Sep 27th, 2018
Background
The TJX Companies Inc. (hereafter TJX or the company), based in Framingham, Massachusetts, is one of the largest domestic and international off-price retailers of apparel and fashion. TJX sells brand-name items ranging from family apparel, accessories, bedding, and furniture to jewelry, beauty products, and housewares. TJX uses a low-cost-of-operations approach, and its core target customers are middle- to upper-middle-income shoppers. TJX operates five business segments: three in the U.S. and one each in Canada and Europe. A publicly traded company, TJX is ranked 119th in the Fortune 500. On December 18, 2006, the company discovered an unauthorized intrusion into its computer systems that compromised millions of customer records. Upon discovery, TJX engaged two leading computer security and incident response companies to help with the investigation. The investigative companies established a security plan designed to monitor the intrusion, protect customer data, and strengthen the computer systems against future attacks. The company then contacted the appropriate law enforcement agencies, including the U.S. Department of Justice, the U.S. Secret Service, and the U.S. Attorney's Office in Boston, on December 22, 2006. It was discovered that the breach spanned approximately 18 months, from July 2005 until its detection on December 18, 2006. The company made a public notification of the intrusion on January 17, 2007. The investigation revealed that the perpetrators used directional antennas and a laptop to intercept electronic transactions sent over a local store's wireless network, and further compromised the corporate network by uploading utility programs from USB drives onto in-store computer kiosks, later using these terminals to access the corporate network.
The perpetrators also used keylogging techniques to obtain user identification and password information from the corporate network, which was later used to create fictitious accounts and collect transaction information. TJX suffered significant financial losses as a result of this attack and has since taken steps to increase computer security by implementing protocols and an ongoing program to monitor data security.

Purpose:
An internal control review is an overall assessment of the internal control system and of whether it sufficiently addresses the relevant risks of the company. An internal control review helps protect, monitor, direct, and measure an organization's tangible and intangible resources. It determines whether an organization's controls are appropriate by establishing whether its policies and procedures are adequate and whether it properly structures its governance, monitors manpower management, and periodically reviews business activities. Internal control reviews provide value to organizations by encouraging adherence to prescribed policies and procedures, increasing the effectiveness and efficiency of operations, improving the reliability of financial reporting, promoting compliance with applicable laws and regulations, and detecting and preventing errors and irregularities in a timely manner. This review applies that purpose to TJX and addresses solutions to its internal control deficiencies.

Scope:
This report provides an overall assessment of TJX's internal controls and focuses primarily on the company's IT and information security program controls as they relate to the 2006 breach. The team performed a top-down assessment of TJX's internal controls, evaluated the organization's IT controls, identified and analyzed internal control issues using the 1992 COSO framework, determined compliance with applicable laws and regulations, and investigated regulatory complaints filed against the company.

Findings:
The team's review and analysis of the company's internal controls determined that TJX possesses a strong and effective control environment. The company's top-down attitude enables continual development and reassessment of internal controls. TJX is strongly committed to acting with integrity and has demonstrated a willingness to act ethically. The company operates under the Remember Everyone Affects Customer Happiness (REACH) philosophy. This approach centers on management and staff and encourages the performance of duties in a manner that values sustainable, ethical, and responsible actions that exceed stakeholders' expectations. TJX segregates duties so as to reduce or eliminate opportunities for fraud, and fosters an environment in which employees are likely to resist the temptation to commit fraud if the opportunity presents itself, to report fraud that does occur, and to bring limitations of internal controls that they discover to the attention of decision makers. TJX demonstrates a commitment to developing and retaining competent individuals who align with its control environment objectives. While TJX's board of directors lacks an IT committee, and with it the understanding and evaluation of information systems at the highest level of authority, and despite the severity of the 2006 security breach, the company has instituted an environment that allows deficiencies to be corrected and has made financial reparations to stakeholders and others who suffered losses as a result of the company's IT security failure.

The success of TJX depends critically on the information systems on which its operations are based. The company uses corporate computer networks in the U.S. and internationally, as well as in-store networks. In selling its products, the company uses these networks to collect personal information from customers in order to obtain authorization for payment card purchases, verify personal checks, and process merchandise returns, along with sensitive customer information that could be used to facilitate harm to customers. Because of TJX's dependence on information systems and its low-cost-of-operations approach, the company failed to adequately assess the risks associated with information system security and did not specify objectives with sufficient clarity to enable the identification and assessment of risks related to information system security. This constitutes a high-risk control issue, making it a major deficiency under the Committee of Sponsoring Organizations (COSO) Integrated Framework that translates to a material weakness for Section 404 of the Sarbanes-Oxley Act (SOX) compliance purposes. Principle 11 of the COSO framework, which addresses compliance with the Sarbanes-Oxley Act, states: "The organization selects and develops control activities over technology to support the achievement of objectives." TJX was in clear violation of SOX Section 404, as it failed to implement controls over its information systems that would have minimized the risks and could have prevented the data breach, or at least led to its discovery at a much earlier date. TJX also failed to abide by several standards set by the Payment Card Industry Security Standards Council (PCI). Requirements 3 and 4 of the PCI standards pertain to protecting cardholder data and using proper encryption methods. TJX's failure to abide by these standards left the personal information of its customers vulnerable.
Encrypting the data would have made it unusable to the attackers or forced them to expend additional resources to decode it. Encryption software is readily available and can be developed internally if commercially available packages do not meet the company's needs. TJX should make securing and encrypting customer data a priority. TJX could store only the essential data (names, addresses, etc.), verify the rest (credit card numbers and other such information) rather than retaining it, and develop a framework that allows trustworthy third parties to process credit card information.
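As an added illustration of the data-minimization recommendation above (example code written for this review, not TJX's own system), the following Python verifies a card number's check digit and then keeps only the last four digits and a keyed HMAC token, so the full card number is never written to storage in clear text. The key, the record layout and the sample transaction are all constructed for the example.

```python
import hmac
import hashlib

# Constructed key for the example. In practice the key lives in an HSM or a
# key management service and is never stored beside the records it protects.
TOKEN_KEY = b"example-key-not-for-production"


def luhn_valid(pan: str) -> bool:
    """Verify a card number's check digit (Luhn) before accepting it."""
    digits = [int(c) for c in pan if c.isdigit()]
    if len(digits) < 13 or len(digits) > 19:
        return False
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def minimize_transaction(record: dict) -> dict:
    """Return a copy of the transaction that keeps only what the business
    needs: name, address, amount, the last four digits and a keyed token.
    The full PAN, expiry and track data are verified and then discarded."""
    pan = record["pan"].replace(" ", "")
    if not luhn_valid(pan):
        raise ValueError("card number failed verification")
    # Keyed hash: the same card yields the same token (useful for returns
    # and fraud checks) but the PAN cannot be recovered without the key.
    token = hmac.new(TOKEN_KEY, pan.encode(), hashlib.sha256).hexdigest()
    return {
        "name": record["name"],
        "address": record["address"],
        "amount": record["amount"],
        "pan_last4": pan[-4:],
        "pan_token": token,
    }


# Constructed sample shaped like a cleartext in-store transaction record.
SAMPLE = {"name": "A. Customer", "address": "1 Main St", "amount": "42.17",
          "pan": "4111 1111 1111 1111", "expiry": "12/09", "track2": "..."}

if __name__ == "__main__":
    print(minimize_transaction(SAMPLE))
```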

The review and assessment of internal controls revealed that TJX also lacked multiple control activities related to information system security during business operations. Following the breach of data at TJX, the Federal Trade Commission issued a complaint against the company for violation of its standards, which stated in part:
8. Since at least July 2005, respondent engaged in a number of practices that, taken together, failed to provide reasonable and appropriate security for personal information on its networks. In particular, respondent:
(a) created an unnecessary risk to personal information by storing it on, and transmitting it between and within, in-store and corporate networks in clear text;
(b) did not use readily available security measures to limit wireless access to its networks, thereby allowing an intruder to connect wirelessly to in-store networks without authorization;
(c) did not require network administrators and other users to use strong passwords or to use different passwords to access different programs, computers, and networks;
(d) failed to use readily available security measures to limit access among computers and the internet, such as by using a firewall to isolate card authorization computers; and
(e) failed to employ sufficient measures to detect and prevent unauthorized access to computer networks or to conduct security investigations, such as by patching or updating anti-virus software or following up on security warnings and intrusion alerts.
The complaint highlighted major high-risk control deficiencies in the company's control activities related to information system security for operating purposes. These control deficiencies allowed the perpetrators to connect to in-store wireless networks without authorization and access customer information stored in clear text. It is recommended that TJX use an authentication system for logging on to the network, to prevent employees and staff from accessing information that is not necessary to perform their job functions and to prevent unauthorized users from accessing the corporate network and information systems.

Furthermore, TJX did not require its employees to use strong passwords or to use different passwords to access different programs, computers, and networks. TJX must require its employees to practice proper password security by using passwords that are unique to each user of the company's information systems and difficult to guess, requiring different passwords for different functions, and requiring a password update at least once a year.
TJX also failed to use readily available security measures to limit access among computers and the internet. TJX should have implemented firewalls to protect and isolate critical or vulnerable areas of the network and IT systems, particularly those containing important, confidential customer data, such as card authorization computers, and connections to networks outside of the company's control.
The company's jobseeker kiosks represented another high-risk, unsecured point of access to the company's information systems. The kiosks were not sufficiently isolated from the main corporate network and were open to anyone, allowing attackers to use them as points of entry to both the main network and in-store networks. The intruders used their unrestricted access to the unprotected jobseeker kiosks to upload utility programs and later used these terminals to access the corporate network. The perpetrators also used keylogging technology to obtain information from the corporate network and created fictitious accounts that were later used to collect transaction information from the company, compromising sensitive customer information. TJX should have isolated the kiosk computers from the corporate network and prevented them from transmitting information to the corporate network without authorization. The company should also have protected them with firewalls and similar defenses.

As a result of the lack of internal controls over the information security system, it was determined that the company lacked the ability to generate relevant, quality information to support the functioning of the other components, particularly control activities and risk assessment. Many control activities and risk assessment controls rely on the reliability and timeliness of information and reports, making this a high-risk control weakness. The absence of controls and information played a role in the delayed discovery of the data breach that compromised customer data. This lack of information and controls related to information system security did not enable communication of internal control deficiencies in a timely manner to those parties responsible for taking corrective action, including senior management and the board of directors. It is recommended that TJX invest in its information system security in order to benefit from the relevant information that stronger controls will provide and to identify and communicate signs of unauthorized entry into the company's networks. Upon discovery of the unauthorized intrusion, TJX exercised a strong control related to information and communication by engaging two leading computer security and incident response companies and the appropriate law enforcement agencies to conduct an investigation and to monitor and protect the information systems' data. TJX also exercised a strong control by establishing a special helpline and creating a special link on its company website that provided updated information on the breach.

TJX failed to implement controls that monitor its information security system. The company failed to comply with COSO Principle 16, which states: "The organization selects, develops, and performs ongoing and/or separate evaluations to ascertain whether the components of internal control are present and functioning." This is a high-risk control issue: TJX's lack of monitoring of its own information security systems allowed the breach to continue for an extended period of time, which in turn led to a massive loss of data affecting millions of TJX's customers. Proper monitoring processes would have helped TJX discover the breach sooner and would have decreased the losses that occurred. The breach served as an impetus to reevaluate security risks and procedures and to institute new security measures. One resolution for monitoring controls is for TJX to provide a training and awareness program that teaches employees to look for signs of unauthorized intrusion. Another recommendation is to enable application and network logs and monitor them. This allows staff to communicate suspicious or abnormal material or use of the company's information systems. A third recommendation is to monitor user access to the network. This is designed to examine unusual activity on the computer network.
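As an added example of the log-monitoring recommendation above (written for this review, not a TJX control), the following Python runs two simple checks over constructed authentication log lines: any activity sourced from the in-store kiosk segment, and any login by an account less than a day after its creation, which together mirror the kiosk-to-corporate-network and fictitious-account path described in the findings. The address range, the log format and the log lines are all constructed.

```python
import ipaddress
from datetime import datetime, timedelta

# Constructed address range for the example: the in-store kiosk segment
# should never be the source of corporate account activity.
KIOSK_NET = ipaddress.ip_network("10.50.0.0/16")
NEW_ACCOUNT_WINDOW = timedelta(hours=24)

# Constructed log lines in a simple "time event key=value..." format.
SAMPLE_LOG = """\
2005-07-14T02:11:05 useradd user=svc_report3 src=10.50.3.20
2005-07-14T02:15:40 login user=svc_report3 src=10.50.3.20 host=corp-db01
2005-07-14T09:02:11 login user=jsmith src=10.10.4.8 host=corp-mail
2005-07-15T03:40:02 login user=svc_report3 src=10.50.3.20 host=corp-db01
"""


def parse(line: str) -> dict:
    """Split one log line into a dict with parsed time and event name."""
    ts, event, *kv = line.split()
    fields = dict(p.split("=", 1) for p in kv)
    fields["time"] = datetime.fromisoformat(ts)
    fields["event"] = event
    return fields


def find_alerts(log_text: str) -> list:
    """Return (time, reason, user) tuples for suspicious events: any event
    sourced from the kiosk segment, and any login by an account created
    less than NEW_ACCOUNT_WINDOW earlier in the same log."""
    created = {}
    alerts = []
    for line in log_text.splitlines():
        e = parse(line)
        if ipaddress.ip_address(e["src"]) in KIOSK_NET:
            alerts.append((e["time"], "activity from kiosk segment", e["user"]))
        if e["event"] == "useradd":
            created[e["user"]] = e["time"]
            continue
        if e["event"] != "login":
            continue
        born = created.get(e["user"])
        if born is not None and e["time"] - born < NEW_ACCOUNT_WINDOW:
            alerts.append((e["time"], "newly created account used", e["user"]))
    return alerts


if __name__ == "__main__":
    for when, reason, user in find_alerts(SAMPLE_LOG):
        print(when.isoformat(), reason, user)
```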

Conclusion
Based on our analysis, the task force finds that TJX is not in compliance with SOX, because the company failed to identify IT weaknesses that present the risk of material misstatement and to implement appropriate controls to provide reasonable assurance that internal controls are working properly and to reduce the probability of such material misstatement. In addition, we find that TJX is not in compliance with Section 5(a) of the Federal Trade Commission Act, because its failure to provide reasonable and appropriate security measures constitutes an unfair act or practice.
Because TJX failed to accurately assess the risk and effects of unauthorized intrusion into its information systems and network, the company did not have important network security protocols in place and failed to regularly check whether its systems were compromised. The company did not regularly patch or update antivirus software, conduct network security investigations, or follow up on security warnings or intrusion alerts. As a result, the company failed to provide timely information about the data breach and incurred significant losses when the network was eventually breached. The lack of internal controls over information system security led to a breach spanning approximately 18 months.

Proper monitoring processes would have helped TJX discover the breach sooner and would have decreased the losses that occurred. The breach served as an impetus to reevaluate security risks and procedures and institute new security measures. TJX developed a comprehensive new IT system security plan and certified that its computer systems met applicable state and federal standards.