- Assume you’re an outside organization with goal to cause negative things to happen to an organization’s Order to Cash (OTC) process. Where would you attack it? Explain Why and How
- Who in an organization should care more about the collections process – Finance or Sales? Explain
- Controls are important in all the OTC processes including invoicing and collections. What would be different in the controls of a purely domestic US company vs. an international company? Give 1 – 2 specific examples.
- You’ve now seen the entire Order to Cash (OTC) Process. If you were responsible for the controls of this process – what would keep you up at night (e.g. be your area of most concern)? Explain
Kevin Berg says
1. Assume you’re an outside organization with goal to cause negative things to happen to an organization’s Order to Cash (OTC) process. Where would you attack it? Explain Why and How
I am not used to a question like this but here goes. If I was a competitor I would try to get the customers’ contact information from order information obviously through unethical ways. If I could figure out the other company’s pricing, order history etc. I could then take this information and use it to my advantage by offering the customers cheaper prices and negotiated terms.
Andres Galarza says
Kevin,
I like this approach. That data would be incredibly important to a competitor. Being able to speak from a place of authority to a potential client because you have their current spending nailed on would be a big advantage.
You could get this information a number of ways, I imagine. Spear phishing emails come to mind.
Jing Jiang says
I think the question is asking us where in the OTC process has the most possibility of suffering an attack. To steal competitor’s insider information is one. I also think to steal customer information such as debit/credit card number in the OTC process could be the other one.
Lezlie Jiles says
Hi, Jing,
At first glance of your comment I wasn’t sure where you were going with your statement about stealing customer PII, but then I thought about it. You are correct in your statement if my understanding is correct… With this comment, you are suggesting that the competitor causes a breach within the rival company. If I’m correct, that could be really risky for both the competitor and the rival organization. If it’s revealed where the breach initiated from, the competitor would find themselves in hot water with the Feds, and the rival organization would be open to criticism for the breach even occurring.
Either way great post.
Kevin Berg says
2. Who in an organization should care more about the collections process – Finance or Sales? Explain
Sales are sales and are actually a credit on the books. They are not cash nor an asset so therefore finance should care more about collections because cash is the most important asset a company has. If you produce items with material and labor and sell it to a company that cannot pay, then it is 100% loss. All of the labor and materials used still need to be paid for so if cash isn’t collected it was a total waste of a sale.
Parneet Toor says
I agree with you Kevin that the finance department cares more about the collection process. Cash is the lifeblood of every business and plodding customer payments can seriously affect the balance sheet of the organization. Collections are a very important part of financial operations and organizations need to set up systems and procedures. More collections, more revenue.
Sales is interested in selling products of the organization and concerned with their commission, sale of goods and building relations with customers.
Jing Jiang says
I also agree that finance should pay more attention to the collection process. Any errors in the sales or incorrect document can be accumulated into the accounting entries errors. In addition, during the information transfer, some billed items can be omitted intentionally or unintentionally, which could result in declining the sales revenues.
Michelangelo C. Collura says
Well stated in accounting terms. Another concern for Finance is that collections may not be most revenue-positive by keeping it in-house, so they would need to determine how best to get those payments – whether hiring an outside firm or allocating personnel directly to it.
Yijiang Li says
I agree with you, Kevin. The collections process should be the Finance and Accounting department’s responsibility. At this point, the sales department has finished their job because an order has been created. After the Finance and Accounting department receives the payment from customers, they will confirm this order and the rest of the work will be transferred to another department.
Parneet Toor says
Assume you’re an outside organization with goal to cause negative things to happen to an organization’s Order to Cash (OTC) process. Where would you attack it? Explain Why and How
If I get a chance to negatively attack an organization’s Order to Cash process, I would attack the shipping and payment process. The reason for attacking the shipping system is that when an item is ready for shipping I could change the address of the company/customer; by doing so, it shows vulnerability in the shipping system. As a result the organization loses customer base and goodwill for orders not being received on time. It would cause so many problems. Also I would be able to gather customer information which I can use in my organization to build relations.
The reason for attacking the payment system is that I would change the price of items ordered by the customer. By doing so it will mess up accounts receivable and cash flow. This would make customers unhappy and not want to do business with this organization, as their information is manipulated and they are overcharged.
Khawlah Abdulaziz Alswailem says
Well said, Parneet. I believe Payments is an important area within the Order to Cash process which requires the maximum control. Timely fulfillment of orders and collecting payments involves handling of a variety of sensitive data sources including customer and credit information, inventory management and shipping and billing systems. This can be a source of fraud if not controlled properly. Unauthorized access to this information and the rights to update billing details will result in an immediate loss of business.
Yijiang Li says
I agree with you, Parneet. Attacking the customer payment process can maximize the benefits of attackers, because that sensitive information from customers including name, address, card number and security code can be exchanged for bigger interests in the black market. In addition, loss of customer personally identifiable information (PII) will also cause a great reputation loss for this organization.
Parneet Toor says
Controls are important in all the OTC processes including invoicing and collections. What would be different in the controls of a purely domestic US company vs. an international company? Give 1 – 2 specific examples.
I could think of controls for the foreign exchange rate. For example, when doing international business the date of conversion is very important. It is imperative to lock the rate for that specific day for making payments. Every country has unique laws, regulations, tax systems, and custom duties, which is another control that domestic and international businesses have to consider.
Yijiang Li says
Yes, the foreign exchange rate is always a big problem which any international company should concentrate on. In addition, they still have to deal with tariff, local laws and regulations, relationship with local government, etc.
Parneet Toor says
You’ve now seen the entire Order to Cash (OTC) Process. If you were responsible for the controls of this process – what would keep you up at night (e.g. be your area of most concern)? Explain
I would be more concerned about the billing area because cash is the lifeline for the survival of any business. Organizations need cash flow to make payments to suppliers and run payroll for employees. For example, if there is a delay in creating an invoice, the whole cash cycle gets disturbed. Late payments from customers can damage the revenue cycle and accounts receivable; as a result the organization has to face a difficult time.
Khawlah Abdulaziz Alswailem says
Good point, Parneet. I agree that billing is the most important part of a company since a company needs to generate revenues and profits. If the billing system is attacked by cyber-hackers, the whole company will be affected.
Binju Gaire says
Great points, Parneet. Billing area is indeed the most important and hence it is justifiable to be concerned about this area. No organization can function without cash. It is very important to be aware where the organization stands in terms of its revenue.
Binju Gaire says
Assume you’re an outside organization with goal to cause negative things to happen to an organization’s Order to Cash (OTC) process. Where would you attack it?
Answer: As an outside organization with goal to cause negative things to happen to an organization’s Order to Cash (OTC) process, I would attack the Customer Relationship Management (CRM) system of the organization. The CRM system will have information related to customers including their name and contact information. I would use that information to my organization’s competitive advantage to attract more customers.
Michelangelo C. Collura says
Very good thinking, Binju. The CRM system would allow a competitor to save a lot of money on market research, it would allow them to perfectly target these customers, and it could even allow them to disguise themselves as the competitor, though this last example would be illegal and likely only done in desperation.
Khawlah Abdulaziz Alswailem says
I didn’t think about the CRM, Binju! It’s really a great point. Companies that invest in CRM are using its value to put the customer at the heart of their business, which is the fastest way to increase sales and profits. By attacking this system you will have the most valuable asset for the company, the customer data, which as you mentioned will support you in attracting a larger target of customers.
Lezlie Jiles says
Binju,
Great point! I agree, the CRM system would indeed be a great place to attack first. The CRM system houses detailed information as it relates to an organization’s customer base interaction and information. Your suggested tactic would allow you to gain customer contact information for marketing purposes as well as the purchasing behaviors, which would be a great marketing tool.
Edward Gudusky says
I was thinking along the same lines as you in terms of attacking the CRM system, but then using the information in a way that is different than you were thinking. I would leak the customer information anonymously. A large customer data leak is viewed very negatively by existing and future potential customers.
Binju Gaire says
2. Who in an organization should care more about the collections process – Finance or Sales? Explain
I think the finance department in an organization should care more about the collection process. All the revenues generated in the form of cash from sales are turned over to the finance department. Hence, more obviously, the finance department should pay close attention to the collection process. Additionally, it makes more sense for the finance department to look over the collection process because they are involved in the cash disbursement process as well.
Andres Galarza says
Binju,
I’d add that when it comes to accountability during an audit, the people who ultimately have their necks on the line during a financial audit is Finance. Sales may have to produce some information, but it’s the responsibility of the Finance department to ensure due diligence.
Xiaomin Dong says
1. Assume you’re an outside organization with goal to cause negative things to happen to an organization’s Order to Cash (OTC) process. Where would you attack it? Explain Why and How
If I were an outside organization with goal to cause negative things to happen to an organization’s Order to Cash process, I would attack the delivery or shipping process. For the delivery process, the reason is that when creating the delivery document, it is easy to hack into a customer’s account to change the destination of their orders, or I can hack into the organization’s system and make a tiny change to the address (e.g. change the street number from 123 to 128). For the shipping process, I can hire some bad guys to break or steal the package while the deliveryman is distracted somewhere else.
Binju Gaire says
Interesting points, Xiaomin. I’d say attacking the delivery process is a creative way to hamper the order-to-cash (OTC) process of another organization. Messing up the delivery means less customer satisfaction, which leads to the downfall of the business.
Andres Galarza says
Also, certain businesses already have the expectation that some shipments and deliveries will result in a loss. If you were to spread this kind of theft out over long periods of time, and at random destinations, it wouldn’t necessarily attract too much attention.
Xiaomin Dong says
2. Who in an organization should care more about the collections process – Finance or Sales? Explain
I think the finance department should care more about the collections process because the finance department is responsible for paying vendors or suppliers (accounts payable) and accepting payment from customers (accounts receivable). The primary focus of the finance department is allocating assets, reducing liabilities and managing cash flow. However, I believe there should be collaboration between the sales and finance departments. In order to collect the correct amount of money, communication is needed between the sales department and the finance department. For example, if there is a sale event going on, the finance department should be notified.
Khawlah Abdulaziz Alswailem says
I agree with you, Xiaomin. The Finance should care more about the collections process since they are the organization within the business that develops discounts, prices, policies, and credits; they are in charge of making sure the business is hitting their projected profit margins and overall profitability of the organization. The collection process should, in fact, be a huge concern to the Finance Dept. due to ensuring their accounts are up-to-date, paid, collected.
Qiyu Chen says
I agree with you. Finance department should care more about the collections process, because this process includes posting account receivable, contact accounts to collect past-due balances, prepare account status reports, research and resolve account receivable discrepancies; however, the collections process seems more related to the accounting department, since the initial invoices and other invoices created during the OTC process need to be collected so that the accountants can make the journal entries and other financial reports. But all of these collections of financial statements and reports are helpful for the Finance. By analyzing the financial reports, Finance can identify the possible issues and potential risks of the process. Since the most important thing for a company is to create more profit, the profitable analysis is also important for the Finance.
Xiaomin Dong says
3. Controls are important in all the OTC processes including invoicing and collections. What would be different in the controls of a purely domestic US company vs. an international company? Give 1 – 2 specific examples.
One example I can think of is the control of money collections due to the foreign exchange rate. For an international company, foreign exchange risk occurs because the currency exchange rate fluctuates. It’s very important to have a defined date on which the money should be collected and for both parties to agree on the foreign exchange rate.
Also, when doing business with an international company, tariffs and quotas needed to be taking into consideration. They can have a huge impact on the profits of an organization because they might either cut revenues as a result of tax on the products we are shipping overseas or restrict the amount of revenue that can be earned. Therefore, doing research and having good control over customs is important.
Jing Jiang says
I agree with you, Xiaomin. The first thing that came to my mind was also the foreign exchange rate. Because different currencies are used, there must be exchange rates. But since the exchange rates are always changing, it is important to determine the payment date at a certain exchange rate.
In addition, because international transactions usually refer to a long shipping distance and time, when to recognize the sale revenue is also a problem the international business should take into account.
Matthew J. Dampf says
“tariffs and quotas needed to be taking into consideration.”
This wasn’t something I immediately thought of, but you’re definitely right that this can be a big thing to factor in. Something you sell for $x in your local market may sell for $5x in a different market due to tariffs. The best example that I can think of is electronics in Brazil. They have huge import tariffs on them in an attempt to have companies manufacture locally in Brazil. Some companies have chosen to manufacture locally, and some have stayed out of the market completely, but some are dealing with the issue you raised, Xiaomin.
Candace Nelson says
All good points – I was not sure where this question was directed but now I have a better understanding.
Something else to consider is domestic vs. international Payment Card Industry (PCI) compliance requirements:
The PCI Data Security Standard (DSS, or collectively PCI DSS) is a global standard adopted by the payment card brands for all entities that process, store or transmit cardholder data and/or sensitive authentication data.
https://www.pcisecuritystandards.org/
The following five programs that were originally formed by credit card companies served as the basis for the PCI Security Standards Council (PCI SSC):
• Visa’s Cardholder Information Security Program,
• MasterCard’s Site Data Protection,
• American Express’s Data Security Operating Policy,
• Discover’s Information Security and Compliance, and the
• Japan Credit Bureau (JCB) Data Security Program
PCI SSC – which was formed in 2006 – helps merchants and financial institutions understand risks associated with payment systems that appeal to hackers due to their vulnerability and the value of stolen credit card numbers (individually and on the dark web). PCI SSC also helps these businesses implement standards, policies and technology to minimize inherent risks and develop more secure payment solutions.
While PCI DSS is global in nature, enforcement of these standards has historically been stricter in the US. It is anticipated that – as enforcement rates in the UK and Europe increase and other countries enact stricter laws around customer notification of data breaches – global PCI compliance rates will increase.
https://www.secureworks.com/resources/wp-pci-dss-compliance-faqs
Mengting Li says
I agree with you. The exchange rate might be different every day, so making an agreement with customers to determine the exact exchange rate is an important way to prevent issues with the exchange rate. Also, high inflation will result in currency decline, making it difficult and unpredictable to operate profitably. But domestic companies don’t need to worry about this problem.
Kevin Berg says
The exchange rate will always fluctuate regardless of how you interact with your customers internationally. It simply is the FOREX. You can hope against hope when dealing with the currency market; however, chances are the rates will flow one way that is against your investment. You have to hope your exchange analyst has the politics and economics of the exchange market under control. Otherwise you might as well be taking your company’s money and betting black or red.
Qiyu Chen says
I like your answer. As far as I am concerned, an international company faces more risk in the invoicing and collections process. An international company should have all kinds of different debit and credit billings, which means they might face more wrong payment information. The company should review all changes made to invoice/billing documents. Secondly, wrong invoices/duplicate invoices will become a more serious problem because of the different languages.
Xiaomin Dong says
4. You’ve now seen the entire Order to Cash (OTC) Process. If you were responsible for the controls of this process – what would keep you up at night (e.g. be your area of most concern)? Explain
If I were responsible for the controls of the OTC process, third party shipping would keep me up at night. During the daytime, I can finish all processes that can be done during office hours; however, third party shipping is my concern because it would involve several problems including product damage, thefts, wrong address deliveries, delivery time delays, international shipments, product returns, etc. This outside work cannot be guaranteed to finish as promised. If an international customer creates a large bulk order of high value products, what if the third party has the problems above? Another concern is about the payment process. International customers will pay for the products in different time zones. If an international customer pays a large amount of money at night in Philly but that is in the morning in his time zone, and the payment cannot be done quickly, or even if it can be done, nobody checks it immediately and it may involve mistakes.
Michelangelo C. Collura says
Absolutely agree with you about shipping. The best the firm could do is collaborate with the shipping company, perhaps offering technical support for issues related to getting their products out to customers. This runs into risks involving shared proprietary company methodology, but the risks are too great otherwise. I could see why a large firm like Amazon wants to ship its own items; it reduces the uncertainty.
Mengting Li says
I agree with you. During the shipping process, a lot of predictable and unpredictable issues might happen, like the product damage, thefts, wrong address deliveries, delivery time delays, international shipments, and product returns you mentioned. The company should be prepared to solve all kinds of issues from vendors, customers, and shipping companies.
Kevin Berg says
This is the point where you relinquish control. A third party takes your goods and you have to expect them to get your product to the end user who is expecting a benefit. A broken down truck or an unpredictable accident can have a potentially disastrous effect. How important is it that your goods get to your customer? Is it life threatening or bottom line trimming? Both are important from both perspectives. The majority of shipping dock to receiving dock is in the hands of somebody you have no control over. Whether a next day air gets to my customer or not is what would worry me the most.
Qiyu Chen says
I will focus on the invoicing and collections part of the OTC process, and focus on the controls of the invoicing and collections parts because invoicing and collections have the most billing information from customers. Once any problem happens, huge damage will be brought to not only customers but also the company. Compared to the shipping process, where usually just a few orders might have a problem, invoicing and collection will bring plenty of problems just because of the same problem. For example, if hackers copy credit and debit information from the company, thousands of customers will face the risk of losing money.
Andres Galarza says
Q1: Assume you’re an outside organization with goal to cause negative things to happen to an organization’s Order to Cash (OTC) process. Where would you attack it?
I think I would hit the Shipment Creation portion of the process. At that point, the subsequent steps are easier to make appear legitimate. For example, committing fraud on the factory floor, or the warehouse, or at the ports seems infinitely riskier than manipulating an information system. Maybe I’m naive.
As to how I’d do it, I would imagine that you could work with a shell or fraudulent company to generate false shipments, no?
Andres Galarza says
Q2: Who in an organization should care more about the collections process – Finance or Sales?
Surely it’s finance, no? I see Sales as the part of the business that’s responsible for getting the money into the register. However, Finance is going to be ultimately accountable for how every cent gets distributed within and outside of the organization.
Binju Gaire says
Andres, I agree with you. Sales initiate the process for the business to get the money, but it is the finance department that will eventually account for the monies collected.
Parneet Toor says
I agree with Binju and Andres that sales commence the process for the sale of goods. I would add my point here: sometimes the sales department acts as a facilitator to help the collection department get collections from customers who are delayed in making payments.
Andres Galarza says
Q4: You’ve now seen the entire Order to Cash (OTC) Process. If you were responsible for the controls of this process – what would keep you up at night (e.g. be your area of most concern)?
Oddly enough, I think I’d be most concerned about that packing step that results in what will be the delivery item to the customer. There’s lots of help that I could put in place internally to attempt to monitor issues like theft and fraud. However, if the step (packing) that most directly impacts the “customer experience” results in a negative with my clients, that would pose the greatest risk to the company.
I feel like we go to the Amazon “well” a lot in this class, but if every time I ordered from Amazon my package was all beat to hell, then I’d stop.
Matthew J. Dampf says
Andres, this is my exact thought as well, probably due to being the guy who packed and shipped boxes at a job back in high school. We had a few mistakes in this area, so I’ve seen it happen first hand, and customers were always frustrated. This is a part of the process that is often performed by low level employees who may not be as invested in the success of the company as employees in other parts of the process.
My other thought is fear of generating enough orders, but that’s slightly outside the scope of the question.
Michelangelo C. Collura says
Good point about Amazon. Speaking from experience, I do know they monitor their packing methodology quite closely, both for quota and quality assurance. However, mistakes do happen. The solution they arrived at was to simplify the packing process as much as possible. In essence, the ‘Rebin’ team compile the order, which then has a size attached to it. This size provides the Pack personnel with the specific box they’d use to package the whole thing. The only analysis the pack team must do is fitting items into the box and deciding how much bubble wrap to use. It’s not perfect, but it seems to reduce problems to a manageable level.
Jing Jiang says
Assume you’re an outside organization with goal to cause negative things to happen to an organization’s Order to Cash (OTC) process. Where would you attack it? Explain Why and How
If I am an outside organization with a goal to cause negative things to happen to an organization’s OTC processes, I would attack the place that is the most vulnerable. I think the payment process is the most vulnerable. Some organizations may focus more on the security inside the company than on the outside environment, such as the customer’s payment environment. I don’t know exactly the methods, maybe sending some phishing email to steal customer credit/debit information or installing some malware on the organization’s potential customers to stop their payment.
Matthew J. Dampf says
A compromised payment process would definitely hurt the most, but I’m not sure that it’s actually the most vulnerable. Payment controls might be the most established and thoroughly tested in the entire process, so I would think this is a difficult area to attack. I could be wrong though.
Mengting Li says
It reminds me of the Target case. Payment process might involve with outsourcing situation. Like Target outsource their electronic billing to Fazio. Therefore, Fazio owns all the Target’s payment information. It definitely generates more vulnerability if the outsourcing company’s security level is low.
Matthew J. Dampf says
Who in an organization should care more about the collections process – Finance or Sales?
I feel like I’m supposed to say “both”, but I think Finance is the better answer. The job of Sales is to generate the order – the rest of the process is left to various departments, including Finance. If the order is placed then Sales has done their job. However, a smooth order to cash process is likely to make Sales’ job easier in the future to generate repeat orders, so they should care about the parts of the process that they aren’t actually involved in as well.
Khawlah Abdulaziz Alswailem says
1. Assume you’re an outside organization with a goal to cause negative things to happen to an organization’s Order to Cash (OTC) process. Where would you attack it? Explain Why and How
I would attack the payment process if I am an outside organization with a goal to cause negative things to happen to an organization’s OTC process. The reason is that payment process contains all customer’s PII such as name, address, bank information, etc. After I obtain that information, I can basically do whatever I want. I will be able to change the shipping address, charge more than the amount I am supposed to from the customers, etc.
First, I would find out who has access to the system. Then, I would cyber-attack the company’s OTC system by phishing attacks on my targets. The employee is a vulnerability to the organization because they might lack awareness of securing the company’s assets. If one of these employees downloads the Trojan from the phishing emails then I am able to obtain access to the OTC system.
Binju Gaire says
Well said, Khawlah. Attacking payment process will assist in gathering sensitive information on customer information from an organization. Altering details on shipping address is easy when you have information on customers’ address. And this will directly hamper the organization OTC process.
Khawlah Abdulaziz Alswailem says
Right, Binju. Payment step just seems to be the most vulnerable process in the order to cash process, and also the most commonly attacked process. In fact, attacking this process gives the attacker a platform to access many consumers.
Thanks for your reply!
Andres Galarza says
I agree with everything you’ve said.
Another, related, point to protection of PII is the idea that it’s going to become more and more regulated in sectors outside of healthcare. The General Data Protection Regulation (GDPR) which has already been passed in the European Union imposes strict penalties against organizations in all sectors of business if they’re not able to show data governance and respond to customer requests.
https://en.wikipedia.org/wiki/General_Data_Protection_Regulation
Khawlah Abdulaziz Alswailem says
3. Controls are important in all the OTC processes including invoicing and collections. What would be different in the controls of a purely domestic US company vs. an international company? Give 1 – 2 specific examples.
The main difference in the controls of a purely domestic US company and an international company is the period reconciliation of shipping and invoicing records. It is more important and usually more complex for the international company. For example, for purely domestic US companies, only one shipping company is usually involved in the shipping process. However, the international company usually requires long-distance shipping, and more than one shipping company may be involved, which may increase the risk of losing shipments and enhance the importance of reconciliation of the shipping records with different companies.
Parneet Toor says
Great distinction point Khawlah. However, those companies always discover a way to transfer profit to their home country. Doing business on an international level is really difficult to the extent that laws and regulations for shipping are not similar across different countries.
Michelangelo C. Collura says
That’s a good point about multiple shipping companies, something I didn’t think of. This certainly makes shipping much more complicated, with trucks, ships, planes, or even some other method. Add in the exchange rates paid to shipping companies, arrangements with local governments, possible bribes in more lawless areas, and you quickly see a very complicated process.
Yijiang Li says
Khawlah, I learned a lot from your comment. Reconciliation is a critical process, especially for a company’s Accounting department. In this process, accountants will have a chance to review all materials of shipping and invoicing and correct potential mistakes. For an international company, reconciliation is much more complicated, because they have to deal with local laws and regulations, relationships with local government, tariffs, etc.
Michelangelo C. Collura says
Assume you’re an outside organization with goal to cause negative things to happen to an organization’s Order to Cash (OTC) process. Where would you attack it? Explain Why and How
The best target is always the weakest point, so that is the first consideration. Since security for customers is random and often inadequate, I’d think that would be the best avenue of attack. Establishing a botnet and making many small orders over a short time could flood the company’s servers, making legitimate orders more difficult to process. If the volume is high enough, we may even cause their ordering function to break down temporarily, costing the firm in lost sales. This type of attack would be useful for competitors wishing to disrupt service, or it could be useful in just general chaos committed by a foreign economic power.
Michelangelo C. Collura says
Who in an organization should care more about the collections process – Finance or Sales? Explain
I would think Finance because they would determine how best to allocate company resources to address this. I think they would be able to take a holistic view of the company’s financial situation and decide to outsource the collections process – both to save in labor costs and also to let someone else, with a core competency in such efforts, handle the process. Sales would be more concerned with the initial agreement with the customer, perhaps the first sale or first recurring transaction, or some type of long-term agreement. In other words, they would handle adding to the firm’s revenue, and Finance would handle trying to avoid losing revenue through efficient collection methods.
Michelangelo C. Collura says
Controls are important in all the OTC processes including invoicing and collections. What would be different in the controls of a purely domestic US company vs. an international company? Give 1 – 2 specific examples.
As we’ve discussed before, international invoicing would mean currency exchanges in real time, and any necessary calculations involving WTO rules between those two countries (ex. duties and tariffs). This would not be an issue in a purely domestic firm. With collections, I would think the issue is even more complicated. Some countries may have restrictions on methods for demanding repayment, perhaps not allowing robocalls to customers. A firm would also need to decide how far they want to push the issue in a less regulated country, balancing debt repayment with not alienating the consumer base or national government. They may also need to outsource to a domestic firm for the collections process, either for legal or core competency considerations. None of these issues are likely a concern for a purely domestic firm, though alienating consumers may be a consideration in both cases.
Michelangelo C. Collura says
You’ve now seen the entire Order to Cash (OTC) Process. If you were responsible for the controls of this process – what would keep you up at night (e.g. be your area of most concern)? Explain
Areas outside the company’s control would be most concerning. In my mind, unexpected demand for a given product and shipping problems would be the biggest issues. With unexpected demand, the firm could try to bulk up supply once it realizes what is going on, but items can quickly become very popular with seemingly no reason. An amusing example was a banana-slicing device sold on Amazon; it was a mediocre item selling infrequently, but due to some viral memes about the device, it became a hot seller very quickly, so Amazon needed to work with the manufacturer to produce far more than they ever expected to need in a given time. This is a risky situation, as delayed orders may make customers cancel or go elsewhere. With shipping, some issue in USPS, FedEx, or UPS could cause massive problems for us, and we can’t really control the outcome. If UPS employees strike for example, or some company-wide digital glitch causes order processing problems, we would be directly affected and unable to do much to alleviate the issue. I would think some collaboration and resource-sharing does happen in such situations, but it would still be much more difficult than an in-house breakdown.
Lezlie Jiles says
1. Assume you’re an outside organization with goal to cause negative things to happen to an organization’s Order to Cash (OTC) process. Where would you attack it? Explain Why and How
If I were an outside organization looking to negatively impact my competitor I would definitely want to impact their customer base. I believe this can be accomplished by interfering with their customer contacts, such as shipment and invoicing errors. By doing this I would expect that a customer receiving the wrong shipment or costly invoicing would eventually reduce their customer base.
Two of our classmates (Binju and Jing) pointed out great points that I had not thought about, but would definitely cause a negative impact. Their suggestions were to attack the CRM system and causing a data breach. I think Binju’s idea of attacking the CRM system was an excellent point, so excellent that I had to restate it. This suggestion could cause all types of issues for the attacked organization and be very beneficial to the competitor.
Jing’s suggestion of causing a breach within the organization was good, but very risky, and not to mention it does cross the line of unethical practices. However, her suggestion would indeed cause the competitor to experience customer issues and losses.
Candace Nelson says
2. Who in an organization should care more about the collections process – Finance or Sales? Explain
There are different reasons each of these departments would be concerned about the collections process:
Finance is responsible for monitoring and reporting budgeted vs. actual sales and properly accounting for the potential uncollectibility of accounts receivable. A reserve for uncollectible (doubtful) accounts should be recorded as a percentage of aged accounts receivable based on the history of collectability. For instance, a 2% reserve might be applied against current receivables, with 10% against receivables that are between 90 and 120 days old, and as much as 100% for receivables that are over a year old.
Sales has at least a few considerations about collectability of accounts receivable, as follows:
From a personal perspective, if a Salesperson (male or female) is earning a commission, they are usually (and rightfully) “docked” for uncollectible accounts for which they are responsible. Hence, from a selfish perspective it is in their best financial interest when accounts receivable are fully collected.
If customer accounts are uncollectible, it could be due to the volume of sales that are being made to them. Once an account is flagged as problematic (perhaps once it exceeds 90 days), there should be a process in place to prevent further sales until the account is brought current. As a Salesperson, it does not make sense to continue selling to a customer who has demonstrated an inability to pay for what they have already purchased.
Another factor to be considered is the process whereby credit is extended to customers and the propriety of credit limits over time. In a recent SOX audit we recommended that management review all credit limits annually at a minimum, and that consideration be given to changing such limits (upwards or downwards) based on each customer’s order and payment history. For instance, if a customer purchases $10K worth of goods per month on average, there is no reason for them to have a $100K credit limit. It creates an unnecessary risk that – if the customer were to suddenly face financial difficulties, they could order up to the $100K limit within a short time frame (e.g. perhaps they are planning to file for bankruptcy and want to increase their inventory beforehand), thereby increasing the likelihood of not being able to pay in full. On the other hand, if a customer has a history of paying timely and in full, and their purchases repeatedly exceed their credit limit, it is perfectly reasonable for it to be raised once sufficient diligence is performed, including review of a Dun & Bradstreet credit report and/or the customer’s annual financial statements.
In summary, it is in the best interest of every employee that sales be collectible since – regardless of the nature of the business (profit vs. non-profit) – income is the life blood of an organization that allows them to do what they do. Additionally, employee bonuses are often tied to company profitability, which is based on net (collectible) sales, so every employee potentially has “skin in the game”.
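The credit-hold and credit-limit review controls described in the post above, as an added example that is not part of the original thread. The 90-day hold comes from the post; the 3x ratio, the three-month breach count, the over-limit check, measuring age from the invoice date, and all names and sample data are assumptions made for illustration.

```python
from dataclasses import dataclass
from datetime import date
from statistics import mean

HOLD_AFTER_DAYS = 90        # from the post: account is flagged once it exceeds 90 days
MAX_LIMIT_TO_USAGE = 3.0    # assumption: limit above 3x average monthly purchases is excessive
REPEAT_BREACH_MONTHS = 3    # assumption: "repeatedly" = at least 3 months over the limit


@dataclass
class Invoice:
    customer: str
    amount: float
    issued: date
    paid: bool


@dataclass
class Customer:
    name: str
    credit_limit: float
    monthly_purchases: list  # trailing monthly purchase totals


def open_invoices(invoices, customer):
    """Unpaid invoices belonging to one customer."""
    return [i for i in invoices if i.customer == customer.name and not i.paid]


def order_decision(customer, invoices, order_amount, today):
    """Preventive control applied before a new order is accepted."""
    unpaid = open_invoices(invoices, customer)
    # Block further sales while any receivable is older than the hold threshold.
    if any((today - i.issued).days > HOLD_AFTER_DAYS for i in unpaid):
        return "HOLD"
    # Open balance plus the new order must stay within the credit limit.
    if sum(i.amount for i in unpaid) + order_amount > customer.credit_limit:
        return "OVER_LIMIT"
    return "APPROVE"


def limit_review(customer):
    """Periodic (e.g. annual) review of whether the credit limit still fits usage."""
    avg = mean(customer.monthly_purchases)
    if customer.credit_limit > MAX_LIMIT_TO_USAGE * avg:
        return "LOWER"  # e.g. $100K limit against $10K average monthly purchases
    breaches = sum(1 for m in customer.monthly_purchases if m > customer.credit_limit)
    if breaches >= REPEAT_BREACH_MONTHS:
        return "RAISE_AFTER_DILIGENCE"  # only after credit report / financials review
    return "KEEP"


# Constructed sample data (not from the thread).
TODAY = date(2024, 6, 30)
ACME = Customer("Acme", 100_000, [10_000] * 12)
BOLT = Customer("Bolt", 20_000, [25_000, 22_000, 30_000, 18_000])
CORE = Customer("Core", 30_000, [10_000, 12_000])
INVOICES = [
    Invoice("Acme", 9_000, date(2024, 3, 1), paid=False),   # 121 days old
    Invoice("Core", 25_000, date(2024, 6, 1), paid=False),  # 29 days old
    Invoice("Core", 40_000, date(2023, 1, 1), paid=True),   # paid, ignored
]

if __name__ == "__main__":
    for c in (ACME, BOLT, CORE):
        print(c.name, limit_review(c), order_decision(c, INVOICES, 4_000, TODAY))
```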
Michelangelo C. Collura says
Very thoughtful Candace. I’m curious about how a firm decides that sales can go to collections – in other words, at what point of accounts receivable balance does it become an issue for a firm? Some might take the approach you describe, of trying to ensure all AR are handled, but I would think there is some residual benefit to tossing the worst accounts to an outside firm to handle collections. This likely means accounts will be paid (mostly) while not sucking up labor costs in-house by having sales folk handle the collection process. Rather, they can focus on generating more new sales.
Lezlie Jiles says
2. Who in an organization should care more about the collections process – Finance or Sales? Explain
This question hit home a little bit because this is felt by my office on a day-to-day basis. The only department that truly cares about the collection process is finance. The sales department’s true concern is with sales and sales only. Once the sale has been made and the sales quota has been met, the sales department’s process concerns have been achieved. However, finance follows the money, and where the money goes finance goes.
In applying this question to my daily tasks, it is up to my office to receive and recognize the payments. Once the order is processed we collect (or not) all payments via cash, credit cards, and collection items. Those transactions are then reconciled via our bank deposits, and any transaction that is not received is our responsibility to investigate.
Candace Nelson says
Hi Lezlie –
It is truly unfortunate that Finance cares more about sales than the sales people do in your organization. It makes me wonder whether your employer measures sales against quotas net of uncollectible accounts.
I have had experience with auditing bonus programs that were fundamentally flawed in that they compensated salespersons based on gross vs. net sales. Hence, there was no risk for said salesperson if they sold to a financially unstable customer. The company still faced the risk of bad debt (and the lost opportunity to sell the same product to a customer who would pay), while potentially “incenting” the sales force to do the wrong thing.
Depending on your role within your organization, you may want to recommend a process improvement. Just a thought!
Lezlie Jiles says
Hi, Candace
You are absolutely correct in your statement “they compensated salespersons based on gross vs. net sales” and I definitely agree. However, my organization is quite different. We don’t deal in sales per se. There is no “sales” rep basing their bonus off of gross or net, or sales reps at all. Nevertheless, when looking at your comment, if that were the case, yes, the process would definitely be flawed. In applying your comment to the mortgage crash a few years ago, this was definitely the case. Mortgages were created with the knowledge that they were indeed going to be bad debt, and compensations were given anyway, thereby leaving the finance department liable for collecting the bad debt. And, as I stated earlier, finance is really the only part of the organization that cares about the collections process. Where the money goes finance goes…
Candace Nelson says
Haha – agreed!
Michelangelo C. Collura says
Loved reading this discussion. It sheds light on some systemic issues related to sales and the collection process, particularly in industries where quantity seems to matter more than quality. It feels like information silos are at play in such situations – with Sales staying in their lane, disregarding the concern of Finance, who then need to clean up the mess left unnecessarily. Alternatively, they shift the risk onto a third party, as we saw during the housing crisis you mentioned, with firms shuffling collateralized debt obligations around and around without genuine concern for debt collection.
Candace Nelson says
4. You’ve now seen the entire Order to Cash (OTC) Process. If you were responsible for the controls of this process – what would keep you up at night (e.g. be your area of most concern)? Explain
As has been demonstrated over and over – recently with how Wells Fargo’s “stretch” sales goals resulted in fraud – my biggest concern has less to do with the day to day controls vs. an organization’s strategic goals and objectives and the “tone at the top” that dictates the level of integrity a company expects of its employees.
The Association of Certified Fraud Examiners (ACFE) published the results of a study titled Tone at the Top: How Management Can Prevent Fraud in the Workplace, in which tone at the top has been defined as follows:
“Tone at the top refers to the ethical atmosphere that is created in the workplace by the organization’s leadership. Whatever tone management sets will have a trickle-down effect on employees of the company. If the tone set by managers upholds ethics and integrity, employees will be more inclined to uphold those same values. However, if upper management appears unconcerned with ethics and focuses solely on the bottom line, employees will be more prone to commit fraud because they feel that ethical conduct is not a focus or priority within the organization. Employees pay close attention to the behavior and actions of their bosses, and they follow their lead. In short, employees will do what they witness their bosses doing.”
http://www.acfe.com/uploadedfiles/acfe_website/content/documents/tone-at-the-top-research.pdf
It has been determined that Wells Fargo’s “8 is great” mantra – that describes the requirement of salespersons to get every bank customer to enroll in eight products or services (regardless of need) or face the risk of losing their jobs – was sufficient pressure to cause fraudulent behavior. Management seemingly ignored the impact this pressure was having on bank employees and claimed to have no knowledge of the level of deception it took to meet this unrealistic goal. In fact, Senator Robert Menendez of New Jersey was quoted as saying: “This isn’t the work of 5,300 bad apples. This is the work of sowing seeds that rotted the entire orchard. You (John Stumpf, former Wells Fargo CEO) and your senior executives created an environment in which this culture of deception and deceit thrived.”
https://www.theguardian.com/business/us-money-blog/2016/sep/22/wells-fargo-scandal-john-stumpf-elizabeth-warren-senate
Yet, Mr. Stumpf “retired” amidst the unraveling of the scandal, taking more than $133 million with him. It really makes you wonder if crime does pay… which is what frightens me the most!
As an interesting side note, Mr. Stumpf was subsequently required to repay $69 million of pay and stock grants pursuant to a criminal investigation into the role he played in the fraud, about which the Board of Directors stated he “turned a blind eye to the fraudulent accounts being created under his nose.”
https://www.nytimes.com/2017/04/10/business/wells-fargo-pay-executives-accounts-scandal.html
Lezlie Jiles says
3. Controls are important in all the OTC processes including invoicing and collections. What would be different in the controls of a purely domestic US company vs. an international company? Give 1 – 2 specific examples.
I believe the invoicing, collection, and shipping controls would be affected differently by domestic companies vs. international ones. The OTC controls for a domestic company would follow the typical period reconciliation of shipping and invoicing process, but the difference would definitely be recognized for an international customer. International trade would be the driving difference in OTC because of the exchange rate in currency and the shipping ability or inability due to international regulations.
Typically an organization could recognize the process (e.g., order, payment, and shipment) fairly quickly when dealing with a domestic customer. However, an international consumer would have to be handled differently, especially because of the exchange rate. Making sure the daily rate is correct and payment is received timely.
Mengting Li says
Who in an organization should care more about the collections process – Finance or Sales? Explain
I would say the finance department should care more about the collection process because the sales department’s job is to bring in more business. The only thing they need to do is to create more orders and then make more money for the company. If the sales department tries to collect, it reduces their effectiveness with their clients. In addition, the finance department should own the process of tracking receivables and flagging any potential issues.
Mengting Li says
You’ve now seen the entire Order to Cash (OTC) Process. If you were responsible for the controls of this process – what would keep you up at night (e.g. be your area of most concern)? Explain
I might pay more attention to the payment process because this process involves money transfer. Hackers try everything they can to find a vulnerability to steal customers’ payment information, like credit and debit card information. They might also hack the payment system in order to steal money from this process. Because this process is related to a large customer environment, which is very hard to control, it might lead to more vulnerability in this process.
M. Sarush Faruqi says
Mengting,
Great points. I agree that the payment process is the most vulnerable to fraud and hacks. A large portion of customers use their credit cards as a means to pay for a service or item. Companies who give the option for online payments must employ payment processing controls to reduce the risk of a hacking incident occurring.
Lezlie Jiles says
4. You’ve now seen the entire Order to Cash (OTC) Process. If you were responsible for the controls of this process – what would keep you up at night (e.g. be your area of most concern)? Explain
In dealing with finance I would definitely have to say invoicing, collection and recording of payment. Although, the customer-driven point in this process is essentially important to an organization’s sustainability and growth. However, the recognition of revenue is definitely equally important in keeping an organization’s objectives on course.
There are several sub-processes within OTC that could keep me up at night because risks can be identified throughout O2C. However, my concerns would be with invoicing, collection and recording because there are many outlets for fraud.
Qiyu Chen says
1. Assume you’re an outside organization with goal to cause negative things to happen to an organization’s Order to Cash (OTC) process. Where would you attack it? Explain Why and How?
In my opinion, I will attack the Invoicing & Collection part of the OTC process. The reason is that there are a lot of credit and debit notes in this part, which means I can have thousands of pieces of billing information from this part, so that I can get huge profit from this part and also bring huge damage to this company. The steps for how I can do that are as follows:
Step 1: select a malware
Step 2: install the malware on all of the company’s terminals
Step 3: make a copy of the numbers of all cards used.
M. Sarush Faruqi says
Who in an organization should care more about the collections process – Finance or Sales? Explain
The Finance department should care more about the collections process as they are the business function responsible for making sure all of the numbers in the books and the financial statements are correct for reporting purposes. If the company is publicly traded, shareholders need to know whether or not the company made a profit. This can only be achieved if the numbers on the financial statements are accurate. If the company is private, the CEO needs to know if profits have been reported in order to weigh the number against the costs being incurred. The Finance department is typically the business function which takes care of all this, so they should be concerned about the collections process. When I think of the Sales department, I think of the business function responsible for bringing money or revenue into the business and not necessarily recording all of the monetary figures.
Edward Gudusky says
Who in an organization should care more about the collections process – Finance or Sales? Explain
I’ll again go against the grain on this one for the sake of provoking different thought processes. I’ll say that sales should care more about the collection process. One reason why I think this way is if somebody from Sales posts a very large sale but does so with incorrect terms (maybe giving an order a much longer repayment timeline than is allowed by the company) or other parts of the sale that cause delays in collections, the entire company could suffer. Yes, Finance does care about a situation like this, but this problem is not because of them.
Edward Gudusky says
Controls are important in all the OTC processes including invoicing and collections. What would be different in the controls of a purely domestic US company vs. an international company? Give 1 – 2 specific examples.
If an order is flagged as an international transaction, there may be additional shipping checks prior to when the shipment is expected to arrive to the customer. Due to more lengthy shipping and possible loss or damage of goods, an additional inspection upon arrival to the country of the customer would be a way to ensure the product is accounted for and not damaged. If this check is not in place, the customer can easily place claims of damage and dissatisfaction in order to either not pay or to receive discounts even if they are not warranted. I see this as more of a problem with international orders, as US to US orders are pretty standardized.
Edward Gudusky says
You’ve now seen the entire Order to Cash (OTC) Process. If you were responsible for the controls of this process – what would keep you up at night (e.g. be your area of most concern)? Explain
I would be most concerned with cyber attack technology advancing at a rate where software controls can’t keep up to remain protected. I would be worried that this would cause either a security breach where customer information is leaked (meaning the company makes the news and then needs to spend lots of money to rectify the problem) or company financials are tampered with (thinking more along the lines of fraud for this).
Yijiang Li says
1. Assume you’re an outside organization with goal to cause negative things to happen to an organization’s Order to Cash (OTC) process. Where would you attack it? Explain Why and How
When we are trying to attack an IT system, we should consider the following two factors: 1) where the system vulnerabilities are located; 2) where the maximization of benefits is. Combining the above two factors, I consider attacking the customer payments in the Order to Cash (OTC) process.
Initially, when customers use their credit cards to make a payment, most sensitive information including name, address, card number and security code will be stored in our servers for a brief time. At this moment, attacking those servers will provide us an opportunity to steal all those valuable data. Second, the system which deals with customer payment is usually connected to a third-party vendor (financial institutions, etc.). Therefore, there is a chance for an attacker to hack into the main system through the third party’s portal.