COSO Internal Control

Control Freak or Risk Taker?

Steve Corbett (
Gerry de Ocampo ( )


Instructional Objectives

Terminal Learning Objective (TLO):
Learners will be able to identify and list the five components of the Committee of Sponsoring Organizations of the Treadway Commission (COSO) model of internal control, and evaluate their work situation to identify the components of the model that not being used or only partially being used.

Enabling learning Objectives (ELOs):
ELO-01: Given the acronym COSO, the employee will be able to state what the acronym stands for.

ELO-02: Given a scenario using the COSO model, the employee will be able to define the term Internal Control.

ELO-03: Given a scenario using the COSO model, the employee will be able to list all five components of the model.

ELO-04: Given a list of components of the COSO model of internal control, the employee will be able to state at least three critical attributes required to implement the:
  • Control Environment component.
  • Risk Assessment component.
  • Control Activities component.
  • Information & Communication component.
  • Monitoring component.

ELO-05: Given a scenario using the COSO model, the employee will be able to list two limiting factors to the system of internal control which prevent it from providing any more than reasonable assurance

ELO-6: Given a scenario using the COSO model, the employee will be able to define the term Risk.

ELO-7: Given an Impact and Likelihood rating for a risk event, the employee will be able to select its overall rating as High, Moderate, or Low.

ELO-8: Given a scenario using the COSO model, the employee will be able to list the four possible Risk Responses.

Learners & Context of Use

Learner Audience:
  • Entry-level internal auditors, employees, managers, and line leaders with direct reports at a global company
  • Ages range from 20s to 60s
  • Diverse ethnicities and nationalities (e.g. Asia, Pacific Rim, Europe)
  • Employees most likely have a low affinity to the subject matter

Learner Needs:
  • Subject matter critical for entry-level internal auditors, managers, and line leaders

Context of use:
  • Corporate training / Classroom environment
  • Classroom set up with tables accommodating 2-4 learners at each table
  • Designed to be played once during the class
  • Introductory instruction on terminology and COSO model delivered prior to the game via web-based or stand-up instruction

Competing Products

No competing products exist. However, a children's game called "Chutes and Ladders" has a similar style of race game play.

Object of the Game

Goal: Be the player with the highest internal control score at the end of the game.
[Note: If time is limited, the game can be modified so that the first person to get 20 internal control points wins.]

Content Analysis

Please see the Board Game Content Analysis template.

Game Materials

Game Item
Game board
Audit cards (22)
Risk Event cards (16)
Critical Attribute cards:
  • 4 for each attribute
  • Total of 88 cards
Player pieces:
  • Red stapler
  • Briefcase
  • Laptop
  • Calculator
Internal Control Score Scale piece:
  • 1 per player piece
Six-sided die
Here is a zip file containing the PDF files for the game board and cards.
<8/13/2016 - we have removed the zip file as we are in the process of making this a board game for purchase and need to block any further attempts to use or distribute the prototype materials - if you have downloaded the materials, you may continue to use for your own training program, but we retain full rights to the intellectual property and copyright>

Time Required and Setup

The game would take about a half hour to complete. Very little preparation is involved. Preparation involves placing each deck of cards in their appropriate space on the board and putting the game pieces in start positions as described below:

  1. Shuffle the Audit cards and place them face down on top of the AUDIT CARDS space.
  2. Shuffle the Risk Event cards and place them face down on top of the RISK EVENT CARDS space.
  3. Arrange the critical attribute cards according to their type. Each type should have four cards.
  4. Each player selects a game piece, and places it at the START area.
  5. Each player begins with 25 internal control points. Place the matching Internal Control Score Scale piece next to the score of 25.

The Rules

Moving around the board
  1. 2-4 players can play.
  2. Roll the die to see who goes first. Highest roll goes first; players then proceed counterclockwise.
  3. Roll the die, and then move player piece into a space along the game path.
  4. You can enter the Information & Communication component region at any time, but you cannot use the Information & Communication region to go into component regions for which you have not obtained at least three critical attribute (CA) cards (see below).

