club. In 1987, Zayre went public, organizing as TJX Companies Incorporated (found on the
NYSE under the ticker symbol TJX). In 1996, TJX was added to the Standard & Poor’s S&P 500, and
by 2009 the company was ranked 119th in the Fortune 500.
Since its inception, TJX’s operations have remained steadfast. Based on the 2009 annual report, the
company operates five business segments (three reside in the U.S., and one each in Canada and Europe),
including eight retail chains. Each segment has its own administrative, buying and merchandising, and
organization and distribution network. The eight retail chains include T.J. Maxx, Marshalls, Home
Goods, A.J. Wright, HomeSense-Canada, StyleSense, T.K. Maxx, and HomeSense-Europe, selling
brand name items ranging from family apparel, accessories, bedding, and furniture to jewelry, beauty
products, and housewares. TJX’s core-target customer includes the middle- to upper middle-income
shopper. Consolidated net sales in 2009 were over $20 billion, total assets over $7 billion, and operating
cash flows over $2 billion (for financial information, visit TJX Companies website).
Among the key success factors for TJX’s rapid growth are its flexible business model and its
corporate culture. TJX’s culture centers on the management and staff acting with integrity, and
emphasizes that all people must be treated with dignity, respect, and caring. They operate under the
Remember Everyone Affects Customer Happiness (REACH) philosophy, which is dedicated to
providing customers, vendors, and co-workers with a level of caring that goes beyond stakeholder
expectations. Further, it is a culture in which success is measured not only on delivering results, but
also on how those results are achieved.
Information Technology
The success of TJX depends critically on their operational performance and the information
systems upon which their operations are based. Success, therefore, depends on TJX’s ability to have
information systems that permit them to maintain a flexible business model, engage in opportunistic
purchasing, maintain an efficient inventory management system, and maintain low-cost operations.
1 Key laws include the Sarbanes-Oxley Act (SOX), Gramm-Leach-Bliley Act (GLBA), Health Insurance Portability and Accountability Act (HIPAA), and Children’s Online Privacy Protection Act (COPPA).
2 Other regulations promulgated by the Payment Card Industry (PCI), Federal Trade Commission (FTC), and individual states.
As is prevalent in today’s businesses, TJX relies heavily on its information systems and, thus,
the ability to operate such systems efficiently and effectively has a significant impact on their
overall business operations. Implementing effective internal controls that ensure data reliability,
security, and confidentiality, along with an adequate disaster recovery plan, is essential for ongoing
operations and for reducing litigation risk.
Operations at TJX in 2009 include 19 distribution centers (13 located domestically and six
internationally). Information systems are managed through corporate computer networks and in-
store networks. The networks are linked worldwide, connect corporate headquarters with each
store, and are used for administrative purposes, as well as for processing sales transactions. These
networks also provide access for wireless devices used at each store.
In its daily operations, TJX uses computer networks to collect transaction information,
including personal information from customers as needed for credit card and debit purchases,
personal check verification, and un-receipted returns. Examples of data collected include credit/
debit account numbers, expiration dates and electronic security codes for payment authorization,
bank routing numbers, account and check numbers, driver’s license numbers, date of birth, name,
address, and/or other personal identification numbers (military or state documentation). The
information collected is used to obtain payment authorization and is transmitted from the in-store
networks to designated computers on the central corporate network, and from there to bank
networks. In response, the banks send authorization transmissions back to the corporate networks,
and this information is then transmitted back to the in-store networks.
The Data Security Breach
On December 18, 2006, TJX discovered an unauthorized intrusion into their computer systems
that process and store information related to customer transactions. The intrusion was identified
through suspicious software found on TJX’s computer systems. Upon discovery, TJX employed
both General Dynamics Corporation (GDC) and International Business Machines Corporation
(IBM), two leading computer security and incident response companies, to help with the
investigation.
The investigation began with an examination of TJX’s accounting information systems (AIS),
with the purpose of detecting anomalies in the system. On December 21, 2006, GDC and IBM
determined that TJX’s systems had indeed been breached and that an intruder was still in their AIS.
A security plan was set in motion designed to monitor the ongoing intrusion, protect customer data,
and strengthen the systems’ security from future attacks.
Events following the breach included TJX contacting the appropriate law enforcement
authorities, including the U.S. Department of Justice, U.S. Secret Service, and the U.S. Attorney’s
Office in Boston, Massachusetts, on December 22, 2006. Upon notification, TJX was advised by
the U.S. Secret Service not to disclose the breach publicly at that point, as disclosure would impede
the ongoing investigation. On December 26 and 27, contracting banks and debit, credit, and cash
processing companies were notified of the intrusion.
During the ongoing investigation, it was determined that personal, confidential customer
information was stolen, and that the scope of the breach spanned approximately 18 months. Public
notification of the intrusion was released on January 17, 2007, in a press release issued to the public
(for a complete copy of the press release, go to www.tjx.com and click on Investor Information and
then Press Releases; all releases are in chronological order). In the release, the Chairman and acting
Chief Executive Officer (CEO) stated:
We are deeply concerned about this event and the difficulties it may cause our customers. Since
discovering this crime, we have been working diligently to further protect our customers and
strengthen the security of our computer systems, and we believe customers should feel safe
shopping in our stores. Our first concern is the potential impact of this crime on our customers,
and we strongly recommend that they carefully review their credit card and debit card
statements and other account information for unauthorized use. We want to assure our
customers that this issue has the highest priority at TJX.
As a result of the breach and as a courtesy to its customers, TJX established a special helpline
and created a special link on its company website which provided updated information on the
breach.
The investigation determined that the scope of the intrusion spanned from July 2005 until it
was detected on December 18, 2006. The breach occurred in computer operations at two corporate
offices, one located domestically and one internationally. Both corporate offices process and store
information related to payment card, check, and un-receipted merchandise return transactions for its
customers. Confidential customer information stored at these locations included debit/credit card
information, as well as personal customer information provided with un-receipted returns (these
included customer names and addresses, driver’s license numbers, and military/state identification
numbers, some of which were the same as the customers’ social security numbers).
Details of the examination revealed that the intruders’ initial point of access occurred in the
computer systems located in a Framingham, Massachusetts, store. Using directional antennas and a
laptop computer, the perpetrators intercepted electronic transmissions sent over TJX’s wireless
network. These transmissions included authorization requests, credit and debit card payments, and
other personal customer information. TJX’s systems, at that time, transmitted wireless transactions
using Wired Equivalent Privacy (WEP) technology. Other points of entry occurred at in-store
computer kiosks. Each kiosk is equipped with a personal computer (PC)-style system that is
directly connected to the corporate network and is used to capture jobseeker information. The
intruders connected USB drives with utility programs to these computers and then later used these
terminals to access the corporate network.
Electronic footprints left behind by the intruders on the TJX network identified encrypted
messages indicating which files had been copied. With these footprints, investigators were able to
piece together the dates as to when most of the data was stolen and found that most occurred during
peak sales periods. However, because of the technology used by the intruder, it was difficult for
TJX to determine the contents of the files that were stolen. Other evidence revealed that the
intruders used key logging technology to obtain user identification and password information from
the corporate network and then used this information to create fictitious accounts. These accounts
were later used to collect transaction information remotely.
Current Events/Financial Impact
Since the data breach, TJX has taken steps to increase computer security and protocols and
instituted an ongoing program to monitor data security. From the time of discovery, in 2006, to
2009, TJX expensed $171.5 million pre-tax related to the computer intrusion, and maintains a $42.2
million reserve for future losses related to the breach.
TJX press releases highlighting the financial impact indicated: On November 30, 2007, TJX
announced an agreement with Visa USA and Visa Inc. to fund up to a maximum of $40.9 million
pre-tax in alternative recovery payments. On April 2, 2008, TJX announced agreement with
MasterCard International Inc. to fund up to a maximum of $24 million pre-tax in alternative
recovery payments. On June 23, 2009, TJX announced a settlement with a multi-state group of 41
Attorneys General relating to the data breach. In the settlement, TJX established a $2.5 million Data
Security Fund for use by states to advance data security and technology, provided $5.5 million to
cover states’ expenses (including $1.75 million to cover investigation expenses), certified TJX’s
computer systems meet detailed data security requirements specified by states, and encouraged
development of new technologies to address vulnerabilities in payment card systems.
Other Information
Regulatory Complaints: In light of the data breach, the Federal Trade Commission (FTC) filed
a complaint against TJX Companies in 2008, alleging that the company had violated the provisions of the
FTC Act (FTC 2008). The complaint alleged that TJX engaged in a number of practices that failed
to provide reasonable security for personal information in its networks and that these failures
resulted in a computer intrusion (for a complete copy of the FTC complaint, visit www.ftc.gov, click on Actions,
then Cases by Name, and search for "The TJX Companies, Inc."; Docket No. C-072-3055).
Payment Card Industry Standards: All organizations that accept, transmit, or store cardholder
information must follow the Payment Card Industry Data Security Standard (PCI DSS) (PCI Security
Standards Council 2008). TJX utilizes commercially available systems to process payment card and
personal information. The technology used for data transmissions and approval is determined and
controlled by the payment card industry (PCI).
CASE REQUIREMENTS AND QUESTIONS
As part of your first assignment on the TJX task force, you will be responsible for one or more
of the case requirements listed below. Before starting the requirements, read the case
material. To successfully complete the case, you are required to obtain supplemental evidence
through research of credible sources external to the information provided in the
case (e.g., the TJX website, TJX 10-K reports, etc.).
Assignment 1
1992 COSO Framework Assessment Requirements
Using the 1992 COSO framework, perform a robust risk assessment of the case, identifying
any internal control issues related to each of the five 1992 COSO components identified below.
Next, classify each internal control issue as a strength or weakness, and then for each weakness,
assess its risk as high, moderate, or low (high risk occurs when a company does not have any
corrective actions in place when a key internal control weakness is found, and the company suffers
a substantial loss as a result; moderate risk occurs when an internal control weakness is found and
the company does not have any corrective actions in place, but only minor losses may occur
as a result; and low risk occurs when an internal control weakness is found and is considered a
control deficiency). Finally, classify each risk as a financial, compliance, and/or operational risk
(financial refers to internal controls designed to provide reasonable assurance regarding the
reliability of the financial statements; compliance is concerned with adherence to rules, policies, and
procedures, both internal and external to the organization; and operational is concerned with the
effectiveness and efficiency of the organization’s activities and whether they help to reduce risks
faced by the organization). Use Exhibit 1 to document your work.
1. Control Environment: Includes the evaluation of both soft and hard controls. Soft controls
consist of integrity and ethical values, commitment to competence, board of directors and
audit committee, and management’s philosophy and operating style. Hard controls include
organizational structure, assignment of authority and responsibility, and human resource
policies and procedures.
2. Risk Assessment: Relevant risks that can impact organizational goals and objectives are
identified and assessed. Includes risk assessment in relation to company-wide objectives,
process-level objectives, risk identification and analysis, and managing change.
3. Control Activities: Include policies and procedures in place that limit risks that may impact
the organization’s objectives. Examples include activities related to security (application and
network), application change management, business continuity and backups, and
outsourcing.
4. Information and Communication: Relevant information must be identified, captured, and
communicated in a form and timeframe that allows individuals to carry out their
responsibilities. Assessment involves evaluating the quality of information and
effectiveness of the communication.
5. Monitoring: A process must exist to verify internal control systems are functioning over
time. Accomplished through ongoing monitoring, separate evaluations, and reporting of
deficiencies.
EXHIBIT 1
Requirement 1 TJX 1992 COSO Risk Assessment Matrix
Risk Assessment (High, Moderate, or Low); Type Risk (F = Financial, C = Compliance, and/or O = Operational)
Note: When completing this requirement, additional rows may be added as needed.
COSO Component | Control Issue | Strength or Weakness | Risk Assessment | Type Risk
1. Control Environment | TJX does not have a board of directors information technology committee | Weakness | Low | F, C, O
2. Risk Assessment | | | |
3. Control Activities | | | |
4. Information and Communication | | | |
5. Monitoring | | | |
Assignment 2
2004 COSO ERM Framework Assessment Requirements
Using the COSO ERM framework (COSO 2004), perform a robust risk assessment identifying
any internal control issues related to each of the eight components identified below. Next, classify
each internal control issue as a strength or weakness, and then, for each weakness, assess its risk as
high, moderate, or low (high risk occurs when a company does not have any corrective actions in
place when a key internal control weakness is found, and the company suffers a substantial loss as a
result; moderate risk occurs when an internal control weakness is found and the company does
not have any corrective actions in place, but only minor losses may occur as a result; and
low risk occurs when an internal control weakness is found and is considered a control deficiency).
Finally, classify each risk as a financial, compliance, and/or operational risk (financial refers to
internal controls designed to provide reasonable assurance regarding the reliability of the financial
statements; compliance is concerned with adherence to rules, policies, and procedures, both internal
and external to the organization; and operational is concerned with the effectiveness and efficiency
of the organization’s activities and whether they help to reduce risks faced by the organization). Use
Exhibit 2 to document your work.
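The following Python script is an added example and is not part of the case or the authors' teaching materials. It encodes the High/Moderate/Low rating rule and the F/C/O risk types stated in the assignment instructions, applies them to a constructed register of control issues taken from the case narrative, and prints rows in the layout of Exhibits 1 to 3. Apart from the exhibits' own sample row, the component placements, loss levels and resulting ratings are illustrative assumptions, not the authors' solution; the function and field names are this example's own.

```python
"""Risk-rating helper for the TJX case matrices (Exhibits 1-3).

Added example, not the authors' code. The rating rule below follows the
assignment text: a weakness with no corrective action in place rates
High when a substantial loss resulted and Moderate when only minor
losses may occur; any other weakness is treated as a control deficiency
and rates Low. Strengths are not rated.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Iterable

# Risk types used in Exhibits 1-3: F = Financial, C = Compliance, O = Operational
RISK_TYPES = ("F", "C", "O")
LOSS_LEVELS = ("substantial", "minor", "none")


@dataclass(frozen=True)
class ControlIssue:
    component: str                   # framework component the issue maps to
    issue: str                       # control issue drawn from the case narrative
    weakness: bool                   # True = weakness, False = strength
    corrective_action: bool = False  # corrective actions in place when found?
    loss: str = "none"               # loss suffered as a result (see LOSS_LEVELS)
    types: tuple = ()                # subset of RISK_TYPES


def rate_risk(issue: ControlIssue) -> str:
    """Return 'High', 'Moderate', 'Low', or '' (strengths are not rated)."""
    if not issue.weakness:
        return ""
    if issue.loss not in LOSS_LEVELS:
        raise ValueError(f"unknown loss level: {issue.loss!r}")
    if not issue.corrective_action and issue.loss == "substantial":
        return "High"
    if not issue.corrective_action and issue.loss == "minor":
        return "Moderate"
    return "Low"  # deficiency found, corrective action in place or no loss attributed


def matrix_rows(issues: Iterable[ControlIssue]) -> list[tuple[str, str, str, str, str]]:
    """Build (component, issue, strength/weakness, rating, types) rows for an exhibit."""
    rows = []
    for i in issues:
        unknown = set(i.types) - set(RISK_TYPES)
        if unknown:
            raise ValueError(f"unknown risk type(s): {sorted(unknown)}")
        kind = "Weakness" if i.weakness else "Strength"
        types = ", ".join(t for t in RISK_TYPES if t in i.types)  # keep F, C, O order
        rows.append((i.component, i.issue, kind, rate_risk(i), types))
    return rows


def rating_counts(issues: Iterable[ControlIssue]) -> dict[str, int]:
    """Count rated weaknesses per level; a quick view of the overall control risk."""
    counts = {"High": 0, "Moderate": 0, "Low": 0}
    for i in issues:
        rating = rate_risk(i)
        if rating:
            counts[rating] += 1
    return counts


def render(rows: list[tuple[str, str, str, str, str]]) -> str:
    header = ("COSO Component", "Control Issue", "Strength or Weakness",
              "Risk Assessment", "Type Risk")
    return "\n".join(" | ".join(r) for r in (header, *rows))


# Constructed register. Row 0 reproduces the exhibits' sample row; the loss
# levels and ratings of the remaining rows are this example's assumptions.
TJX_ISSUES = [
    ControlIssue("Control Environment",
                 "TJX does not have a board of directors information technology committee",
                 weakness=True, corrective_action=False, loss="none", types=("F", "C", "O")),
    ControlIssue("Control Activities",
                 "In-store wireless transactions transmitted using WEP",
                 weakness=True, corrective_action=False, loss="substantial", types=("C", "O")),
    ControlIssue("Control Activities",
                 "Job kiosk PCs directly connected to the corporate network and open to USB devices",
                 weakness=True, corrective_action=False, loss="substantial", types=("C", "O")),
    ControlIssue("Monitoring",
                 "Intrusion remained undetected for approximately 18 months",
                 weakness=True, corrective_action=False, loss="substantial", types=("F", "C", "O")),
    ControlIssue("Monitoring",
                 "Ongoing data security monitoring program instituted after the breach",
                 weakness=False),
]

if __name__ == "__main__":
    print(render(matrix_rows(TJX_ISSUES)))
    print(rating_counts(TJX_ISSUES))
```

The same rule and row layout serve Exhibits 2 and 3; only the component names in the register change (for example, "Deliver and Support" in place of "Control Activities" for COBIT). Keeping the loss level and corrective-action flag as explicit fields makes each rating traceable to the evidence cited for it, which is what the written report has to defend.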
1. Internal Environment: Encompasses the tone of the organization, sets the basis for how
risk is perceived and addressed.
2. Objective Setting: Ensures management has in place a process to set objectives that
support and are in line with the entity’s mission and are consistent with their risk appetite.
3. Event Identification: Identifies internal and external events that may impact the
achievement of an entity’s objectives, distinguishing between risks and opportunities.
4. Risk Assessment: Analyzes risks, considering the likelihood and impact as a basis for how
risks should be managed.
5. Risk Response: Management selects a risk response: avoiding, accepting, reducing, or
sharing risk; develops a set of actions aligned with the entity’s risk tolerance and appetite.
6. Control Activities: Include policies and procedures in place that limit risks that may impact
the organization’s objectives. Examples include activities related to security (application
and network), application change management, business continuity and backups, and
outsourcing.
7. Information and Communication: Relevant information must be identified, captured, and
communicated in a form and timeframe that allows individuals to carry out their
responsibilities. Assessment involves evaluating the quality of information and
effectiveness of the communication.
8. Monitoring: A process must exist to verify internal control systems are functioning over
time. Accomplished through ongoing monitoring, separate evaluations, and reporting of
deficiencies.
EXHIBIT 2
Requirement 2 TJX 2004 COSO ERM Risk Assessment Matrix
Risk Assessment (High, Moderate, or Low); Type Risk (F = Financial, C = Compliance, and/or O = Operational)
Note: When completing this requirement, additional rows may be added as needed.
COSO ERM Component | Control Issue | Strength or Weakness | Risk Assessment | Type Risk
1. Internal Control Environment | TJX does not have a board of directors information technology committee | Weakness | Low | F, C, O
2. Objective Setting | | | |
3. Event Identification | | | |
4. Risk Assessment | | | |
5. Risk Response | | | |
6. Control Activities | | | |
7. Information and Communication | | | |
8. Monitoring | | | |
Assignment 3
2007 COBIT Framework Assessment Requirements
Using the 2007 COBIT framework related to each of the four domains identified below,
perform a robust risk assessment identifying any internal control issues related to the use of
information technology. Next, classify each internal control issue as a strength or weakness, and
then, for each weakness, assess its risk as high, moderate, or low (high risk occurs when a company
does not have any corrective actions in place when a key internal control weakness is found, and
the company suffers a substantial loss as a result; moderate risk occurs when an internal control
weakness is found and the company does not have any corrective actions in place, but only
minor losses may occur as a result; and low risk occurs when an internal control weakness is
found and is considered a control deficiency). Finally, classify each risk as a financial,
compliance, and/or operational risk (financial refers to internal controls designed to provide
reasonable assurance regarding the reliability of the financial statements; compliance is concerned
with adherence to rules, policies, and procedures, both internal and external to the organization;
and operational is concerned with the effectiveness and efficiency of the organization’s activities
and whether they help to reduce risks faced by the organization). Use Exhibit 3 to document your
work.
1. Plan and Organize: Define strategic plan, identify IT that may contribute to the
achievement of business strategy/objectives, ensure compliance with external requirements,
assess risk, and manage projects.
2. Acquire and Implement: Acquire, develop, and implement IT solutions identified.
3. Deliver and Support: Concerned with the delivery of required services, including support,
training, education, security, and continuity. Manage configuration, data, facilities
operations, and problems.
4. Monitor and Evaluate: Assess IT for quality and compliance (management oversight,
independent assurance by internal and external sources, independent audit).
EXHIBIT 3
Requirement 3 TJX 2007 COBIT Risk Assessment Matrix
Risk Assessment (High, Moderate, or Low); Type Risk (F = Financial, C = Compliance, and/or O = Operational)
Note: When completing this requirement, additional rows may be added as needed.
COBIT Component | Control Issue | Strength or Weakness | Risk Assessment | Type Risk
1. Plan and Organize (IT environment) | Assessment of Risks—lack of control over information technology environment | Weakness | High | F, C, O
2. Acquire and Implement (program development and change) | | | |
3. Deliver and Support (computer operations and access to programs and data) | | | |
4. Monitor and Evaluate (IT environment) | | | |
EXHIBIT 4
Requirement 4 1992 COSO-2007 COBIT Mapping Matrix
Note: When completing this requirement, additional rows may be added as needed.
COBIT Component | COSO Component: Control Environment | Risk Assessment