What do you think were the critical factors that fueled the need for IT governance? In what ways did ISO affect the standards for network security?

Need 200 words in APA

978-1-5386-6589-3/18/$31.00©2018 IEEE

COSO Framework for Warehouse Management

Internal Control Evaluation: Enabling Smart

Warehouse Systems

Ratna Sari
Information Systems Department,
School of Information Systems,

Bina Nusantara University,
Jakarta 11480, Indonesia

Computer Science Department, BINUS

Graduate Program – Doctor of
Computer Science, Bina Nusantara

University, Jakarta, Indonesia 11480
rasari@binus.edu

Raymond Kosala
Computer Science Department, BINUS

Graduate Program – Doctor of
Computer Science, Bina Nusantara

University, Jakarta, Indonesia 11480
rkosala@binus.edu

Benny Ranti
Faculty of Computer Science,

Universitas Indonesia,
Depok 16424, Indonesia

ranti@ui.ac.id

Suhono Harso Supangkat
Sekolah Teknik Elektro dan

Informatika,
Institut Teknologi Bandung,

Bandung, Indonesia
suhono@lpik.itb.ac.id

Abstract— There are many ways for the company to
improve its performance, one of them is optimizing the
internal control of the company’s activities. Internal
control is intended to evaluate company activities and
operations. This study took a case study at PT. XYZ
related to the evaluation of internal controls in
warehouse management using the COSO framework
approach. From 5 elements and 17 Principle, study
found, there are 2 principles that have not been applied
in PT. XYZ; enforced accountability and control over
technology. The recommendation given is system
improvement as intended the inventory system to be
more accurate and reliable to enable smart warehouse
systems inside organizations.

Keywords: internal control, COSO framework, warehouse

management, evaluation

I. INTRODUCTION
There are many ways for the company to improve its

performance, one of them is optimizing the internal control
of the company’s activities and also implementation of the
new system to increase efficiency and effectiveness in all
business process activities [4]. Internal control is a process
undertaken by company management to assist the
achievement of operations, reporting and in accordance with
the compliance [9]. The internal optimization is needed
because it describes the overall rules and procedures used by
management to improve management effectiveness in the
business and identify lack of internal control in the business
processes that it can make the organization vulnerable and
possible risks occurs, eventually all these risks can have an
impact on a company’s financial performance [2].

In warehouse management, internal controls devoted to
optimizing the functions, including the process of finished
goods inventory, and it useful to organize the distribution
process to the market. According to Rita Makumbi (2013)
[6] the function of the warehouse management is one of a
service that can help the company’s operational functions
run smoothly as a store of raw material, unfinished goods,
until stock the finished goods or inventory. One of the

problem in warehouse management is high production of
manufacture, company must pay attention to the process
from the beginning of production, to the process of goods
delivery, and inventory calculations.

One of famous approach for warehouse management
control is using COSO framework. COSO framework is one
of tools to maintain the effectiveness and efficiency of
inventory process in organizations [12]. COSO framework
also known as integrated framework that can help company
to:(1) warehouse operation process more effective and
efficient; (2) accountable and reliable of inventory stock
calculation; (3) compliances with government law and
regulations [8].

This research took case study from PT. XYZ as one of
company who implemented the warehouse management.
Based on observing in PT. XYZ, we found that company
still difficulty to balance the production and inventory
storage in warehouse which impact to lack of inventory
control.

II. LITERATURE REVIEW
Early definition of internal control is the plan of

organization to coordinate methods and measure all the
element in process business safe, accurate, reliable,
encourage the prescribed managerial policies [10]. Another
definition of internal control is philosophy of risk alignment,
risk management, ethics, policies, resources, tasks and
responsibilities according to organizational capacity to
manage risk [12].

In warehousing planning and control, company produces
various product, company needs good control over its
inventory which two main objectives such as (1) warehouse
inventory planning and control; (2) reliable inventory report
to support financial statements [11]

Related to COSO framework, basic concepts of internal
control are:(a) internal control is an integrated process and a
tool that can be used to achieve organization goals; (b)
Internal control is not only limited to policies and
procedures but should include all levels within the
organization; (c) Internal control can only provide a
reasonable guarantee, not an absolute guarantee, because

there are limitations that can obstruct the absoluteness of the
internal control itself; (d) Internal Control will ultimately
result in achievement of goals in categories of financial
statements, compliance, operational activities [13].

