
MILKY MIST DAIRY FOOD PRIVATE LIMITED

Risk & Control Matrix - Order to Cash

Control# | COSO Component | COSO Principle
MM_O2C_1 | Control Activities | Principle 10: The organization selects and develops control activities that contribute to the mitigation of risks to the achievement of objectives to acceptable levels.
MM_O2C_2 | Control Activities | Principle 12: The organization deploys control activities through policies that establish what is expected and procedures that put policies into action.
MM_O2C_3 | Control Activities | Principle 12: The organization deploys control activities through policies that establish what is expected and procedures that put policies into action.
MM_O2C_4 | Control Activities | Principle 10: The organization selects and develops control activities that contribute to the mitigation of risks to the achievement of objectives to acceptable levels.
MM_O2C_5 | Control Activities | Principle 12: The organization deploys control activities through policies that establish what is expected and procedures that put policies into action.
MM_O2C_6 | Control Activities | Principle 12: The organization deploys control activities through policies that establish what is expected and procedures that put policies into action.
MM_O2C_7 | Control Activities | Principle 10: The organization selects and develops control activities that contribute to the mitigation of risks to the achievement of objectives to acceptable levels.
MM_O2C_8 | Control Activities | Principle 10: The organization selects and develops control activities that contribute to the mitigation of risks to the achievement of objectives to acceptable levels.
MM_O2C_9 | Control Activities | Principle 10: The organization selects and develops control activities that contribute to the mitigation of risks to the achievement of objectives to acceptable levels.
MM_O2C_10 | Control Activities | Principle 10: The organization selects and develops control activities that contribute to the mitigation of risks to the achievement of objectives to acceptable levels.
MM_O2C_11 | Control Activities | Principle 10: The organization selects and develops control activities that contribute to the mitigation of risks to the achievement of objectives to acceptable levels.
MM_O2C_12 | Control Activities | Principle 10: The organization selects and develops control activities that contribute to the mitigation of risks to the achievement of objectives to acceptable levels.
MM_O2C_13 | Control Activities | Principle 12: The organization deploys control activities through policies that establish what is expected and procedures that put policies into action.
MM_O2C_14 | Control Activities | Principle 11: The organization selects and develops general controls over technology
MM_O2C_15 | Control Activities | Principle 10: The organization selects and develops control activities that contribute to the mitigation of risks to the achievement of objectives to acceptable levels.

Sub-Process Name | Control Objective
Sale Order | Sale order to be created only to appropriate customers or dealers.
Sale Order | All sales should be against a Sales Order
Sale Order | Only Authorized Sale Order is created in the app.
Sale Order | Payment terms are mapped appropriately within Sales Order
Sale Order | Prices & Discounts are appropriately updated in Sales orders
Sale Order | All Sale Orders are processed
Sale Order | All Sale Orders are processed
Finance Verification | Sales Order created in App by Sales Team must have been communicated by Customer
Finance Verification | Balance Outstanding of customer is not beyond the defined Credit Limit
Sales Invoice and Despatch | The Sales Invoice is raised as per the details from Sale Order.
Sales Invoice and Despatch | Inaccurate recording of sales invoice.
Sales Invoice and Despatch | Sales invoice cannot be booked for closed or finance rejected Sales Order
Sales Invoice and Despatch | Finished goods are dispatched only upon invoicing
Despatch | Crates sent are correctly accounted for
Supplementary Invoices | Supplementary invoice are accurately processed

Risk Associated with the Control | Classification of Risk (Normal, Significant) | Risk of Material Misstatement Due to Fraud? | Inherent Risk (High, Medium, Low) | Account Balance/ Class of Transactions/ Disclosure; Completeness; Accuracy; Cut off
Inappropriate Sale Order creation. | Normal | N | Medium | NA ✓
Purchase Order not raised by Distributor in App but goods are invoiced based on unrecorded communication | Significant | Y | High |
Unauthorized Sale Order creation | Normal | N | Medium | NA
Inappropriate Sale Order creation | Significant | N | High | NA
Inappropriate pricing recorded in Sale Order | Significant | N | High | NA
Sale order raised but not processed | Normal | N | Low | NA
Sale Order is rejected due to incorrect reporting of Stock by Despatch Team | Significant | N | High | ✓ ✓ ✓
Fraudulent Sales Orders being created by Sales Team | Significant | Y | High |
Recovery of outstanding amount | Significant | N | High |
Inaccurate processing of sales invoice. | Significant | N | High | NA ✓
Inappropriate processing of sales invoice. | Significant | Y | High | NA
Inappropriate processing of sales invoice. | Significant | Y | High | NA
Inappropriate dispatching of finished goods | Normal | N | Medium | NA ✓
Crates sent are not received back | Significant | Y | High | ✓
Inappropriate processing of Supplementary sales invoice. | Significant | N | High | ✓

