Journal of Accounting Education: Ken H. Guo, Brenda L. Eschenbrenner

Journal of Accounting Education 42 (2018) 17–26

Journal of Accounting Education


journal homepage: www.elsevier.com/locate/jaccedu

CVS Pharmacy: An instructional case of internal controls for regulatory compliance and IT risks

Ken H. Guo a,*, Brenda L. Eschenbrenner b
a Mihaylo College of Business and Economics, California State University, Fullerton, 800 N. State College Blvd., Fullerton, CA 92834-6848, United States
b College of Business & Technology, University of Nebraska at Kearney, 1917 W. 24th Street, Kearney, NE 68849, United States

ARTICLE INFO

Keywords:
COSO Internal Control-Integrated Framework
COBIT 5
Internal controls
Compliance risk
IT risk

ABSTRACT

The objective of the CVS Pharmacy case study is to teach students how to assess and integrate
internal controls from regulatory compliance and information technology (IT) perspectives. The
case focuses on the failure of CVS Pharmacy, Inc. to implement necessary controls to comply with
regulations that limit the sales of pseudoephedrine. The case gives you the opportunity to systematically
apply the Committee of Sponsoring Organizations of the Treadway Commission
(COSO) Internal Control – Integrated Framework (May 2013) and the COBIT 5 Framework issued
by ISACA to investigate real business and IT issues. More specifically, you can use the frameworks
to identify internal control deficiencies, compliance risks, and IT risks. Based on this assessment,
you can recommend relevant control measures. The case is appropriate for undergraduate accounting
information systems courses, as well as courses such as audit and IT audit by utilizing
only one of the frameworks.

1. The case

1.1. Introduction

On October 14, 2010, the United States (US) Attorney’s Office for the Central District of California announced that CVS Pharmacy,
Inc. (“CVS Pharmacy”) was fined $77.5 million (which included a $75 million civil penalty and the forfeit of $2.5 million profit) for
its unlawful sales of pseudoephedrine to organized crime between September 2007 and November 2008 (US Department of Justice,
2011). Pseudoephedrine is a regulated drug used to treat nasal and sinus congestion. The company was charged for its failure to
comply with laws that limited the quantity of the drug sold to individual customers. The sales, according to the Attorney’s Office,
directly caused an increase in the production of methamphetamine in California.
CVS Pharmacy is the retail pharmacy subsidiary of CVS Caremark Corporation (hereinafter collectively referred to as “CVS”). In
addition to retail pharmacies, CVS also operates pharmacy services, retail clinics, and mail-order pharmacy businesses. In fiscal year
2010, CVS had net revenues of more than $96 billion and a net profit of more than $3 billion (CVS Caremark Corporation, 2010a). In
2010, CVS was the 18th largest company in the Fortune 500, according to its annual report, and one of the largest retail pharmacy
chains in the United States (US). As of December 31, 2010, it operated more than 7,100 retail pharmacy stores in the US.
Today’s CVS (listed on the New York Stock Exchange, under the ticker symbol “CVS;” website: http://www.cvs.com) is the result
of a series of mergers and acquisitions, as well as expansion into new markets over the past few years. Major mergers and acquisitions
included Eckerd ($2.15 billion), Albertson's ($4.0 billion), Caremark ($26.9 billion), and Longs Drugs ($2.6 billion). The markets in
which CVS had a presence also increased from 36 states in 2004 to 44 states in 2010. Like other companies in the industry, CVS had to
efficiently and effectively manage various risks, such as regulatory compliance and economic downturns, in order to deliver “strong
growth and returns to shareholders” (CVS Caremark Corporation, 2010a).

* Corresponding author.
E-mail addresses: kguo@fullerton.edu (K.H. Guo), eschenbrenbl@unk.edu (B.L. Eschenbrenner).
https://doi.org/10.1016/j.jaccedu.2017.11.001
Received 4 May 2017; Received in revised form 19 November 2017; Accepted 21 November 2017
Available online 29 November 2017
0748-5751/ © 2017 Elsevier Ltd. All rights reserved.

1.1.1. Legal background


Pseudoephedrine is one of the key ingredients used to make methamphetamine, which “is a powerfully addictive drug that
severely affects users’ minds and bodies, ruins lives, and endangers communities and the environment” (US Department of Justice
Drug Enforcement Administration, 2007). It is regulated in many countries around the world such as Australia, New Zealand, and the
United Kingdom, to name a few (http://en.wikipedia.org/wiki/Pseudoephedrine).
In the US, as part of the government’s efforts to curb illicit production of methamphetamine, the Combat Methamphetamine
Epidemic Act of 2005 (CMEA) was signed into law, effective March 9, 2006, to limit the sales of pseudoephedrine and other related
materials. The CMEA set limits of sales of pseudoephedrine by retail drugstores to individuals as follows: (1) the quantity sold to an
individual in a day could not exceed 3.6 g, regardless of the number of transactions; and (2) for individuals, purchases in a 30-day
period were limited to 9 g.
In addition, the CMEA mandated that regulated retail drugstores implement necessary measures to control and monitor the sales
of pseudoephedrine. The required measures included:

1. Placing product such that customers do not have direct access before the sale is made (“behind-the-counter” placement) or in a
locked cabinet that is located in an area of the facility to which customers do not have direct access;
2. Delivering the product directly into the custody of the purchaser;
3. Maintaining written or electronic list (logbook) of sales, including quantity sold, names and addresses of purchasers, and date and
time of the sales;
4. Examining acceptable forms of a photo identification card;
5. Requiring purchasers to sign the logbook and enter their names, addresses, and date and time of sale; and
6. Informing purchasers that entering false statements or misrepresentations in the logbook may subject them to criminal penalties
according to the law.

The CMEA also required retail drugstores to provide proper training to those store-front employees who were responsible for
directly dealing with customer purchases. Drugstores were to ensure that these employees understood these legal requirements and
followed proper procedures. Drugstores were also to self-certify to relevant authorities in their jurisdictions to demonstrate that all
store-front employees had undergone the required training.
In accordance with the CMEA, the US Department of Justice Drug Enforcement Administration (DEA) created some specific rules
relating to logbooks required to be maintained by drugstores (US Department of Justice Drug Enforcement Administration, 2006).
Paper logbooks were to be bound. For electronic logbooks, the records needed to be readily retrievable by the store or law enforcement
agencies, and an electronic signature system could be implemented to capture customers’ signatures. The DEA also required
the following notice to be included in all logbooks and to be shown to customers:
“WARNING: Section 1001 of Title 18, United States Code, states that whoever, with respect to the logbook, knowingly and willfully
falsifies, conceals, or covers up by any trick, scheme, or device a material fact, or makes any materially false, fictitious, or fraudulent
statement or representation, or makes or uses any false writing or document knowing the same to contain any materially false, fictitious, or
fraudulent statement or entry, shall be fined not more than $250,000 if an individual or $500,000 if an organization, imprisoned not more
than five years, or both.”
If inclusion of the notice in the logbooks was not feasible, the notice was to be displayed in a place where the customer would see
it when providing relevant information to complete a purchase.
For mail-order pharmacies, the purchase by an individual was limited to 3.6 g per day and 7.5 g in a 30-day period. Some
requirements for retail drugstores were not applicable for mail-order pharmacies. These included “behind-the-counter”-like physical
control measures and customers signing logbooks. However, the CMEA required mail-order sellers to file monthly reports with the
DEA and verify customer identities prior to shipping.
In addition to the Federal CMEA, state laws imposed additional restrictions. According to the DEA, state laws varied considerably
from state to state (US Department of Justice Drug Enforcement Administration, 2006). For example, 27 states imposed single
transaction limits and 19 states had monthly or weekly limits. As emphasized by the DEA, “CMEA does not preempt those requirements
under State laws/regulations that are more stringent than the CMEA requirements…. all persons subject to CMEA must
comply with the CMEA and the laws in the State(s) in which they sell [pseudoephedrine].”

1.1.2. Pseudoephedrine “smurfing”


Since mid-2007, the state of California experienced a surge of large-scale methamphetamine production (US Department of
Justice National Drug Intelligence Center, 2009). According to the National Drug Intelligence Center (NDIC), the surge was fueled by
the organized and widespread pseudoephedrine “smurfing.” Smurfing occurs when multiple, individual purchases of pseudoephedrine
at quantities at or below legal limits are made in an attempt to avoid legal ramifications. The pseudoephedrine purchases are
then combined together afterwards in order to produce methamphetamine. NDIC found that pseudoephedrine acquired through
smurfing was sent in bulk to methamphetamine producers in Mexico. According to the US Attorney’s Office (US Attorneys' Office
Central District of California, 2010), the surge of smurfing in California could be partly attributed to CVS Pharmacy’s failure to
control the sales of pseudoephedrine as required by the CMEA. During the period of more than one year starting mid-2007, smurfers
were able to make repeated purchases of pseudoephedrine from CVS Pharmacy stores that exceeded federal limits set by the CMEA.
Sometimes, smurfers were able to “clean out store shelves.”

1.2. CVS Pharmacy’s compliance practices

According to the investigation by the DEA and other law enforcement agencies (US Attorneys' Office, 2010), CVS Pharmacy had
implemented certain measures in order to comply with the CMEA. These measures included physical control of pseudoephedrine, a
paper-based logbook, and subsequently, an electronic logbook (which replaced the paper-based logbook).

1.2.1. Physical control


To comply with the CMEA, CVS Pharmacy moved all products containing pseudoephedrine behind cash register counters in its
retail stores. The company also provided written materials to train and educate employees about the new federal requirements and
the problem of using pseudoephedrine to make methamphetamine.

1.2.2. Paper logbook


CVS Pharmacy initially implemented paper-based logbooks, which were deemed CMEA-compliant. By using the paper logbook,
cashiers at each store were able to track and prevent excessive pseudoephedrine sales. The paper logbooks recorded customer names
alphabetically and past purchases made by customers.
However, the paper logbooks had some limitations, as CVS Pharmacy suggested (US Attorneys' Office, 2010). The limitations included:

1. Store clerks had to review the logbooks and make manual calculations of daily and monthly purchases by customers;
2. Recording sales in the paper logbooks and verifying quantity limits caused delays at the cash register counter and caused
inconvenience for customers;
3. Use of the logbooks caused some privacy concerns because customers would have to sign the logbook in front of others; and
4. Each individual retail store had its own logbook, and data was difficult to aggregate across stores.

1.2.3. Electronic logbook


In 2007, CVS Pharmacy decided to replace the paper logbooks with a computer system called “MethCheck.”[1] The system allowed
CVS Pharmacy stores to track pseudoephedrine sales and provided information to law enforcement agencies when needed. The
system was to be implemented at all CVS Pharmacy stores across the US.
The key feature of the MethCheck system was called “LookBack,” which was designed to track and review customer purchases of
pseudoephedrine and prevent any sales that violated federal and state limits. Without the LookBack feature, the system would be
dysfunctional. The feature, however, needed to be turned on for all states, regardless of whether a state had daily or monthly limits on
pseudoephedrine purchases by individuals (some states, e.g. California and Nevada, do not set monthly limits).[2]
CVS Pharmacy implemented the MethCheck by disabling the LookBack features in those states that did not impose monthly
limits.[3] By doing so, the company was essentially unable to prevent aggregated purchases by an individual that exceeded the daily
limit of 3.6 g imposed by the CMEA. As a result of implementing the MethCheck, the sales of pseudoephedrine at CVS Pharmacy
stores increased significantly from late 2007 to late 2008, particularly in California and Nevada. During that time, some CVS
Pharmacy employees raised concerns about excessive purchases of the drug by individuals. Management, however, did not respond
promptly by investigating the suspicious increases in sales. Instead, employees were instructed to rely on the MethCheck system to
determine whether or not to block a customer purchase. After the government started its investigation of the company’s compliance,
CVS Pharmacy changed the configuration of the MethCheck system by enabling the LookBack feature at stores in California and
Nevada in late 2008 and all other states in February 2009.
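
The effect of the LookBack configuration described above can be reproduced in a small simulation, added here as an illustration; it is not MethCheck code. The class and function names, the calendar-day and rolling 30-day interpretations of the CMEA limits, and the sample purchases are assumptions constructed for the example.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Federal CMEA retail limits from Section 1.1.1, held in milligrams so that
# the arithmetic is exact.
DAILY_LIMIT_MG = 3600     # 3.6 g per individual per day, all transactions
PERIOD_LIMIT_MG = 9000    # 9 g per individual per 30-day period
PERIOD = timedelta(days=30)


@dataclass(frozen=True)
class Purchase:
    purchaser_id: str     # identity from the photo ID (hypothetical field)
    when: datetime
    store: str
    mg: int


class ElectronicLogbook:
    """Hypothetical chain-wide logbook; not the vendor's implementation."""

    def __init__(self, lookback_enabled):
        self.lookback_enabled = lookback_enabled
        self.approved = []    # completed sales
        self.blocked = []     # refused attempts, kept for later review

    def request(self, p):
        """Decide one sale, record the outcome, return (approved, reason)."""
        day_total = period_total = p.mg
        if self.lookback_enabled:
            # Preventive control: add this purchaser's earlier approved sales
            # from every store before comparing against the limits.
            history = [q for q in self.approved
                       if q.purchaser_id == p.purchaser_id]
            day_total += sum(q.mg for q in history
                             if q.when.date() == p.when.date())
            period_total += sum(q.mg for q in history
                                if p.when - PERIOD < q.when <= p.when)
        if day_total > DAILY_LIMIT_MG:
            ok, reason = False, f"daily total {day_total} mg over limit"
        elif period_total > PERIOD_LIMIT_MG:
            ok, reason = False, f"30-day total {period_total} mg over limit"
        else:
            ok, reason = True, "within limits"
        (self.approved if ok else self.blocked).append(p)
        return ok, reason


def daily_breaches(sales):
    """Detective control: re-aggregate completed sales per purchaser per day
    and report every total above the daily limit, however it was approved."""
    totals = defaultdict(int)
    for p in sales:
        totals[(p.purchaser_id, p.when.date().isoformat())] += p.mg
    return {k: v for k, v in totals.items() if v > DAILY_LIMIT_MG}


def replay(purchases, lookback_enabled):
    """Run purchases in time order through a fresh logbook."""
    book = ElectronicLogbook(lookback_enabled)
    decisions = [book.request(p)[0]
                 for p in sorted(purchases, key=lambda p: p.when)]
    return book, decisions


# Constructed sample: one purchaser, two stores, each sale at or below 3.6 g.
SAMPLE = [
    Purchase("ID-001", datetime(2008, 3, 1, 10, 0), "store-A", 2400),
    Purchase("ID-001", datetime(2008, 3, 1, 11, 0), "store-B", 2400),
    Purchase("ID-001", datetime(2008, 3, 1, 15, 0), "store-A", 2400),
    Purchase("ID-001", datetime(2008, 3, 5, 10, 0), "store-B", 3000),
    Purchase("ID-001", datetime(2008, 3, 10, 10, 0), "store-A", 3000),
    Purchase("ID-001", datetime(2008, 3, 15, 10, 0), "store-B", 3000),
]

if __name__ == "__main__":
    for enabled in (False, True):
        book, decisions = replay(SAMPLE, enabled)
        sold = sum(p.mg for p in book.approved)
        print(f"lookback={enabled}: decisions={decisions}, sold={sold} mg, "
              f"daily breaches={daily_breaches(book.approved)}")
```

With the look-back disabled every constructed sale passes because each is judged in isolation; the separate `daily_breaches` report shows that the same sales log would still have exposed the over-limit day to anyone monitoring it.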

1.3. Post-investigation remedial measures

During the government’s investigation, CVS Pharmacy accepted the responsibility for unlawful sales of pseudoephedrine (US
Attorneys' Office, 2010). More specifically, the company acknowledged some unlawful conduct in the California and Nevada stores:
(1) employees at certain CVS Pharmacy stores knowingly sold the drug over the legal limits; (2) the stores that oversold the drug had
reasonable knowledge that the drug would be used to make methamphetamine; and (3) the company’s distribution center was in a
position to monitor and report the excessive sales of pseudoephedrine, but failed to do so.

[1] The MethCheck system was designed and marketed by Appriss, Inc., http://www.appriss.com. A brief description of the system can be found on the software
vendor’s website: http://www.appriss.com/sitedocs/MethCheckWhitePaper.pdf (accessed October 20, 2010).
[2] Federal laws are different from state laws. According to the US Attorneys’ Office (2010), the CMEA (a federal law) does not “preempt state law” but leaves “in place
varying state requirements governing…monthly sales of PSE to individual customer.”
[3] These states included: Alabama, Arizona, California, Colorado, Connecticut, District of Columbia, Florida, Georgia, Kansas, Maine, Maryland, Massachusetts,
Michigan, Nevada, New Hampshire, New Jersey, New York, North Dakota, Ohio, Pennsylvania, Rhode Island, South Carolina, Texas, Virginia, and Vermont.

As part of the non-prosecution agreement with the government, CVS Pharmacy was required to establish and maintain a
Compliance and Ethics Program. This program required the company to exercise due diligence to prevent criminal conduct, promote
and encourage ethical conduct, maintain procedures for an anonymous reporting mechanism, and discipline employees who violated
company policies.

1.4. CVS Pharmacy’s reflections on CMEA compliance

In a statement after the settlement with the government, Thomas M. Ryan, then CEO of CVS Caremark, acknowledged that “the
lapse…was an unacceptable breach of the company’s policies and was totally inconsistent with [the company’s] values. CVS
Pharmacy is unwavering in its support of the measures taken by the federal government and the states to prevent drug abuse” (CVS
Caremark Corporation, 2010b). To prevent future non-compliance, Ryan argued the company has, “strengthened…internal controls
and compliance measures and made substantial investments to improve [the company’s] handling and monitoring of PSE [pseudoephedrine]
by implementing enhanced technology and making other improvements in…stores and distribution centers” (CVS
Caremark Corporation, 2010b).

1.5. Case requirements

Before starting the case, read the information located in Appendix A. Using the COSO Internal Control – Integrated Framework
(May 2013) and the COBIT 5 (2012) framework, prepare a written report to assess CVS Pharmacy’s internal controls (note: not just
the logbooks) as well as its reporting, operations, compliance, and IT risk. More specifically:

1. Using the COSO Internal Control – Integrated Framework (May 2013), perform an analysis of CVS Pharmacy’s internal controls
and reporting, operations and compliance risk immediately prior to the government’s investigation. More specifically, identify
deficiency/risks (e.g. internal control deficiencies, external events, etc.) that may influence CVS Pharmacy’s business objectives
(e.g., complying with laws and regulations that govern drug sales). Use Table 1 as a template to report your analysis. You may
insert additional rows if needed. Note that not all items are relevant in the case and some external research may be necessary in
order to have a complete picture of the compliance issue (e.g., reading the extra materials).
2. Using the COBIT 5 framework, perform an analysis of CVS Pharmacy’s adoption of the MethCheck system immediately prior to the
government’s investigation. Identify IT risks (e.g. configuration deficiencies) that may influence CVS Pharmacy’s implementation
of the system. Use Table 2 as a template to report your analysis. You may insert additional rows if needed.
3. Based on your analyses of the deficiencies, risks, and information system issues, recommend internal control measures that CVS
Pharmacy may implement to address these issues. Also, identify the internal control measure and its corresponding principle. Use
Table 3 as a template to report your analysis. You may insert additional rows if needed. Note that you do not need to fill up all
cells.
4. Write a report summarizing your analysis of the above three tables. Your report should include:
• Background: Provide an overview of the company and the issues.
• Purpose: Explain the purpose of your report. Also provide a brief description of the scope of your report and the methods you use
for analyses.
• Findings: Provide and thoroughly discuss your assessment of CVS Pharmacy’s internal controls and risks. Recommendations can
be based on whether management should avoid, accept, reduce, or share the risk based on your assessment. Also, if you feel that
additional information would assist in providing more detailed or elaborated assessments, include a “Request for Information” as
part of your Findings that contains a list of the information needed and its purpose. For example, no information is provided
regarding a designated Chief Compliance Officer at CVS. A “Request for Information” might be “1. An Organization Chart that
includes all executive management positions. Purpose – to determine if a Chief Compliance Officer position had been established
at CVS, which will assist with assessing the Control Environment at CVS.”
• Recommendations: Recommend internal control measures that may help reduce the risks you assessed. In this section, make sure
you relate back to completed Tables 1–3. Make sure to integrate your analyses.
• Conclusion: Summarize your analyses, findings, and recommendations.

Table 1
COSO internal control assessment.

COSO internal control component/principle | Deficiency or risk

Control environment
1. The organization demonstrates a commitment to integrity and ethical values.
2. The board of directors demonstrates independence from management and exercises oversight of the development and performance of internal control.
3. Management establishes, with board oversight, structures, reporting lines, and appropriate authorities and responsibilities in the pursuit of objectives.
4. The organization demonstrates a commitment to attract, develop, and retain competent individuals in alignment with objectives.
5. The organization holds individuals accountable for their internal control responsibilities in the pursuit of objectives.

Risk assessment
6. The organization specifies objectives with sufficient clarity to enable the identification and assessment of risks relating to objectives.
7. The organization identifies risks to the achievement of its objectives across the entity and analyzes risks as a basis for determining how the risks should be managed.
8. The organization considers the potential for fraud in assessing risks to the achievement of objectives.
9. The organization identifies and assesses changes that could significantly impact the system of internal control.

Control activities
10. The organization selects and develops control activities that contribute to the mitigation of risks to the achievement of objectives to acceptable levels.
11. The organization selects and develops general control activities over technology to support the achievement of objectives.
12. The organization deploys control activities through policies that establish what is expected and in procedures that put policies into action.

Information and communication
13. The organization obtains or generates and uses relevant, quality information to support the functioning of internal control.
14. The organization internally communicates information, including objectives and responsibilities for internal control, necessary to support the functioning of internal control.
15. The organization communicates with external parties regarding matters affecting the functioning of internal control.

Monitoring activities
16. The organization selects, develops, and performs ongoing and/or separate evaluations to ascertain whether the components of internal control are present and functioning.
17. The organization evaluates and communicates internal control deficiencies in a timely manner to those parties responsible for taking corrective action, including senior management and the board of directors, as appropriate.

Table 2
COBIT assessment.

COBIT processes/domains | IT risk

Governance
1. Evaluate, Direct, & Monitor

Management
2. Align, Plan & Organize
3. Build, Acquire & Implement
4. Deliver, Service & Support
5. Monitor, Evaluate, & Assess

Table 3
Internal control matrix.

Internal control measure | Type of control (1) | Component/principle

1. Management Processes
2. Operational Processes
3. Information Processes

Note: (1) Type of internal control measure (P: Preventive; D: Detective; C: Corrective).

2. Teaching notes

2.1. Introduction

Internal control is one of the key issues that organizations have to address when adopting information systems. Two complementary
frameworks that can be applied in this context include the Committee of Sponsoring Organizations of the Treadway
Commission (COSO) Internal Control - Integrated Framework (ICF) and the COBIT framework issued by ISACA.[4] The ICF, issued in
1992, is a mature framework that has been incorporated into many policies, rules, and regulations (COSO (Committee of Sponsoring
Organizations of the Treadway Commission), 2004). In 2013, COSO issued an updated version of ICF (COSO (Committee of
Sponsoring Organizations of the Treadway Commission), 2013). The framework can be used to design, implement, maintain, and
assess the effectiveness of internal controls, and support the organization’s efforts to accomplish its objectives. By definition, the
COBIT framework focuses on the control issues related to information technology (IT). However, it is also influenced by the COSO
internal control framework. The most recent version is COBIT 5. In this case, we focus on the application of the new COSO ICF and
COBIT.[5]

[4] COBIT was previously known as the Control Objectives of Information and Related Technology; ISACA was previously known as the Information Systems Audit
and Control Association. Both now go by their acronyms only.
[5] Our discussion is based on COSO ICF 2013 and COBIT 5. Hereinafter we omit the versions of these two frameworks, unless stated otherwise to avoid confusion.

With the exception of Cereola and Cereola (2011), most teaching cases in the accounting education literature (for recent reviews
see Apostolou, Dorminey, Hassell, & Rebele, 2014; Apostolou, Dorminey, Hassell, & Watson, 2013) have focused on either COSO ICF
or COBIT in an isolated manner and rarely considered them in an integrative manner. For example, Savage, Norman, and Lancaster
(2008) used a movie about the collapse of Barings Bank to teach the COSO internal control framework (whereby students would
watch the movie and learn internal control concepts), but did not integrate COBIT. Sinason and Normand (2006) focused on systems
development life cycle and did not consider how the COBIT framework might be applied. Similarly, Norman, Payne, and Vendrzyk
(2009) focused on IT risk only, highlighting several general areas of IT issues such as system development and data security, but did
not use COBIT. Also, they mentioned COSO in passing as background information but did not fully integrate the framework in a
systematic manner. Cereola and Cereola (2011) used both COSO ICF and COBIT in their case. Their case is focused on a data security
breach resulting in confidential customer data being stolen by hackers through both wireless and wired networks. Security is an
important but narrower issue in IT. An updated literature review by Apostolou, Dorminey, Hassell, and Rebele (2016) suggested that
no teaching cases have been published on IT topics since 2014.[6]
Our case, on the other hand, focuses on IT adoption and implementation issues in the broad context of internal control considerations
and risk management. It highlights how the general legal and social environment might pose significant threats to
businesses. It also helps students understand and appreciate the use and management of information technology in a broader business
context, e.g., how IT can be used to support business objectives and how IT risks can have a significant impact on general business
risks. Thus students can better appreciate the link between business and IT. This case study is adaptable and can be utilized by
applying only one framework (i.e., COSO ICF or COBIT). Thus, this case can facilitate the achievement of learning objectives of
various accounting courses, including accounting information systems, audit, and IT audit courses.

2.2. Learning objectives

Although CVS adopted an electronic logbook system (“MethCheck”) to record and check customer purchases, the implementation
of the system was flawed and the company failed to prevent over-purchases of PSE by individuals. In October 2010, CVS paid a fine of
$77.5 million ($75 million civil penalty and the forfeiture of $2.5 million of profits) to settle a lawsuit brought by the US Attorney’s
Office for the Central District of California for the company’s unlawful sales of PSE (US Department of Justice, 2011). The case
demonstrates the importance of internal controls and the proper management of regulatory compliance and IT risks, which can be
examined using the COSO ICF and COBIT framework.
The overall learning objectives are for students to understand and apply the two frameworks (i.e., COSO ICF and COBIT) to
general business risks and IT risks. The specific learning objectives (LO) include:

LO1. Understand the COSO ICF and COBIT;
LO2. Apply COSO ICF and COBIT to assess internal controls and risks;
LO3. Understand different types of controls (e.g. preventive, detective, and corrective) and identify specific measures to reduce
risks;
LO4. Identify specific information systems controls for managing risks; and
LO5. Understand IT risks from an internal control perspective.

2.3. Past implementation of the case

This case has been adopted in undergraduate AIS courses at two AACSB-accredited universities. In our implementation, the case
was assigned to students as a required reading before the class sessions that covered internal controls. Students were also required to
read COSO ICF and COBIT. The following instructional approaches were taken: (1) discussion of the case and the most recent COSO
ICF and COBIT in class; and (2) group case report. Throughout the courses, the case was used as an example and students were
encouraged to participate in class discussions, which focused on applying the two frameworks to the examination of the case. For
example, when the objective dimension of the COSO ICF was introduced, students were asked to refer to the case and discuss the
operations, reporting, and compliance objectives CVS Pharmacy should have managed more effectively. For the COBIT framework,
we focused on the four control domain areas: plan, build, run, and monitor.
At one university, two classes, approximately two-and-a-half hours in length, were spent on discussions of the two frameworks. At
the other university, three 75-min classes were spent discussing the two frameworks. At the latter university, participation was also
included in the student’s final grade and students were instructed that the case would be discussed during the classes covering
internal controls and be factored into their final course participation grade.
The advantage of discussing the case in class before students prepare their group reports is that students: (1) gain an understanding
of the frameworks by discussing them; (2) clarify their understanding of the CVS Pharmacy case; and (3) learn from other
students (and the instructor) in open discussion of both the framework and the case. There are, however, some disadvantages of
discussing the case in class. For example, this may limit students’ thinking; they may believe that what is discussed in class is the only
correct answer. When the case was used at the authors’ institutions, a small number of students were found to simply “copy” whatever
they heard in the classroom without further studying the case material thoroughly.

[6] We thank Natalie Churyk (Editor-in-chief) for this point.

Table 4
Student feedback.

| Item | Mean | Median | Standard deviation | t-Statistic |
|---|---|---|---|---|
| Pre-case questionnaire (N = 81) | | | | |
| 1. My current working knowledge of internal control is: | 3.53 | 4 | 1.54 | −2.747* |
| 2. My current working knowledge of COSO is: | 1.72 | 1 | 1.18 | −17.390* |
| 3. My current working knowledge of COBIT is: | 1.69 | 1 | 1.17 | −17.769* |
| 4. My current working knowledge of risk management is: | 3.25 | 4 | 1.52 | −4.441* |
| 5. Internal controls are important to my professional development | 4.33 | 4 | 1.83 | 1.623 |
| Post-case questionnaire (N = 83) | | | | |
| 1. The case increased my working knowledge of internal control | 5.01 | 5 | 1.66 | 5.543* |
| 2. The case increased my working knowledge of COSO | 4.95 | 5 | 1.59 | 5.443* |
| 3. The case increased my working knowledge of COBIT | 4.87 | 5 | 1.65 | 4.804* |
| 4. The case increased my knowledge of risk management | 5.12 | 5 | 1.63 | 6.260* |
| 5. Internal controls are important to my professional development. | 5.41 | 6 | 1.88 | 6.833* |
| 6. The case is relevant in identifying internal control deficiencies. | 5.39 | 6 | 1.77 | 7.155* |
| 7. The case is relevant in identifying specific controls to achieve effective/efficient operations. | 5.16 | 6 | 1.73 | 6.109* |
| 8. The case is relevant in identifying specific controls to achieve compliance with applicable laws | 5.30 | 6 | 1.75 | 6.768* |
| 9. I found the case interesting | 5.08 | 6 | 1.89 | 5.206* |
| 10. The case is relevant because it was based on a real-world company | 5.47 | 6 | 1.82 | 7.358* |
| 11. The case was understandable, even though I had no formal training in internal control frameworks | 5.06 | 6 | 1.73 | 5.582* |
| 12. The case provided beneficial learning experience | 5.10 | 6 | 1.81 | 5.537* |
| 13. The case enhanced my critical-thinking skills | 5.04 | 5 | 1.68 | 5.640* |
| 14. Class discussion helped me to identify areas for improvement in my case solution | 4.83 | 5 | 1.95 | 3.878* |
| 15. The group report enhanced my understanding of the COSO and COBIT frameworks | 4.73 | 5 | 1.85 | 3.595* |
| 16. The work load of the group report was appropriate | 4.55 | 5 | 1.82 | 2.753* |
| 17. The group report was a good way to learn the COSO and COBIT concepts | 4.60 | 5 | 1.85 | 2.955* |

Notes:
* p < .05. T-tests are based on the differences between mean responses and neutral response of 4. Pre-case survey: two-tail; Post-case survey: one-tail.

In our implementation, students had two weeks to complete the report (the required length of the report was three to six pages
single-spaced). In their reports, students were required to use the two frameworks to analyze the case and recommend internal
control measures. Students were encouraged to use professional judgment and creativity in developing their reports. There is,
however, a potential risk. To ensure students knew exactly what to do for case analysis, we provided a report outline and three
specific supporting tables that asked students to identify relevant issues (risks and controls, etc.) for each of the COSO ICF components
and principles, as well as COBIT control domain areas.
Some caveats should be noted about group work. First, although the group report assignment helps students generate ideas and
learn from each other, some students may try to take a “free ride.” To deal with this issue, we required team member evaluations to be
submitted to the instructor the class meeting after the report was due. In the evaluations, students could evaluate all team members
by providing a score (up to 100 points/member) and anecdotal comments.
We graded student work on two criteria. The first is content (80%) which includes overall case analysis, application of COSO ICF,
application of COBIT, and control measures. The other criterion is presentation or writing, which evaluates students’ work in terms of style
and format.

2.4. Efficacy of the case

We believe the case can help students learn internal controls by using either of the frameworks (COSO ICF and COBIT).
Pedagogically speaking, instructors can avoid teaching internal controls in abstract terms. The case can give students some concrete
examples of internal control measures and how they are related to risks. The case demonstrates that a simple function in an information
system can have a negative chain of effects on a firm’s business operations. Thus, from an internal control standpoint,
information systems must be properly designed and implemented and their potential impact on overall business operations should be
properly assessed. Here the COBIT framework is useful for understanding various issues related to information systems design and
implementation. The COSO ICF, on the other hand, is useful for students to understand the overall picture and general methodologies
of internal controls and how information systems may play a role.
We conducted pre- and post-case student surveys to evaluate the efficacy of the case. The pre-case survey (N = 81, 74% response rate)
asked students about their knowledge of internal control and IT risk. Other than the same questions about internal control and IT risk, the
post-case survey (N = 83, 76% response rate) also asked students about the content and the implementation of the case. All questions were
on a seven-point Likert scale, with 1 indicating strongly disagree and 7 strongly agree. The results of the surveys are shown in Table 4.
The results indicated that students’ knowledge of internal control and IT risk improved significantly.7 In the pre-case survey,
students’ self-assessed knowledge (mean values in parentheses) in the following areas was significantly below average (i.e. neutral
response of 4 on a 7-point Likert scale): internal control (3.53), COSO (1.72), COBIT (1.69), and IT risk (3.25). Post-case survey
results indicated that their knowledge was significantly above average: internal control (5.01), COSO (4.95), COBIT (4.87), and IT
risk (5.12). T-tests of the differences between pre-case and post-case means of the first four questions were significant (p < .001),
suggesting that the case and classroom discussion helped students to understand internal control and risk management. The fifth
survey question also indicated that students had a better understanding of the importance of internal control (pre-case 4.33, post-case
5.41, t = 18.80, p < .001). Similarly, as indicated by the t-statistics (p < .01), students also gave positive evaluations of case
content (e.g. relevance to internal control) and implementation (e.g. group work).

7 It should be noted that this does not mean the case is the only factor. Reading textbooks and other materials will also help students learn the two frameworks. We thank Natalie Churyk (Editor-in-chief) for this point.

In addition to the rating, students were asked to provide written comments on the case. Overall, they noted that they appreciated
the relevance of the case to the concepts they were learning in the course. They also commented that using a real-world scenario
facilitated their understanding of the direct application of internal control concepts in industry. Students stated that the case was well
structured, interesting, easy to grasp yet complex enough to promote extensive thinking, and not overly burdensome. Some students
thought the case helped their comprehension of the concepts discussed in class, their ability to assess risk and refine their problem-solving
skills, and would directly benefit their performance in the class and improve their confidence in their internal control
knowledge. They also appreciated the opportunity to develop their own ideas regarding how they would have addressed a real-world
situation such as this. In addition, students appreciated the fact that the case highlighted that even a large company can make
mistakes and have internal control issues.
We assessed student performance by using a grading rubric (available from the authors upon request). In total, 129 students
completed the case. The grades ranged from 60% to 100% (mean: 90%; median: 90%; standard deviation: 9%).8 Overall, student
performance was satisfactory in terms of accomplishing the learning objectives.9 For example, most students were able to understand
and apply the key elements of the two frameworks. Thus scores were usually high in comparison to conventional accounting courses.
A plausible reason for those who had low scores (60s) is that the case is “qualitative” in nature (although it is also possible that those
students did not put in enough effort). Some students could be more familiar and comfortable with number-crunching and had
difficulty dealing with ambiguity and insufficient, qualitative information.
The reasons for losing points varied. For example, some students integrated one framework extensively but not the other framework
to the same degree and only highlighted a few key aspects. Integrating only one framework thoroughly but not the other may
have occurred because the case was divided up among different members of the group to complete, with some conducting a more
thorough analysis than others. A common issue among the groups, however, was lacking details and discussions to support their
arguments for the case analysis as well as not providing good depth or breadth of coverage of the frameworks. Although students
could identify key elements, for the most part, providing thorough discussions was more challenging.
To avoid these pitfalls, instructors may want to remind students that providing a response is not enough. Emphasis may need to be
placed on providing thorough discussions to support their responses (e.g., both breadth and depth). This emphasis on thorough
discussions also provides students an opportunity to continue refining their written communication skills. Thus, from a teaching
standpoint, instructors may emphasize the nature of the case and provide students some assistance in terms of case study method. In
the next sections, we elaborate on alternative implementation methods.

2.5. Implementation alternatives

Instructors may consider alternatives to implementing the case. First, given the aforementioned potential framing effect, instructors
may emphasize the importance of studying the case from “outside the box” and avoid “over-discussion” of the case in class.
In doing so, students can be encouraged to make an individual effort to understand the frameworks, the case, and complete their
reports. For example, instructors may lead the case discussion on one dimension of the COSO ICF and leave other dimensions for
students to study and explore.
Second, given the relatively significant amount of work, another alternative method is to assign group members to different
sections of the report (Savage et al., 2008). This will help students develop a more comprehensive coverage and present a more
thorough discussion of the case as a group. However, a caveat to be considered is that individual students may not put effort in
understanding and integrating other members’ work. To deal with this issue, instructors can require students to present their work
and answer questions in class so that individual students’ performance can be evaluated. Another method instructors may consider is
to make the teams small enough (e.g., 2–3 students per team) such that freeloading is harder to accomplish. If member evaluations
are implemented, instructors may also require justification for any scores higher than 90.
Third, instructors may adapt the case as an individual assignment (see Cereola & Cereola, 2011 for discussions on group work and
individual assignments). An alternative approach is to divide the case into two parts: compliance risk management (using COSO ICF)
and IT risk management (using COBIT). This will allow students to work on two smaller, perhaps easier, parts in a somewhat isolated
manner. After that, they can try to integrate and examine how IT risk should be managed in the overall context of business risk
management. For the purpose of assessment, instructors may require students to submit three smaller reports: analysis using COSO
ICF, analysis using COBIT, and integration summary. Another alternative that may accommodate the objectives of the course is to
only apply one of the frameworks.

8 These statistics reflect one of the two schools where the authors implemented the case. Statistics from the other school were not available due to employment change of one of the authors.
9 It is worth noting that the grading was somewhat subjective and there is no clear-cut right or wrong answer.


Fourth, given that the case was developed based on publicly available information, instructors may consider two alternative
approaches to assigning the reading material. One typical and conventional approach is to assign the full case as reading material; an
alternative approach is to assign some selected key source documents (see the list of references for the case) as required reading
materials to students. When deciding which approach to use, instructors may consider the advantages and disadvantages of each
approach. The use of original source documents may inspire more original thinking on the part of the students. It may also provide
more information than the written case would do, because some information may have been intentionally or unintentionally filtered
during the case development process. The written case, however, may make it easier for students to process the relevant information.
In the original implementation in the first semester, some of the source documents were used as required reading materials.
Fifth, instead of assessing internal controls, an alternative requirement instructors may consider is to ask students to create a novel
design of an internal control system. An advantage to this method is that students do not need to deal with the limits on publicly
available company information.10 They can instead focus on how to apply the two frameworks to design an effective control system in
a comprehensive manner. Another alternative is to ask students to assess risk by comparing pre- and post-government investigation.
This approach may help students better understand the potential impact of those changes imposed by government agencies.
Finally, it should be noted that the case is not meant to be self-contained. Some basic knowledge of the two frameworks is needed.
Depending on individual teaching styles, instructors may talk about the case first and then raise questions regarding how to assess
internal controls. Alternatively, they may give a lecture on internal controls and then use the case to illustrate how the two frameworks
may be applied to assess and design internal controls in a systematic manner.

2.6. Adopting the case for other courses

While the case was originally developed for undergraduate AIS courses, it can be readily used in graduate courses as well with
little or no change needed. Case study and group report methods are widely used in graduate programs such as the MBA and MSA
(Andersen & Schiano, 2014). Instructors may wish, however, to consider changing the case requirement. For example, student
presentations may be added as a grading component.
The case is also suitable for IT audit or internal audit courses. In fact, enterprise risk management, internal control, and IT risks
are among the key knowledge areas in which internal auditors should have sufficient competence (Reding et al., 2013). This CVS
Pharmacy case may be used as supplemental material for helping students better understand these topics in an integrative manner.
The case may also be adopted for financial audit courses with minimal modifications. Financial audit courses typically include the
COSO internal control framework and discuss IT controls in passing, but do not cover IT risks in detail. Thus, instructors may take
out the IT risk part of the case and assign the COSO part only. The IT risk part may be used as supplementary material for class
discussion when covering IT controls within the COSO framework (e.g., COSO Principle 11: General controls over technology). For
example, PCAOB Auditing Standard No. 12 (para. 15) states that “The following are examples of situations in which business risks
might result in material misstatement of the financial statements: … Use of information technology (“IT”) (a potential related
business risk might be, e.g., that systems and processes are incompatible).” The CVS Pharmacy case can best illustrate such risk. In
addition, the case may be used for discussing contingent liabilities. Questions for financial auditors may include: (1) how should
auditors assess contingent liabilities related to compliance? (2) to what extent should auditors assess information systems risks as part
of their financial audit engagement? and (3) how should auditors assess materiality in such cases (e.g., speaking with perfect
hindsight, whether the fine of $77 million was material)?

2.7. Suggested solution and grading rubric

A suggested solution and a sample grading rubric are available upon request from the authors.

Acknowledgement

We are grateful to Editor-in-Chief Natalie T. Churyk for her valuable guidance. We also thank the associate editor and two
anonymous reviewers for their helpful comments and suggestions.

Appendix A

A.1. Supplemental reading materials

Before completing the required analysis and reports, you need to be familiar with the two frameworks (i.e. COSO ICF 2013 and
COBIT 5) and CVS Caremark. Following are supplemental materials that should be read in addition to the internal controls chapters
assigned in your textbook/provided to you:

• COSO Internal Control-Integrated Framework: Frequently Asked Questions. Available at the COSO website: http://www.coso.org/documents/COSO%20FAQs%20May%202013%20branded.pdf
• COSO Internal Control – Integrated Framework (May 2013) Executive Summary. Available at the COSO website: http://www.coso.org/documents/coso%202013%20icfr%20executive_summary.pdf
• COBIT 5: Frequently Asked Questions. Available at the ISACA website: http://www.isaca.org/COBIT/Pages/FAQs.aspx
• COBIT 5: Available at ISACA website: http://www.isaca.org/COBIT/Pages/Product-Family.aspx
• CVS Caremark Corporation Form 10-K – Risk Factors. Available at the CVS Caremark website: http://phx.corporate-ir.net/Phoenix.zhtml?c=99533&p=irol-sec.

10 We thank an anonymous reviewer for this point.

References

Andersen, E., & Schiano, B. (2014). Teaching with cases: A practical guide. Harvard Business School Publishing.
Apostolou, B., Dorminey, J. W., Hassell, J. M., & Rebele, J. E. (2014). A summary and analysis of education research in accounting information systems (AIS). Journal of Accounting Education, 32(2), 99–112.
Apostolou, B., Dorminey, J. W., Hassell, J. M., & Rebele, J. E. (2016). Accounting education literature review (2015). Journal of Accounting Education, 35, 20–55.
Apostolou, B., Dorminey, J. W., Hassell, J. M., & Watson, S. F. (2013). Accounting education literature review (2010–2012). Journal of Accounting Education, 31(2), 107–161.
Cereola, S. J., & Cereola, R. J. (2011). Breach of data at TJX: An instructional case used to study COSO and COBIT, with a focus on computer controls, data security, and privacy legislation. Issues in Accounting Education, 26(3), 521–545.
COSO (Committee of Sponsoring Organizations of the Treadway Commission) (2004). Enterprise risk management – Integrated framework, executive summary. From: <http://www.coso.org/documents/coso_erm_executivesummary.pdf> Retrieved November 6, 2012.
COSO (Committee of Sponsoring Organizations of the Treadway Commission) (2013). Internal control – Integrated framework. Available at: <www.coso.org>.
CVS Caremark Corporation (2010a). Annual report. Available at: <http://media.corporate-ir.net/media_files/irol/99/99533/2010_Annual_Report.pdf>.
CVS Caremark Corporation (2010b). CVS/pharmacy announces agreements with US Drug Enforcement Administration and US Attorneys' Offices. From: <http://phx.corporate-ir.net/Phoenix.zhtml?c=99533&p=irol-newsArticle&ID=1482916&highlight=> Retrieved October 20, 2010.
Norman, C. S., Payne, M. D., & Vendrzyk, V. P. (2009). Assessing information technology general control risk: An instructional case. Issues in Accounting Education, 24(1), 63–76.
Reding, K. F., Sobel, P. J., Anderson, U. L., Head, M. J., Ramamoorti, S., Salmasick, M., & Riddle, C. (2013). Internal auditing: Assurance & advisory services (3rd ed.). Altamonte Springs, FL: The Institute of Internal Auditors Research Foundation (IIARF).
Savage, A., Norman, C. S., & Lancaster, K. A. S. (2008). Using a movie to study the COSO internal control framework: An instructional case. Journal of Information Systems, 22(1), 63–76.
Sinason, D. H., & Normand, C. J. (2006). Omni Furniture Company: A systems development lifecycle case. Journal of Information Systems, 20(2), 81–91.
US Attorneys' Office (2010). Non-prosecution agreement between the United States Attorneys' Offices for the Central District of California and the District of Nevada and CVS Pharmacy, Inc. From: <http://lib.law.virginia.edu/Garrett/prosecution_agreements/pdf/cvs.pdf> Retrieved October 20, 2010.
US Attorneys' Office Central District of California (2010). CVS admits illegally selling pseudoephedrine to criminals who made Methamphetamine, agrees to pay $77.6 million to resolve government investigation. From: <http://www.justice.gov/usao/cac/pressroom/pr2010/148.html> Retrieved October 30, 2010.
US Department of Justice (2011). CVS Pharmacy Inc. agrees to pay $17.5 million to resolve false prescription billing case. From: <http://www.justice.gov/opa/pr/2011/April/11-civ-485.html> Retrieved April 22, 2011.
US Department of Justice Drug Enforcement Administration (2006). Rules: Retail sales of scheduled listed chemical products; self-certification of regulated sellers of scheduled listed chemical products. From: <http://www.deadiversion.usdoj.gov/fed_regs/rules/2006/fr0926.htm> Retrieved October 20, 2010.
US Department of Justice Drug Enforcement Administration (2007). Procedures for establishment of individual import, manufacturing, and procurement quotas assessment of annual needs questions and answers. From: <http://www.deadiversion.usdoj.gov/meth/q_a.htm> Retrieved October 20, 2010.
US Department of Justice National Drug Intelligence Center (2009). Situation report: Pseudoephedrine Smurfing fuels surge in large-scale methamphetamine production in California. Available at: <http://www.justice.gov/archive/ndic/pubs36/36407/36407p.pdf>.