Using COSO framework for evaluating the internal
control helps company to calculate the probability of risk
which can occur adversely [2]. However COSO can
maintain and support the company to maintain risk which
known can give positive feedback nor negative [12].

COSO framework is consist of five: (1) Control
environment; (2) Risk assessment; (3) Control activities; (4)
Information & Communication; (5) Monitoring activities
[7].

Figure 1. The COSO Cube [3]

Table 1. Component of Internal Control in COSO [1]

III. METHODOLOGY
With COSO framework approach this research starting

with process business analysis as preliminary measurement
and basic analysis in PT. XYZ then continue with internal
control evaluation as follow:

Figure 2. The Research Flow for Warehouse Management

Evaluation in PT. XYZ

For detail performed as follows:
1) Meeting related to explaining flow of evaluation

process.
2) Conducting interviews with stakeholders such as IS

team leader operations, IS analyst, supervisor factory
logistics, team leader factory logistics, warehouse staff,
forklift drivers, internal control, and IPG (Information
Protection & Governance) to observe and also learn
detail about how the business process run, systems
used and also the company’s internal control
procedures.

3) Documents checking related to the process of the
finished goods inventory.

4) Doing directly observations in order to learn and
understand more clearly about the working procedures
associated with the process of finished goods
inventory.

IV. ANALYSIS AND RESULT

A. FINDINGS
Based on the results of research and interviews as

part of internal control evaluation, here are the results:
Based on the result above, total of 17 principles from

COSO framework known as 2 principles is in red area for
medium and high risk area, 6 principles is in yellow area
which “not fully adapted for medium and high risk area
and green area for total 9 principles from low and high
risk area.

For the red area, we conducted deeply investigation
as high level evaluation for give the best
recommendation. We found incorrect procedure during
the process of inventory cycle in warehouse, due to goods
receipt in warehouse is not loaded to the shelf directly
and it put to wrong shelf. The impact, a lot of expired
inventory due to incorrect process in goods issue. The
inventory are stored in a multilevel shelf. During the
good issue and shipment for delivery, it was taken
randomly.

Another issued for the red area is control activities for
control over technology. PT. XYZ not only use
warehouse management but also already used one of the
systems like robot machine systems for put the inventory
during the goods receipt. The process starts when
shipping case sent by the conveyor and the systems will
create into one pallet by robot machine then the next step
is data will be stored in the robot database, but once in
while systems went down, there is no back up so the
process will be stopped or create manually. The effect for
this case is lack of control for goods receipt.

B. RECOMMENDATION
After we found the fact findings about internal control

evaluation for warehouse management in PT. XYZ, the
recommendation is as follow:

x Conducting customization through warehouse
management system at PT. XYZ.

x Change business processes related to system
requirements.

The recommendation above expected, will support and
improved the process in PT. XYZ such as:(1) Eliminate the
manual process; (2) Provide reliable information about
location of inventory stored and retrieved; (3) Trackable
inventory; (4) Provide real-time information related to
inventory in the warehouse.

The recommendation of design architecture for
warehouse management customization is using Three-Tier
Architecture. While the warehouse management will
integrated with robot machine and the application will store
into one single application server. This design purpose with
benefit: (1) optimized the server for storage, data process
and retrieving database; (2) Reduce data duplication [5].

Figure 3. Three-Tier Architecture [5]

The business process changes purposed as follow:

Robot Machine

Systems

Warehouse
Management

Systems

DATABASE

Interface Process Integration

Mobile Scanner (Goods Issue)

Inventory Barcode Create
Automatic Inventory Stock Calculation
Recommendation for Goods Issue
Movement (First In First Out Method
Adoption)

Figure 4. System Design

System design from figure 4, describes about additional

interface process integration as bridging between warehouse
management systems and robot machine systems which all
data from the systems will save into single database.
Otherwise the process will improve since the inventory
movement will follow with FEFO (First Expired First Out),
like picture describe in figure 5.

Table 2. Coso Matrix Performance in PT. XYZ

In the figure 5 shown the inventory movement while
systems automatically will scan and check the criteria. If the
criteria of the product proper the next step systems will
input into inventory systems and robot systems will take the
product into the pallet specifically based on criteria and
create delivery notes, afterwards the inventory staff will put
into shelf storing. For the next process, PT. XYZ move the
process of inventory into FEFO System (First Expired First
Out): the systems will create the delivery note (inventory
selection based on expired date) and show which the
inventory should out and help the inventory staff find the
correct inventory.

