Breach of Data at TJX: An Instructional Case Used to Study COSO and COBIT, with a Focus on Computer Controls, Data Security, and Privacy Legislation

2011, Vol 26 (3), pp. 521-545
Author(s): Sandra J. Cereola, Ronald J. Cereola

ABSTRACT: Internal control frameworks (ICF) provide a basis for understanding controls in an organization and for making judgments about the effectiveness of controls. The Sarbanes-Oxley Act of 2002 (SOX) requires companies to report, on an ongoing basis, the effectiveness of their internal controls in their annual filings. The Securities and Exchange Commission (SEC) recommends companies use ICF to help achieve compliance with SOX. ICF provide a useful tool for management and auditors evaluating and addressing the adequacy of controls in their organization. As there is no such thing as a “risk-free” enterprise, developing an understanding of ICF is important for students entering the accounting profession. This instructional case provides students the opportunity to assess internal control risks within an organization's information system using a “real-world” problem following COSO (SEC-recommended ICF) and/or COBIT as a guide. Students then evaluate the organization's overall level of internal control risks and formulate recommendations for mitigating such risks.

2014, Vol 90 (3), pp. 1169-1200
Author(s): Sarah C. Rice, David P. Weber, Biyu Wu

ABSTRACT: We examine various penalties that could serve as enforcement mechanisms for Sarbanes-Oxley (SOX) Section 404. We focus on firms with restatements, some of which had previously reported their control weaknesses as required and some of which acknowledged them only after announcing their restatement. We find no evidence that penalties are more likely for firms, managers, or auditors that fail to report existing control weaknesses. Instead, class action lawsuits, management turnover, and auditor turnover are all more likely in the wake of a restatement when control weaknesses had previously been reported. We find similar, although weaker, evidence for Securities and Exchange Commission (SEC) sanctions. These results are consistent with disclosure of control weaknesses making it difficult for management to plausibly claim later that they were unaware of the underlying conditions that led to restatements. The results also suggest that the public and private enforcement mechanisms surrounding SOX 404 are unlikely to provide strong incentives for compliance and offer a potential explanation for why most restatements are issued by firms that previously claimed to have effective internal controls.


2010, Vol 24 (1), pp. 1-21
Author(s): Roberta Ann Barra

ABSTRACT: Little prior research exists on the parameters of internal control activities. The Sarbanes-Oxley Act of 2002 (SOX 2002) makes identifying the properties of these parameters under various conditions important. In this paper, an analytical/reliability engineering methodology is used to investigate the relative impact of penalties versus other types of internal controls on managerial and non-managerial employees’ propensity to commit fraud. Ceteris paribus, increasing required effort with internal controls and/or increasing employee penalties, increases the minimum amount stolen when a fraud incident occurs; that is, more net assets will be taken per fraud incident with controls than without controls. The findings show that the firm’s least-cost scenario with managerial employees is to enforce maximum penalties. The firm’s least-cost scenario with non-managerial employees is to utilize alternative internal controls while imposing minimum penalties. Further, the effectiveness of separation of duties is dependent on the detective controls in the internal control system.


2011, Vol 25 (1), pp. 185-211
Author(s): Linda Wallace, Hui Lin, Meghann Abell Cefaratti

ABSTRACT: The Sarbanes-Oxley Act of 2002 (SOX) created a resurgence of organizational focus on internal controls. In this study, we examine the extent to which the information technology (IT) controls suggested by the ISO 17799 security framework have been integrated into organizations’ internal control environments. We collected survey data from 636 members of the Institute of Internal Auditors (IIA) on the current usage of IT controls in their organizations. In addition to identifying the most and least commonly implemented IT controls, the survey results indicate that control implementation differences exist based on a company’s status as public or private, the size of the company, and the industry in which the company operates. Training of internal auditors and/or IT personnel is also associated with significant differences in implemented controls. We discuss the implications of our research and offer suggestions for future research.


2009, Vol 2 (2), pp. 47-54
Author(s): T. S. Amer, Lawrence C. Mohrweis

This study describes the multifaceted components of an assessment process. The paper explains a novel approach in which an advisory council participated in a fun, hands-on activity to rank-order learning outcomes. The top ranked learning competency, as identified by the advisory council, was the need for students to gain a better understanding of internal controls. With this competency identified, the advisory council exercise was then followed up by a modification in the auditing course. An empirical study, consisting of a control group and a treatment group, was conducted to assess whether performance on an internal control essay question by students now met or exceeded established expectations. The results indicated that students' preliminary understanding of internal controls had been enhanced. The accounting faculty further closed the loop by approving a new internal controls course designed to cover, in greater detail, topics such as the COSO internal controls framework, Sarbanes-Oxley requirements, recent PCAOB statements, and real-world cases involving internal control failures.


