Understanding the COSO 2013 Framework: Four Short Cases for Use in AIS and Auditing Courses

While about 80% of publicly traded companies are moving to COSO 2013, Bob Hirth (who currently chairs COSO) suggests that companies are still working on how to implement the framework in their business. Hirth suggests that determining “how much is enough” to comply with COSO 2013 will continue until there is some sort of “generally accepted” documentation (Buchanan, 2016). Although the SEC did not mandate the use of the COSO 2013 framework for determining internal controls over financial reporting (ICFR), most companies use the framework (Burns & Simer, 2013). When the Committee of Sponsoring Organizations of the Treadway Commission (CSOTC) developed a potential framework, the 2013 COSO Internal Control—Integrated Framework (COSO 2013), for the development and assessment of ICFRs at the end of 2014, the update included the 17 principles and 77 points of focus that guide management to effectively apply the framework and assess its effectiveness. Since many of our students will be auditors or accountants after they graduate, practice applying various components of the COSO 2013 framework can help them develop the analytical and critical thinking skills that are vital to success in the profession. We suggest that the cases presented here help students understand the COSO 2013 framework because: 1) the cases are fictionalized versions of real situations designed to address the COSO 2013 components and related principles, and 2) after testing the cases in several different courses over two semesters, we find high levels of student satisfaction, as well as evidence of student learning.¹

After the initial publication of the updated COSO 2013 framework, the CSOTC issued several guides to assist the governance and audit functions in their evaluation of the effectiveness of the organization's internal control system. For example, one principle of the risk assessment component requires the assessment of fraud risk for the organization. Management and auditors have a responsibility to identify potential fraud risks and to evaluate processes or procedures in place to mitigate this risk (Cotton, Johnigan, & Givarz, 2016; Committee of Sponsoring Organizations of the Treadway Commission, 2013). The Fraud Risk Management Guide, a joint publication of COSO and the Association of Certified Fraud Examiners (ACFE) (2016), provides fraud management risk principles that tie to the five COSO 2013 components.

Management and auditors have different responsibilities when it comes to 1) integrating the COSO 2013 framework into the organization's objectives, risk management, and control, and 2) assessing the effectiveness of the internal control system. The purpose of an internal audit is to provide independent assurance of management's risk management and risk response—i.e., the “third line of defense” (IIA, 2016)—evaluating the effectiveness of risk management and control functions (Anderson & Eubanks, 2015). The cases presented here demonstrate different responsibilities related to risk management and control activities which are discussion topics in courses such as auditing, fraud examination, and accounting information systems.

While it is difficult to isolate individual components of the COSO 2013 framework, we have broken the cases down to focus on a few of the components (and related principles) to help students understand and integrate them. The cases illustrate how the integration of the components can form a strong internal control system. Two of the cases address the risk assessment, control activities, and information/communication components; one addresses the control environment component (explicitly addressing each of the five principles of that component); and the final case requires a fraud risk assessment, as well as identification of the system information and monitoring activities that could mitigate the identified risks. We provide the cases and the recommended responses to the cases in a separate file. The next two sections describe the learning objectives and how we implemented the cases. We then provide evidence of the efficacy of the cases.

Learning objectives of the cases include requiring the students to:

1. Practice performing a risk assessment and making recommendations to respond to the identified risks (Dominic's Donuts, Cost Plus World Market),

2. Identify non-accounting information that could be used to monitor operations (Dominic's Donuts),

3. Evaluate the control environment of an organization in terms of the five principles of the COSO 2013 control environment component (MyBank),

4. Evaluate potential fraud risk, identifying the information and monitoring activities that could be used to mitigate that risk (New Dolphin Phosphate).²

Beginning in the mid-1980s, there has been a call for a reorientation in the content and delivery methods of accounting education (e.g., the American Accounting Association's Committee on the Future Structure, Content, and Scope of Accounting Education (1986) and the 1989 white paper “Perspectives on Education: Capabilities for Success in the Accounting Profession” (Arthur Anderson, 1989)). This discussion continued with Albrecht and Sack's (2000) “Accounting Education: Charting the Course through a Perilous Future,” where the authors noted that instructors did not give students enough “real world” examples. Empirical evidence also highlighted the problem of underprepared graduates who lack the critical thinking skills required in the work environment (Cloete, 2018). Recommendations from that document included discussion of delivery methods that move away from lectures toward approaches that convey critical knowledge, skills, and abilities. The Association to Advance Collegiate Schools of Business (AACSB) standards indicate that accounting students should have skills including, “critical thinking and analytical skills that support professional skepticism, risk assessment, and assurance of accounting information,… internal controls and security” (AACSB accounting accreditation standard A4). We suggest that our cases help develop these skills.

