- Assume you’re an outside organization with goal to cause negative things to happen to an organization’s Order to Cash (OTC) process. Where would you attack it? Explain Why and How
- Who in an organization should care more about the collections process – Finance or Sales? Explain
- Controls are important in all the OTC processes including invoicing and collections. What would be different in the controls of a purely domestic US company vs. an international company? Give 1 – 2 specific examples.
- You’ve now seen the entire Order to Cash (OTC) Process. If you were responsible for the controls of this process – what would keep you up at night (e.g. be your area of most concern)? Explain
Imran Jordan Kharabsheh says
1. Being an outside organization/entity with means of harming the company and benefiting the most out of their misfortune, I would target the payment phase of the Order to Cash process. The reason for this is because a company can suffer across multiple fronts if the payment process goes wrong, including the customer relations and financial fronts. One method that even a single malicious person could pull off to deeply impact the payment process is to alter the amount of payment due at the time of payment and not record the difference, or to collect a falsified and unauthorized cash payment. Other examples of ways that a person, either malicious or non-malicious, can impact the payment phase include incorrect location of entry in the ledger for receipt of payment or incorrectly classifying a long-term payment as a current-term payment.
2. In terms of the risks posed to the collection process, the financial department should be most worried about these risks coming to fruition. The primary reason is that the financial department are the ones who are held accountable for ensuring that the payments have been authorized, properly recorded and actually exist in the locations specified. They tend to serve as the last pair of hands that touches the money prior to accounting for it and depositing it in the appropriate corporate accounts.
3. When considering the differences in the controls set for the invoicing and collections processes of domestic and international companies, it is important to also note the logistical differences and complications that come with catering to more worldly clients. In terms of invoicing for domestic companies for example, some good controls that would suffice could be regular reconciliation of shipment and invoice records, and a concise set of guidelines for the return policy that is established and enforced. International companies, on the other hand, would also need to implement audits on tax collection, and a regular review by management of documents and valid cash payments to adhere and comply with international trade regulations.
4. After discussing the kinds of damage and sheer amount of risks that the payment and billing processes face, I’m definitely most concerned with the proper execution of payment and billing in the Order to Cash process. Having issues in either of these processes can end in catastrophe for the organization, with the company possibly even losing the ability to accept payments through VISA or other credit sources from customers if exposed. Not to mention the loss in credibility these will have with customers, potentially devastating a company financially. This is why proper controls are established and monitored for these processes, such as automatic invoice creation to avoid human errors when creating an invoice for customers.
Imran Jordan Kharabsheh says
Tacking on to part three, it is also important to provide an example of differences in payment controls between domestic and international companies. Domestic companies most often have established and enforced policies and procedures and regular customer statements as a form of control for the payment process. International companies, on the other hand, might also want to include regular system access checks in order to ensure only authorized individuals can access certain bits of information, and more frequent bank reconciliations on the company’s accounts.
Deepa Kuppuswamy says
The payment process phase is a great pick for this question, as there is a heightened threat of cyber attack in this area. These kinds of attacks are happening more frequently, and it is under more scrutiny from customers, regulators and investors. Based on the recent publication made by EY, it was stated that “Share prices of impacted companies dropped an average of 5% after a cyber event was disclosed, and over 30% of customers impacted by the breach ended their relationship with that organization”.
Reference: https://www.ey.com/Publication/vwLUAssets/EY-convergence-of-payments-and-cybersecurity/$File/EY-convergence-of-payments-and-cybersecurity.pdf
The above link is an interesting publication to read; it details ‘What does an organization need to consider across the payment life cycle’.
Yuan Liu says
Hi Jordan, I totally agree with you that the finance department should care more about collection. Collection includes receiving payments, recording amounts in the cashbook, and matching receipts to invoices in the sales ledger, and some of it can be automated. All these processes run in the finance department, and it should be responsible for that.
Deepa Kuppuswamy says
1. Most incidents like skimming, fraudulent disbursement and theft could happen through collusion. If I am a person from an outside organization, I would first and foremost target colluding with people in the CUSTOMER MASTER MAINTENANCE team and the CREDIT NOTE PROCESSING team. There are many other targets, but I believe that this is the important and high-risk area. Colluding with people who have access to master data would help in setting up a fictitious customer and issuing a high credit against the fictitious account. The majority of insider fraud is caused by collusion, and this type of fraud puts the company at high risk, involves larger damages and is difficult to detect. Hence, organizations should have strong internal controls in place, and organizations should also have mandatory training to help employees understand and encourage important behavioral skills, setting expectations and the organization’s commitment.