V. CONCLUSION

COSO framework not only providing better internal
control but also measurement of compliance risk due to
reviewing the organization operational as well. COSO
framework can support the risk mitigation, which can give
recommendation and also solution to the company.

Through 5 elements and 17 principles, it will help
company reach the objective nor goal of effectiveness and
efficiency company operation. Another opinion COSO
framework is likely common audit that enables controls not
the business operations but also all personnel inside of
company.

REFERENCES

[1] COSO Framework. (2016). Retrieved from

http://www.bussvc.wisc.edu/intcntrls/cosoframework.h
tml

[2] Diane J. Janvrin, E. A. (2012). The Updated COSO
Internal Control— Integrated Framework:
Recommendations and Opportunities for Future
Research. JOURNAL OF INFORMATION SYSTEMS,
189-213.

[3] J. Stephen McNally, C. (2013, June 2013). The 2013
COSO Framework & SOX Compliance : ONE
APPROACH TO AN EFFECTIVE TRANSITION.
Retrieved from
https://www.coso.org/documents/COSO%20McNallyT
ransition%20Article-
Final%20COSO%20Version%20Proof_5-31-13

[4] Jokipii, A. (2009). Determinants and consequences of

internal control in rms: a contingency theory based
analysis. Springer Science-Business Media, 115-144

[5] Kambalyal, C. (2010). Three Tier Architecture.
Retrieved from
http://channukambalyal.tripod.com/NTierArchitecture.
pdf

[6] Makumbi, R. (2013). Introduction to Warehousing
Principles and Practices. Lambert Academic
Publishing.

Figure 5 – The Process of Inventory Movement

[7] Martin, K., Sanders, E., & Scalan, G. (2014). The
Potential Impact of COSO Internal Control Integrated
Framework Revision on Internal Audit Structured
SOX Work Program . Elsivier – Research in
Accounting Regulations.

[8] Mary B. Curtis, F. H. (2000). The components of a
comprehensive framework of internal control. The
CPA Journal, 64-66.

[9] Miles E.A. Everson, S. E. (2013). Internal Control —
Integrated Framework. NY: Committee of Sponsoring
Organizations of the Treadway Commission.

[10] Procedure, A. I. (2008). Codification of auditing
standards and procedures . University of Mississippi
Library. Accounting Collection.

[11] Ravee, J. M. (2009). Pengantar Akuntansi-Adaptasi
Indonesia . Jakarta: Salemba Empat.

[12] Thomas V. Scannell, S. C. (2013). Supply Chain Risk
Management within the Context of COSO s Enterprise
Risk Management Framework. Journal of Business
Administration Research, 15-28, Vol. 2, No. 1.

[13] Tsay, B.-Y. (2010). Designing an Internal Control
Assessment Program Using COSO’s Guidance on
Monitoring. New York: The CPA Journal.

Managing and Using Information Systems:
A Strategic Approach – Sixth Edition

Keri Pearlson, Carol Saunders,
and Dennis Galletta

© Copyright 2016
John Wiley & Sons, Inc.

Chapter 9
Governance of the Information Systems Organization

2

Learning Objectives
Understand how governance structures define how decisions are made
Describe governance based on organization structure, decision rights, and control
Discuss examples and strategies for implementation.
© 2016 John Wiley & Sons, Inc.
3

Intel’s Transformation
Huge performance improvements between 2013 and 2014
Was it due to a spending increase?
Intel’s evolution
1992: Centralized IT
2003: Protect Era – lockdown (SOX & virus)
2009: Protect to Enable Era (BYOD pressure)
© 2016 John Wiley & Sons, Inc.
4

No, it was due to a spending decrease, not an increase.
They focused on protecting to enable, not just locking down
4

Intel Reached Level 3:
Developing programs and delivering services
Contributing business value
Transforming the firm
Previously: categorized problems as “business” or “IT”
Now: Integrated solutions are the only way
© 2016 John Wiley & Sons, Inc.
5

IT Governance
Governance (in business) is all about making decisions that
Define expectations,
Grant authority, or
Ensure performance.
Empowerment and monitoring will help align behavior with business goals.
Empowerment: granting the right to make decisions.
Monitoring: evaluating performance.
© 2016 John Wiley & Sons, Inc.
6

A decision right is an important organizational design variable since it indicates who in the organization has the responsibility to initiate, supply
information for, approve, implement, and control various types of decisions.
6