2006, Vol 25 (1), pp. 99-114
Author(s): K. Raghunandan, Dasaratha V. Rama

Section 404 of the Sarbanes-Oxley Act and Auditing Standard No. 2 (PCAOB 2004) require management and the auditor to report on internal controls over financial reporting. Section 404 is arguably the most controversial element of SOX, and much of the debate around the costs of implementing section 404 has focused on auditors' fees (Ernst & Young 2005). In this paper, we examine the association between audit fees and internal control disclosures made pursuant to section 404. Our sample includes 660 manufacturing firms that have a December 31, 2004 fiscal year-end and filed the section 404 report by May 15, 2005. We find that the mean (median) audit fees for the firms in our sample for fiscal 2004 is 86 (128) percent higher than the corresponding fees for fiscal 2003. Audit fees for fiscal 2004 are 43 percent higher for clients with a material weakness disclosure compared to clients without such disclosure; however, audit fees for fiscal 2003 are not associated with an internal control material weakness disclosure (in the 10-K filed following fiscal 2004). We also find that the association between audit fees and the presence of a material weakness disclosure does not vary depending on the type of material weakness (systemic or non-systemic).


2016, Vol 32 (3), pp. 117-127
Author(s): Denise Dickins, Rebecca G. Fay

ABSTRACT: Strong systems of internal control over financial reporting (ICFR) are critical to the production of reliable financial statements. Securities and Exchange Commission (SEC) regulations require that companies design, maintain, and regularly evaluate their systems of ICFR, and Auditing Standard No. 5 requires that auditors evaluate companies' systems of ICFR. Therefore, it is necessary for accountants to be able to (1) describe and classify internal controls and (2) determine deficiencies in internal control. Recent reports suggest that accountants may lack sufficient training and guidance in these respects (e.g., Rapoport 2012). This activity provides an opportunity for students to practice these skills while learning more about the Committee of Sponsoring Organizations of the Treadway Commission's (COSO) 2013 Framework. Provided are a summary discussion of ICFR and the COSO 2013 Framework, an outside-of-class reading assignment, and an activity that requires students (independently or in groups, either in or outside of class) to employ critical-thinking skills to: (1) classify (i.e., map) a listing of controls as being aligned with one (or more) of the COSO 2013 Framework's five components and 17 principles that comprise a well-designed system of internal control, and (2) identify any deficiencies (gaps) in design due to missing or inadequate internal controls.


2018, Vol 17 (02), pp. 1850020
Author(s): Georgia Boskou, Efstathios Kirkos, Charalambos Spathis

Recently, internal controls, corporate governance and risk management have received a great deal of attention. Regarding internal control, several research studies address the issue of internal audit quality. Noteworthy, according to Sarbanes–Oxley (SOX) the internal controls over financial reporting are assessed by the auditors and the management. In the present study, we assess internal controls over financial reporting by employing Text Mining techniques. We analyse the annual reports of 133 publicly traded Greek companies. The textual parts of the annual reports that refer to internal audit mechanism are extracted. We adopt a Vector Space model and the term-document matrix records the occurrence frequencies of the terms. By applying feature selection, a set of significant keywords, which are used as predictors, is extracted. The Linear Regression model developed explains the variance of the data and highlights significant predictors. The model manages to successfully assess the internal audit function. By performing PCA, major underlying procedures and concepts related to internal audit quality are revealed. In spite of the undoubted importance of the assessment of internal audit, no previous attempt has been made to assess internal audit and to extract internal audit information from corporate disclosures by using Text Mining techniques. Our results can be useful to internal and external auditors, managers, company decision-makers, regulators and researchers.


2012, Vol 24 (2), pp. 39-49
Author(s): Lemuria D. Carter, Brandis Phillips, Porche Millington

Since the introduction of the Sarbanes-Oxley (SOX) Act in 2002, companies have begun to place more emphasis on information technology (IT) internal controls. IT internal controls are policies that provide assurance that technical systems operate as intended, provide reliable data, and comply with regulations. Research suggests that firms with strong internal controls perform better than those with internal control weaknesses. In this study, the authors evaluate the impact of IT internal controls on firm performance. The sample includes 72 publicly traded firms, 36 that reported IT internal control weaknesses and 36 that did not. The results of ordinary least squares (OLS) regression indicate that substantive IT internal control weaknesses negatively impact firm performance. Results and implications for research and practice are discussed.


2008, Vol 27 (2), pp. 161-179
Author(s): Kam C. Chan, Barbara Farrell, Picheng Lee

SUMMARY: The main objectives of the Sarbanes-Oxley Act of 2002 are to improve the accuracy and reliability of corporate disclosure. Under Section 404 of the Sarbanes-Oxley Act, the external auditor has to report an assessment of the firm’s internal controls and attest to management’s assessment of the firm’s internal controls. Material weaknesses in internal controls must be disclosed in the auditor and management reports. The objective of this study is to examine if firms reporting material internal control weaknesses under Section 404 have more earnings management compared to other firms. The results provide mild evidence that there are more positive and absolute discretionary accruals for firms reporting material internal control weaknesses than for other firms. Since the findings of ineffective internal controls by auditors under Section 404 may cause firms to improve their internal controls, Section 404 has the potential benefits of reducing the opportunity of intentional and unintentional accounting errors and of improving the quality of reported earnings.