COSO Content Analysis

Board Game Content Analysis

Put the Name of Your Game Here

Short description here

Think about the content that you're interested in teaching and break it down into the eight content types in the table below.

Content Type
Content Elements
Game Elements


The smallest unit of information
COSO acronym
Image on game board displaying:

Internal Control model
created by the

of the Treadway Commission


Categories of things with a common name and critical attributes
  1. Internal Control System: Per COSO, an effective Internal Control system comprises five interrelated components: (1) Control Environment, (2) Risk Assessment, (3) Control Activities, (4) Information & Communication, and (5) Monitoring (ELO-03)
  2. Control Environment component is comprised of these critical attributes: (ELO-04)
    • Management Philosophy & Operating Style (established by Board of Directors and CEO)
    • Integrity and Ethical Values (e.g. Code of Conduct)
    • Commitment to Competence
    • Organizational Structure
    • Assignment of authority and responsibility
    • Human resources policies and practices
  3. Risk Assessment component is comprised of these critical attributes: (ELO-05)
    • Establishing objectives
    • Risk identification strategy
    • Risk analysis process
    • Risk response methodology
  4. Control Activities component is comprised of these critical attributes: (ELO-06)
    • Policies
    • Procedures
    • Preventive & Detective Tools
  5. Information & Communication component is comprised of these critical attributes: (ELO-07)
    • Communication of key metrics
    • Communication of control responsibilities
    • Escalation process exists
    • Feedback and resolution mechanisms
    • Information Systems in place
    • High quality information is accessible
  6. Monitoring component is comprised of these critical attributes: (ELO-08)
    • Ongoing monitoring activities – control testing
    • Ongoing monitoring activities – dashboards
    • Ongoing monitoring activities – supervision
    • Separate evaluations - Self-assessments
    • Separate evaluations – Independent 3rd party review
    • Reporting and tracking deficiencies
  7. There are four possible Risk Reponses:
    • Avoid the risk
    • Reduce the risk
    • Share the risk
    • Accept the risk
1. Represented by the 5 regions on the board

2 through 6. Critical attributes for each component are in the form of "treasure" cards that contain a brief description elaborating on the critical attribute.
7. Once a player has acquired the Risk Response critical attribute, when they land on a Risk Event space, they roll the die to first determine if they Avoid the risk, Reduce it, Share it, or Accept it.


If-Then relationships between concepts
The more critical attributes you implement, the less likely you will be impacted by risks or audits.
Each player will have a "strip" that keeps track of their internal control score as they proceed through the game. As they collect more critical attribute "treasures," the higher their internal control score. They will also face risk events and audits (please see Probabilities below) that can reduce their internal control score. The player that reaches the end with the highest score wins.


Step by step actions in a series
Implementing Internal Control:
To ensure an internal control process exists, people within a company need to implement components in this sequence:(ELO-03)
  1. Ensuring an effective Control Environment.
  2. Performing a Risk Assessment to identify and analyze risks and select a risk response.
  3. Establishing Control Activities by setting policies, developing procedures to comply with policies, and operating the preventive / detective controls according to the procedures.
  4. Establishing Monitoring mechanisms to ensure the internal control process continuously operates effectively.

In addtion, each components has critical attributes that precede other critical attributes.
Analyzing Risk:
To determine the overall rating of a risk, use the Risk Rating table.
  1. Assign a likeligood rating to the risk.
  2. Assign an impact rating to the risk.
  3. Cross reference the ratings on the table to identify if the overall risk rating is H, M, or L.
Implementing Internal Control: Players cannot move to the next component region until they have collected all of the critical attributes in the current component region. In addition, some critical attributes cannot be collected on the path unless you have already collected its predecessor.
Analyzing Risk: Accomplished through the Risk Event card, Each card has a unique risk event with a likelihood and impact rating between 1-5 that is used to determine its overall risk rating per the risk rating table on the board (see below). If it is an "H", the player needs to roll a 6 on 1D6 to avoid having it impact their internal control score. If it is an "M", the player needs to roll a 3 or better on 1D6. If it is an "L", the player needs to roll a 2 or better on 1D6. riskchart.gif


Natural or routine sequences of events
Internal Control is a process (ELO-02). It is a means to an end and not an end in itself. Its effectiveness is a state or condition of the process at one or more points in time. By having an internal control process in place, an organization is better prepared against risk events and audits.
The entire board reflects the COSO triangle in order to depict internal control as a process. Players move along a path within it, sequentially moving from Control Environment to Risk Assessment to Control Activities to Monitoring. Players also have an internal control score bar used to keep track of the state or condition of their internal control process at a point in time throughout the game. This score can be impacted by event spaces on the board that limit the effectiveness of the process.


Unpredictable happenings
It takes time to implement
Dice: Player movement -- represents varying time to implement the model and the unpredictable nature of risk events in the corporate event

Companies will periodically be audited. Although audits are often scheduled well in advance, there is a probability that an office will not have a particular critical attribute in place before the audit occurs. If the auditor discovers the gap, it is reported to senior management.
Audit cards: If players land on an Internal Audit space, they are faced with an audit that can reduce (if they fail) or increase (if they pass) their internal control score. Each card will focus on a particular critical attribute. If the player has not collected that critical attribute card, then they will lose 1 point from their internal control score. If they have that critical attribute, they will be rewarded with 1 point added to their internal control score.

Risk events are unpredictable happenings in the corporate environment. The more you implement the COSO model, the more prepared an organization is to face risk events.
Risk cards: If players land on a Risk Event space, they are faced with a risk event (financial loss, a regulatory violation, or an operational failure) that can reduce their internal control score. If the player has a certain critical attribute, they can reduce the likelihood or impact rating of the risk event and possibly drop it from one overall rating to to the next, making it easier to avoid the risk.

Internal Control only provides reasonable assurance: There are various limiting factors to the system of internal control which prevent it from providing any more than reasonable assurance that an organization or process will be successful. ELO-09
  • Judgment: A person can make bad decisions, limiting the effectiveness of internal control related decisions.
  • Breakdowns: People with control responsibilities may not carry them out effectively or make mistakes.
  • Management Override/ Collusion: Some leaders and employees will intentionally go outside established practices to get the job done faster or for personal gain.
  • Cost versus Benefit: Sometimes you must choose to accept a risk when the cost of controlling that risk exceeds the benefit.
Players can land on a space on the board that says Poor Judgement, Breakdown in Carrying Out Control Responsibilites, Management Ovveride/Collusion Occurs, or Control Costs Too Much. This will cause the player to lose an internal control score point or lose a turn.


The backdrop for all the content
To learn about the COSO model of internal control through the context of preparing for an audit in a company.
The game board looks like the COSO model. Players visit various corporate offices along the game path where they implement critical attributes of the COSO model into their companies' plan for establishing and maintaining internal control.

Vantage Points

The roles or points of view from which people look at and interact with this content
Board of Directors: Along with executive management, sets the tone for the internal control environment
CEO: Has ownership of the entire internal control structure of the Company. Sets the tone for the company.
Management: Directly responsible for establishing and maintaining sound internal control systems.
Employees: Produce information and take actions that effect control.
Auditors: Periodically evaluate the effectiveness of the internal control system.
Board of Directors: critical attributes to be obtained
CEO: CEO's office has a control environment critical attribute - manangement philosophy & operating style
Management: players
Employees: players
Auditors: represented by the auditor cards -- can be players too