Collecting critical attribute cards
  1. Players advance up the different internal control component levels by collecting CA cards from each component.
  2. You can move up to the next component level, after collecting at least three CA cards from the current component level. [Note: If time is limited, the game can be modified so that players collect at least two CA cards before moving up to the next component level.]
  3. To collect a CA card, you must move your game piece into the office on the path containing the critical attribute. The piece can move into the office with a die roll of the minimum number or higher.
    • When you enter the office, obtain the designated CA card. Some cards have a predecessor attribute indicated on the card. If you don't have the prerequisite CA card, you cannot collect the attribute.
    • You earn internal control points as indicated on each CA card collected.
    • Once you have collected a CA card, you cannot collect the same CA card again.

Dealing with Opportunity spaces, Limitation of Control spaces, and event cards
  1. If you land on an Opportunity space, you receive the points indicated.
  • You can only receive points from a particular Opportunity space only one time; that is, if you land on the same space again, you do not get the points.
  1. If you land on a Limitation of Control space, you slide back down to the square of the lower component level as indicated by the arrow on the board.
  2. If you land on an Audit space, pick up an Audit card. If you have the critical attribute listed on the card, you earn the internal control point value shown, otherwise you lose the internal control point value shown.
  3. If you land on a Risk Event space, pick up a Risk Event card.
    • Each Risk Event has an overall rating of High, Moderate, and Low based on its Likelihood and Impact rating displayed on the card.
      • Refer to the Risk Rating table to determine the overall risk rating of High (H), Moderate (M), or Low (L).
      • In the example Risk card shown, the Impact is 5 and Likelihood is 4, which makes the overall risk rating High (H).
    • Each Risk Event card will also display a critical attribute. If you have the critical attribute listed on the card, reduce the Impact or Likelihood rating of the risk (as indicated on the card) and determine its new overall rating.
      • Using the example Risk card shown above, if you have the Detective Controls CA card, you would then reduce the Impact rating to 3 (Likelihood of 4 remains the same), which would make the overall risk rating Moderate (M).
      • If you do not have the critical attribute, no deduction can be made, and your overall risk rating would remain High (H).
      • If the overall risk rating is:
        • High (H), you must roll a 6 to avoid the Risk completely and not roll the die again (see below).
        • Moderate (M), you need to roll a 3 or higher to avoid the Risk completely and not roll the die again (see below).
        • Low (L), you need to roll a 2 or higher to avoid avoid the Risk completely and not roll the die again (see below).
    • If you did not avoid the Risk during the first roll, roll the die again to determine if you can further mitigate against the risk event. On the second roll, if you roll a:
      • 1 or 2, you Reduce the risk and lose half of the value of the loss indicated on the Risk Event card.
      • 3 or 4, you Share the risk with an opponent of your choice, and you both lose half of the value of the loss indicated on the Risk Event card.
      • 5 or 6, you Accept the risk and lose the full value of the loss indicated on the Risk Event card.
        • Furthermore, if you have the Risk Response critical attribute, you Share the risk with an opponent of your choice if you roll a 5 or 6 on the second roll. You both lose half of the value of the loss indicated on the Risk Event card.

Winning the game
  1. Once you collect the required number of CA cards in the Monitoring component, go directly to the Finished! space.
    • The first player to reach the Finished! space is rewarded with 5 internal control score points and the game ends.
    • The player with the highest internal control score wins. [Note: If time is limited, the game can be modified so that the first person to get 45 internal control points wins.]
  2. If there is a tie for the highest score, the players tied for the highest score each select an Audit card and apply the result to their score.
    • Repeat, if necessary, until the tie is broken.
  3. You cannot go below zero or above 50 in your internal control score.