A way to develop critical skills is to employ cases that teach how to deal with uncertainty by applying analytical skills. Bonner (1999), Knechel (1992), Libby (1991), and Saudagaran (1996) encourage the use of cases in accounting education. Albrecht and Sack (2000) insist pedagogy should include elements of group work to teach leadership and teamwork skills. Hughes (2017) points out that upper-level undergraduate and graduate accounting courses often rely upon teaching cases to help students refine their critical thinking, research, analysis, judgment, and writing skills. Because instructors should present the problem situation to students in the same way it would be presented in “real life,” an appropriate case is one that is loosely structured and has no “correct” answer. The theory of Problem-Based Learning (PBL) posits that by researching and investigating information on their own, students will understand the material better and will retain what they learn. Hence, the instructor becomes a discussion facilitator, helping and advising, rather than providing easy answers (White, 1996). In other words, the textbook no longer drives the course, but instead merely serves as one source of information.

Approaches such as PBL have been used successfully in medicine, nursing, and accounting to improve the learning experience and help students to apply their “common sense” as well as the technical knowledge received through course material to unstructured cases with no “correct” answer (e.g., Lehmann & Heagy, 2005). To reinforce concepts introduced through textbooks and lecture materials, the authors and participating instructors use cases extensively throughout their courses. Although it can be a challenge to use short, unstructured cases, the lack of details allows the students to creatively develop responses to the cases and fosters higher-order skills needed to confront the realities facing accounting graduates: asking the right questions, employing skills to transform various types of data, applying analytic techniques, and interpreting results (Mesa, 2019). To recap, the instructor provides guidance, rather than “correct” answers, to encourage the development of these higher-order skills.

At three different universities, instructors have used these cases in various auditing courses (e.g., graduate/undergraduate auditing, graduate IT auditing, undergraduate/graduate internal auditing), fraud examination (graduate level), and accounting information systems courses (undergraduate and graduate). The authors make extensive use of cases during class meetings throughout the semester. The students worked in a small group, with a class discussion following the groups' response development.³ The four cases presented here, along with the case questions, have evolved based on anecdotal feedback from the students and instructors who have used the cases. In the next section, we discuss our use of the cases in various courses.⁴

We use the first case (Dominic's Donuts) during the first day of the class, allowing us to induce our students to consider risk assessment and how to respond to those risks using basic information about a donut shop business—effectively considering the Risk Assessment and Control Activities components of the COSO 2013 framework. We also want the students to start thinking about information that a manager might use to monitor the business operations (the information/communications component). Since accounting students typically think in terms of accounting information (e.g., income statements, balance sheets, etc.), we encourage them to think of non-accounting information used for day-to-day decision-making (i.e., physical information, such as overtime hours per week, numbers and types of products sold by hour). The case is worked in small groups to encourage discussion among the students. We reiterate that no risk is “too outrageous” to be considered, as evaluating the likelihood and impact of each risk are a part of the exercise. After the group determines its responses, the students participate in a class discussion of the group responses. We have used this case (in various forms) on the first day of class in auditing courses (IT auditing, internal auditing) and the accounting information systems course.⁵

The second case (Cost Plus World Market) incorporates the students' evaluation of risks with a cost/benefit analysis. The discussion surrounds a potential system to automate ordering costs and inventory management. As is typical of most decisions like this, there is no right or wrong answer, and both the quantifiable costs (e.g., cost of the system, costs associated with placing an order) and other costs (e.g., employee reluctance to change systems) must be considered. As part of the benefits analysis, the students consider the types of reports that could better manage and monitor inventory. We typically use this case in an accounting information systems course when discussing the procurement process, or in an auditing course when discussing the planning/scoping process of an audit where the team is reviewing the controls in place, as well as the reliability of information processed from the system. Again, having the students work this case in small groups has been found to be an effective approach.