2. From my understanding of the Order to Cash process, I believe that the Finance team should care more about the Collection process, because it is important to remember that it is the Finance team which effectively forecasts the cash inflows and plans for expenses accordingly, while the Sales team brings business to the floor by effectively responding to each client’s unique needs in a timely manner. In the collections process, payment processing is a major area of concern. When the payment made by the customer is not processed in the system, it can lead to inaccurate cash estimates, which causes finance teams to incorrectly forecast higher cash deficits. Hence, finance personnel should review all the overdue invoices on a regular basis to keep an updated bad debt forecast and determine next steps.
Deepa Kuppuswamy says
Answer to Question 3 and 4:
3. When a company is involved in a global order to cash process, it has to implement additional controls in the invoicing and collection processes, as international trade involves a difficult process for obtaining payment and a difficult collection procedure. For example: collecting past-due invoices is more complicated in export sales in foreign countries with substantially different cultures and legal environments, and with the new GDPR policies there would be additional impact on sales.
Also, the international OTC process involves exchange rate risk, which would be defined as the possible direct or indirect loss in the firm’s cash flows, net profit, and stock market value from an exchange rate move. So there should be strong controls in place to meet these requirements.
Reference: http://www.imf.org/external/pubs/ft/wp/2006/wp06255.pdf
4. Order to Cash process defines the company’s success and it plays a key role in driving a good relationship with customers and organization. Frauds are likely to occur in three critical areas and following are my key areas of concern: where internal controls are weak, where there is a lack of segregation of duties and when management can override preventive controls. So additional attention should be paid in these three key areas.
Based on the type of business line, organizations should identify and maintain a proactive approach to identify vulnerabilities and then implement effective and efficient internal controls in place. Some of the anti-fraud controls could help reduce the fraud and monitoring should be in place in the following areas:
- Try to avoid manual interventions in the O2C process and allow users to place orders through digital systems
- Implement and maintain segregation of duties in the following key process areas: Order Management, Process Customer Credit, Invoicing, Accounts Receivable, Collections, Adjustments/deductions
Haitao Huang says
1. If I am an outside organization that wants to launch attacks on an organization’s OTC process, I will focus on the order placement and data entry processes. The initial order receipt is the basis for all subsequent OTC processes such as order fulfillment and revenue recognition. When an order is received, the customer master data, such as customer IDs, payment information, or billing addresses, will be summarized and recorded in the system. All the following processes in order fulfillment and billing are based on the information from the customer master data. If I can corrupt the integrity of customer master data at the initial data entry process, all the subsequent processes will be carried out based on incorrect information. This will result in numerous negative impacts to the entire OTC process, such as sending wrong orders, billing incorrect amounts, and being unable to collect payments.
2. In terms of effectiveness, the finance department should be responsible for collecting payments from customers. First, sales should focus on boosting revenue and maintaining relationships with customers. Salespeople do not want to ruin relationships with their customers, so they will be either ineffective or not performing the collection at all. Trying to collect payments will take away valuable time from what salespeople should be doing. On the other hand, bookkeeping is one of the fundamental responsibilities of a finance department, so the finance department will have a better understanding of each transaction’s status, cash flow, and overdue payments. The finance department should take responsibility for the collection process.
3. Each country has its own legal system, industrial standards, and customs. A company that operates purely domestically only needs to comply with the laws and regulations of the country where the company has a presence. This eases the burden on a company when it is designing its control policy. A domestic company can apply a single control policy to all branches because all its branches are subject to identical laws and regulations. The situation will be different for companies that operate internationally. An international company has to consider various factors in the different countries where it operates. The company might not be able to apply identical controls to all the branches. A control that is effective and valid in one country might be insufficient in other countries because each country has unique requirements for business. For example, if a purely US-based financial institution collects and processes customer personal information, it has to take the Gramm-Leach-Bliley Act (GLBA) into account when designing controls. If the company extended its operation into the European Union, it now must comply with the GDPR as well.
4. My area of most concern will be the sales area. In the sales area, fraudulent activities are committed because salespeople usually are incentivized or pressured to achieve a higher sales target, especially in positions that are commission-dependent. Salespeople can commit fraudulent activities by issuing fictitious invoices to fictitious customers, reporting a receivable as paid even though it has not been paid or not been paid in full, or giving away free products to customers without permission. Fraudulent activity in the sales area could result in significant financial and reputational damage to a company. In September 2016, Federal regulators revealed that 5,300 Wells Fargo employees secretly created millions of bank and credit card accounts without their customers’ permission in order to boost sales. The scandal cost Wells Fargo a $185 million fine.