Motivational Issues

We gave careful consideration to addressing learner motivation in our game design. Working under the premise that most learners are uninterested, we wanted to inject our game idea with elements specifically designed to motivate those who play the game. There is an inherent "threat" level in the COSO internal control model, probably due to its close association with internal auditing within companies. Additionally, the dryness of the topic lends itself to boredom, and so our intentional application of learning motivational theories to actual game elements will help make an already boring topic more interesting, and hopefully engaging to those learners attending mandatory training sessions on the subject. Below we discuss which aspects of two motivational theories used in the design of our game.

ARCS Motivational Theory - Keller
We believe the unique shape and colors of the game board provides a unique visual appeal to learners. The triangular shape definitely catches one's attention.

Although most players of this game will most likely be required to attend training on the internal control model, we believe the images used in the game such as office locations and the scenarios written on game cards describing applications of the internal control model provide a practical relevance to the game. The learners' game experience will provide some contextual experience to situations they will encounter in their businesses and places of work.

While the COSO internal control model may sometimes be difficult to understand, we think that the regular feedback provided to game players will build learner confidence and familiarity with the model.

Similar to treasure hunts or scavenger hunts, the game has an element for the learner to "collect COSO treasures" (the five components of the COSO model). We believe this gives learners a sense of satisfaction while learning about the model because in order to win the game, they must collect all the "treasures" (critical attributes at each component level).

Individual and Interpersonal Motivational Theory - Malone and Lepper

Individual Motivations:
Challenge: Goals, Uncertain Outcomes, Performance Feedback -
  • Goals - We've incorporated the main goal of "collecting treasures" as the primary vehicle for learning the COSO internal control model. By attaining the goal, the players of the game will be exposed to all the aspects of the COSO model.
  • Uncertain Outcomes - Using dice for movement adds an element of randomness to the game, which simulates that the time required to have all the components of the COSO model in place in a business also takes time. Furthermore, the use of "damage tables" to simulate the likelihood and impact of risk events mirrors real-life risk assessment and analysis.
  • Performance Feedback - Players receive positive and negative feedback while playing the game through the Risk event cards and Audit cards. Negative reinforcement from a negative impact event teaches the players about actual consequences of not putting the COSO model into practice in their business while positive reinforcement from positive impact events or the collection of COSO model components rewards players for learning the model and models the likelihood of positive business results when risks are mitigated through the COSO internal control model.

Sensory Curiosity - The uniqueness of the game board shape and its colors will appeal visually to players. The game board is a direct artifact of the COSO model itself, which appears often in COSO literature. Thus, the components of the COSO model are visually reinforced to the learner.

Interpersonal Motivations:
Competition - Players of the COSO game compete against each other to "collect treasures", which are the critical attributes of the COSO model. The player with the most points wins the game. To a certain extent, all learners are competitive to a certain degree. Additionally, we believe people will naturally enjoy collecting items in the game. The added competition factor of striving to have the most points at the end of the game by collecting the critical attributes will increase learner motivation to play the game.

Design, Development, and Evaluation Processes

Once we determined the game idea, we decided on the type of game; in our case, a race game. The next step was to examine the content to see if learning about it was feasible through a game. Since Steve works with this content daily at his job, he generated an initial "content dump" into a Content Analysis word document with some initial learning objectives. The content came from the references noted below and previous training content developed by Steve Corbett for his company.

There are no extant games in the market that teach the COSO internal control model. We realized early on that we are pioneers in this area of business. If our game does what it purports to do, there could be some potential to market this game in the financial controls and auditing industry.

Before moving forward with devising game elements, we finalized the enabling learning objectives so that each content item was aligned to one or more learning objectives. Additionally, we worded the learning goal of the game into a terminal learning objective that describes what the outcome for the learner is after playing the game.

Content Analysis to Game Elements
The most difficult part of the design process was to come up with meaningful game elements for the content items that we wanted the game to teach. We realized that creating a concept for the physical game board, as well as, devising game-play rules are important game elements as well. So we created game elements, the board game concept, and the game rules at the same time, interchanging efforts among the three, demonstrating the important interrelationships between the three.

Prototype and Feedback
Please see our Prototype Playtest Evaluation Chart .

