Internal Controls for eCommerce Companies


Note: This is an extract from another article to focus on eCommerce Companies.
The Indian Companies Act 2013 mandates that the CEO and CFO certify that “internal financial Controls are adequate and operating effectively”. External auditors are also required to confirm this.
In my opinion this is what companies / auditors should do:

  1. Create a Control Catalogue: Create a control catalogue for every function. This can be based on the “as is” process and reviewed every year using internal audit’s observations, external auditors’ input and other stakeholders’ input.
  2. Define Key Controls in Control Catalogue: Depending on the philosophy of the organization, the number of controls identified can be small or large. Management, external auditors and internal auditors should come together and identify the key controls.
  3. Get a consensus on Key Controls: Management should first agree on the key controls and then get the buy-in of external auditors and internal auditors on them.
  4. Run controls with independent directors: Run the key controls and the control catalogue past the board and get an in-principle approval from the directors (especially independent directors and the audit committee, if applicable).
  5. Repeat the process annually: Run the process again at the end of the year, year after year. An annual review keeps the control catalogue relevant and updated.

The result of the above 4 steps gives external auditors the standard of internal controls applicable to that specific organization. The existence and effectiveness of the controls will be assessed by the functional team (first line of defense), their supervisors / Risk Management / Compliance (second line of defense), internal auditors (third line of defense), management and external auditors.
What can be the top 10 key controls for an eCommerce organisation?

  1. Vendor risk assessment: Assessing and approving vendors who can put their goods and services on the eCommerce portal. A non-existent / fictitious supplier can threaten the existence of the organization.
  2. Vendor reconciliations (for sales, discounts, revenue).
  3. Discount / promo code controls and reconciliations, including what-if scenarios where a promo code is used more than intended, e.g. a promo code intended for a single use is being used more than once.
  4. Monitoring of goods and services listings for prohibited goods / services (e.g. listing of arms, drugs).
  5. Inventory should be “Zero”, or inventory ageing / custody / count.
  6. ITGC / Information security.
  7. Transaction integrity: Tracking the entire transaction / rejecting incomplete transactions.
  8. Transaction validation: The organization needs to devise a system to prevent fraudulent transactions (different billing address of user / credit card / delivery address).
  9. Fraud monitoring: Fraud is one of the biggest risks, for which the organisation needs to deploy people with lots of creativity, e.g. returning fake goods, too many orders using mobile wallets from a single customer, or too many credit cards being used by a single customer.
  10. Defining and monitoring KPIs (sales, delivery time, returns, vendor return rate, customer feedback, customer complaints, server loads).
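As an added example (not part of the original article), controls 3, 8 and 9 can be run as automated checks over order records. The field names, the sample orders, the "once per customer" reading of a single-use promo code and the limit of three cards per customer are all assumptions made for this sketch.

```python
from collections import defaultdict

# Constructed sample orders: id, customer, promo code, card token,
# billing city, delivery city. Names and values are assumptions.
FIELDS = ("id", "customer", "promo", "card", "billing", "delivery")
ORDERS = [dict(zip(FIELDS, row)) for row in [
    ("O1", "C1", "WELCOME10", "card-a", "Pune", "Pune"),
    ("O2", "C1", "WELCOME10", "card-a", "Pune", "Pune"),
    ("O3", "C2", None, "card-b", "Delhi", "Mumbai"),
    ("O4", "C3", None, "card-c", "Goa", "goa "),
    ("O5", "C3", None, "card-d", "Goa", "Goa"),
    ("O6", "C3", None, "card-e", "Goa", "Goa"),
    ("O7", "C3", None, "card-f", "Goa", "Goa"),
    ("O8", "C2", "WELCOME10", "card-b", "Delhi", "Delhi"),
]]

SINGLE_USE_PROMOS = {"WELCOME10"}  # assumed: codes meant for one use per customer
MAX_CARDS_PER_CUSTOMER = 3         # assumed threshold for control 9


def promo_reuse(orders, single_use=SINGLE_USE_PROMOS):
    """Control 3: single-use promo codes redeemed more than once by a customer."""
    uses = defaultdict(list)
    for o in orders:
        if o["promo"] in single_use:
            uses[(o["customer"], o["promo"])].append(o["id"])
    return {key: ids for key, ids in uses.items() if len(ids) > 1}


def address_mismatch(orders):
    """Control 8: orders whose billing and delivery addresses differ."""
    def norm(value):
        return value.strip().lower()  # ignore case and stray whitespace
    return [o["id"] for o in orders if norm(o["billing"]) != norm(o["delivery"])]


def many_cards(orders, limit=MAX_CARDS_PER_CUSTOMER):
    """Control 9: customers paying with more distinct cards than the limit."""
    cards = defaultdict(set)
    for o in orders:
        cards[o["customer"]].add(o["card"])
    return {c: sorted(s) for c, s in cards.items() if len(s) > limit}


if __name__ == "__main__":
    for check in (promo_reuse, address_mismatch, many_cards):
        print(check.__name__, check(ORDERS))
```

Each function returns the exceptions for one control, so the output can feed the reconciliation or fraud-review queue owned by the first or second line of defense.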

Call for action:
Inputs / comments / suggestions: I welcome inputs, comments and suggestions from readers on how to approach this issue. Feel free to correct me, educate me.
Share the Article: If you like it, share it. If you share it with others, and they comment, we will all learn more.
(Disclaimer: The views expressed constitute the opinion of the author and the author alone; they do not represent the views and opinions of the author’s employers or supervisors, nor do they represent the views of organizations, businesses or institutions the author is, or has been, a part of.)