The third (MyBank) and fourth (New Dolphin Phosphate) cases fit in well with a discussion of the COSO 2013 framework. The MyBank case focuses on the control environment component and its related principles (1–5). The New Dolphin Phosphate case focuses on a risk assessment (including an evaluation of fraud risk), as well as evaluating information/reporting, and monitoring activities that mitigate risk.

When used as a group activity, case responses are first developed within the intact small groups of 3–4 students (approximately 20–30 minutes), followed by a class discussion of all groups' responses (15–20 minutes). We have found that as the students do more of these cases, they develop their responses more quickly, and the discussions become very lively. This change may be due to the positive effect of group learning on the motivation to learn and perception of learning (Clinton & Kohlmeyer, 2005). Studies have shown that the transition from lecture-based to case-based learning helps students retain more knowledge and develop critical thinking and teamwork skills (Tan, 2019).

In the fraud examination course, two of the cases (MyBank and New Dolphin Phosphate) provide the opportunity for the instructor to illustrate the importance of the control environment in establishing an anti-fraud culture. The New Dolphin Phosphate case provides an exercise in fraud detection and prevention. The auditing course can also utilize the Cost Plus World Market to illustrate the integration of the COSO risk assessment and information/communication components. Since the cases are relatively short, instructors can implement them by integrating the discussion about the Fraud Triangle into the case responses developed by the students in small groups. Instructors can also assign the cases as individual take-home assignments. In the fraud examination class, the instructor first covered the concept of the control environment and the importance of setting a tone at the top, then asked students to work as a group to complete the MyBank case. For the New Dolphin Phosphate case, the instructor incorporated the case after covering the risk assessment and information/communication, and monitoring components of the COSO framework. On average, the students took about one to two hours⁶ to complete each case as a group.

Below we present a summary table of how we used the cases in different courses for data collection purposes in the Fall 2018 and Fall 2019 semesters (Table 1). We provide a discussion of student enjoyment and learning in the following sections.

When used as in-class activities, the case grade can be a participation grade based on students' participation in the discussion within their groups, as well as participation in the class discussion.⁷ We have the groups identify a “scribe” who writes down the groups' responses to the questions, and all students are expected to participate in the class discussion. While the groups develop their responses to the case questions, the instructor acts as an administrator, answering questions to clarify elements in the case, but not providing answers to the case questions. During the class discussion of the group responses, the instructor acts as a moderator. To determine a participation grade, the instructor can either collect the responses from the group scribe as a record of the participation grade or record names of students who participate in the discussion. For example, each case discussion could be worth 10 points (total of 40 points) in a 500-point course (8% of the course grade). If the students participate in the group and class discussions, they receive the 10 points for that case. The instructors can also use the cases as individual, out-of-class assignments, with grading done against the teaching notes. The instructor can evaluate the responses' identification of issues, analysis of issues, recommendations on effective solutions, and writing mechanics. We have included an example of a grading rubric in Exhibit 1 of the teaching note.

Students at the authors' university are primarily non-traditional students who come from diverse backgrounds ranging from first-generation college students to students who have been working for many years and are pursuing a master's or undergraduate degree in accounting. In addition, some students have a background in the COSO framework (through previous courses such as auditing), while others are hearing about the framework for the first time (e.g., undergraduate students in an auditing course). The goal of utilizing these cases is to attempt to get the students to a common level of understanding of the COSO 2013 framework. Although these cases have been used for several years by the authors, evidence of student enjoyment was previously based on informal student feedback, as well as comments and feedback from instructors who utilized a case (or cases) in various courses. To formalize this process, we collected self-reported student enjoyment data during the Fall 2018 semester⁸ and administered pre- and post-tests to measure learning in the Fall 2019 semester.

We used some or all of the cases in an internal auditing course, a graduate fraud examination course, and undergraduate/graduate auditing courses at the authors' university.⁹ An instructor from a private university in the Northwest also used the cases in her accounting information systems classes and provided anecdotal feedback about her use of the cases.¹⁰ Instructors had the choice as to whether they wanted to use all of the cases or just some of the cases, depending on which cases addressed their teaching objectives.

