UNIVERSITY OF TOLEDO INTERNAL AUDIT DEPARTMENT

MANAGE CUSTOMER ORDERS

Control practices

The following control objectives provide a basis for strengthening your control environment for

the process of managing customer orders. When you select an objective, you will access a list of

the associated business risks and control practices. That information can serve as a checklist

when you begin reviewing the strength of your current process controls.

This business risk and control information can help you assess your internal control environment

and assist with the design and implementation of internal controls. Please note that this

information is at the generic business process level and many companies will need to go beyond

generic models to address the specific business processes that support the financial and

nonfinancial disclosures being made. You can combine the insight of this business risk and

control information with your industry-specific knowledge and understanding of your company's

environment when conducting internal control assessments and designing and implementing

recommendations.

Effectiveness and efficiency of operations

A. Customers receive quality service throughout the ordering process.

B. Cycle time is compressed through efficient processing and reporting of orders.

C. Management and appropriate employees receive the information they need to service the

customer and control ordering.

D. Management obtains market information that provides insights into customer

expectations of the ordering process.

E. Sales orders are properly authorized.

F. Authorized sales orders are accurately and completely recorded on a timely basis.

G. Sales orders are reliably processed and reported.

H. Performance measures used to control and improve the process are reliable.

Compliance with applicable laws and regulations

A. The order process complies with all applicable laws and regulations.

Effectiveness and efficiency of operations

A. Customers receive quality service throughout the ordering process.

Business risks

• Customers will find the order process difficult or inefficient, resulting in a loss of orders

and future business.

• Customers will not receive all relevant information when placing orders, leading to

dissatisfaction and a loss of future business for the company.

• The company will not capture important information regarding customer demands.

Control practices

UNIVERSITY OF TOLEDO INTERNAL AUDIT DEPARTMENT

MANAGE CUSTOMER ORDERS

1. Train order-processing personnel to answer common questions regarding the company's

products and services.

2. Empower order-processing personnel with sufficient information to confirm current

product availability, confirm delivery dates, and answer common questions.

3. Provide customers with one contact who will be able to answer all their questions and

take orders.

4. Alert customer contacts to all other sources of assistance for customers with complex

orders.

5. Establish procedures for handling orders when the customer's primary contact is not

available.

6. Incorporate enough flexibility into the order process to handle all methods of ordering,

for example, methods such as fax, standard order form, sales representatives, telephone,

EDI, or the web.

7. Implement a user-friendly order management system that can be improved or updated on

a continual basis.

8. Treat the integration of systems control techniques, such as physical and logical controls,

proper approval, and testing of application changes, as an integral component of the

control process.

9. Establish training programs to ensure that personnel know the company's products and

information systems and that these individuals understand the objectives of the order

process.

10. Define clearly the terms of empowerment for staff and management.

11. Install systems controls that are designed to monitor adherence to the limits of authority

delegated to employees.

12. Provide relevant information to employees to enable them to respond to customer needs

on a real-time basis.

13. Use relevant performance measures to monitor the company's responsiveness to

customers (such as order processing time, order follow-up time, and percentage of calls

handled during the initial contact).

14. Ensure employees with the responsibility to control and improve the order process

understand why the performance measures are relevant.

15. Ensure management understands the relationship between performance measures and

company objectives for the ordering process and reinforces them.

16. Design information processes to calculate and report the performance measures of the

ordering process on a consistent and reliable basis.

17. Monitor performance measures for the ordering process over time and against desired

performance levels.

18. Analyze the reasons for variations between actual performance and desired performance

levels, and make necessary adjustments and improvements to the ordering process.

19. Assess periodically the effectiveness of performance measures as a catalyst for

continuous improvement in the ordering process.

B. Cycle time is compressed through efficient processing and reporting of orders.

UNIVERSITY OF TOLEDO INTERNAL AUDIT DEPARTMENT

MANAGE CUSTOMER ORDERS

Business risks

• Delays in reporting of orders to production or delivery will increase delivery times and

reduce customer satisfaction.

• Errors in reporting orders to production will result in incorrect production orders or

picking lists. This will delay shipments and/or the wrong goods will be delivered.

Control practices

1. Design a regular flow of sales orders from the sales department to production or shipping.

2. Use an integrated information system with which the recording of sales orders online

automatically updates production and/or distribution programs.

