Please find both the attachments of week 3 and week 11 discussions.
Deception
In general, deception refers to a creation of a system component that looks real, but, is in fact, a trap, which helps to achieve several security objectives, such as diversion of attention towards bogus assets, related wasting of energy and time, creation of uncertainty, and conducting of real-time security analysis (Amoroso, 2012). Therefore, a well-developed deceptive system provides a common interface that does not allow the intruder to recognize the differences between real and bogus assets.
The most common form of deception relates to creation of fake attack entry points in the form of honey pots (Cohen, 2006). Thus, creation of deceptive systems requires going through several stages, including scanning (search for exploitable entry points), discovery (finding of exploitable entry points that can be real or fake), exploitation (using of discovered vulnerability), and exposing (observing of behavior of adversary) (Amoroso, 2012). All these stages may raise serious legal and/or social issues, which require the intervention of the national legal community.
As a result, the major goal of the deceptive system usually is to observe the behavior of adversaries in action. Based on the analysis of these actions, the administrator usually conducts certain actions, such as restricting of access due to frequent guessing of password, accessing of bogus documents that have special placement, and others. However, deception still remains a poorly understood security approach due to its complexity despite the need of an in-depth understanding of the infrastructure. Therefore, construction of an effective deceptive system requires such rationales as selective infrastructure use, sharing of results and insights and reuse of tools and methods.
Question: What are the major inefficiencies in the deception technology nowadays and how can they be mitigated?
References
Amoroso, E. (2012). Cyber attacks: protecting national infrastructure. Elsevier.
Cohen, F. (2006). The use of deception techniques: Honeypots and decoys. Handbook of Information Security, 3(1), 646-655.
Chapter 12
Secure Communications and Network Attacks
Network and Protocol Security Mechanisms
Secure Communications Protocols
Authentication Protocols
overview
Secure Communications Protocols
IPSec
Kerberos
Secure Shell (SSH)
Signal Protocol
Secure Remote Procedure Call (S-RPC)
Secure Sockets Layer (SSL)
Transport Layer Security (TLS)
Authentication Protocols
Challenge Handshake Authentication Protocol (CHAP)
Password Authentication Protocol (PAP)
Extensible Authentication Protocol (EAP)
Secure Voice Communications
Voice over Internet Protocol (VoIP)
Weaknesses and attacks
Secure Real-Time Transport Protocol (SRTP)
Social Engineering
In person, over the phone, e-mail, IM, social networks
PBX Fraud and Abuse
Direct Inward System Access (DISA)
Phreakers
Black box, Red box, Blue box, White box (DTMF)
Multimedia Collaboration
Remote Meeting
Instant Messaging
Manage Email Security
Email Security Goals
Understand Email Security Issues
Email Security Solutions
overview
Email Security Goals
SMTP, POP, IMAP
Open relay, closed relay, authenticated relay
Nonrepudiation
Restrict access
Integrity
Verify delivery
Confidentiality
Understand Email Security Issues
Lack of encryption
Delivery vehicle for malware
Lack of source verification
Flooding
Attachments
Email Security Solutions
Secure Multipurpose Internet Mail Extensions (S/MIME)
MIME Object Security Services (MOSS)
Privacy Enhanced Mail (PEM)
DomainKeys Identified Mail (DKIM)
Pretty Good Privacy (PGP)
Opportunistic TLS for SMTP Gateways
Sender Policy Framework (SPF)
Reputation filtering
Remote Access Security Management
Remote Access and Telecommuting Techniques
Plan Remote Access Security
Dial-Up Protocols
Centralized Remote Authentication Services
overview
Remote Access and Telecommuting Techniques
Service specific
Remote control
Screen scraper/scraping
Remote node operation
Plan Remote Access Security