For one author's internal auditing course (n = 16, 14 graduate accounting students, two undergraduate accounting students), all four cases were utilized. During the fifteen-week semester, the cases were administered as follows: the Dominic's Donuts case during the first class period, the MyBank case the third week of class, the Expense Reimbursement case (Lehmann, 2010) the eleventh week, and the Cost Plus World Market case in week fourteen. The cases were integrated with the class meeting's topic areas and used as in-class, small group¹¹ exercises. Students received participation credit for actively contributing to their group's development of responses and for their involvement in the full-class discussion.

The graduate and undergraduate auditing courses used two of the cases. One non-author instructor used the Cost Plus World Market and MyBank cases in his auditing courses. The instructor used these cases as in-class individual assignments. The instructor stated that the students enjoyed the cases, and he found that the Cost Plus World Market case fostered the most discussion from the students. The graduate auditing instructor used the MyBank case as an out of class assignment for her graduate auditing course. Students said they liked the case because it helped them better understand each of the five underlying principles of the control environment component.

One author used the MyBank case and the Expense Reimbursement case¹² in the graduate fraud examination course as in-class assignments. Students worked on the cases in groups. Each group had two to three students. The in-class assignment provided students an opportunity to discuss their understanding of each component of the COSO framework, especially how the attitudes of top management affect the company's actions, policies, and procedures. Students informally commented to their instructor that the MyBank case helped them understand why the control environment is referred to as an umbrella over the other four components of internal control. The Expense Reimbursement case (i.e. the updated version of the Lehmann, 2010 case) provided an opportunity for students to apply the risk assessment, information and communication, and monitoring components of the COSO framework. But we noted the Expense Reimbursement case needed updating, so we developed the New Dolphin Phosphate case for use in future semesters.

A non-author instructor at the private university in the Northwest used all four cases in her accounting information systems course during the Fall 2018 quarter. Students worked the cases in small groups in class. The instructor spent 30–45 minutes of class time on each case. She found the bank case the most useful of the four cases, as her students struggle to understand the COSO framework's control environment component. She ranked the Expense Reimbursement (Lehmann, 2010) case as her second “favorite,” noting the students enjoyed working that case as well. She remarked that the Cost Plus World Market case was the most useful for teaching the students recognition of risk exposures. She stated the students really enjoyed all four cases, although the MyBank case encouraged the most discussion from the students.

In the Fall 2019 semester, another non-author instructor at a large university in the Northeast United States used a variation of the New Dolphin Phosphate case¹³ in her AIS course. She assigned this case as an individually submitted assignment after discussing the COSO 2013 framework in class for approximately 50 minutes. She felt the case helped her students apply the framework to a real situation, but that the students struggled with differentiating between control activities (activities implemented to mitigate identified risks) and monitoring activities (review activities to verify that the implemented control activities are working as designed and are effectively mitigating identified risks).

Students in the internal auditing, fraud examination, and auditing courses at our university filled out the survey found in Exhibit 1 in the Fall 2018 semester after working on the cases assigned by their instructor. As mentioned above, some instructors used all four cases, while others used one or two of the cases. Table 2 shows the demographic information for the full sample. All of the students except one were accounting majors, and 43 of the students were graduate students. In the internal auditing class (where all four cases were used), the overwhelming favorite case was the Dominic's Donuts case (56% of the students ranked the case as their favorite). In the other courses, the MyBank case was the students' favorite by 72% of the fraud examination students and 58% of the undergraduate auditing students.¹⁴

Table 3 shows the level of agreement with the survey questions (Exhibit 1) for the full sample (Panel A) and the individual classes (Panels B-D). Students indicated their level of agreement with the survey statements (Exhibit 1). The level of agreement ranged from 0 (strongly disagree) to 100 (strongly agree) in 10% increments. For the full sample, the average mean agreement level for the survey questions ranged from 86.36 (between “agree” and “strongly agree”) for wanting more cases like this to 91.93 for adding to the students' textbook knowledge. In general, the students agreed the cases were realistic (minimum mean 87.93 in fraud examination, maximum mean 94.88 in internal auditing), and they enjoyed working the case (minimum mean agreement 85.70 in undergraduate auditing, maximum mean agreement 89.50 in internal auditing). The cases helped them understand the COSO 2013 framework (minimum mean agreement 88.28 in fraud examination, maximum mean agreement 93.13 in internal auditing) and apply it (minimum mean agreement 88.28 in fraud examination, maximum mean agreement 95.00 in internal auditing). The cases added to their textbook knowledge (minimum mean agreement 89.31 in fraud examination, maximum mean agreement 95.63 in internal auditing). The students also agreed they would like to see more cases like these (minimum mean agreement 86.67 in undergraduate auditing, maximum mean agreement 90.67 in internal auditing).

