MODULE 2: BASIC CONCEPT OF AIS

TYPES OF ACCOUNTING INFORMATION SYSTEMS

1. Manual Systems
2. Legacy Systems
3. Modern, integrated IT Systems

1. Manual Systems
An entirely manual system would require source documents and
paper-based ledgers and journals.

A source document is a record that captures the key data of a
transaction. The data on a source document usually includes the
date, purpose, entity, quantities, and amount of a transaction.
Some examples of source documents are employee time cards,
purchase orders, sales orders, and cash receipts. A source
document usually serves three important functions in the
accounting system: First, the source document provides the input
data necessary for the accounting system to record the
transaction. Second, the source document triggers business
processes to begin. For example, a purchase order triggers the
business processes that will fill the order and ship goods to the
customer. Third, the source document serves as part of the
permanent audit trail. If necessary, the organization can look up
the source document of a transaction to determine the origin and
validity of the transaction.

A turnaround document is an output of the accounting system
that can be used as an input in a different part of the accounting
system. An example is your credit card statement, which is a
computer output of the system your credit card company uses. The
part of that statement you return with your payment is an input
that can be used by the company’s accounting system to determine your
account number. The computer system scans the document to
read your account number, and it is not necessary for a person to
manually type in your number. The turnaround document
improves input efficiency and accuracy by eliminating human
error.

General ledger provides details for the entire set of accounts used
in the organization’s accounting systems. Transactions or
transaction summaries are posted to the general ledger from the
general journal and special journals.

General journal is the place of original entry for any transactions
that are not recorded in special journals. The general journal is
used to record nonroutine transactions and adjusting and closing
entries.

Special journals are established to record specific types of
transactions. For example, a sales journal records all sales. Other
special journals could include a purchases journal, payroll journal,
cash receipts journal, and cash disbursements journal.

Subsidiary ledgers maintain detailed information regarding
routine transactions, with an account established for each entity.
For example, the accounts receivable subsidiary ledger maintains
all detailed information regarding customer purchases, payments,
and balances due.

2. Legacy Systems
A legacy system is an existing system in operation within an
organization. A legacy system uses older technology in which the
organization has a considerable investment and that might be
well-established in the organization.

3. Modern, Integrated Systems


In today’s AIS environment, numerous accounting software
systems are available for purchase that integrate many or all of the
business processes within an organization. In the early days of
computer automation of accounting, much of the accounting
software was developed and written internally by the
organization’s IT staff. Today, companies more frequently
purchase software rather than develop it internally. Often,
purchased systems are modified by the IT staff to meet specific
needs of the organization.

These modern, integrated systems usually run in one of two types
of computer architectures, or models. One model is a client–
server model, and the other is cloud computing.

Client–server computing means that there are two types of
computers networked together to accomplish application
processing. The server is usually a large computer that
contains the database and many of the application programs.
Client computers, usually PC-type computers, are networked
to the server and work with the server in such a way that the
network appears to be one integrated system for users.

Cloud computing is virtual server access and use that is
contracted from a third-party provider. The third-party cloud
or “hosting” provider maintains the hardware, installs
software and software updates on the server, and is
responsible for the ongoing upkeep and maintenance of the
hardware and software.

ACCOUNTING SOFTWARE MARKET SEGMENTS

The accounting software market today is categorized into four market
segments: small company systems, midmarket company systems,
beginning ERP systems, and tier 1 ERP systems.

Regardless of the type of accounting software used, computer
processing is involved in the input of data, the processing of that data,
and the outputs from the system. The next section describes many of
the input and processing methods used in IT systems.

INPUT METHODS USED IN BUSINESS PROCESSES

Source Documents and Keying


Within business processes, the accounting data is often initially
captured and recorded on a source document. One example of
capturing data on a source document is the use of a sales order to
capture data for a sales invoice to be generated in an automated
ERP system. To key in the customer and items ordered, the person
entering the data would need to enter the information from the
source document, the customer sales order.

Bar Codes
A bar code is a printed code consisting of a series of vertical,
machine-readable, rectangular bars and spaces that vary in width
and are arranged in a specific way to represent letters, numbers,
and other human-readable symbols. Bar codes are “read” and
decoded by bar code scanners.

Point of Sale Systems


A point of sale system (POS) is a method of using hardware and
software that captures retail sales transactions by standard bar
coding. The bar code label on the products is usually called the
universal product code, or UPC.

Electronic Data Interchange


Electronic data interchange (EDI) is the intercompany,
computer-to-computer transfer of business documents in a
standard business format. EDI transmits purchase orders,
invoices, and payments electronically between trading partners.
Since transmission is electronic, the paper source documents and
the manual keying of those documents are eliminated.

E-Business and E-Commerce


Data is also electronically exchanged between trading partners in
e-business and e-commerce. E-business relates to all forms of
online electronic business transactions and processing, whereas
e-commerce is a type of e-business that is specific to consumer
online buying and selling. A major difference between EDI and
e-business (including e-commerce) is that EDI uses dedicated
networks, while e-business uses the Internet. As is true for EDI,
when data is exchanged electronically between trading partners,
much of the manual data input process is eliminated, thereby
reducing time, cost, and errors.

PROCESSING ACCOUNTING DATA

After accounting information has been input into the accounting
system, it must be processed. Processing accounting data involves
calculations, classification, summarization, and consolidation. In
manual accounting systems, this processing occurs through the
established manual methods and the recording, posting, and closing
steps in the journals and ledgers. Automated processing can be
accomplished by batch processing or online and real-time
processing.

Batch processing
Batch processing requires that all similar transactions are grouped
together for a specified time, and then this group of transactions is
processed together as a batch. Batch processing is best suited to
applications having large volumes of similar transactions that can
be processed at regular intervals. Payroll processing is a good
example of a system that is well suited to batch processing. All time
cards can be grouped together for a two-week period, for example,
and all payroll processing then takes place on the entire set, or
batch, of time cards.

Online Processing
With online processing, transactions are not grouped into batches;
rather, each transaction is entered and processed individually.
Thus, online processing requires that data from the related
business processes be stored in random access files.

Real-time processing
Real-time processing means that the transaction is processed
immediately, and in real time, so that the output is available
immediately. Real-time processing usually requires a database
and database management software systems.

OUTPUTS FROM THE AIS RELATED TO BUSINESS PROCESSES

General categories of outputs:


1. Trading partner documents such as checks, invoices, and
statements

Some of the outputs of the accounting information system are
documents exchanged with trading partners such as customers
and vendors. Invoices and statements are examples of
documents sent to customers. Checks are outputs sent to
vendors. These outputs may be in electronic or paper form. For
example, electronic outputs include checks sent to vendors via
electronic funds transfer and customer invoices sent via
electronic data interchange.

2. Internal documents

Internal documents are another form of output from an
accounting information system. Examples of internal
documents include credit memorandums, receiving reports,
production routing documents, and production scheduling
documents. These documents may be printed paper forms, or
they may be in the form of screen outputs viewed on the user’s
computer.

3. Internal reports

Internal reports provide feedback to managers to assist them
in running the business processes under their control. For
example, an aged accounts receivable report may be prepared
for the manager responsible for accounts receivable; the
managers who oversee inventory would be interested in an
inventory status report identifying those products that are at
low stock levels.

Internal reports may be printed on paper, viewed on a computer
screen, or created (either on screen or paper) as customizable
queries that allow a manager to “drill down” into the details of
the process being managed.

4. External reports

External reports are usually financial statements that include a
balance sheet, income statement, and statement of cash flows.

DOCUMENTING PROCESSES AND SYSTEMS

Systems professionals and accountants must understand the
documentation and charts that describe accounting systems. Such
documentation allows the accountant to analyze and understand the
procedures and processes of a business process and the systems that
capture and record accounting data. The old adage that a picture is
worth a thousand words is true for users documenting processes and
systems. A picture, or chart, of the system is a concise, complete, and
easy-to-understand way to analyze a process or system. The various
types of popular pictorial representations of processes and systems
used in businesses today include the following:

1. Process maps
2. System flowcharts
3. Document flowcharts
4. Data flow diagrams

1. Process Maps
Process maps are pictorial representations of business
processes in which the actual flow and sequence of events in the
process are presented in diagram form—the start of a process,
the steps within the process, and a finish of the process.

Figure 1. Process Map Symbols


Figure 2. Sample Process Map of Class Registration

2. System Flowcharts
A system flowchart is intended to depict the entire system,
including inputs, manual and computerized processes, and
outputs. System flowcharts do not necessarily show details of
each process, but display the overall sequence of processes and
the media used for processing and storage. Processing and
storage are shown as manual or computerized. Inputs can be
documents, keying of input, electronic input, or processes that
feed data to other processes. Outputs may be documents,
statements, reports, data stored in files, or data fed into other
processes. System flowcharts are used by systems professionals
in the design and maintenance of IT systems. In general,
accountants and auditors do not use system flowcharts
extensively. Accountants and auditors are more likely to use
process maps, data flow diagrams, and document flowcharts.

Figure 3. Common System Flowchart Symbols

Figure 4. Sample Payroll System Flowchart


3. Document Flowcharts
A document flowchart shows the flow of documents and
information among departments or units within an
organization. Document flowcharts are usually divided into
columns, each representing a department or unit of the
organization. Document flowcharts trace each document in a
process from its origin to its final destination. Thus, the
document flowchart shows the origin of a document, the units
to which it is distributed, the ultimate disposition of the
document, and everything that happens as it flows through the
system. For documents prepared in duplicate, the document
flowchart shows the flow for each copy of the document.

A document flowchart is a special kind of system flowchart that
depicts only document flows. However, document flowcharts do
not necessarily show all the related business processes.
Document flowcharts are useful for not only understanding the
flow of documents, but also in understanding internal controls.
The symbols used in document flowcharts are similar to those
used for system flowcharts, as presented in Figure 3 (previous
page).

Figure 5. Sample Restaurant Document Flowchart


4. Data Flow Diagrams
A data flow diagram, or DFD, is used by systems professionals to
show the logical design of a system. The advantage of DFDs is
that they use only four symbols and are simple to read and
understand.

Systems professionals use data flow diagrams in structured
system design, a process wherein the logical system is
diagrammed at a high, conceptual level first. In succeeding
steps, the data flow diagrams are exploded into more levels of
detail until the logical structures of all detailed tasks have been
shown in successive data flow diagrams. “Exploding” means that
each individual process is shown in progressively more detail in
a subsequent diagram. Although data flow diagrams are easy to
read, accountants and business consultants more frequently use
process maps.

Figure 6. Data Flow Diagram Symbols


Figure 7. Sample Restaurant Data Flow Diagram

MODULE 3: FRAUD, ETHICS, AND INTERNAL CONTROL

ACCOUNTING-RELATED FRAUD
Fraud can be defined as the theft, concealment, and conversion
to personal gain of another’s money, physical assets, or
information.
In fraud, there is a distinction between misappropriation of
assets and misstatement of financial records.
Misappropriation of assets involves theft of any item of value.
It is sometimes referred to as a defalcation, or internal theft, and
the most common examples are theft of cash or inventory.
Restaurants and retail stores are especially susceptible to
misappropriation of assets because their assets are readily
accessible by employees.
Misstatement of financial records involves the falsification of
accounting reports. This is often referred to as earnings
management, or fraudulent financial reporting.

Three Conditions of Fraud, known as the FRAUD TRIANGLE

• Incentive to commit the fraud. Some kind of incentive or
pressure typically leads fraudsters to their deceptive
acts. Financial pressures, market pressures, job-related
failures, or addictive behaviors may create the incentive
to commit fraud.
• Opportunity to commit the fraud. Circumstances may
provide access to the assets or records that are the objects
of fraudulent activity. Only those persons having access
can pull off the fraud. Ineffective oversight is often a
contributing factor.
• Rationalization of the fraudulent action. Fraudsters
typically justify their actions because of their lack of
moral character. They may intend to repay or make up for
their dishonest actions in the future, or they may believe
that the company owes them as a result of unfair
expectations or an inadequate pay raise.

Understanding these conditions is helpful to accountants as
they create effective systems that prevent fraud and fraudulent
financial reporting. Fraud prevention is an increasingly
important role for accounting and IT managers in business
organizations, because instances of fraud and its devastating
effects appear to be on the rise.

CATEGORIES OF ACCOUNTING-RELATED FRAUD


1. Management fraud
Management fraud, conducted by one or more top-level
managers within the company, is usually in the form of
fraudulent financial reporting. Oftentimes, the chief
executive officer (CEO) or chief financial officer (CFO)
conducts fraud by misstating the financial statements
through elaborate schemes or complex transactions.
Managers misstate financial statements in order to receive
such indirect benefits as the following:
a. Increased stock price. Management usually owns
stock in the company, and it benefits from increased
stock price.
b. Improved financial statements, which enhance the
potential for a merger or initial public offering (IPO),
or prevent negative consequences due to
noncompliance with debt covenants or decreased
bond ratings.
c. Enhanced chances of promotion, or avoidance of
firing or demotion.
d. Increased incentive-based compensation such as
salary, bonus, or stock options.
e. Delayed cash flow problems or bankruptcy.

Management fraud may involve overstating revenues and
assets, understating expenses and liabilities, misapplying
accounting principles, or any combination of these tactics.

Management fraud typically:


• Is intended to enhance financial statements
• Is conducted or encouraged by the top managers
• Involves complex transactions, manipulations, or
business structures
• Involves top management’s circumvention of the
systems or internal controls that are in place—known
as management override

The most effective measure to prevent or detect
management fraud is to establish a professional internal
audit staff that periodically checks up on management
activities and reports to the audit committee of the board of
directors.

2. Employee Fraud

Employee fraud is conducted by non-management
employees. This usually means that an employee steals cash
or assets for personal gain. While there are many different
kinds of employee fraud, some of the most common are as
follows:

• Inventory theft. Inventory can be stolen or
misdirected. This could be merchandise, raw materials,
supplies, or finished goods inventory.
• Cash receipts theft. This occurs when an employee
steals cash from the company. An example would be the
theft of checks collected from customers.
o Skimming - the organization’s cash is stolen before it is
entered into the accounting records. An example is a
ticket agent in a movie theater who accepts cash from
customers and permits those customers to enter the
theater without a ticket. The cash collected could be
pocketed by the agent, and there would be no record of
the transaction.
o Larceny - Fraudsters may also steal the company’s cash
after it has been recorded in the accounting records.
Larceny is typically detected when performing a
reconciliation of cash accounts (to the accounts
receivable or payable records) or when preparing the
bank reconciliation.
• Accounts payable fraud. Here, the employee may
submit a false invoice, create a fictitious vendor, or
collect kickbacks from a vendor. A kickback is a cash
payment that the vendor gives the employee in
exchange for the sale; it is like a business bribe.
• Payroll fraud. This occurs when an employee submits
a false or inflated time card.
• Expense account fraud. This occurs when an
employee submits false travel or entertainment
expenses, or charges an expense account to cover the
theft of cash.

Collusion occurs when two or more people work together to
commit a fraud. For example, if a warehouse employee stole
inventory and an accounting clerk covered it up by altering
the inventory records, the fraud would be difficult to detect.

3. Customer Fraud

Customer fraud occurs when a customer improperly
obtains cash or property from a company, or avoids a
liability through deception. Examples of customer fraud
include credit card fraud, check fraud, and refund fraud.
Credit card fraud and check fraud involve the customer’s
use of stolen or fraudulent credit cards and checks. Refund
fraud occurs when a customer tries to return stolen goods
to collect a cash refund.

4. Vendor Fraud

Vendor fraud occurs when vendors obtain payments to
which they are not entitled. Unethical vendors may
intentionally submit duplicate or incorrect invoices, send
shipments in which the quantities are short, or send
lower-quality goods than ordered. Vendor fraud may also be
perpetrated through collusion. For example, an employee of
a company could make an agreement with a vendor to
continue the vendor relationship in the future if the
employee receives a kickback.

5. Computer Fraud

Computer fraud is a fraud wherein the computer is used as
a tool to more quickly and efficiently conduct a fraud.

Two Sources of Computer Fraud


• Internal Sources of Computer Fraud
When an employee of an organization attempts to
conduct fraud through the misuse of a computer-based
system, it is called internal computer fraud.

Internal computer fraud concerns each of the following
activities:

1. Input manipulation
- Input manipulation usually involves altering
data that is input into the computer. For
example, altering payroll time cards to be
entered into a computerized payroll system
is a type of input manipulation. Other
examples of input manipulation would be
creating false or fictitious data inputs,
entering data without source documents, or
altering payee addresses of vendors or
employees.

2. Program manipulation
- Program manipulation occurs when a
program is altered in some fashion to
commit a fraud.
Examples of program manipulation:
Salami technique - a fraudster alters a
program to slice a small amount from
several accounts and then credit those small
amounts to the perpetrator’s benefit. For
example, a program that calculates interest
earned can be altered to round down to the
lower 10-cent amount; that small excess of
interest earned can be deposited to the
perpetrator’s account.

Trojan horse programs - a Trojan horse program is a small,
unauthorized program within a larger,
legitimate program, used to manipulate the
computer system to conduct a fraud. For
example, the rogue program might cause a
certain customer’s account to be written off
each time a batch of sales or customer
payments are processed.

Trap door alterations - a trap door is a valid
programming tool that is misused to commit
fraud. As programmers write software
applications, they may allow for unusual or
unique ways to enter the program to test
small portions, or modules, of the system.
These entranceways can be thought of as
hidden entrances, or trap doors. Before the
program is placed into regular service, the
trap doors should be removed, but a
programmer may leave a trap door in place
in order to misuse it to commit fraud.

3. Output manipulation
- Computer systems generate many different
kinds of output, including checks and
reports. If a person alters the system’s
checks or reports to commit fraud, this is
known as output manipulation. This kind of
fraud is often successful simply because
humans tend to trust the output of a
computer and do not question its validity or
accuracy as much as they might if the output
were manually produced.
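
A detective check for the salami technique described above, as an added example that is not part of the original notes: it recomputes each account's interest independently of the production program and compares it with what was actually posted. The account numbers, balances, rate, and the simple monthly interest formula are constructed assumptions.

```python
from collections import defaultdict
from decimal import Decimal, ROUND_HALF_UP

CENT = Decimal("0.01")

# Constructed sample data (not from the notes): account -> (balance, annual rate).
ACCOUNTS = {
    "A-1001": (Decimal("12345.67"), Decimal("0.03")),
    "A-1002": (Decimal("8400.00"), Decimal("0.03")),
    "A-1003": (Decimal("5120.50"), Decimal("0.03")),
    "A-1004": (Decimal("23999.99"), Decimal("0.03")),
    "A-1005": (Decimal("1777.00"), Decimal("0.03")),
    "A-9999": (Decimal("400.00"), Decimal("0.03")),
}

# Constructed postings from one monthly interest run: (account, credited amount).
# Several credits sit on a 10-cent boundary and one account gets an extra credit.
POSTINGS = [
    ("A-1001", Decimal("30.80")),
    ("A-1002", Decimal("21.00")),
    ("A-1003", Decimal("12.80")),
    ("A-1004", Decimal("59.90")),
    ("A-1005", Decimal("4.40")),
    ("A-9999", Decimal("1.00")),
    ("A-9999", Decimal("0.20")),
]


def expected_interest(balance, annual_rate, periods_per_year=12):
    """Independent recomputation: one period of simple interest, to the cent."""
    return (balance * annual_rate / periods_per_year).quantize(CENT, ROUND_HALF_UP)


def reconcile_interest_run(accounts, postings, periods_per_year=12):
    """Compare posted interest with recomputed interest, account by account."""
    posted = defaultdict(Decimal)
    for account_id, amount in postings:
        posted[account_id] += amount

    shortfalls, excesses = {}, {}
    total_expected = Decimal("0.00")
    for account_id in sorted(set(accounts) | set(posted)):
        if account_id in accounts:
            balance, rate = accounts[account_id]
            expected = expected_interest(balance, rate, periods_per_year)
        else:
            expected = Decimal("0.00")  # credit to an account with no interest due
        total_expected += expected
        difference = posted[account_id] - expected
        if difference < 0:
            shortfalls[account_id] = -difference
        elif difference > 0:
            excesses[account_id] = difference

    total_posted = sum(posted.values(), Decimal("0.00"))
    return {
        # A batch control total alone passes when the slices are re-credited.
        "control_total_balances": total_posted == total_expected,
        "shortfalls": shortfalls,
        "excesses": excesses,
        "total_shortfall": sum(shortfalls.values(), Decimal("0.00")),
        "total_excess": sum(excesses.values(), Decimal("0.00")),
    }


if __name__ == "__main__":
    report = reconcile_interest_run(ACCOUNTS, POSTINGS)
    for key, value in report.items():
        print(key, value)
```

On this sample the run total still balances, so only the per-account comparison exposes the short-paid accounts and the account that received the difference.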

• External Sources of Computer Fraud

In most cases, external computer frauds are conducted
by someone outside the company who has gained
unauthorized access to the computer. These fraudsters
are commonly known as hackers. However, it is
possible that someone within the organization—
essentially, anyone who can gain access to an
organization’s computer system—could attempt these
frauds.

Two common types of external computer fraud are
hacking and spoofing.

Hacking is the term commonly used for computer
network break-ins. Hacking may be undertaken for
various reasons, including industrial espionage, credit
card theft from online databases, destruction or
alteration of data, or merely thrill-seeking.

DoS Attacks - A particular kind of hacking that has
increased dramatically in recent years is denial of
service (DoS) attacks. A denial of service attack is
intended to overwhelm a target
computer system with so much bogus network
traffic that the system is unable to respond to valid
network traffic.

Spoofing occurs when a person, through a computer
system, pretends to be someone else. There are two
kinds of spoofing that are currently prevalent: Internet
spoofing and email spoofing.

Internet spoofing is the most dangerous to the
accounting and control systems, because a spoofer
fools a computer into thinking that the network
traffic arriving is from a trusted source. Within the
Internet, each computer server is identified by a
unique Internet protocol (IP) address. Any
network traffic between computers is broken into
small “packets” of data. Each packet includes the IP
addresses of both the sender and receiver of the
packet. In spoofing, the originating IP address is
intentionally changed to make it appear that the
packet is coming from a different IP address. Many
computer systems include a security system that
accepts packets only from known and trusted
sources—essentially, an address book of trusted IP
addresses. A spoofer circumvents that system by
pretending that the packet originates from a
trusted source. These packets can contain
malicious data such as viruses, or programs that
capture passwords and login names.

Email spoofing is usually used in an attempt to
scam consumers. For example, a bank customer
might get an email that looks as if it comes from the
customer service department, asking recipients to
provide confidential information such as their log-in
and password. With these fake emails, the
sender is hoping that unsuspecting customers will
reply and divulge confidential information that will
allow the spoofer to commit fraud.

POLICIES TO ASSIST IN THE AVOIDANCE OF FRAUD AND ERRORS

Following are three critical actions that an organization can
undertake to assist in the prevention or detection of fraud and
errors:
1. Maintain and enforce a code of ethics.
2. Maintain a system of accounting internal controls.
3. Maintain a system of information technology controls.

These ongoing actions will not entirely prevent or detect all
fraud or errors, but they can greatly reduce the chance of fraud
and errors.

1. Maintenance of a Code of Ethics

Documenting and adhering to a code of ethics should
reduce opportunities for managers or employees to conduct
fraud. This will only be true, however, if top management
emphasizes this code of ethics and disciplines or discharges
those who violate the code.

2. Maintenance of Accounting Internal Controls

Internal control systems provide a framework for fighting
fraud. However, attempting to prevent or detect fraud is
only one of the reasons that an organization maintains a
system of internal controls.

The objectives of an internal control system are as
follows:
1. Safeguard assets (from fraud or errors).
2. Maintain the accuracy and integrity of the accounting
data.
3. Promote operational efficiency.
4. Ensure compliance with management directives.

This control system includes three types of controls.


Preventive controls are designed to avoid errors,
fraud, or events not authorized by management.
Preventive controls intend to stop undesirable acts
before they occur. For example, keeping cash locked in
a safe is intended to prevent theft.

Detective controls help employees to uncover or
discover errors, fraud, or unauthorized events.
Examples of detective controls include matching
physical counts to inventory records, reconciling bank
statements to company records, and matching an
invoice to its purchase order prior to payment. When
these types of activities are conducted, it becomes
possible to detect problems that may exist.

Corrective controls are those steps undertaken to
correct an error or problem uncovered via detective
controls. For example, if an error is detected in an
employee’s time card, there must be an established set
of steps to follow to assure that it is corrected. These
steps would be corrective controls.
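
One way to automate the detective control of matching an invoice to its purchase order prior to payment, as an added example that is not part of the original notes. It goes a little beyond the text by also checking the vendor master, the receiving report quantity, and repeated invoices, which correspond to the fictitious vendor, short shipment, and duplicate invoice schemes mentioned earlier; every record, identifier, and exception code is constructed for illustration.

```python
from decimal import Decimal

# All records below are constructed sample data, not taken from the notes.
VENDOR_MASTER = {"V-100", "V-200"}  # approved vendors
PURCHASE_ORDERS = {
    "PO-5001": {"vendor": "V-100", "qty": 40, "unit_price": Decimal("12.50")},
    "PO-5002": {"vendor": "V-200", "qty": 100, "unit_price": Decimal("20.00")},
    "PO-5003": {"vendor": "V-200", "qty": 10, "unit_price": Decimal("30.00")},
}
RECEIVING_REPORTS = {"PO-5001": 40, "PO-5002": 90, "PO-5003": 10}  # qty received
INVOICES = [
    {"id": "INV-1", "vendor": "V-100", "po": "PO-5001", "qty": 40,
     "amount": Decimal("500.00")},
    {"id": "INV-2", "vendor": "V-200", "po": "PO-5002", "qty": 100,
     "amount": Decimal("2000.00")},
    {"id": "INV-3", "vendor": "V-100", "po": "PO-5001", "qty": 40,
     "amount": Decimal("500.00")},
    {"id": "INV-4", "vendor": "V-900", "po": None, "qty": 5,
     "amount": Decimal("750.00")},
    {"id": "INV-5", "vendor": "V-200", "po": "PO-5003", "qty": 10,
     "amount": Decimal("350.00")},
]


def screen_invoices(invoices, vendors, purchase_orders, receiving_reports):
    """Return {invoice id: [exception codes]}; an empty list means it matched."""
    results = {}
    seen = set()  # (vendor, PO, amount) combinations already presented
    for inv in invoices:
        exceptions = []
        if inv["vendor"] not in vendors:
            exceptions.append("UNKNOWN_VENDOR")

        po = purchase_orders.get(inv["po"])
        if po is None:
            exceptions.append("NO_PURCHASE_ORDER")
        else:
            if po["vendor"] != inv["vendor"]:
                exceptions.append("VENDOR_MISMATCH")
            if inv["amount"] != inv["qty"] * po["unit_price"]:
                exceptions.append("AMOUNT_MISMATCH")
            if inv["qty"] > receiving_reports.get(inv["po"], 0):
                exceptions.append("QTY_EXCEEDS_RECEIVED")

        key = (inv["vendor"], inv["po"], inv["amount"])
        if key in seen:
            exceptions.append("DUPLICATE_INVOICE")
        seen.add(key)

        results[inv["id"]] = exceptions
    return results


def payable(results):
    """Invoices with no exceptions may be released for payment."""
    return [invoice_id for invoice_id, exc in results.items() if not exc]


if __name__ == "__main__":
    outcome = screen_invoices(INVOICES, VENDOR_MASTER, PURCHASE_ORDERS,
                              RECEIVING_REPORTS)
    for invoice_id, exc in outcome.items():
        print(invoice_id, exc or "OK")
```

Invoices that come back with exception codes would then go through the corrective steps the organization has established rather than being paid.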

Due to ongoing problems with fraudulent financial
reporting, the Committee of Sponsoring Organizations
(COSO) undertook a comprehensive study of internal
control and in 1992 issued the Internal Control Integrated
Framework, commonly known as the COSO report. The
COSO report has provided the standard definition and
description of internal control accepted by the accounting
industry. The framework was updated and expanded
in 2013 to provide various clarifications and enhancements
to its internal control guidance. According to the COSO
report, there are five interrelated components of internal
control: the control environment, risk assessment, control
activities, information and communication, and monitoring.

Control Environment – it sets the tone of an organization
and influences the control consciousness of its employees.
The control environment is the foundation for all other
components of internal control, and it provides the
discipline and structure of all other components.

Control environment factors include:


• The integrity and ethical values of the entity’s people
• Management’s oversight responsibility, including its
philosophy and operating style
• The way management establishes structure and
assigns authority and responsibility
• The way management develops its people and
demonstrates commitment to competence
• The board of directors demonstrates independence
from management and exercises oversight of internal
control
• The organization holds individuals accountable for
their internal control responsibilities.

Risk Assessment - every organization continually faces
risks from external and internal sources. These risks
include factors such as changing markets, increasing
government regulation, and employee turnover. Each of
these can cause drastic changes in the day-to-day
operations of a company by disrupting routines and
processes, including those designed to help prevent or
detect fraud and errors. In order for management to
maintain control over these threats to its business, it must
constantly be engaged in risk assessment, whereby it
considers existing threats and the potential for additional
risks and stands ready to respond should these events
occur.

Management must develop a systematic and ongoing
way to do the following:
1. Specify the relevant objectives to enable the
identification and assessment of risks relating to
objectives.
2. Identify the risks (both internal and external, and due
to either fraud or error), and determine how the risks
should be managed.
3. Consider the potential for fraud in assessing risks.
4. Identify and assess changes that could significantly
affect the system of internal control.

Control Activities - the COSO report identifies control
activities as the policies and procedures that help ensure
that management directives are carried out and that
management objectives are achieved. A good internal
control system must include control activities that occur at
all levels and in all functions within the company, including
controls over technology.

The internal control framework requires that an
organization accomplish the following:
• Develop control activities that contribute to the
mitigation of risks.
• Develop general controls over technology
• Deploy control activities through policies that establish
expectations and procedures to put those policies into
action.

These control activities can be divided into the following
categories:
1. Authorization of transactions
2. Segregation of duties
3. Adequate records and documents
4. Security of assets and documents
5. Independent checks and reconciliations

Information and Communication - The COSO internal
control framework requires that an organization create and
use an information and communication system that
includes the following factors:
• The system obtains or generates and uses relevant
quality information to support the functioning of
internal control.
• The system internally communicates information,
including objectives and responsibilities for internal
control.
• The system communicates with external parties
regarding matters affecting the functioning of internal
control.

Monitoring - The COSO internal control framework
requires that an organization establish monitoring systems
that accomplish the following:
• Select, develop, and perform ongoing or separate
evaluations to ascertain whether the components of
internal control are present and functioning.
• Evaluate and communicate internal control
deficiencies in a timely manner to responsible parties
who can take corrective action.

Any system of control must be constantly monitored to
assure that it continues to be effective. Monitoring involves
the ongoing review and evaluation of the system.

3. Maintenance of Information Technology Controls

Over time, the cost of computer hardware and software has
dramatically decreased, while computing power has vastly
increased. This means that today most small companies
can afford to maintain computerized accounting systems,
while larger companies place even greater reliance on
computer-based systems. Information technology plays
such an important role in organizations that any failure in
these systems can halt such ongoing operations as sales,
manufacturing, or purchasing. IT systems have become the
lifeblood of operations for most companies.

There is a paradox in this increased use of information
technology. Computerized systems increase the efficiency
and effectiveness of the organizations that use them; but at
the same time, they increase vulnerability. The more that an
organization relies on information technology, the greater
the risks are, including unauthorized access, hackers,
business interruption, and data inaccuracies. These extra
risks call attention to the need for internal controls over and
above those described in the COSO report.

In response to this need, the Information Systems Audit
and Control Association (ISACA) developed an extensive
framework of information technology controls, entitled
COBIT, for Control Objectives for Information
Technology. COBIT is extremely important guidance for
those who design or audit IT systems.
