CVS Pharmacy Case
I have provided a PDF with a case involving CVS Pharmacy. Within Section 1.5 Case requirements, please complete only steps 1 and 2.
Step 1 - Use table 1 and go through each step developing the risk CVS has and if there are any deficiencies within each, please state that as well.
Step 2 - Use Table 2 to complete the step.
Journal of Accounting Education
journal homepage: www.elsevier.com/locate/jaccedu
CVS Pharmacy: An instructional case of internal controls for regulatory compliance and IT risks
Ken H. Guo (a,⁎), Brenda L. Eschenbrenner (b)
(a) Mihaylo College of Business and Economics, California State University, Fullerton, 800 N. State College Blvd., Fullerton, CA 92834-6848, United States
(b) College of Business & Technology, University of Nebraska at Kearney, 1917 W. 24th Street, Kearney, NE 68849, United States
ARTICLE INFO
Keywords: COSO Internal Control-Integrated Framework; COBIT 5; Internal controls; Compliance risk; IT risk
ABSTRACT
The objective of the CVS Pharmacy case study is to teach students how to assess and integrate internal controls from regulatory compliance and information technology (IT) perspectives. The case focuses on the failure of CVS Pharmacy, Inc. to implement necessary controls to comply with regulations that limit the sales of pseudoephedrine. The case gives you the opportunity to systematically apply the Committee of Sponsoring Organizations of the Treadway Commission (COSO) Internal Control – Integrated Framework (May 2013) and the COBIT 5 Framework issued by ISACA to investigate real business and IT issues. More specifically, you can use the frameworks to identify internal control deficiencies, compliance risks, and IT risks. Based on this assessment, you can recommend relevant control measures. The case is appropriate for undergraduate accounting information systems courses, as well as courses such as audit and IT audit by utilizing only one of the frameworks.
1. The case
1.1. Introduction
On October 14, 2010, the United States (US) Attorney’s Office for the Central District of California announced that CVS Pharmacy, Inc. (“CVS Pharmacy”) was fined $77.5 million (which included a $75 million civil penalty and the forfeit of $2.5 million profit) for its unlawful sales of pseudoephedrine to organized crime between September 2007 and November 2008 (US Department of Justice, 2011). Pseudoephedrine is a regulated drug used to treat nasal and sinus congestion. The company was charged for its failure to comply with laws that limited the quantity of the drug sold to individual customers. The sales, according to the Attorney’s Office, directly caused an increase in the production of methamphetamine in California.
CVS Pharmacy is the retail pharmacy subsidiary of CVS Caremark Corporation (hereinafter collectively referred to as “CVS”). In addition to retail pharmacies, CVS also operates pharmacy services, retail clinics, and mail-order pharmacy businesses. In fiscal year 2010, CVS had net revenues of more than $96 billion and a net profit of more than $3 billion (CVS Caremark Corporation, 2010a). In 2010, CVS was the 18th largest company in the Fortune 500, according to its annual report, and one of the largest retail pharmacy chains in the United States (US). As of December 31, 2010, it operated more than 7,100 retail pharmacy stores in the US.
Today’s CVS (listed on the New York Stock Exchange, under the ticker symbol “CVS;” website: http://www.cvs.com) is the result of a series of mergers and acquisitions, as well as expansion into new markets over the past few years. Major mergers and acquisitions included Eckerd ($2.15 billion), Albertson's ($4.0 billion), Caremark ($26.9 billion), and Longs Drugs ($2.6 billion). The markets in which CVS had a presence also increased from 36 states in 2004 to 44 states in 2010. Like other companies in the industry, CVS had to efficiently and effectively manage various risks, such as regulatory compliance and economic downturns, in order to deliver “strong growth and returns to shareholders” (CVS Caremark Corporation, 2010a).
https://doi.org/10.1016/j.jaccedu.2017.11.001 Received 4 May 2017; Received in revised form 19 November 2017; Accepted 21 November 2017
⁎ Corresponding author. E-mail addresses: kguo@fullerton.edu (K.H. Guo), eschenbrenbl@unk.edu (B.L. Eschenbrenner).
Journal of Accounting Education 42 (2018) 17–26
Available online 29 November 2017 0748-5751/ © 2017 Elsevier Ltd. All rights reserved.
1.1.1. Legal background
Pseudoephedrine is one of the key ingredients used to make methamphetamine, which “is a powerfully addictive drug that severely affects users’ minds and bodies, ruins lives, and endangers communities and the environment” (US Department of Justice Drug Enforcement Administration, 2007). It is regulated in many countries around the world such as Australia, New Zealand, and the United Kingdom, to name a few (http://en.wikipedia.org/wiki/Pseudoephedrine).
In the US, as part of the government’s efforts to curb illicit production of methamphetamine, the Combat Methamphetamine Epidemic Act of 2005 (CMEA) was signed into law, effective March 9, 2006, to limit the sales of pseudoephedrine and other related materials. The CMEA set limits of sales of pseudoephedrine by retail drugstores to individuals as follows: (1) the quantity sold to an individual in a day could not exceed 3.6 g, regardless of the number of transactions; and (2) for individuals, purchases in a 30-day period were limited to 9 g.
In addition, the CMEA mandated that regulated retail drugstores implement necessary measures to control and monitor the sales of pseudoephedrine. The required measures included:
1. Placing product such that customers do not have direct access before the sale is made (“behind-the-counter” placement) or in a locked cabinet that is located in an area of the facility to which customers do not have direct access;
2. Delivering the product directly into the custody of the purchaser;
3. Maintaining written or electronic list (logbook) of sales, including quantity sold, names and addresses of purchasers, and date and time of the sales;
4. Examining acceptable forms of a photo identification card;
5. Requiring purchasers to sign the logbook and enter their names, addresses, and date and time of sale; and
6. Informing purchasers that entering false statements or misrepresentations in the logbook may subject them to criminal penalties according to the law.
The CMEA also required retail drugstores to provide proper training to those store-front employees who were responsible for directly dealing with customer purchases. Drugstores were to ensure that these employees understood these legal requirements and followed proper procedures. Drugstores were also to self-certify to relevant authorities in their jurisdictions to demonstrate that all store-front employees had undergone the required training.
In accordance with the CMEA, the US Department of Justice Drug Enforcement Administration (DEA) created some specific rules relating to logbooks required to be maintained by drugstores (US Department of Justice Drug Enforcement Administration, 2006). Paper logbooks were to be bound. For electronic logbooks, the records needed to be readily retrievable by the store or law enforcement agencies, and an electronic signature system could be implemented to capture customers’ signatures. The DEA also required the following notice to be included in all logbooks and to be shown to customers:
“WARNING: Section 1001 of Title 18, United States Code, states that whoever, with respect to the logbook, knowingly and willfully falsifies, conceals, or covers up by any trick, scheme, or device a material fact, or makes any materially false, fictitious, or fraudulent statement or representation, or makes or uses any false writing or document knowing the same to contain any materially false, fictitious, or fraudulent statement or entry, shall be fined not more than $250,000 if an individual or $500,000 if an organization, imprisoned not more than five years, or both.”
If inclusion of the notice in the logbooks was not feasible, the notice was to be displayed in a place where the customer would see it when providing relevant information to complete a purchase.
For mail-order pharmacies, the purchase by an individual was limited to 3.6 g per day and 7.5 g in a 30-day period. Some requirements for retail drugstores were not applicable for mail-order pharmacies. These included “behind-the-counter”-like physical control measures and customers signing logbooks. However, the CMEA required mail-order sellers to file monthly reports with the DEA and verify customer identities prior to shipping.
In addition to the Federal CMEA, state laws imposed additional restrictions. According to the DEA, state laws varied considerably from state to state (US Department of Justice Drug Enforcement Administration, 2006). For example, 27 states imposed single transaction limits and 19 states had monthly or weekly limits. As emphasized by the DEA, “CMEA does not preempt those requirements under State laws/regulations that are more stringent than the CMEA requirements…. all persons subject to CMEA must comply with the CMEA and the laws in the State(s) in which they sell [pseudoephedrine].”
1.1.2. Pseudoephedrine “smurfing”
Since mid-2007, the state of California experienced a surge of large-scale methamphetamine production (US Department of Justice National Drug Intelligence Center, 2009). According to the National Drug Intelligence Center (NDIC), the surge was fueled by the organized and widespread pseudoephedrine “smurfing.” Smurfing occurs when multiple, individual purchases of pseudoephedrine at quantities at or below legal limits are made in an attempt to avoid legal ramifications. The pseudoephedrine purchases are then combined together afterwards in order to produce methamphetamine. NDIC found that pseudoephedrine acquired through smurfing was sent in bulk to methamphetamine producers in Mexico. According to the US Attorney’s Office (US Attorneys' Office Central District of California, 2010), the surge of smurfing in California could be partly attributed to CVS Pharmacy’s failure to control the sales of pseudoephedrine as required by the CMEA. During the period of more than one year starting mid-2007, smurfers were able to make repeated purchases of pseudoephedrine from CVS Pharmacy stores that exceeded federal limits set by the CMEA. Sometimes, smurfers were able to “clean out store shelves.”
1.2. CVS Pharmacy’s compliance practices
According to the investigation by the DEA and other law enforcement agencies (US Attorneys' Office, 2010), CVS Pharmacy had implemented certain measures in order to comply with the CMEA. These measures included physical control of pseudoephedrine, a paper-based logbook, and subsequently, an electronic logbook (which replaced the paper-based logbook).
1.2.1. Physical control
To comply with the CMEA, CVS Pharmacy moved all products containing pseudoephedrine behind cash register counters in its retail stores. The company also provided written materials to train and educate employees about the new federal requirements and the problem of using pseudoephedrine to make methamphetamine.
1.2.2. Paper logbook
CVS Pharmacy initially implemented paper-based logbooks, which were deemed CMEA-compliant. By using the paper logbook, cashiers at each store were able to track and prevent excessive pseudoephedrine sales. The paper logbooks recorded customer names alphabetically and past purchases made by customers.
However, the paper logbooks had some limitations, as CVS Pharmacy suggested (US Attorneys' Office, 2010). The limitations included:
1. Store clerks had to review the logbooks and make manual calculations of daily and monthly purchases by customers;
2. Recording sales in the paper logbooks and verifying quantity limits caused delays at the cash register counter and caused inconvenience for customers;
3. Use of the logbooks caused some privacy concerns because customers would have to sign the logbook in front of others; and
4. Each individual retail store had its own logbook, and data was difficult to aggregate across stores.
1.2.3. Electronic logbook
In 2007, CVS Pharmacy decided to replace the paper logbooks with a computer system called “MethCheck.”[1] The system allowed CVS Pharmacy stores to track pseudoephedrine sales and provided information to law enforcement agencies when needed. The system was to be implemented at all CVS Pharmacy stores across the US.
The key feature of the MethCheck system was called “LookBack,” which was designed to track and review customer purchases of pseudoephedrine and prevent any sales that violated federal and state limits. Without the LookBack feature, the system would be dysfunctional. The feature, however, needed to be turned on for all states, regardless of whether a state had daily or monthly limits on pseudoephedrine purchases by individuals (some states, e.g. California and Nevada, do not set monthly limits).[2]
CVS Pharmacy implemented the MethCheck by disabling the LookBack features in those states that did not impose monthly limits.[3] By doing so, the company was essentially unable to prevent aggregated purchases by an individual that exceeded the daily limit of 3.6 g imposed by the CMEA. As a result of implementing the MethCheck, the sales of pseudoephedrine at CVS Pharmacy stores increased significantly from late 2007 to late 2008, particularly in California and Nevada. During that time, some CVS Pharmacy employees raised concerns about excessive purchases of the drug by individuals. Management, however, did not respond promptly by investigating the suspicious increases in sales. Instead, employees were instructed to rely on the MethCheck system to determine whether or not to block a customer purchase. After the government started its investigation of the company’s compliance, CVS Pharmacy changed the configuration of the MethCheck system by enabling the LookBack feature at stores in California and Nevada in late 2008 and all other states in February 2009.
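The configuration flaw described above, as an added example (not code from the case, from CVS, or from the MethCheck vendor): a purchase-limit check replayed over one sales log with look-back disabled and then enabled, plus a configuration review that reports states where it is off. The `Sale` and `StateConfig` types, the function names, the placeholder state `XX` and the sample sales are constructed for illustration; treating a disabled look-back as "only the current transaction is checked" is a modelling assumption.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple

# Federal CMEA retail limits quoted in the case, held as integer milligrams so
# a purchase landing exactly on a limit is not misjudged by float rounding.
FEDERAL_DAILY_MG = 3600   # 3.6 g per individual per day, across transactions
FEDERAL_30DAY_MG = 9000   # 9 g per individual per 30-day period


@dataclass(frozen=True)
class Sale:               # hypothetical logbook record
    customer_id: str      # identity established by the photo ID check
    mg: int
    when: datetime
    store: str


@dataclass(frozen=True)
class StateConfig:        # hypothetical per-state settings, not the vendor's schema
    lookback_enabled: bool
    state_daily_mg: Optional[int] = None   # stricter state limits, if any
    state_30day_mg: Optional[int] = None


def tighter(federal: int, state: Optional[int]) -> int:
    """A state limit may tighten the federal limit but never loosen it."""
    return federal if state is None else min(federal, state)


def decide(log: List[Sale], req: Sale, cfg: StateConfig) -> Tuple[bool, str]:
    """Preventive control: approve or block one requested sale."""
    day_total = month_total = 0
    if cfg.lookback_enabled:
        window_start = req.when - timedelta(days=30)
        for s in log:     # chain-wide log, so purchases at other stores count
            if s.customer_id != req.customer_id or s.when > req.when:
                continue
            if s.when.date() == req.when.date():
                day_total += s.mg
            if s.when > window_start:
                month_total += s.mg
    # Modelling assumption: with look-back off, history counts as zero and only
    # the current transaction is compared with the limits.
    if day_total + req.mg > tighter(FEDERAL_DAILY_MG, cfg.state_daily_mg):
        return False, "daily limit"
    if month_total + req.mg > tighter(FEDERAL_30DAY_MG, cfg.state_30day_mg):
        return False, "30-day limit"
    return True, "ok"


def replay(sales: List[Sale], cfg: StateConfig) -> List[Tuple[Sale, str]]:
    """Detective control: replay a sales log in time order under cfg and
    return the sales that cfg would have blocked."""
    accepted: List[Sale] = []
    blocked: List[Tuple[Sale, str]] = []
    for sale in sorted(sales, key=lambda s: s.when):
        ok, reason = decide(accepted, sale, cfg)
        if ok:
            accepted.append(sale)
        else:
            blocked.append((sale, reason))
    return blocked


def audit_config(configs: Dict[str, StateConfig]) -> List[str]:
    """Configuration review: the federal limits apply in every state, so any
    state with look-back disabled is reported as a deficiency."""
    return sorted(st for st, c in configs.items() if not c.lookback_enabled)


# Constructed sample data (not from the case record).
T0 = datetime(2008, 3, 10, 9, 0)
SAMPLE_SALES = [
    Sale("cust-A", 2400, T0, "store-1"),
    Sale("cust-A", 2400, T0 + timedelta(hours=2), "store-2"),  # same day: 4800 mg
    Sale("cust-B", 3000, T0 - timedelta(days=20), "store-1"),
    Sale("cust-B", 3000, T0 - timedelta(days=10), "store-1"),
    Sale("cust-B", 3000, T0 - timedelta(days=5), "store-3"),
    Sale("cust-B", 1200, T0, "store-3"),                       # 30 days: 10200 mg
    Sale("cust-C", 3600, T0 - timedelta(days=31), "store-2"),  # outside the window
    Sale("cust-C", 3600, T0, "store-2"),                       # exactly at the limit
]
AS_DEPLOYED = {"CA": StateConfig(False), "NV": StateConfig(False),
               "XX": StateConfig(True, state_30day_mg=7500)}   # XX: placeholder state
CORRECTED = {st: StateConfig(True, c.state_daily_mg, c.state_30day_mg)
             for st, c in AS_DEPLOYED.items()}

if __name__ == "__main__":
    print("look-back off in:", audit_config(AS_DEPLOYED))
    for label, cfgs in (("as deployed", AS_DEPLOYED), ("corrected", CORRECTED)):
        hits = replay(SAMPLE_SALES, cfgs["CA"])
        print(label, [(s.customer_id, s.mg, why) for s, why in hits])
```

Replaying the same log under both configurations separates the preventive failure (nothing is blocked with look-back off) from what a detective review of the log would have surfaced.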
1.3. Post-investigation remedial measures
During the government’s investigation, CVS Pharmacy accepted the responsibility for unlawful sales of pseudoephedrine (US Attorneys' Office, 2010). More specifically, the company acknowledged some unlawful conduct in the California and Nevada stores: (1) employees at certain CVS Pharmacy stores knowingly sold the drug over the legal limits; (2) the stores that oversold the drug had reasonable knowledge that the drug would be used to make methamphetamine; and (3) the company’s distribution center was in a position to monitor and report the excessive sales of pseudoephedrine, but failed to do so.
[1] The MethCheck system was designed and marketed by Appriss, Inc., http://www.appriss.com. A brief description of the system can be found on the software vendor’s website: http://www.appriss.com/sitedocs/MethCheckWhitePaper.pdf (accessed October 20, 2010).
[2] Federal laws are different from state laws. According to the US Attorneys’ Office (2010), the CMEA (a federal law) does not “preempt state law” but leaves “in place varying state requirements governing…monthly sales of PSE to individual customer.”
[3] These states included: Alabama, Arizona, California, Colorado, Connecticut, District of Columbia, Florida, Georgia, Kansas, Maine, Maryland, Massachusetts, Michigan, Nevada, New Hampshire, New Jersey, New York, North Dakota, Ohio, Pennsylvania, Rhode Island, South Carolina, Texas, Virginia, and Vermont.
As part of the non-prosecution agreement with the government, CVS Pharmacy was required to establish and maintain a Compliance and Ethics Program. This program required the company to exercise due diligence to prevent criminal conduct, promote and encourage ethical conduct, maintain procedures for an anonymous reporting mechanism, and discipline employees who violated company policies.
1.4. CVS Pharmacy’s reflections on CMEA compliance
In a statement after the settlement with the government, Thomas M. Ryan, then CEO of CVS Caremark, acknowledged that “the lapse…was an unacceptable breach of the company’s policies and was totally inconsistent with [the company’s] values. CVS Pharmacy is unwavering in its support of the measures taken by the federal government and the states to prevent drug abuse” (CVS Caremark Corporation, 2010b). To prevent future non-compliance, Ryan argued the company has, “strengthened…internal controls and compliance measures and made substantial investments to improve [the company’s] handling and monitoring of PSE [pseudoephedrine] by implementing enhanced technology and making other improvements in…stores and distribution centers” (CVS Caremark Corporation, 2010b).
1.5. Case requirements
Before starting the case, read the information located in Appendix A. Using the COSO Internal Control – Integrated Framework (May 2013) and the COBIT 5 (2012) framework, prepare a written report to assess CVS Pharmacy’s internal controls (note: not just the logbooks) as well as its reporting, operations, compliance, and IT risk. More specifically:
1. Using the COSO Internal Control – Integrated Framework (May 2013), perform an analysis of CVS Pharmacy’s internal controls and reporting, operations and compliance risk immediately prior to the government’s investigation. More specifically, identify deficiency/risks (e.g. internal control deficiencies, external events, etc.) that may influence CVS Pharmacy’s business objectives (e.g., complying with laws and regulations that govern drug sales). Use Table 1 as a template to report your analysis. You may insert additional rows if needed. Note that not all items are relevant in the case and some external research may be necessary in order to have a complete picture of the compliance issue (e.g., reading the extra materials).
2. Using the COBIT 5 framework, perform an analysis of CVS Pharmacy’s adoption of the MethCheck system immediately prior to the government’s investigation. Identify IT risks (e.g. configuration deficiencies) that may influence CVS Pharmacy’s implementation of the system. Use Table 2 as a template to report your analysis. You may insert additional rows if needed.
3. Based on your analyses of the deficiencies, risks, and information system issues, recommend internal control measures that CVS Pharmacy may implement to address these issues. Also, identify the internal control measure and its corresponding principle. Use Table 3 as a template to report your analysis. You may insert additional rows if needed. Note that you do not need to fill up all cells.
4. Write a report summarizing your analysis of the above three tables. Your report should include:
• Background: Provide an overview of the company and the issues.
• Purpose: Explain the purpose of your report. Also provide a brief description of the scope of your report and the methods you use for analyses.
• Findings: Provide and thoroughly discuss your assessment of CVS Pharmacy’s internal controls and risks. Recommendations can be based on whether management should avoid, accept, reduce, or share the risk based on your assessment. Also, if you feel that additional information would assist in providing more detailed or elaborated assessments, include a “Request for Information” as part of your Findings that contains a list of the information needed and its purpose. For example, no information is provided regarding a designated Chief Compliance Officer at CVS. A “Request for Information” might be “1. An Organization Chart that includes all executive management positions. Purpose – to determine if a Chief Compliance Officer position had been established at CVS, which will assist with assessing the Control Environment at CVS.”
• Recommendations: Recommend internal control measures that may help reduce the risks you assessed. In this section, make sure you relate back to completed Tables 1–3. Make sure to integrate your analyses.
• Conclusion: Summarize your analyses, findings, and recommendations.

Table 1
COSO internal control assessment.
COSO internal control component/principle | Deficiency or risk
Control environment
1. The organization demonstrates a commitment to integrity and ethical values.
2. The board of directors demonstrates independence from management and exercises oversight of the development and performance of internal control.
3. Management establishes, with board oversight, structures, reporting lines, and appropriate authorities and responsibilities in the pursuit of objectives.
4. The organization demonstrates a commitment to attract, develop, and retain competent individuals in alignment with objectives.
5. The organization holds individuals accountable for their internal control responsibilities in the pursuit of objectives.
Risk assessment
6. The organization specifies objectives with sufficient clarity to enable the identification and assessment of risks relating to objectives.
7. The organization identifies risks to the achievement of its objectives across the entity and analyzes risks as a basis for determining how the risks should be managed.
8. The organization considers the potential for fraud in assessing risks to the achievement of objectives.
9. The organization identifies and assesses changes that could significantly impact the system of internal control.
Control activities
10. The organization selects and develops control activities that contribute to the mitigation of risks to the achievement of objectives to acceptable levels.
11. The organization selects and develops general control activities over technology to support the achievement of objectives.
12. The organization deploys control activities through policies that establish what is expected and in procedures that put policies into action.
Information and communication
13. The organization obtains or generates and uses relevant, quality information to support the functioning of internal control.
14. The organization internally communicates information, including objectives and responsibilities for internal control, necessary to support the functioning of internal control.
15. The organization communicates with external parties regarding matters affecting the functioning of internal control.
Monitoring activities
16. The organization selects, develops, and performs ongoing and/or separate evaluations to ascertain whether the components of internal control are present and functioning.
17. The organization evaluates and communicates internal control deficiencies in a timely manner to those parties responsible for taking corrective action, including senior management and the board of directors, as appropriate.
2. Teaching notes
2.1. Introduction
Internal control is one of the key issues that organizations have to address when adopting information systems. Two complementary frameworks that can be applied in this context include the Committee of Sponsoring Organizations of the Treadway Commission (COSO) Internal Control - Integrated Framework (ICF) and the COBIT framework issued by ISACA.[4] The ICF, issued in 1992, is a mature framework that has been incorporated into many policies, rules, and regulations (COSO (Committee of Sponsoring Organizations of the Treadway Commission), 2004). In 2013, COSO issued an updated version of ICF (COSO (Committee of Sponsoring Organizations of the Treadway Commission), 2013). The framework can be used to design, implement, maintain, and assess the effectiveness of internal controls, and support the organization’s efforts to accomplish its objectives. By definition, the COBIT framework focuses on the control issues related to information technology (IT). However, it is also influenced by the COSO internal control framework. The most recent version is COBIT 5. In this case, we focus on the application of the new COSO ICF and COBIT.[5]
Table 2
COBIT assessment.
COBIT processes/domains | IT risk
Governance
1. Evaluate, Direct, & Monitor
Management
2. Align, Plan & Organize
3. Build, Acquire & Implement
4. Deliver, Service & Support
5. Monitor, Evaluate, & Assess

Table 3
Internal control matrix.
Internal control measure | Type of control (1) | Component/principle
1. Management Processes
2. Operational Processes
3. Information Processes
Note: (1) Type of internal control measure (P: Preventive; D: Detective; C: Corrective).
[4] COBIT was previously known as the Control Objectives of Information and Related Technology; ISACA was previously known as the Information Systems Audit and Control Association. Both now go by their acronyms only.
[5] Our discussion is based on COSO ICF 2013 and COBIT 5. Hereinafter we omit the versions of these two frameworks, unless stated otherwise to avoid confusion.
With the exception of Cereola and Cereola (2011), most teaching cases in the accounting education literature (for recent reviews see Apostolou, Dorminey, Hassell, & Rebele, 2014; Apostolou, Dorminey, Hassell, & Watson, 2013) have focused on either COSO ICF or COBIT in an isolated manner and rarely considered them in an integrative manner. For example, Savage, Norman, and Lancaster (2008) used a movie about the collapse of Barings Bank to teach the COSO internal control framework (whereby students would watch the movie and learn internal control concepts), but did not integrate COBIT. Sinason and Normand (2006) focused on systems development life cycle and did not consider how the COBIT framework might be applied. Similarly, Norman, Payne, and Vendrzyk (2009) focused on IT risk only, highlighting several general areas of IT issues such as system development and data security, but did not use COBIT. Also, they mentioned COSO in passing as background information but did not fully integrate the framework in a systematic manner. Cereola and Cereola (2011) used both COSO ICF and COBIT in their case. Their case is focused on a data security breach resulting in confidential customer data being stolen by hackers through both wireless and wired networks. Security is an important but narrower issue in IT. An updated literature review by Apostolou, Dorminey, Hassell, and Rebele (2016) suggested that no teaching cases have been published on IT topics since 2014.[6]
Our case, on the other hand, focuses on IT adoption and implementation issues in the broad context of internal control considerations and risk management. It highlights how the general legal and social environment might pose significant threats to businesses. It also helps students understand and appreciate the use and management of information technology in a broader business context, e.g., how IT can be used to support business objectives and how IT risks can have a significant impact on general business risks. Thus students can better appreciate the link between business and IT. This case study is adaptable and can be utilized by applying only one framework (i.e., COSO ICF or COBIT). Thus, this case can facilitate the achievement of learning objectives of various accounting courses, including accounting information systems, audit, and IT audit courses.
2.2. Learning objectives
Although CVS adopted an electronic logbook system (“MethCheck”) to record and check customer purchases, the implementation of the system was flawed and the company failed to prevent over-purchases of PSE by individuals. In October 2010, CVS paid a fine of $77.5 million ($75 million civil penalty and the forfeiture of $2.5 million of profits) to settle a lawsuit brought by the US Attorney’s Office for the Central District of California for the company’s unlawful sales of PSE (US Department of Justice, 2011). The case demonstrates the importance of internal controls and the proper management of regulatory compliance and IT risks, which can be examined using the COSO ICF and COBIT framework.
The overall learning objectives are for students to understand and apply the two frameworks (i.e., COSO ICF and COBIT) to general business risks and IT risks. The specific learning objectives (LO) include:
LO1. Understand the COSO ICF and COBIT;
LO2. Apply COSO ICF and COBIT to assess internal controls and risks;
LO3. Understand different types of controls (e.g. preventive, detective, and corrective) and identify specific measures to reduce risks;
LO4. Identify specific information systems controls for managing risks; and
LO5. Understand IT risks from an internal control perspective.
2.3. Past implementation of the case
This case has been adopted in undergraduate AIS courses at two AACSB-accredited universities. In our implementation, the case was assigned to students as a required reading before the class sessions that covered internal controls. Students were also required to read COSO ICF and COBIT. The following instructional approaches were taken: (1) discussion of the case and the most recent COSO ICF and COBIT in class; and (2) group case report. Throughout the courses, the case was used as an example and students were encouraged to participate in class discussions, which focused on applying the two frameworks to the examination of the case. For example, when the objective dimension of the COSO ICF was introduced, students were asked to refer to the case and discuss the operations, reporting, and compliance objectives CVS Pharmacy should have managed more effectively. For the COBIT framework, we focused on the four control domain areas: plan, build, run, and monitor.
At one university, two classes, each approximately two and a half hours in length, were spent on discussions of the two frameworks. At the other university, three 75-min classes were spent discussing the two frameworks. At the latter university, participation was also included in the student’s final grade and students were instructed that the case would be discussed during the classes covering internal controls and be factored into their final course participation grade.
The advantage of discussing the case in class before students prepare their group reports is that students: (1) gain an understanding of the frameworks by discussing them; (2) clarify their understanding of the CVS Pharmacy case; and (3) learn from other students (and the instructor) in open discussion of both the framework and the case. There are, however, some disadvantages of discussing the case in class. For example, this may limit students’ thinking; they may believe that what is discussed in class is the only correct answer. When the case was used at the authors’ institutions, a small number of students were found to simply “copy” whatever they heard in the classroom without further studying the case material thoroughly.
[6] We thank Natalie Churyk (Editor-in-chief) for this point.
In our implementation, students had two weeks to complete the report (the required length of the report was three to six pages single-spaced). In their reports, students were required to use the two frameworks to analyze the case and recommend internal control measures. Students were encouraged to use professional judgment and creativity in developing their reports. There is, however, a potential risk. To ensure students knew exactly what to do for case analysis, we provided a report outline and three specific supporting tables that asked students to identify relevant issues (risks and controls, etc.) for each of the COSO ICF components and principles, as well as COBIT control domain areas.
Some caveats should be noted about group work. First, although the group report assignment helps students generate ideas and learn from each other, some students may try to take a “free ride.” To deal with this issue, we required team member evaluations to be submitted to the instructor the class meeting after the report was due. In the evaluations, students could evaluate all team members by providing a score (up to 100 points/member) and anecdotal comments.
We graded student work on two criteria. The first is content (80%), which includes overall case analysis, application of COSO ICF, application of COBIT, and control measures. The other criterion is presentation or writing, which evaluates students’ work in terms of style and format.
2.4. Efficacy of the case
We believe the case can help students learn internal controls by using either of the frameworks (COSO ICF and COBIT). Pedagogically speaking, instructors can avoid teaching internal controls in abstract terms. The case can give students some concrete examples of internal control measures and how they are related to risks. The case demonstrates that a simple function in an information system can have a negative chain of effects on a firm’s business operations. Thus, from an internal control standpoint, information systems must be properly designed and implemented and their potential impact on overall business operations should be properly assessed. Here the COBIT framework is useful for understanding various issues related to information systems design and implementation. The COSO ICF, on the other hand, is useful for students to understand the overall picture and general methodologies of internal controls and how information systems may play a role.
We conducted pre- and post-case student surveys to evaluate the efficacy of the case. The pre-case survey (N=81, 74% response rate) asked students about their knowledge of internal control and IT risk. Other than the same questions about internal control and IT risk, the post-case survey (N=83, 76% response rate) also asked students about the content and the implementation of the case. All questions were on a seven-point Likert scale, with 1 indicating strongly disagree and 7 strongly agree. The results of the surveys are shown in Table 4.
The results indicated that students’ knowledge of internal control and IT risk improved significantly.⁷ In the pre-case survey, students’ self-assessed knowledge (mean values in parentheses) in the following areas was significantly below average (i.e. neutral response of 4 on a 7-point Likert scale): internal control (3.53), COSO (1.72), COBIT (1.69), and IT risk (3.25). Post-case survey results indicated that their knowledge was significantly above average: internal control (5.01), COSO (4.95), COBIT (4.87), and IT risk (5.12). T-tests of the differences between pre-case and post-case means of the first four questions were significant (p < .001), suggesting that the case and classroom discussion helped students to understand internal control and risk management. The fifth survey question also indicated that students had a better understanding of the importance of internal control (pre-case 4.33, post-case 5.41, t = 18.80, p < .001). Similarly, as indicated by the t-statistics (p < .01), students also gave positive evaluations of case content (e.g. relevance to internal control) and implementation (e.g. group work).

Table 4 Student feedback.

Pre-case questionnaire (N=81)

| Question | Mean | Median | Standard deviation | t-Statistic |
| --- | --- | --- | --- | --- |
| 1. My current working knowledge of internal control is: | 3.53 | 4 | 1.54 | −2.747* |
| 2. My current working knowledge of COSO is: | 1.72 | 1 | 1.18 | −17.390* |
| 3. My current working knowledge of COBIT is: | 1.69 | 1 | 1.17 | −17.769* |
| 4. My current working knowledge of risk management is: | 3.25 | 4 | 1.52 | −4.441* |
| 5. Internal controls are important to my professional development | 4.33 | 4 | 1.83 | 1.623 |

Post-case questionnaire (N=83)

| Question | Mean | Median | Standard deviation | t-Statistic |
| --- | --- | --- | --- | --- |
| 1. The case increased my working knowledge of internal control | 5.01 | 5 | 1.66 | 5.543* |
| 2. The case increased my working knowledge of COSO | 4.95 | 5 | 1.59 | 5.443* |
| 3. The case increased my working knowledge of COBIT | 4.87 | 5 | 1.65 | 4.804* |
| 4. The case increased my knowledge of risk management | 5.12 | 5 | 1.63 | 6.260* |
| 5. Internal controls are important to my professional development. | 5.41 | 6 | 1.88 | 6.833* |
| 6. The case is relevant in identifying internal control deficiencies. | 5.39 | 6 | 1.77 | 7.155* |
| 7. The case is relevant in identifying specific controls to achieve effective/efficient operations. | 5.16 | 6 | 1.73 | 6.109* |
| 8. The case is relevant in identifying specific controls to achieve compliance with applicable laws | 5.30 | 6 | 1.75 | 6.768* |
| 9. I found the case interesting | 5.08 | 6 | 1.89 | 5.206* |
| 10. The case is relevant because it was based on a real-world company | 5.47 | 6 | 1.82 | 7.358* |
| 11. The case was understandable, even though I had no formal training in internal control frameworks | 5.06 | 6 | 1.73 | 5.582* |
| 12. The case provided beneficial learning experience | 5.10 | 6 | 1.81 | 5.537* |
| 13. The case enhanced my critical-thinking skills | 5.04 | 5 | 1.68 | 5.640* |
| 14. Class discussion helped me to identify areas for improvement in my case solution | 4.83 | 5 | 1.95 | 3.878* |
| 15. The group report enhanced my understanding of the COSO and COBIT frameworks | 4.73 | 5 | 1.85 | 3.595* |
| 16. The work load of the group report was appropriate | 4.55 | 5 | 1.82 | 2.753* |
| 17. The group report was a good way to learn the COSO and COBIT concepts | 4.60 | 5 | 1.85 | 2.955* |

Notes: * p < .05. T-tests are based on the differences between mean responses and neutral response of 4. Pre-case survey: two-tail; Post-case survey: one-tail.

7 It should be noted that this does not mean the case is the only factor. Reading textbooks and other materials will also help students learn the two frameworks. We thank Natalie Churyk (Editor-in-chief) for this point.