3. Capture sales order data once at the transaction's source.

4. Use integrated sources to: create information responsive to the needs of production,

delivery, marketing, and other appropriate personnel; enable personnel to access the

information electronically when they need it; and maintain information integrity and

security.

UNIVERSITY OF TOLEDO INTERNAL AUDIT DEPARTMENT

MANAGE CUSTOMER ORDERS

C. Management and appropriate employees receive the information they need to service

the customer and control ordering.

Business risks

• The information provided to employees and management about the ordering process will

not focus on customer needs or support company objectives. Therefore, the company will

have incorrect perceptions about process performance and the nature, number, and size of

customer orders.

• Employees will not improve the ordering process on a timely basis.

• Employees and management will not accurately determine whether the ordering process

is responding to the customer.

Control practices

1. Identify and understand customer expectations.

2. Identify and understand the company's goals in relation to improving the quality of

customer service, reducing the cost of order taking (both in terms of the company and the

customer), and compressing response time.

3. Collect statistics concerning the order-taking process (such as size of orders, number of

orders, timing of orders, and method of order placement).

4. Collect statistics about the order process and use them as a basis for identifying relevant

performance measures that will lead to improvement.

5. Select quantifiable and controllable performances measures that link the order process to

company goals and expectations.

6. Use the order process performance measures to stimulate continuous improvement.

7. Collect and measure pertinent data to produce relevant performance measures.

UNIVERSITY OF TOLEDO INTERNAL AUDIT DEPARTMENT

MANAGE CUSTOMER ORDERS

D. Management obtains market information that provides insights into customer

expectations of the ordering process.

Business risks

• The company will not obtain valuable information about customers and the market.

• The company will not impress upon customers the importance it places on feedback

regarding customers' views and concerns.

• The company will not obtain feedback on the effectiveness of its advertising and

marketing strategies.

Control practices

1. Ensure management solicits feedback from employees who work directly with customers

about the customers' expectations of the ordering process.

2. Incorporate survey questions about the order process into the standard order form.

3. Develop a standard set of questions to be asked during telephone orders, and train

employees to execute the questions properly.

4. Collect, analyze, and synthesize data to create an accurate picture of customer

demographics, order behavior, buying patterns, and expectations.

5. Incorporate customer information into the key assumptions supporting sales, marketing,

and R&D plans.

UNIVERSITY OF TOLEDO INTERNAL AUDIT DEPARTMENT

MANAGE CUSTOMER ORDERS

E. Sales orders are properly authorized.

Business risks

• The company will accept orders from customers who are unauthorized or have exceeded

their credit limit, exposing the company to unacceptable credit risks.

• The company will accept orders at unauthorized prices or terms (or at terms that violate

government regulations).

• The company will accept orders for quality standards that the company cannot meet.

• The company will accept orders from related parties without management's knowledge.

• The company will manufacture and ship products or render services without valid

customer commitments.

• The company will process commission credits for invalid orders.

• The company will deliver products or services to the wrong party.

• The company will deliver wrong goods or services or wrong quantities of goods or

services.

• The company will deliver products or services too early or too late.

Control practices

1. Use a computerized input medium to accept sales orders (such as web-enabled input

screens or EDI).

2. Install security mechanisms within the computer system to accept orders only from

authorized sources.

3. Research, correct, and reenter as necessary and on timely basis customer information that

does not match customer standing data (such as addresses and credit limits).

4. Record and create orders only on the basis of customer purchase orders or other evidence

documenting the customer's initiation of the order.

5. Require management approval for goods or services requested that are not specified or

are not consistent with customer purchase commitments.

6. Perform a computer system credit check on all customer orders before accepting them

into the system.

7. Suspend orders in excess of credit limit and resolve on a timely basis.

8. Require management review and approval of new customers, credit limits, and prices.

9. Install physical and logical security measures to prevent unauthorized access to the order

entry database.

10. Require management review and approval for all sales orders over a specified amount

and for orders with special prices or conditions.

11. Document fully key procedures within the ordering process.

12. Update the documentation of key procedures in the ordering process in response to

changes in management objectives.

UNIVERSITY OF TOLEDO INTERNAL AUDIT DEPARTMENT

MANAGE CUSTOMER ORDERS

F. Authorized sales orders are accurately and completely recorded on a timely basis.

Business risks

• The products, quantity, selling price, payment terms, sales tax, or shipping address

included on the order will be incorrect.