IT Governance
IT governance focuses on how decision rights can be distributed differently to facilitate three possible modes of decision making:
centralized,
decentralized, or
hybrid
Organizational structure plays a major role.
© 2016 John Wiley & Sons, Inc.
7

Four Perspectives
Traditional – Centralized vs decentralized
Accountability and allocation of decision rights
Ecosystem
Control structures from legislation
© 2016 John Wiley & Sons, Inc.
8

Centralized vs. Decentralized Organizational Structures
Centralized – bring together all staff, hardware, software, data, and processing into a single location.
Decentralized – the components in the centralized structure are scattered in different locations to address local business needs.
Federalism – a hybrid of centralized and decentralized structures.
© 2016 John Wiley & Sons, Inc.
9

9

Organizational continuum

10

Federalism
Most companies would like to achieve the advantages of both centralization and decentralization.
Leads to federalism
Distributes, power, hardware, software, data and personnel
Between a central IS group and IS in business units
A hybrid approach
Some decisions centralized; some decentralized
© 2016 John Wiley & Sons, Inc.
11

11

Federal IT
© 2016 John Wiley & Sons, Inc.
12

12

Recent Global Survey
Percent of firms reporting that they are:
Centralized: 70.6%
Decentralized: 13.5%
Federated: 12.7%
© 2016 John Wiley & Sons, Inc.
13

Figure 9.4 IT Accountability and Decision Rights Mismatches
  Accountability
    Low High
Decision Rights High Technocentric Gap
Danger of overspending on IT creating an oversupply
IT assets may not be utilized to meet business demand
Business group frustration with IT group Strategic Norm (Level 3 balance)
IT is viewed as competent
IT is viewed as strategic to business
Low Support Norm (Level 1 balance)
Works for organizations where IT is viewed as a support function
Focus is on business efficiency Business Gap
Cost considerations dominate IT decision
IT assets may not utilize internal competencies to meet business demand
IT group frustration with business group

© 2016 John Wiley & Sons, Inc.
14

Figure 9.5 Five major categories of IT decisions.
Category Description Examples of Affected IS Activities
IT Principles How to determine IT assets that are needed Participating in setting strategic direction
IT Architecture How to structure IT assets Establishing architecture and standards
IT Infrastructure Strategies How to build IT assets Managing Internet and network services; data; human resources; mobile computing
Business Application Needs How to acquire, implement and maintain IT (insource or outsource) Developing and maintaining information systems
IT Investment and Prioritization How much to invest and where to invest in IT assets Anticipating new technologies

© 2016 John Wiley & Sons, Inc.
15

Political Archetypes (Weill & Ross)
Archetypes label the combinations of people who either provide information or have key IT decision rights
Business monarchy, IT monarchy, feudal, federal, IT duopoly, and anarchy.
Decisions can be made at several levels in the organization (Figure 9.6).
Enterprise-wide, business unit, and region/group within a business unit.
© 2016 John Wiley & Sons, Inc.
16

For each decision category, the organization adopts an archetype as the means to obtain inputs for decisions and to assign responsibility for them.
16

Political Archetypes
Organizations vary widely in their archetypes selected
The duopoly is used by the largest portion (36%) of organizations for IT principles decisions.
IT monarchy is the most popular for IT architecture (73%) and infrastructure decisions (59%).
© 2016 John Wiley & Sons, Inc.
17

Figure 9.6 IT governance archetypes
© 2016 John Wiley & Sons, Inc.
18

There is no best arrangement for the allocation of decision rights.
The most appropriate arrangement depends on a number of factors, including the type of performance indicator.
18

Emergent Governance:
Digital Ecosystems
Challenge a “top down” approach
Self-interested, self-organizing, autonomous sets of technologies from different sources
Firms find opportunities to exploit new technologies that were not anticipated
Good examples:
Google Maps
YouTube
© 2016 John Wiley & Sons, Inc.
19

Another Interesting Example
Electronic Health Record
Can connect to perhaps planned sources:
Pharmacy
Lab
Insurance Company
And can connect to unplanned sources:
Banks – for payment
Tax authority – for matching deductions
Smartphone apps – for many purposes
© 2016 John Wiley & Sons, Inc.
20

How to Govern in this case?
Might be difficult to impossible!
The systems might simply emerge and evolve over time
No one entity can plan these systems in their entirety
© 2016 John Wiley & Sons, Inc.
21