Lessons Learned
Design Process
Given our instructional design background, we felt very comfortable starting our design by establishing a learning goal or intended learner outcome, followed by writing learning objectives. As we thought about the goal and the learner’s intended outcome for the given setting and audience, we wrote a terminal learning objective and its supporting enabling learning objectives.

Starting from the learning objectives gave our game a solid backbone with respect to designing it for specific learner outcomes.

Development Process
We definitely formed a great team. Steve has a strong graphic arts and media background, while Gerry has a strong background in teaching, instructional design, and writing. The strengths in our skill sets were complementary. Steve contributed to the project with his subject matter expertise about the COSO internal control model and his artistic capabilities to produce a visually appealing, high-quality game board, pieces, and various game elements. Gerry contributed by leveraging his experience in instructional design to guide the design approach, as well as, bring clarity to the complex and abstract concepts of COSO.

Testing and Evaluation Process
Two play testers evaluated our prototype game board and elements. The most useful comment from both testers was that our game’s weakest point was its heavy reliance on luck rather than strategy and decision-making. We brainstormed various ideas about introducing a specific game-play strategy into the game. Our main idea was having the players in the game adopt one of two game-play strategic roles:

(1) Risk-taker: This player obtains only one critical attribute before advancing to the next level, with the primary goal of trying to get to the Finished! space first to end the game. The Risk-taker is not so concerned with collecting critical attributes, but is more concerned about avoiding Risk events. The primary way for this player to win is to finish the game as quickly as possible before other players collect too many points.

(2) Control freak: This player obtains multiple critical attributes per level before advancing to the higher levels, with the primary goal of amassing as many points as possible from each level. This player is not so concerned with being the first one to get to the Finished! space, but rather to collect lots of critical attributes for points and protection against Risk events. The primary way for this player to win is to slowly outscore his opponents.

After much consideration of the nuances of adopting this strategy, we decided not to explicitly incorporate it after all. As the game is played over time, we believe that players will formulate one of these two strategic roles naturally. Furthermore, to write these roles into the game would introduce both game-play complexity to the rules, as well as major physical modifications to the board. Because of complexity and time constraints we abandoned the explicit incorporation of these roles.

But in order to accommodate our prototype testers’ comment about “too much luck” in the game we decided to make some modifications (see the Prototype Playtest Evaluation Chart for a brief listing and description of the modification to the rules, game board, and elements). The following are three key modifications to the rules and game elements we incorporated to reduce the influence of luck in game-play:

(1) Changing the Risk Response roll of the die to occur each time a player undergoes a Risk event.

This change adds a bit more excitement to the game, especially because you don’t have to have the Risk Response critical attribute to mitigate the risk. Additionally, the next rule described below creates more involvement with other players when responding to Risk events.

(2) Changing the likelihood that a player undergoing a Risk event can share the risk with another player.

There is now at least 33 1/3% chance that players can “share the risk” with another player, which increases the game’s tension level by increasing the chance that players’ scores will be reduced, as well as involving other players in the risk response aspect of the game.

(3) Adding Opportunity spaces to the game board so that there are more chances to earn points without having to collect critical attribute cards.

This was included to accommodate the Risk-taker strategy: the Risk-taker spends less time acquiring points via obtaining critical attributes, so this is an additional way for this type of player to overcome a Control freak player who slowly amasses points.


  • Books & Journals
    • Keller, J. M., & Suzuki, K. (1988). Use of the ARCS Motivation Model in Courseware Design. In D. H. Jonasse
      (Ed.), Instructional Designs for Microcomputer Courseware. Hillsdale, NJ: Lawrence Erlbaum.
    • Malone, T. W. and Lepper, M. R. (1987). Making learning fun: A taxonomy of intrinsic motivations for learning. In Snow, R. E. and Farr, M. J., editors, Aptitude, Learning and Instruction: Conative and Affective Process Analyses, volume 3, pages 223-253. Hillsdale, NJ: Lawrence Erlbaum Associates.
  • Electronic