• Products that have been authorized for shipment will not be shipped.

• Sales orders will be lost, destroyed, or altered.

• Delinquent orders will not be identified, resulting in customers that are dissatisfied and/or

cancelled orders.

• Duplicate sales will not be recorded.

Control practices

1. Install computer system routines to validate sales order data input (such as customer

name and number, prices, terms, and credit limits) either online or in a batch processing,

against master file data.

2. Pre-number sequentially and account for all sales orders.

3. Ensure that edit checks exist within the system that reject the input of a sales order

number that was already entered and place it into a suspense file where it can be

researched, reviewed and reentered (if necessary) on a timely basis.

4. Ensure that any sales order entry with invalid, missing, or incomplete information is

rejected for reentry (online environment) or stored in a suspense file (batch) where it is

researched, corrected, and reentered on a timely basis.

5. Perform a one-for-one check between the sales order source documents (such as a

customer initiated purchase order or signed contract) and the sales order.

6. Ensure sales personnel reconcile control totals of orders entered for the day with the total

of orders accepted by the order entry system and that the results of variance

investigations are reviewed and approved.

7. Send computer-generated sales order confirmations to customers for order

acknowledgement on a timely basis.

8. Ensure that the automated order entry system--where the customer enters sales order data

through a public web site, an extranet portal, or a Value Added Network using EDI)--

allows customers to verify the accuracy and completeness of their sales order

information.

9. Require proper documentation and full support for orders before they are released to

production and/or shipping. Items to be reviewed may include contract forms, shipping

and payment terms, credit approvals, applicable tax calculations, pricing and extensions,

and compliance with export control requirements.

10. Require management approval for discounts and allowances in excess of predefined

limits.

11. Review transaction files periodically for delinquent orders.

UNIVERSITY OF TOLEDO INTERNAL AUDIT DEPARTMENT

MANAGE CUSTOMER ORDERS

G. Sales orders are reliably processed and reported.

Business risks

• Unauthorized changes will be made to programs, causing unauthorized processing

results.

• Unauthorized versions of files and/or programs will be used to process transactions,

resulting in unauthorized or incorrect business transactions.

• Files (transaction, reference, or master) will be lost, altered, or damaged, resulting in

inefficiencies, lost assets, or incorrect processing of transactions.

Control practices

1. Require authorization for all changes to program routines.

2. Install computer system security controls, such as access control software, to preclude

unauthorized individuals from modifying programs.

3. Employ tape and/or disk management systems to ensure that appropriate versions of

transaction files, master files, and programs are used in processing.

H. Performance measures used to control and improve the process are reliable.

Business risks

• Inaccurate measures will lead to erroneous perceptions about process performance,

resulting in inappropriate decisions.

Control practices

1. Use data captured at the transaction source to automatically measure performance (such

as processing time, follow-up time and number of calls required).

2. Review performance measures for the order process periodically to ensure they reflect

performance.

3. Obtain feedback relevant to the order process via sources such as customer surveys,

complaints, sales, and service calls.

4. Communicate the feedback obtained via customer surveys, complaints, customer service

calls, and other sources to employees responsible for improving the order process.

5. Ensure management and employees understand how performance measures link to

customer satisfaction and accept the use of such measures as tools for improving process

performance.

6. Link performance measures for the ordering process to performance evaluations for both

employees and managers with customer service responsibilities.

UNIVERSITY OF TOLEDO INTERNAL AUDIT DEPARTMENT

MANAGE CUSTOMER ORDERS

Compliance with applicable laws and regulations

A. The order process complies with all applicable laws and regulations.

Business risks

• The company will incur fines.

• The company will lose its right to operate.

• Noncompliance with export control regulations will result in fines and/or loss of

exporting privileges.

• The company will face litigation from customers alleging failure of the company to

comply with legal or contractual obligations.

• Collection of accounts will not be possible for goods or services already provided.

Control practices

1. Involve the legal department or outside counsel in developing and updating customer

order forms and processing procedures to ensure they comply with legal requirements.

2. Obtain legal department authorization before any order forms are released or any

procedure is performed.

3. Consult with relevant government authorities about the intent of existing regulations and

possible future requirements.

4. Ask legal counsel to review order processing procedures in light of new laws or

regulations to ensure continuing compliance.

5. Document and fully support orders before releasing them to production and/or shipping.

6. Review applicable tax documentation and calculations and compliance with export

control requirements.