POTS/PSTN, VoIP, VPN
Authentication, remote access justification, encrypted for confidentiality
Monitor for abuses
Remote connectivity technology
Transmission protection
Authentication protection
Remote user assistance
Dial-Up Protocols
Point-to-Point Protocol (PPP)
Serial Line Internet Protocol (SLIP)
Centralized Remote Authentication Services
Remote Authentication Dial-In User Service (RADIUS)
Terminal Access Controller Access-Control System (TACACS+)
TACACS, XTACACS
Virtual Private Network
Tunneling
How VPNs Work
Common VPN Protocols
PPTP, L2F, L2TP, IPSec
SSH, TLS
Virtual LAN
Virtualization
Hypervisors
VM escaping
Virtual Software
Virtual applications
Virtual desktop
Virtual Networking
Software Defined Network (SDN)
Network virtualization
Virtual SAN
Network Address Translation
Private IP Addresses (RFC 1918)
10.0.0.0–10.255.255.255 (a full Class A range)
172.16.0.0–172.31.255.255 (16 Class B ranges)
192.168.0.0–192.168.255.255 (256 Class C ranges)
Stateful NAT
Port Address Translation (PAT)
Static and Dynamic NAT
Automatic Private IP Addressing (APIPA)
169.254.x.y
Loopback Address
Switching Technologies
Circuit Switching: constant traffic; fixed known delays; connection oriented; sensitive to connection loss; used primarily for voice
Packet Switching: bursty traffic; variable delays; connectionless; sensitive to data loss; used for any type of traffic
Virtual Circuits
PVCs and SVCs
WAN Technologies 1/2
WAN Connection Technologies 1/2
Dedicated vs. Nondedicated
DS-0, DS-1, DS-3, T1, T3
ISDN
BRI vs. PRI
Channel Service Unit/Data Service Unit (CSU/DSU)
Data Terminal Equipment/Data Circuit-Terminating Equipment (DTE/DCE)
X.25
WAN Technologies 2/2
WAN Connection Technologies 2/2
Frame Relay
Committed Information Rate (CIR)
ATM
Switched Multimegabit Data Service (SMDS)
Synchronous Digital Hierarchy (SDH)
Synchronous Optical Network (SONET)
SDLC, HDLC
Miscellaneous Security Control Characteristics
Transparency
Verify Integrity
Transmission Mechanisms
Logging
Error correction
Security Boundaries
Areas of different security requirements
Classifications
Physical vs. logical
Should be clearly defined
Prevent or Mitigate Network Attacks
DoS and DDoS
Eavesdropping
Impersonation/masquerading
Replay attacks
Modification attacks
Address resolution protocol spoofing
DNS poisoning, spoofing, and hijacking
Hyperlink spoofing
Conclusion
Read the Exam Essentials
Review the chapter
Perform the Written Labs
Answer the Review Questions
What do you think were the critical factors that fueled the need for IT governance? In what ways did ISO affect the standards for network security?
Please make your initial post and two response posts substantive. A substantive post will do at least TWO of the following:
· Ask an interesting, thoughtful question pertaining to the topic
· Answer a question (in detail) posted by another student or the instructor
· Provide extensive additional information on the topic
· Explain, define, or analyze the topic in detail
· Share an applicable personal experience
· Provide an outside source (for example, an article from the UC Library) that applies to the topic, along with additional information about the topic or the source (please cite properly in APA)
· Make an argument concerning the topic.
At least one scholarly source should be used in the initial discussion thread. Be sure to use information from your readings and other sources from the UC Library. Use proper citations and references in your post.
Managing and Using Information Systems: A Strategic Approach – Sixth Edition
Keri Pearlson, Carol Saunders, and Dennis Galletta
© Copyright 2016
John Wiley & Sons, Inc.
Chapter 9
Governance of the Information Systems Organization
Learning Objectives
Understand how governance structures define how decisions are made
Describe governance based on organization structure, decision rights, and control
Discuss examples and strategies for implementation.
Intel’s Transformation
Huge performance improvements between 2013 and 2014
Was it due to a spending increase?