Deepa Kuppuswamy says
Hi Haitao,
Great answer! Nice thoughts on all these questions. I would like to add a point to your first answer. Instead of the statement ‘Order placement and data entry process’, I would say that we focus on “Payment process” to be more specific, because during the order placement process we focus more on the items/products that we are intending to purchase, and from your answer I can understand that you are focusing on customer master data and the payment process, so I would like to just point it to the Payment process instead of ‘Order placement and data entry process’.
Penghui Ai says
Hi Haitao,
You have a great opinion about question 4. Fictitious customers could be a serious problem for a company, especially for those companies that have poor internal controls. A fictitious customer would cause a huge loss to the company.
Penghui Ai says
1. If I am an outside organization with a goal to cause negative things to happen to an organization’s Order to Cash (OTC) process, I will attack the shipment portion because it is the most vulnerable section, which can easily suffer theft, fraud, or failure. It is hard to make sure no package is lost or stolen in the shipment portion. The package might be stolen by people who pick it up in front of your door, or the package might be lost through the careless management of your apartment’s officer. As an outside organization, I can be a customer to buy their products and report a missing package to the company, or I can send advertisements of our products to their customers by getting their customers’ shipping addresses from the shipping portion, or I can make their shipping system invalid to ship products to customers.
2. I think the finance department should care more about the collections process. First, the Finance department should be responsible for the collections process, which requires them to report the amounts correctly in the system and make sure the number in their journals matches the number in the company’s bank account. As for the Sales department, I think they are not responsible for the collections process, but they are more concerned with the sales numbers because those affect their performance.
3. The OTC process involves different departments in the company. For example, the accounting department is responsible for the payment portion, and they need to check that each account is correctly recorded. The warehouse should be responsible for the shipment section, and make sure there are no errors in the inventory counts. The auditing group should be responsible for checking that all the processes are efficient.
4. If I am responsible for the controls of the entire Order to Cash (OTC) Process, I will be most concerned with the invoice and payment portion. When the employees create the invoice, we need to make sure all the information on the invoice is correct, especially the amount of the payment. After the invoice is created, the most suffering period is waiting for the customers’ payment. I need to be concerned with when the customers will pay the bill, so the board of directors can make decisions on the long-term operation. In addition, I am worried about whether the amount of payment matches the invoice.
Rouying Tang says
Hello Penghui, your post is very thoughtful, thank you for sharing. I do agree with you on the point that shipment is the most vulnerable process of the order to cash process, especially when a third party is involved. And the invoice and payment portion is worth concern.
Deepa Kuppuswamy says
Hi Penghui,
Nice answer for question 4. The Invoice and Payment process as a whole, which contributes to the Accounts Receivable module, is a vital process for the company, as it decides the organization’s overall revenue, profit and loss. Most organizations do trip in this area, as this is a complicated process to manage when the company size increases. I would say an efficient O2C process solely depends on this module.
And just adding on to your last statement about matching between payment amount and invoice, I guess there is a functionality in ERP systems (in SAP, Oracle, JD Edwards) called 2-way and 3-way match, which is automatically performed by the system without any human intervention. So monitoring these records periodically by management would be sufficient and would add value to this process.
Haitao Huang says
Great answer to question 3. I would like to add that segregation is an important reason why the finance department should handle the collection process. If the salespeople handle all the tasks from creating orders to collecting payments, there are opportunities for salespeople to commit fraudulent activities; for example, the salespeople could keep a payment to themselves but mark it as unpaid.
Rouying Tang says
1. Assume you’re an outside organization with goal to cause negative things to happen to an organization’s Order to Cash (OTC) process. Where would you attack it? Explain Why and How
If I am an outside organization with a goal to cause negative things to happen to an organization’s Order to Cash (OTC) process, I would try to attack the database of shipping documents, including client names, addresses, and orders. I can either destroy the data to interrupt the shipping process due to losing corresponding information; or leak the personal information and purchasing history; or I can change the morphism between customer, address and orders to cause errors in the Order to Cash process, like shipping the wrong products to the wrong customers.
2. Who in an organization should care more about the collections process – Finance or Sales? Explain
I believe both of them would care about the collections process; however, they would have different emphases. The sales department would care more about how to increase profits through booming revenue; cash collection would usually work as a measurement linked to the bonuses of their salaries and promotion. The finance department would care more about the time, accuracy and occurrence of recording and reporting all cash inflow.
