How do auditors gain an understanding of the internal controls in an IT environment? Solution The control environment is the foundation on which an effective system of internal control is built and operated in an organization that strives to (1) achieve its strategic objectives, (2) provide reliable financial reporting to internal and external stakeholders, (3) operate its business efficiently and effectively, (4) comply with all applicable laws and regulations, and (5) safeguard its assets. Most of the well-publicized failures (including not only Enron and WorldCom, but also the governance failures that led to the 2008 financial crisis) were, at least in part, the result of weak control environments. The control environment includes the following elements: • Integrity and ethical values. • Management philosophy and operating style. • Organizational structure. • Assignment of authority and responsibility. • Human resource policies and practices. • Competence of personnel. Central to any approach to auditing the control environment is the assessment of risks from failure of each one of the six individual control environment elements as defined in the glossary of the Standards. Upon determining the risks relating to each one of the six control environment elements, the chief audit executive (CAE) may consider including in his or her annual audit plan one or more failures can miss the fundamental aspects of the organization’s foundation..