Intel’s evolution
1992: Centralized IT
2003: Protect Era – lockdown (SOX & virus)
2009: Protect to Enable Era (BYOD pressure)
No, it was due to a spending decrease, not an increase.
They focused on protecting to enable, not just locking down
Intel Reached Level 3:
Developing programs and delivering services
Contributing business value
Transforming the firm
Previously: categorized problems as “business” or “IT”
Now: Integrated solutions are the only way
IT Governance
Governance (in business) is all about making decisions that
Define expectations,
Grant authority, or
Ensure performance.
Empowerment and monitoring will help align behavior with business goals.
Empowerment: granting the right to make decisions.
Monitoring: evaluating performance.
A decision right is an important organizational design variable since it indicates who in the organization has the responsibility to initiate, supply
information for, approve, implement, and control various types of decisions.
IT Governance
IT governance focuses on how decision rights can be distributed differently to facilitate three possible modes of decision making:
centralized,
decentralized, or
hybrid
Organizational structure plays a major role.
Four Perspectives
Traditional – Centralized vs decentralized
Accountability and allocation of decision rights
Ecosystem
Control structures from legislation
Centralized vs. Decentralized Organizational Structures
Centralized – bring together all staff, hardware, software, data, and processing into a single location.
Decentralized – the components in the centralized structure are scattered in different locations to address local business needs.
Federalism – a hybrid of centralized and decentralized structures.
Organizational continuum
Federalism
Most companies would like to achieve the advantages of both centralization and decentralization.
Leads to federalism
Distributes power, hardware, software, data and personnel
Between a central IS group and IS in business units
A hybrid approach
Some decisions centralized; some decentralized
Federal IT
Recent Global Survey
Percent of firms reporting that they are:
Centralized: 70.6%
Decentralized: 13.5%
Federated: 12.7%
Figure 9.4 IT Accountability and Decision Rights Mismatches
High decision rights, low accountability: Technocentric Gap
Danger of overspending on IT creating an oversupply
IT assets may not be utilized to meet business demand
Business group frustration with IT group
High decision rights, high accountability: Strategic Norm (Level 3 balance)
IT is viewed as competent
IT is viewed as strategic to business
Low decision rights, low accountability: Support Norm (Level 1 balance)
Works for organizations where IT is viewed as a support function
Focus is on business efficiency
Low decision rights, high accountability: Business Gap
Cost considerations dominate IT decision
IT assets may not utilize internal competencies to meet business demand
IT group frustration with business group
Figure 9.5 Five major categories of IT decisions.
Category | Description | Examples of Affected IS Activities
IT Principles | How to determine IT assets that are needed | Participating in setting strategic direction
IT Architecture | How to structure IT assets | Establishing architecture and standards
IT Infrastructure Strategies | How to build IT assets | Managing Internet and network services; data; human resources; mobile computing
Business Application Needs | How to acquire, implement and maintain IT (insource or outsource) | Developing and maintaining information systems
IT Investment and Prioritization | How much to invest and where to invest in IT assets | Anticipating new technologies
Political Archetypes (Weill & Ross)
Archetypes label the combinations of people who either provide information or have key IT decision rights
Business monarchy, IT monarchy, feudal, federal, IT duopoly, and anarchy.
Decisions can be made at several levels in the organization (Figure 9.6).
Enterprise-wide, business unit, and region/group within a business unit.
For each decision category, the organization adopts an archetype as the means to obtain inputs for decisions and to assign responsibility for them.
Political Archetypes
Organizations vary widely in their archetypes selected
The duopoly is used by the largest portion (36%) of organizations for IT principles decisions.
IT monarchy is the most popular for IT architecture (73%) and infrastructure decisions (59%).
Figure 9.6 IT governance archetypes
There is no best arrangement for the allocation of decision rights.
The most appropriate arrangement depends on a number of factors, including the type of performance indicator.