Rouying Tang says
3. Controls are important in all the OTC processes including invoicing and collections. What would be different in the controls of a purely domestic US company vs. an international company? Give 1 – 2 specific examples.
The difference in the controls of a purely domestic US company vs. an international company can include using different pre-numbered shipping documents to separate them. They must have different shipping monitoring and controls, since the postal companies and carriers are usually different. The process of customer and export tax reporting is extra for the international company. Some companies may require that the labels include the local language, and the shipping address may be in a different language, so the use of Unicode and UTF-8 ASCII should be a concern.
4. You’ve now seen the entire Order to Cash (OTC) Process. If you were responsible for the controls of this process – what would keep you up at night (e.g. be your area of most concern)? Explain
I would be more concerned about the shipping and delivery status, since that part is usually outsourced to other carriers or postal services, which are out of our control. However, the speed and service quality of delivery are critical to the whole order to cash process. The loss or damage of a package in delivery can cause the failure of the whole sale procedure and double the cost.
Deepa Kuppuswamy says
‘OUT SOURCING’ to other companies caught my attention. Nice point on this one.
Organizations always own the risks of losing sensitive data and loss of confidentiality when any part of their work is outsourced. Before outsourcing any services, organizations should think about reputation risk, confidentiality of information, proprietary information, quality, etc. Any breach/attack in the supplier company will directly impact the parent company, so it should consider the above-mentioned risks and plan ahead accordingly.
Yuan Liu says
1. In my opinion, I would attack the order system first, especially an online shopping platform, which is easier to hack without tracking history. As we know, the customer order is the beginning of the Order to Cash progress, which means if there is no customer order, all the progress steps would be shut down and have no meaning. It is the basement of the progress to support the running of the business. Lots of companies prefer to build online shopping systems based on the internet, in which it is easier to find a vulnerability to crash them. Hackers can attack the online order system to make it crash. In the meantime, a company without any orders cannot do anything before it fixes the order system. This situation could waste lots of the company’s resources to keep it running without any profit, such as labor costs and electric bills.
2. I think the financial department should care more about the collection progress in a company compared with the sales department. Progress collections is the payments received from customers as deposits before the associated work is performed or product is delivered. The sales department focuses on how much product they can sell and how much profit they can make for the company. The financial department focuses on the company’s financial performance, such as a lower liability rate. There would be some accounts receivable coming out before customers’ payment. Most of them will become short-term liability. However, some of them will be long-term liability or bad debt because the customer cannot pay it. If bad debt or long-term liability comes out, there would be a series of negative influences on financial performance, which affect the financial department’s performance.
3. No two countries have the same political and legal systems. Each government has its own policies relating to foreign firms and products. The key is to understand that once you are in a foreign market you must abide by the rules and laws of that country, not the ones in your own market. These laws and regulations can severely impact the potential long-term success of your business, and it is wise to consult with legal counsel based in that country to ensure you reduce the risk of these laws’ and regulations’ effect on your firm. For example, tax will be put into the payment automatically once the payment occurs, based on American law. However, how much tax needs to be paid depends on how big your company is and how much production the company declares, based on Chinese law.
4. Shipping should be the hardest part of the Order to Cash progress, in my opinion. There are many common risks in the shipping progress, such as manipulation of client names and addresses on shipping documents, shipment of unfinished product and shipment of more product than the customer ordered. The reason why there are lots of common risks is that shipping includes many steps, which include delivery document, basis for shipment, create, picking, packing. Each step could have a mistake. Shipping is the most complicated part of the Cash or Order progress.
Peiran Liu says
1. If I am an outside organization with a goal to cause negative effects to an organization’s Order to Cash process, the process I would choose is the order process. As the payment process is the most secured part of the company, and the shipping part is usually finished by outsourcing companies, the most effective way to attack would be to attack the order process. The way I am going to do it is sending fake order-successful emails to customers, as it could be the way to know either their password or their payment information.
2. The organization that should care more about the collection process should be the finance department. The reason why it should be the finance department is that the company should first focus on getting their money back when they sell their products. Whether the company is profitable or not is the second thing to be considered.
3. For an international company, the currency to use is an important control compared to a purely domestic US company, as they don’t need to worry about this. The other important control is the delivery time. For a purely domestic US company, the delivery time can be controlled very well, as the estimated time is usually the case. But for an international company, there will be many variables on the road, which means the delivery time can be different in different scenarios.
4. The area of my most concern is still the payment process. Although the likelihood could be very low with our most secured system, when there is an accident, the impact could be very high, which means that we still have an above-moderate risk.