To evaluate whether there were any differences in the mean agreement levels between the classes, we performed a one-way ANOVA with class as the factor. Table 4 shows there were no significant differences in agreement between the classes, with the exception of Q1 relating to realism of the cases (marginally significant) and Q3 (the cases were a good teamwork exercise), most likely because the undergraduate auditing students did not work the cases in groups.¹⁵ This suggests that the agreement levels did not differ significantly between the classes with regard to realism, enjoyment, etc.

In the Fall 2019 semester, the authors collected pre- and post-test data from two auditing sections (n = 38) that included undergraduates (n = 33) and graduates (n = 5),¹⁶ a cross-listed internal auditing section (n = 16) that included 13 undergraduates (n = 13) and graduates (n = 3), and a graduate accounting information system (AIS) class (n = 7). In all, 61 students completed both the pre- and post-tests, with 46 of the participants listed as undergraduates and 15 of the participants listed as graduate accounting majors (Table 5, Panel A). We surveyed the participants and found that since the Fall 2017 semester (two years prior), 17 of the students had taken an auditing course, 27 had taken an AIS course, three had taken a fraud examination course, and two had taken an internal auditing course (Table 5, Panel B). Two students in the auditing course indicated that they had taken auditing, and one student in the internal auditing course indicated that he/she had taken internal auditing. We suspect that these students did not closely read the survey, which asked which of the classes had been completed since the Fall 2017 semester (emphasis added).

In the undergraduate/graduate internal auditing course and the graduate accounting information systems (AIS) course, we used three of the cases: the Dominic's Donuts case,¹⁷ the MyBank case, and the New Dolphin Phosphate case. The Dominic's Donuts (or a variation) case was administered the first day of class, the MyBank case near the middle of the 15-week semester, and the New Dolphin Phosphate case¹⁸ near the end of the semester. The students worked all cases in groups of three to four (the groups remained intact throughout the semester) during class. We graded the students' work for their participation based on their comments during the class discussion and by observation by the instructor of the within-group discussions as the groups prepared their responses to the case questions. Each case was worth 10 points in a 500-point course for the internal auditing course and 7.5 points (out of 500) for the AIS course.¹⁹

In the two auditing sections, we offered all four cases to the students. In both sections, we used the MyBank case in class after covering the topic of the COSO 2013 framework. The students worked in a small group (2–3 students per group) to discuss the case and submitted their written responses as a group at the end of the class. The case was worth 5 points out of 340-point total for the auditing course. The instructor offered the other three cases (Dominic's Donuts, Cost Plus World Market, and the chemical plant version of the New Dolphin Phosphate) as extra credit individual assignments. Each bonus case was worth 3 points. Most of the students completed all three of the bonus cases.

In these 15-week courses, we gave the pre-test the first day of the class and gave the post-test during a class meeting in mid-November. The tests administered to the students with the correct answers can be found in the Teaching Note. Scores were based on the number of correct answers out of the 18 true/false questions.

Table 6 shows the mean pre-test and post-test scores by classification (i.e., undergraduate versus graduate). The mean pre-test score for the undergraduates (12.04) was lower than the mean pre-test score for the graduates (13.47). Likewise, the mean post-test score for the undergraduates (13.24) was lower than the mean post-test score of the graduates (14.40). The undergraduates showed a mean increase of 1.43 points on the post-test, an 8% increase over the mean pre-test score. The graduate mean increase was 0.93 points on the post-test, or a 5% mean increase over the pre-test score.