Emergent Governance:
Digital Ecosystems
Challenge a “top down” approach
Self-interested, self-organizing, autonomous sets of technologies from different sources
Firms find opportunities to exploit new technologies that were not anticipated
Good examples:
Google Maps
YouTube
Another Interesting Example
Electronic Health Record
Can connect to perhaps planned sources:
Pharmacy
Lab
Insurance Company
And can connect to unplanned sources:
Banks – for payment
Tax authority – for matching deductions
Smartphone apps – for many purposes
How to Govern in this case?
Might be difficult to impossible!
The systems might simply emerge and evolve over time
No one entity can plan these systems in their entirety
Mechanisms for Making Decisions
Policies and Standards (60% of firms)
Review board or committee
Steering committee (or governance council)
Key stakeholders
Can be at different levels:
Higher level (focus on CIO effectiveness)
Lower level (focus on details of various projects)
Summary of Three Governance Frameworks
Governance Framework | Main Concept | Possible Best Practice
Centralization-Decentralization | Decisions can be made by a central authority or by autonomous individuals or groups in an organization. | A hybrid, Federal approach
Decision Archetypes | Specifying patterns based upon allocating decision rights and accountability. | Tailor the archetype to the situation
Digital Ecosystems | Members of the ecosystem contribute their strengths, giving the whole ecosystem a complete set of capabilities. | Build flexibility and adaptability into governance.
A Fourth – Out of a Firm’s Control:
Legislation
Sarbanes-Oxley Act (SoX) (2002)
To increase regulatory visibility and accountability of public companies and their financial health
All companies subject to the SEC are subject to SoX.
CEOs and CFOs must personally certify and be accountable for their firm’s financial records and accounting.
Firms must provide real-time disclosures of any events that may affect a firm’s stock price or financial performance.
20 year jail term is the alternative.
IT departments play a major role in ensuring the accuracy of financial data.
IT Control and Sarbanes-Oxley
In 2004 and 2005, IT departments began to
Identify controls,
Determine design effectiveness, and
Test to validate operation of controls
IT Control and Sarbanes-Oxley
Five IT control weaknesses are repeatedly uncovered by auditors:
Failure to segregate duties within applications, and failure to set up new accounts and terminate old ones in a timely manner
Lack of proper oversight for making application changes, including appointing a person to make a change and another to perform quality assurance on it
Inadequate review of audit logs to not only ensure that systems were running smoothly but that there also was an audit log of the audit log
Failure to identify abnormal transactions in a timely manner
Lack of understanding of key system configurations
Frameworks for Implementing SoX
COSO – Committee of Sponsoring Organizations of the Treadway Commission.
Created three control objectives for management and auditors that focused on dealing with risks to internal control
Operations – maintain and improve operating effectiveness; protect the firm’s assets
Compliance – with relevant laws and regulations.
Financial reporting – in accordance with GAAP
Control Components
Five essential control components were created to make sure a company is meeting its objectives:
Control environment (culture of the firm)
Assessment of most critical risks to internal controls
Control processes that outline important processes and guidelines
Communication of those procedures
Monitoring of internal controls by management
Frameworks (continued)
COBIT (Control Objectives for Information and Related Technology)
IT governance framework that is consistent with COSO controls.
Issued in 1996 by Information Systems Audit & Control Association (ISACA)
A company must
Determine the processes/risks to be managed.
Set up control objectives and KPIs (key performance indicators)
Develop activities to reach the KPIs
Advantages – well-suited to organizations focused on risk management and mitigation, and very detailed.
Disadvantages – costly and time consuming
IS and the Implementation of SoX Compliance
The IS department and CIO are involved with the implementation of SoX.
Section 404 deals with management’s assessment of internal controls.
Six tactics that CIOs can use in working with auditors, CFOs, and CEOs (Fig. 9.9):
Knowledge building (Build a knowledge base)
Knowledge deployment (Disseminate knowledge to management.)