Occurrence; Validity / Recording | Control Description | Control Activity Type (Preventive/Detective) | Control Nature (Manual/Automated)
 | There is a well-built, user-friendly application through which an order can be placed by the customers. Every established customer has been given a User ID and password for accessing the application. The orders placed by them get a sequential Order ID. | Preventive | Manual
✓ ✓ | All Sales Orders must be created in App. If Distributor fails to raise Purchase Order in App, then Sales Team has to create Sales Order, which must have a unique series, based on which further controls can be established for the sale of goods. | Preventive | Manual
✓ ✓ | On receipt of the Sales Order in the app it will have a sequential number and the same is verified by the Sales Team. | Preventive | Manual
✓ | On receipt of customer Order, the Finance Team will verify the Credit Limit and also shall send the same report to the authorized person periodically and the same is verified and updated with the payment terms as per the terms for the customer. | Preventive | Manual
✓ ✓ | Selling Prices as per the direction of the Management are configured by the Finance Team for each SKU | Preventive | Automated
✓ | Open Sale Orders are reviewed on a daily basis and in case any Order ID is missed, the Sales Team will send a report “OTC-1” on a daily basis to the marketing team and corrective actions are initiated. | Detective | Manual
✓ | Physical Inventory Report in OTC 3 to be sent on a systematic basis by Despatch Team to Sales Team. Physical Inventory must be matched with Inventory as per ERP records | Preventive | Manual
✓ | Sales Orders created by Sales Team must be verified by Finance Team and the verification must be recorded | Preventive | Manual
✓ | Credit Limit Monitoring Report in OTC 2 to be prepared by Finance Team. | Detective | Manual
 | ERP automatically captures invoice details and invoice amount as follows from the sales order number as entered in the app: 1. Customer, Material and Quantity details based on sales order; 2. Price based on the pricing conditions; 3. Tax based on tax conditions | Preventive | Automated
✓ | ERP is configured such that invoicing entries are recorded to the relevant GL Codes upon raising the Sales invoice in the ERP system. | Preventive | Automated
✓ | Only sales verified and finance verified entries are imported into ERP for invoicing and despatch | Preventive | Automated
 | The Loading Pass is filled and signed by the person who loads the goods. Plant security personnel allow dispatch of goods only against the sales invoices. Plant logistics team checks packing slips with the goods dispatched. Plant security personnel verify the goods dispatched with sales invoice and match the quantity of goods dispatched. The security personnel also maintain a register of sales invoices vs goods dispatched against the same. The Loading Pass is verified at the gate before the vehicle moves outside the premises of the Company | Detective | Manual
 | The actual number of crates for a particular invoice to be captured as against the pre-defined system calculated number of crates for a particular quantity of stock | Preventive | Manual
✓ ✓ | Supplementary invoices are raised only based on approval of Senior Management | Preventive | Manual

IT Nature (IT Dependent/Non IT-Dependent) | Frequency | Control Owner | Process Owner
IT Dependent | Event Driven | IT Team | Sales Team
IT Dependent | Event Driven | Sales Team | Sales Team
Non IT-Dependent | Event Driven | IT Team | Sales Team
Non IT-Dependent | Event Driven | Finance Team | Sales Team
IT Dependent | Event Driven | Finance Team | Finance Team
Non IT-Dependent | Daily | Sales Team | Sales Team
Non IT-Dependent | Daily | Despatch Team | Sales Team
Non IT-Dependent | Event Driven | Finance Team | Sales Team
Non IT-Dependent | Daily | Finance Team | Sales Team
IT Dependent | Event Driven | IT Team | Invoicing and Despatch Team
IT Dependent | Event Driven | IT Team | Invoicing and Despatch Team
IT Dependent | Event Driven | IT Team | Invoicing and Despatch Team
Non IT-Dependent | Event Driven | Invoicing and Despatch Team | Invoicing and Despatch Team
Non IT-Dependent | Event Driven | Invoicing and Despatch Team | Invoicing and Despatch Team
Non IT-Dependent | Event Driven | Finance Team | Finance Team

Results of Design (No Exceptions Noted / Exceptions Noted) | GAP

MILKY MIST DAIRY FOOD PRIVATE LIMITED
COSO Principles

Internal Control Component | COSO Principle | No.
Control environment | Demonstrate commitment to integrity and ethical values | 1
Control environment | Ensure that board exercises oversight responsibility | 2
Control environment | Establish structures, reporting lines, authorities and responsibilities | 3
Control environment | Demonstrate commitment to a competent workforce | 4
Control environment | Hold people accountable | 5
Risk assessment | Specify appropriate objectives | 6
Risk assessment | Identify and analyze risks | 7
Risk assessment | Evaluate fraud risks | 8
Risk assessment | Identify and analyze changes that could significantly affect internal controls | 9
Control activities | Select and develop control activities that mitigate risks | 10
Control activities | Select and develop general controls over technology | 11
Control activities | Deploy control activities through policies and procedures | 12
Information and communication | Use relevant, quality information to support the internal control function | 13
Information and communication | Communicate internal control information internally | 14
Information and communication | Communicate internal control information externally | 15
Monitoring | Perform ongoing or periodic evaluations of internal controls (or a combination of the two) | 16
Monitoring | Communicate internal control deficiencies | 17