Table 8 analyzes the differences between undergraduates and graduates on the pre-test (Panel A) and between undergraduates and graduates on the post-test scores (Panel B). These results verify statistically what Table 6 shows visually for the pre-test and post-test scores (one-way ANOVA analysis). As would be expected, there was a significant difference in the pre-test scores between graduate students (higher) than undergraduates (p <0.03) (Table 7, Panel A). For the post-test, however, the difference between the graduate and undergraduate scores was only marginally different (p < 0.06) (Table 7, Panel B). Additional analysis showed that courses previously taken did not significantly affect the pre-test scores for either graduates or undergraduates.²⁰

Table 8 shows the results of the paired-sample t-tests for the full sample (Panel A), for undergraduates only (Panel B), and for graduates only (Panel C). For the full sample (Table 8, Panel A), the post-test scores (mean score = 13.52) were significantly higher than the pre-test scores (mean score = 12.39) (p < 0.00). Since the tests were true/false, the mean scores for each question were not meaningful individually, although we did review the paired t-test results to determine which questions showed significant improvement. We also did the same analysis by class and by classification (graduate versus undergraduate). The individual classes all showed significant improvement on the post-test total score (except for the graduate AIS course (n =7)—this is most likely due to the small number of students in the class).

When we parsed the data to evaluate the graduate versus undergraduate participants, the undergraduates showed the most improvement on the post-test both on the total score and on many of the individual questions. The difference in the pre-test (mean score = 12.04) versus post-test scores (mean score = 13.24) for the undergraduates was significant (p < 0.00) (Table 8, Panel A). The graduates also improved on the post-test (pre-test mean score = 13.47 versus post-test mean score = 14.40) (Table 8, Panel C), but the questions that they improved on differed from those that the undergraduates improved on (Table 8, Panels B and C). As shown in Table 7, Panel B, the undergraduates improved on questions 1 (LO4), 4 (LO4 and LO1), 5 (LO3), 6 (LO1), 15 (LO4), 16 (LO1), and marginally improved on question 17 (LO2).²¹ The graduates (Table 8, Panel C) improved on questions 1 (LO4) and 16 (LO1). This is probably related to the graduate students having more experience and coursework than the undergraduates. Overall, our results suggest these cases benefit both undergraduates and graduates in a variety of courses. In general, the undergraduates showed the most improvement on the post-test, but the graduates appeared to benefit from working the cases in their classes as well.

We also ran a general linear model to further evaluate the effects of classification (either undergraduate or graduate) and which class they were taking in the Fall 2019 semester on their test scores (Table 9). As would be expected, classification had a marginally significant effect (p < 0.08) on the participants' scores, but the class they were taking in the Fall 2019 semester (undergraduate auditing, undergraduate/graduate auditing, undergraduate/graduate internal auditing, or graduate AIS) did not significantly affect the participants' scores.

We developed these four cases to help students better understand the COSO 2013 framework and apply one or more of the components of the framework to a case scenario. These cases are intended for use in either graduate or undergraduate accounting information systems, auditing, or fraud examination courses. Various instructors from three universities used the cases; instructors at our university collected feedback and evidence of learning from the students.

Our experience teaching auditing, fraud examination, and accounting information systems courses agrees with prior pedagogy literature, which suggests that case studies have benefits when used in conjunction with traditional methods of course topic presentation (i.e., Boyce et al., 2001; Markus & McConnell, 2001). In addition to helping the students learn to perform risk assessments and controls evaluations, these cases provide a means for students to identify potential fraud risk, control environment issues, and make recommendations to improve internal controls and information presentation in several different scenarios. Our analysis suggests the students enjoyed working the cases and felt they were helpful in understanding the COSO 2013 framework. Although our pre- and post-test results did not show large improvements in the scores for our graduate participants, the improvement in the overall score was statistically significant. The results for the undergraduates indicated significantly higher post-test scores on questions related to all four of our learning objectives.

The authors would like to thank Jessica Stansel for providing the framework for the Cost Plus World Market case. We also thank Sarah Bee (Seattle University), Lorrie Metzger (University at Buffalo), and Randall Xu (University of Houston – Clear Lake) for agreeing to test our cases in their classes. The work done by Diyoni Apriliana is also appreciated. Feedback from the students at University of Houston – Clear Lake is appreciated, and their comments contributed to the improvement of the cases. Comments from two reviewers, an associate editor, and the editor improved this manuscript considerably.