Innovation directive (Organize for implementing SoX)
Mobilization (Persuade players and subsidiaries to cooperate)
Standardization (Negotiate agreements, build rules)
Subsidy (Fund the costs)
A CIO’s ability to employ these various tactics depends upon his/her power (relating to the SoX implementation).
The CIO needs to acquire and manage the considerable IT resources to make SoX compliance a reality.
978-1-5386-6589-3/18/$31.00©2018 IEEE
COSO Framework for Warehouse Management Internal Control Evaluation: Enabling Smart Warehouse Systems
Ratna Sari
Information Systems Department,
School of Information Systems,
Bina Nusantara University,
Jakarta 11480, Indonesia
Computer Science Department, BINUS
Graduate Program – Doctor of
Computer Science, Bina Nusantara
University, Jakarta, Indonesia 11480
rasari@binus.edu
Raymond Kosala
Computer Science Department, BINUS
Graduate Program – Doctor of
Computer Science, Bina Nusantara
University, Jakarta, Indonesia 11480
rkosala@binus.edu
Benny Ranti
Faculty of Computer Science,
Universitas Indonesia,
Depok 16424, Indonesia
ranti@ui.ac.id
Suhono Harso Supangkat
Sekolah Teknik Elektro dan
Informatika,
Institut Teknologi Bandung,
Bandung, Indonesia
suhono@lpik.itb.ac.id
Abstract— There are many ways for a company to improve its performance; one of them is optimizing the internal control of the company’s activities. Internal control is intended to evaluate company activities and operations. This study is a case study at PT. XYZ on the evaluation of internal controls in warehouse management using the COSO framework approach. Of the 5 elements and 17 principles, the study found 2 principles that have not been applied at PT. XYZ: enforced accountability and control over technology. The recommendation given is a system improvement intended to make the inventory system more accurate and reliable, to enable smart warehouse systems inside organizations.
Keywords: internal control, COSO framework, warehouse
management, evaluation
I. INTRODUCTION
There are many ways for the company to improve its
performance, one of them is optimizing the internal control
of the company’s activities and also implementation of the
new system to increase efficiency and effectiveness in all
business process activities [4]. Internal control is a process
undertaken by company management to assist the
achievement of operations, reporting and in accordance with
the compliance [9]. The internal optimization is needed
because it describes the overall rules and procedures used by
management to improve management effectiveness in the
business and identify lack of internal control in the business
processes that it can make the organization vulnerable and
possible risks occurs, eventually all these risks can have an
impact on a company’s financial performance [2].
In warehouse management, internal controls devoted to
optimizing the functions, including the process of finished
goods inventory, and it useful to organize the distribution
process to the market. According to Rita Makumbi (2013)
[6] the function of the warehouse management is one of a
service that can help the company’s operational functions
run smoothly as a store of raw material, unfinished goods,
until stock the finished goods or inventory. One of the
problem in warehouse management is high production of
manufacture, company must pay attention to the process
from the beginning of production, to the process of goods
delivery, and inventory calculations.
One of famous approach for warehouse management
control is using COSO framework. COSO framework is one
of tools to maintain the effectiveness and efficiency of
inventory process in organizations [12]. COSO framework
also known as integrated framework that can help company
to:(1) warehouse operation process more effective and
efficient; (2) accountable and reliable of inventory stock
calculation; (3) compliances with government law and
regulations [8].
This research took case study from PT. XYZ as one of
company who implemented the warehouse management.
Based on observing in PT. XYZ, we found that company
still difficulty to balance the production and inventory
storage in warehouse which impact to lack of inventory
control.
II. LITERATURE REVIEW
Early definition of internal control is the plan of
organization to coordinate methods and measure all the
element in process business safe, accurate, reliable,
encourage the prescribed managerial policies [10]. Another
definition of internal control is philosophy of risk alignment,
risk management, ethics, policies, resources, tasks and
responsibilities according to organizational capacity to
manage risk [12].
