Financial statement risk assessment following the COSO framework: An instructional case study

The purpose of this paper is to teach students the fundamental and most critical aspects of performing a financial statement risk assessment, a skill vital to help ensure both auditor and public‐company compliance with guidance found in the Sarbanes‐Oxley Act of 2002 (SOX), the SEC's Interpretative Guidance regarding Management's Report on Internal Control over Financial Reporting, the control deficiency evaluation framework found in Auditing Standard No. 5 (AS5) of the Public Company Accounting Oversight Board (PCAOB), and the Committee of Sponsoring Organizations of the Treadway Commission (COSO).

This instructional case study helps students assess the impact of a set of hypothetical internal control deficiency risks in various industries, including inherent and residual financial statement risk assessment, and concludes with determining which identified internal control weaknesses are significant deficiencies and material weaknesses in internal control. Included in the financial statement residual risk assessment process are example entity‐level and process‐level controls described in COSO. Learning objectives, implementation guidance, and the efficacy of using the case study in the undergraduate or graduate auditing or accounting information systems courses are also provided.

The results of classroom testing of the case study at two universities provides evidence the case study increases student understanding of the implications of internal controls and their impact on the reliability of the financial statements significantly. Students also found the case to be challenging, interesting, relevant, clear, understandable, and a realistic approximation of what they might expect to encounter in the real‐world when performing a financial statement risk assessment.

The case study includes the development of skills important to students in performing financial statement risk assessments, either as an auditor or when working in a private industry environment, including making professional judgments related to risk assessment.