
PAPERS

ACCOUNTING INFORMATION SYSTEM

“Auditing Computer-Based Information System”


and
“The Revenue Cycle: Sales to Cash Collections”

Group 6:

Florencia Irene Purwanto (1813098)

Yuro Dwinanda Liwan (1813108)

Michelle Loeferdy (1813109)

Accounting Study Program

Economics and Business Faculty

Atma Jaya Makassar University

2019
FOREWORD

Our praise and gratitude go to God Almighty because, by His blessings and grace, we could
work on and complete this paper well. Because of His blessings and mercy, the authors could
complete this paper entitled “Auditing Computer-Based Information System” and “The Revenue
Cycle: Sales to Cash Collections”.
Not forgetting, we thank Dr. Marselinus Asri, S.E., M.Sc., Ak., CA, our lecturer in
Accounting Information Systems, who has guided us in this course. This paper explains
how to control accounting information systems and also controls for information security.

We also realize that this paper is far from perfect. We hope that this paper can be useful
as an insight for the readers who read this paper. We ask for criticism and suggestions if there
are mistakes or deficiencies in this paper, so that we can learn more and can arrange other papers
better. Finally, we say thank you and happy reading.

Makassar, 30 October 2019

Author

TABLE OF CONTENTS

FOREWORD

TABLE OF CONTENTS

CHAPTER I PRELIMINARY

1.1 Background
1.2 Problem Formulation
1.3 Purpose
1.4 Benefit of Research

CHAPTER II DISCUSSION

CHAPTER 11
2.1 Introduction
2.2 The Nature of Auditing
2.3 Information Systems Audits
2.4 Audit Software
2.5 Operational Audits of an AIS

CHAPTER 12
2.1 Introduction
2.2 Revenue Cycle Information System
2.3 Sales Order Entry
2.4 Shipping
2.5 Billing
2.6 Cash Collections

FINAL

3.1 Conclusion
3.2 Advice

REFERENCES

CHAPTER I
PRELIMINARY

1.1 Background
An information system audit, also called an EDP audit (Electronic Data Processing
audit) or computer audit, is a process of collecting data and evaluating evidence to determine
whether computerized application systems have established and implemented adequate
internal control systems, whether all assets are well protected and not misused, and whether
data integrity, reliability, and the effectiveness and efficiency of
computer-based information processing are assured.
Sales and cash receipt activities are part of a company's business process,
which is usually called the revenue cycle. In an AIS, handling these activities requires a separate
subsystem that covers a recurring series of business activities and data collection
and processing activities related to the supply of goods
and services, from receiving orders from customers to receiving payments. The main purpose
of this activity is to provide the right goods and services at the right place and time, at the
right price, with smooth payment.
The three basic functions of the AIS for the revenue cycle are (1) obtaining and
processing data regarding various sales and cash receipts activities, (2) storing and
organizing the data to support decision making, and (3) monitoring to ensure
data reliability and to safeguard the organization's resources. On the other hand, management
must also continuously monitor and evaluate the efficiency and effectiveness of the
revenue cycle process to identify the need for system development.

1.2 Problem Formulation


1. What is auditing and the nature of it?
2. What is the purpose of an information systems audit and audit software?
3. What are operational audits of an AIS?
4. What is the revenue cycle?
5. What are the basic activities in the revenue cycle?

1.3 Purpose
1. Know what auditing is and the nature of it.
2. Know the purpose of an information systems audit and audit software.
3. Know what operational audits of an AIS are.
4. Know what the revenue cycle is.
5. Know what the basic activities in the revenue cycle are.

1.4 Benefit of Research


1. Can help other people to understand more of the importance of auditing.
2. Can help organizations to know how audit software works.
3. Can help the organizations to provide their knowledge about information systems
audit.

CHAPTER II

DISCUSSION

CHAPTER 11

2.1 Introduction
This chapter focuses on auditing an accounting information system (AIS).
Auditing is the systematic process of obtaining and evaluating evidence regarding
assertions about economic actions and events in order to determine how well they
correspond with established criteria. Internal auditing is an independent, objective
assurance and consulting activity designed to add value and improve organizational
effectiveness and efficiency, including assisting in the design and implementation of an
AIS. Internal auditing helps an organization accomplish its objectives by bringing a
systematic, disciplined approach to evaluate and improve the effectiveness of risk
management, control, and governance processes.

There are several different types of internal audits:

1. A financial audit examines the reliability and integrity of financial transactions,
accounting records, and financial statements.
2. An information systems, or internal control, audit reviews the controls of an AIS to
assess its compliance with internal control policies and procedures and its
effectiveness in safeguarding assets. The audits usually evaluate system input and
output, processing controls, backup and recovery plans, system security, and
computer facilities.
3. An operational audit is concerned with the economical and efficient use of resources
and the accomplishment of established goals and objectives.
4. A compliance audit determines whether entities are complying with applicable laws,
regulations, policies, and procedures. These audits often result in recommendations
to improve processes and controls used to ensure compliance with regulations.
5. An investigative audit examines incidents of possible fraud, misappropriation of
assets, waste and abuse, or improper governmental activities.

2.2 The Nature of Auditing
1. Overview Of The Audit Process

All audits follow a similar sequence of activities. Audits may be divided into
four stages: planning, collecting evidence, evaluating evidence, and communicating
audit results. Figure 11-1 is an overview of the auditing process and lists many of the
procedures performed within each of these stages.

a. Audit Planning
Audit planning determines why, how, when, and by whom the audit will
be performed. The first step is to establish the audit's scope and objectives. For
example, an audit of a publicly held corporation determines whether its financial
statements are presented fairly.
An audit is planned so the greatest amount of audit work focuses on the
areas with the highest risk factors. There are three types of audit risk:
1) Inherent risk is the susceptibility to material risk in the absence of controls.
2) Control risk is the risk that a material misstatement will get through the
internal control structure and into the financial statements.
3) Detection risk is the risk that auditors and their audit procedures will fail to
detect a material error or misstatement.
b. Collection Of Audit Evidence
Most audit effort is spent collecting evidence. Because many audit tests
cannot be performed on all items under review, they are often performed on a
sample basis. The following are the most common ways to collect audit
evidence:
1) Observation of the activities being audited.
2) Review of documentation to understand how a particular process or internal
control system is supposed to function.
3) Discussions with employees about their jobs and about how they carry out
certain procedures.
4) Questionnaires that gather data.
5) Physical examination of the quantity and/or condition of tangible assets.

6) Reperformance of calculations to verify quantitative information.
7) Vouching for the validity of a transaction by examining supporting
documents.
8) Analytical review of relationships and trends among information to detect
items that should be further investigated.
c. Evaluation Of Audit Evidence
The auditor evaluates the evidence gathered and decides whether it
supports a favorable or unfavorable conclusion. If inconclusive, the auditor
performs sufficient additional procedures to reach a definitive conclusion.
d. Communication Of Audit Results
The auditor submits a written report summarizing audit findings and
recommendations to management, the audit committee, the board of directors,
and other appropriate parties. Afterwards, auditors often do a follow-up study to
ascertain whether recommendations were implemented.
2. The Risk-Based Audit Approach
The following internal control evaluation approach, called the risk-based audit
approach, provides a framework for conducting information system audits:
a) Determine the threats (fraud and errors) facing the company.
b) Identify the control procedures that prevent, detect, or correct the threats.
c) Evaluate control procedures.
d) Evaluate control weaknesses to determine their effect on the nature, timing, or
extent of auditing procedures.

2.3 Information Systems Audits


The purpose of an information systems audit is to review and evaluate the internal
controls that protect the system. When performing an information systems audit, auditors
should ascertain that the following six objectives are met:

1) Security provisions protect computer equipment, programs, communications,
and data from unauthorized access, modification, or destruction.
2) Program development and acquisition are performed in accordance with
management's general and specific authorization.
3) Program modifications have management's authorization and approval.
4) Processing of transactions, files, reports, and other computer records is accurate
and complete.
5) Source data that are inaccurate or improperly authorized are identified and
handled according to prescribed managerial policies.
6) Computer data files are accurate, complete, and confidential.

2.4 Audit Software


Computer-assisted audit techniques (CAATs) refer to audit software, often called
generalized audit software (GAS), that uses auditor-supplied specifications to generate a
program that performs audit functions, thereby automating or simplifying the audit
process. Two of the most popular software packages are Audit Control Language (ACL)
and Interactive Data Extraction and Analysis (IDEA).

2.5 Operational Audits of an AIS


The techniques and procedures used in operational audits are similar to audits of
information systems and financial statements. The basic difference is audit scope. An
information systems audit is confined to internal control and a financial audit to systems
output, whereas an operational audit encompasses all aspects of systems management. In
addition, objectives of an operational audit include evaluating effectiveness, efficiency,
and goal achievement. The steps in an operational audit are audit planning and evidence
collection.

CHAPTER 12
2.1 Introduction
The revenue cycle is a recurring set of business activities and related information
processing operations associated with providing goods and services to customers and
collecting cash in payment for those sales. The primary external exchange of information
is with customers. Information about revenue cycle activities also flows to the other
accounting cycles. The revenue cycle's primary objective is to provide the right product
in the right place at the right time for the right price.

2.2 Revenue Cycle Information System


1. Process
AOE’s customers can place orders directly via the Internet. In addition,
salespeople use portable laptops to enter orders when calling on customers. The sales
department enters customer orders received over the telephone, by fax, or by mail.
Regardless of how an order is initially received, the system quickly verifies
customer creditworthiness, checks inventory availability, and notifies the warehouse
and shipping departments about the approved sale. Warehouse and shipping
employees enter data about their activities as soon as they are performed, thereby
updating information about inventory status in real time. Nightly, the invoice program
runs in batch mode, generating paper or electronic invoices for customers who
require invoices. Some of AOE's customers still send checks to one of the regional
banks with which AOE has established electronic lockboxes, but an increasing
number use their bank's online bill paying service. Each day, the bank sends AOE a
file containing remittance data, which the cashier uses to update the company's
cash account balances and the accounts receivable clerk uses to update customer
accounts.

2. Threats And Controls

Activity: General issues throughout entire revenue cycle

Threats:
1. Inaccurate or invalid master data
2. Unauthorized disclosure of sensitive information
3. Loss or destruction of data
4. Poor performance

Controls:
1. Data processing integrity controls
2. Restriction of access to master data
3. Review of all changes to master data
4. Access controls
5. Encryption
6. Backup and disaster recovery procedures
7. Managerial reports

2.3 Sales Order Entry

The revenue cycle begins with the receipt of orders from customers. The sales
department, which reports to the vice president of marketing, typically performs the sales
order entry process, but increasingly customers are themselves entering much of this data
through forms on a company's Web site storefront.

1. Process
In the past, customer orders were entered into the system by employees.
Increasingly, organizations seek to leverage IT to have customers do more of the data
entry themselves. One way to accomplish this is to have customers complete a form
on the company's Web site. Another is for customers to use electronic data
interchange (EDI) to submit the order electronically in a format compatible with the
company's sales order processing system. Both techniques improve efficiency and
reduce costs by eliminating the need for human involvement in the sales order entry process.

2. Threats and Controls

Activity: Sales order entry

Threats:
1. Incomplete/inaccurate orders
2. Invalid orders
3. Uncollectible accounts
4. Stockouts or excess inventory
5. Loss of customers

Controls:
1. Data entry edit controls
2. Restriction of access to master data
3. Digital signatures or written signatures
4. Credit limits
5. Specific authorization to approve sales to new customers or sales that exceed a customer’s credit limit
6. Aging of accounts receivable
7. Perpetual inventory control system
8. Use of bar codes or RFID
9. Training
10. Periodic physical counts of inventory
11. Sales forecasts and activity records
12. CRM systems, self-help web sites, and proper evaluation of customer service ratings

2.4 Shipping

1. Process
The picking ticket generated by the sales order entry process triggers the pick
and pack process. Warehouse workers use the picking ticket to identify which
products, and the quantity of each product, to remove from inventory.

2. Threats and controls

Activity: Shipping

Threats:
1. Picking the wrong items or the wrong quantity
2. Theft of inventory
3. Shipping errors (delay or failure to ship, wrong quantities, wrong items, wrong addresses, duplication)

Controls:
1. Barcode and RFID technology
2. Reconciliation of picking lists to sales order details
3. Restriction of physical access to inventory
4. Documentation of all inventory transfers
5. RFID and bar code technology
6. Periodic physical counts of inventory and reconciliation to recorded quantities
7. Reconciliation of shipping documents with sales orders, picking lists, and packing slips
8. Use RFID systems to identify delays
9. Data entry via bar-code scanners and RFID
10. Data entry edit controls (if shipping data entered on terminals)
11. Configuration of ERP system to prevent duplicate shipments

2.5 Billing

1. Process
The basic document created in the billing process is the sales invoice which
notifies customers of the amount to be paid and where to send payment. Like many
companies, AOE still prints paper invoices that it mails to many of its smaller
customers. Larger customers, however, receive invoices via EDI. EDI not only
eliminates printing and postage costs but also the labor involved in performing those
tasks. For companies that generate hundreds of thousands of sales invoices annually,
saving even a few seconds per invoice can yield significant cost reductions. EDI
invoices and online bill payment also benefit customers by reducing their time and
costs, which should increase both satisfaction and loyalty.
2. Threats and controls

Activity: Billing

Threats:
1. Failure to bill
2. Billing errors
3. Posting errors in accounts receivable
4. Inaccurate or invalid credit memos

Controls:
1. Separation of billing and shipping functions
2. Periodic reconciliation of invoices with sales orders, picking tickets, and shipping documents
3. Configuration of system to automatically enter pricing data
4. Restriction of access to pricing master data
5. Data entry edit controls
6. Reconciliation of shipping documents (picking tickets, bills of lading, and packing list) to sales orders
7. Data entry controls
8. Reconciliation of batch totals
9. Mailing of monthly statements to customers
10. Reconciliation of subsidiary accounts to general ledger
11. Segregation of duties of credit memos authorization from both sales order entry and customer account maintenance
12. Configuration of system to block credit memos unless there is either corresponding documentation of return of damaged goods or specific authorization by management
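
The periodic reconciliation of invoices with sales orders and shipping documents listed among the billing controls is the kind of test audit software automates. The following Python code is an added example, not part of the original paper; the record layouts, field names, and sample data are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample data. Field names are assumptions; prices are in cents
# so that comparisons are exact.
SALES_ORDERS = [
    {"order": "SO-1001", "item": "A100", "qty": 10, "unit_price_cents": 2500},
    {"order": "SO-1002", "item": "B200", "qty": 4, "unit_price_cents": 11000},
    {"order": "SO-1003", "item": "A100", "qty": 6, "unit_price_cents": 2500},
    {"order": "SO-1004", "item": "C300", "qty": 2, "unit_price_cents": 8000},
    {"order": "SO-1005", "item": "B200", "qty": 1, "unit_price_cents": 11000},
]
SHIPMENTS = [
    {"ship": "SH-1", "order": "SO-1001", "item": "A100", "qty": 10},
    {"ship": "SH-2", "order": "SO-1002", "item": "B200", "qty": 4},
    {"ship": "SH-3", "order": "SO-1003", "item": "A100", "qty": 6},
]
INVOICES = [
    {"invoice": "INV-1", "order": "SO-1001", "item": "A100", "qty": 10,
     "unit_price_cents": 2000},   # price differs from the sales order
    {"invoice": "INV-2", "order": "SO-1002", "item": "B200", "qty": 5,
     "unit_price_cents": 11000},  # billed more than was shipped
    {"invoice": "INV-3", "order": "SO-1004", "item": "C300", "qty": 2,
     "unit_price_cents": 8000},   # billed but never shipped
]


def _totals(records, field):
    """Sum a numeric field per (order, item) so partial shipments add up."""
    totals = defaultdict(int)
    for rec in records:
        totals[(rec["order"], rec["item"])] += rec[field]
    return totals


def reconcile(sales_orders, shipments, invoices):
    """Return a sorted list of (order, item, finding) exceptions."""
    ordered_price = {(o["order"], o["item"]): o["unit_price_cents"]
                     for o in sales_orders}
    shipped = _totals(shipments, "qty")
    billed = _totals(invoices, "qty")
    findings = []
    for key in set(ordered_price) | set(shipped) | set(billed):
        s, b = shipped.get(key, 0), billed.get(key, 0)
        if key not in ordered_price:
            findings.append((*key, "no matching sales order"))
        if s > 0 and b == 0:
            findings.append((*key, "shipped but not billed"))   # failure to bill
        elif b > 0 and s == 0:
            findings.append((*key, "billed but not shipped"))   # billing error
        elif s != b:
            findings.append((*key, f"quantity mismatch: shipped {s}, billed {b}"))
    for inv in invoices:
        key = (inv["order"], inv["item"])
        expected = ordered_price.get(key)
        if expected is not None and inv["unit_price_cents"] != expected:
            findings.append((*key, f"price mismatch on {inv['invoice']}"))
    return sorted(findings)


if __name__ == "__main__":
    for finding in reconcile(SALES_ORDERS, SHIPMENTS, INVOICES):
        print(finding)
```

An order that has been neither shipped nor billed (SO-1005 in the sample) produces no exception, since nothing is yet due to be invoiced.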

2.6 Cash Collections


1. Process
Because cash and customer checks can be stolen easily, it is important to take
appropriate measures to reduce the risk of theft. As discussed more fully in the section on
controls, this means that the accounts receivable function, which is responsible for recording
customer remittances, should not have physical access to cash or checks. Instead, the
cashier, who reports to the treasurer, handles customer remittances and deposits them in the
bank.

2. Threats and controls

Activity: Cash collection

Threats:
1. Theft of cash
2. Cash flow problems

Controls:
1. Segregation of duties: the person who handles (deposits) payments from customers should not also
a. Post remittances to customer accounts.
b. Create or authorize credit memos.
c. Reconcile the bank account.
2. Use of EFT, FEDI, and lockboxes to minimize handling of customer payments by employees
3. Obtain and use a UPIC to receive EFT and FEDI payments from customers.
4. Immediately upon opening mail, create list of all customer payments received
5. Prompt, restrictive endorsement of all customer payments
6. Use of cash registers
7. Daily deposit of all cash receipts
8. Lockbox arrangements, EFT, or credit cards
9. Discounts for prompt payment by customers
10. Cash flow budgets
FINAL

3.1 Conclusion
Internal controls are the processes implemented to provide reasonable assurance;
they permeate an organization’s operating activities and are an integral part of
management activities. Internal controls are also important because they can be used to
safeguard assets, maintain records in sufficient detail, provide accurate and reliable
information, prepare financial reports, promote and improve operational efficiency,
encourage adherence to prescribed managerial policies, and comply with applicable laws
and regulations. There are also three kinds of control frameworks, and the use of each
depends on the firm’s requirements.
We also have to understand what kinds of tactics criminals use to attack an
organization’s information system so as not to get caught up in an unwanted situation. If
we have a basic understanding of those kinds of things, we can proceed to discuss
methods for mitigating the risk that such attacks, as well as random threats such as
viruses and worms, will be successful.

3.2 Advice
We must remain vigilant and improve internal controls and the information security
system so that we are not trapped in a condition that will hamper the company’s
activities.

REFERENCES
Romney, Marshall B and Paul John Steinbart. 2015. Accounting Information System. United
States of America: Pearson.