In warehousing planning and control, company produces
various product, company needs good control over its
inventory which two main objectives such as (1) warehouse
inventory planning and control; (2) reliable inventory report
to support financial statements [11]
Related to COSO framework, basic concepts of internal
control are:(a) internal control is an integrated process and a
tool that can be used to achieve organization goals; (b)
Internal control is not only limited to policies and
procedures but should include all levels within the
organization; (c) Internal control can only provide a
reasonable guarantee, not an absolute guarantee, because
there are limitations that can obstruct the absoluteness of the
internal control itself; (d) Internal Control will ultimately
result in achievement of goals in categories of financial
statements, compliance, operational activities [13].
Using COSO framework for evaluating the internal
control helps company to calculate the probability of risk
which can occur adversely [2]. However COSO can
maintain and support the company to maintain risk which
known can give positive feedback nor negative [12].
The COSO framework consists of five components: (1) Control environment; (2) Risk assessment; (3) Control activities; (4) Information & Communication; (5) Monitoring activities [7].
Figure 1. The COSO Cube [3]
Table 1. Component of Internal Control in COSO [1]
III. METHODOLOGY
With COSO framework approach this research starting
with process business analysis as preliminary measurement
and basic analysis in PT. XYZ then continue with internal
control evaluation as follow:
Figure 2. The Research Flow for Warehouse Management
Evaluation in PT. XYZ
For detail performed as follows:
1) Meeting related to explaining flow of evaluation
process.
2) Conducting interviews with stakeholders such as IS
team leader operations, IS analyst, supervisor factory
logistics, team leader factory logistics, warehouse staff,
forklift drivers, internal control, and IPG (Information
Protection & Governance) to observe and also learn
detail about how the business process run, systems
used and also the company’s internal control
procedures.
3) Documents checking related to the process of the
finished goods inventory.
4) Doing directly observations in order to learn and
understand more clearly about the working procedures
associated with the process of finished goods
inventory.
IV. ANALYSIS AND RESULT
A. FINDINGS
Based on the results of research and interviews as
part of internal control evaluation, here are the results:
Based on the result above, of the 17 principles of the COSO framework, 2 principles are in the red area for the medium and high risk area, 6 principles are in the yellow area (“not fully adapted”) for the medium and high risk area, and a total of 9 principles are in the green area for the low and high risk area.
For the red area, we conducted deeply investigation
as high level evaluation for give the best
recommendation. We found incorrect procedure during
the process of inventory cycle in warehouse, due to goods
receipt in warehouse is not loaded to the shelf directly
and it put to wrong shelf. The impact, a lot of expired
inventory due to incorrect process in goods issue. The
inventory are stored in a multilevel shelf. During the
good issue and shipment for delivery, it was taken
randomly.
Another issued for the red area is control activities for
control over technology. PT. XYZ not only use
warehouse management but also already used one of the
systems like robot machine systems for put the inventory
during the goods receipt. The process starts when
shipping case sent by the conveyor and the systems will
create into one pallet by robot machine then the next step
is data will be stored in the robot database, but once in
while systems went down, there is no back up so the
process will be stopped or create manually. The effect for
this case is lack of control for goods receipt.
B. RECOMMENDATION
After we found the fact findings about internal control
evaluation for warehouse management in PT. XYZ, the
recommendation is as follow:
• Conducting customization through warehouse
management system at PT. XYZ.
• Change business processes related to system
requirements.
The recommendation above expected, will support and
improved the process in PT. XYZ such as:(1) Eliminate the
manual process; (2) Provide reliable information about
location of inventory stored and retrieved; (3) Trackable
inventory; (4) Provide real-time information related to
inventory in the warehouse.
The recommendation of design architecture for
warehouse management customization is using Three-Tier
Architecture. While the warehouse management will
integrated with robot machine and the application will store
into one single application server. This design purpose with
benefit: (1) optimized the server for storage, data process
and retrieving database; (2) Reduce data duplication [5].