Mechanisms for Making Decisions
Policies and Standards (60% of firms)
Review board or committee
Steering committee (or governance council)
Key stakeholders
Can be at different levels:
Higher level (focus on CIO effectiveness)
Lower level (focus on details of various projects)
© 2016 John Wiley & Sons, Inc.
22

Summary of Three Governance Frameworks
Governance Framework Main Concept Possible Best Practice
Centralization-Decentralization Decisions can be made by a central authority or by autonomous individuals or groups in an organization. A hybrid, Federal approach
Decision Archetypes Specifying patterns based upon allocating decision rights and accountability. Tailor the archetype to the situation
Digital Ecosystems Members of the ecosystem contribute their strengths, giving the whole ecosystem a complete set of capabilities. Build flexibility and adaptability into governance.

© 2016 John Wiley & Sons, Inc.
23

A Fourth – Out of a Firm’s Control:
Legislation
24

© 2016 John Wiley & Sons, Inc.

Sarbanes-Oxley Act (SoX) (2002)
To increase regulatory visibility and accountability of public companies and their financial health
All companies subject to the SEC are subject to SoX.
CEOs and CFOs must personally certify and be accountable for their firm’s financial records and accounting.
Firms must provide real-time disclosures of any events that may affect a firm’s stock price or financial performance.
20 year jail term is the alternative.
IT departments play a major role in ensuring the accuracy of financial data.
© 2016 John Wiley & Sons, Inc.
25

25

IT Control and Sarbanes-Oxley
In 2004 and 2005, IT departments began to
Identify controls,
Determine design effectiveness, and
Test to validate operation of controls
© 2016 John Wiley & Sons, Inc.
26

26

IT Control and Sarbanes-Oxley
Five IT control weaknesses are repeatedly uncovered by auditors:
Failure to segregate duties within applications, and failure to set up new accounts and terminate old ones in a timely manner
Lack of proper oversight for making application changes, including appointing a person to make a change and another to perform quality assurance on it
Inadequate review of audit logs to not only ensure that systems were running smoothly but that there also was an audit log of the audit log
Failure to identify abnormal transactions in a timely manner
Lack of understanding of key system configurations
© 2016 John Wiley & Sons, Inc.
27

Frameworks for Implementing SoX
COSO – Committee of Sponsoring Organzations of the Treadway Commission.
Created three control objectives for management and auditors that focused on dealing with risks to internal control
Operations –maintain and improve operating effectiveness; protect the firm’s assets
Compliance –with relevant laws and regulations.
Financial reporting –in accordance with GAAP
© 2016 John Wiley & Sons, Inc.
28

28

Control Components
Five essential control components were created to make sure a company is meeting its objectives:
Control environment (culture of the firm)
Assessment of most critical risks to internal controls
Control processes that outline important processes and guidelines
Communication of those procedures
Monitoring of internal controls by management
© 2016 John Wiley & Sons, Inc.
29

Frameworks (continued)
COBIT (Control Objectives for Information and Related Technology)
IT governance framework that is consistent with COSO controls.
Issued in 1996 by Information Systems Audit & Control Association (ISACA)
A company must
Determine the processes/risks to be managed.
Set up control objectives and KPIs (key performance indicators)
Develop activities to reach the KPIs
Advantages – well-suited to organizations focused on risk management and mitigation, and very detailed.
Disadvantages – costly and time consuming
© 2016 John Wiley & Sons, Inc.
30

30

IS and the Implementation of SoX Compliance
The IS department and CIO are involved with the implementation of SoX.
Section 404 deals with management’s assessment of internal controls.
Six tactics that CIOs can use in working with auditors, CFOs, and CEOs (Fig. 9.9):
Knowledge building (Build a knowledge base)
Knowledge deployment (Disseminate knowledge to management.)
Innovation directive (Organize for implementing SoX)
Mobilization (Persuade players and subsidiaries to cooperate)
Standardization (Negotiate agreements, build rules)
Subsidy (Fund the costs)
A CIO’s ability to employ these various tactics depends upon his/her power (relating to the SoX implementation).
© 2016 John Wiley & Sons, Inc.
31

The CIO needs to acquire and manage the considerable IT resources to make SoX compliance a reality.
31

Managing and Using Information Systems:
A Strategic Approach – Sixth Edition
Keri Pearlson, Carol Saunders,
and Dennis Galletta

© Copyright 2016
John Wiley & Sons, Inc.