In this video, we walk through 5 AUD practice questions in each to teach about the control environment elements, entity and IT controls. These questions are from AUD content area 2 on the AICPA CPA exam blueprints: Assessing Risk and Developing a Planned Response.
The best way to use each video is to pause each time we get to a new question in the video, and then make your own attempt at the question before watching us go through it.
Also be sure to watch one of our free webinars on the 6 “key ingredients” to an extremely effective & efficient CPA study process here…
Control Environment Elements
The control environment sets the tone for an entire organization’s internal control system. Think of it as the “personality” of a business—reflecting its core values, leadership style, and commitment to ethical behavior. When leadership consistently models high standards of integrity, employees are more likely to follow established policies and procedures.
Example:
- Code of Conduct Adoption: A technology startup implements a clear code of conduct, ensuring every developer, salesperson, and executive understands the importance of honesty in coding practices, client communication, and data handling. This shared understanding boosts trust and clarity across all levels of the company.
Management’s Philosophy and Operating Style
Management’s philosophy and operating style have a direct influence on how seriously internal controls are taken. If leaders regularly discuss the importance of risk management and address potential issues openly, employees will feel more accountable for safeguarding company processes.
Example:
- Transparent Communication: A CFO who holds quarterly town hall meetings to discuss financial risks and operational goals sets a tone of transparency. Employees see that management takes risk seriously, and they’re more likely to report irregularities or suggest improvements to existing controls.
Entity-Level Controls
Entity-level controls are those that span the entire organization, rather than focusing on a single department or process. They address overarching governance, ethical standards, and risk management policies that guide decision-making throughout all levels of the business. These controls often influence how more specific, transaction-level controls are designed and implemented.
Example:
- Organization-Wide Policies: A retailer enforces an ethics policy that applies to everyone—from corporate headquarters down to individual store employees—and also sets enterprise-wide guidelines for data protection. This ensures consistency in decision-making and risk management across multiple departments and geographic locations.
IT General Controls (ITGCs)
IT General Controls (ITGCs) ensure that an organization’s technology systems run reliably and securely. These include policies for access control, system updates, data backup, and recovery procedures. Effective ITGCs not only protect data integrity but also support smooth and uninterrupted business operations.
Example:
- Change Management Approval: Before updating the point-of-sale software in hundreds of locations, a major restaurant chain requires formal approval and testing to ensure the new version doesn’t introduce errors or security vulnerabilities.
Primary Objective of Data Security Controls
Data security controls focus on preventing unauthorized access, alteration, or deletion of important information—whether it’s financial data, intellectual property, or customer records. By implementing these controls, companies reduce the risk of fraud, leaks, and other data breaches that can harm their reputation and bottom line.
Example:
- Role-Based Access: An insurance company grants claim adjusters access only to files they need for their specific jobs. This prevents a marketing intern or a finance analyst from seeing private customer information unrelated to their role.
Conclusion
The questions we explored highlight essential elements of an effective internal control system, showing how the control environment, management’s philosophy, entity-level controls, ITGCs, and data security measures work together to protect an organization. By setting a strong tone at the top, implementing organization-wide standards, and ensuring robust IT and data controls, businesses can better manage risk, foster ethical behavior, and maintain trust with stakeholders.