Figure 3. Three-Tier Architecture [5]
The business process changes purposed as follow:
Figure 4. System Design (components shown: Robot Machine Systems; Warehouse Management Systems; Database; Interface Process Integration; Mobile Scanner (Goods Issue); Inventory Barcode Create; Automatic Inventory Stock Calculation; Recommendation for Goods Issue Movement (First In First Out Method Adoption))
System design from figure 4, describes about additional
interface process integration as bridging between warehouse
management systems and robot machine systems which all
data from the systems will save into single database.
Otherwise the process will improve since the inventory
movement will follow with FEFO (First Expired First Out),
like picture describe in figure 5.
Table 2. Coso Matrix Performance in PT. XYZ
In the figure 5 shown the inventory movement while
systems automatically will scan and check the criteria. If the
criteria of the product proper the next step systems will
input into inventory systems and robot systems will take the
product into the pallet specifically based on criteria and
create delivery notes, afterwards the inventory staff will put
into shelf storing. For the next process, PT. XYZ move the
process of inventory into FEFO System (First Expired First
Out): the systems will create the delivery note (inventory
selection based on expired date) and show which the
inventory should out and help the inventory staff find the
correct inventory.
V. CONCLUSION
COSO framework not only providing better internal
control but also measurement of compliance risk due to
reviewing the organization operational as well. COSO
framework can support the risk mitigation, which can give
recommendation and also solution to the company.
Through 5 elements and 17 principles, it will help
company reach the objective nor goal of effectiveness and
efficiency company operation. Another opinion COSO
framework is likely common audit that enables controls not
the business operations but also all personnel inside of
company.
REFERENCES
[1] COSO Framework. (2016). Retrieved from http://www.bussvc.wisc.edu/intcntrls/cosoframework.html
[2] Diane J. Janvrin, E. A. (2012). The Updated COSO
Internal Control— Integrated Framework:
Recommendations and Opportunities for Future
Research. JOURNAL OF INFORMATION SYSTEMS,
189-213.
[3] J. Stephen McNally, C. (2013, June 2013). The 2013 COSO Framework & SOX Compliance : ONE APPROACH TO AN EFFECTIVE TRANSITION. Retrieved from https://www.coso.org/documents/COSO%20McNallyTransition%20Article-Final%20COSO%20Version%20Proof_5-31-13
[4] Jokipii, A. (2009). Determinants and consequences of
internal control in firms: a contingency theory based
analysis. Springer Science-Business Media, 115-144
[5] Kambalyal, C. (2010). Three Tier Architecture.
Retrieved from
http://channukambalyal.tripod.com/NTierArchitecture.
[6] Makumbi, R. (2013). Introduction to Warehousing
Principles and Practices. Lambert Academic
Publishing.
Figure 5 – The Process of Inventory Movement
[7] Martin, K., Sanders, E., & Scalan, G. (2014). The Potential Impact of COSO Internal Control Integrated Framework Revision on Internal Audit Structured SOX Work Program. Elsevier – Research in Accounting Regulations.
[8] Mary B. Curtis, F. H. (2000). The components of a
comprehensive framework of internal control. The
CPA Journal, 64-66.
[9] Miles E.A. Everson, S. E. (2013). Internal Control —
Integrated Framework. NY: Committee of Sponsoring
Organizations of the Treadway Commission.
[10] Procedure, A. I. (2008). Codification of auditing
standards and procedures . University of Mississippi
Library. Accounting Collection.
[11] Ravee, J. M. (2009). Pengantar Akuntansi-Adaptasi
Indonesia . Jakarta: Salemba Empat.
[12] Thomas V. Scannell, S. C. (2013). Supply Chain Risk
Management within the Context of COSO’s Enterprise
Risk Management Framework. Journal of Business
Administration Research, 15-28, Vol. 2, No. 1.
[13] Tsay, B.-Y. (2010). Designing an Internal Control
Assessment Program Using COSO’s Guidance on
Monitoring. New York: The CPA Journal.