
From the moment a customer places an order to the point cash is collected and revenue is recognized, the order-to-cash (O2C) cycle is one of the most complex and consequential processes in any organization. Despite being well understood in theory, it consistently produces significant control failures in practice.
The handoffs between O2C stages are where gaps tend to live, and internal auditors who map the full cycle before selecting a testing approach consistently find more issues than those who jump straight to the control checklist.
Why O2C Workflows Are a High-Risk Area for Internal Audit
Most O2C cycles involve numerous transactions, multiple handoffs between systems and departments, and significant reliance on complex, inconsistently enforced contractual terms. Each of those handoffs is a potential control gap. Internal auditors who understand how automating the order-to-cash process tightens handoffs are better positioned to spot the control gaps left by manual workarounds.
The financial stakes for this are significant. Research estimates that organizations lose between 1 percent and 5 percent of EBITDA annually to revenue leakage, much of it traceable to control failures within the O2C process. Billing errors, missed contract terms, unauthorized discounts, and timing mismatches in revenue recognition are among the most common culprits.
O2C is also where ASC 606 compliance risk lives. The standard requires that revenue be recognized when (or as) performance obligations are satisfied. That determination often requires judgment, and the questions of when and how much revenue to recognize become genuinely complex. Those are exactly the conditions under which inconsistent application and misstated financials are most likely.
Common Control Gaps Internal Auditors Encounter Across O2C Cycles
The control gaps that appear most often in O2C audits tend to cluster around a handful of themes.
Segregation of duties failures are the most persistent. In organizations where the same individual or team can create customer orders, approve pricing exceptions, generate invoices, and post cash receipts, the conditions for error are structurally embedded. The risk is compounded when access controls in the underlying systems don’t enforce the separation that exists on paper.
Manual reconciliation dependencies are another common gap. Many organizations bridge their CRM, ERP, and billing systems through spreadsheet-based reconciliation processes. These can be error-prone and are often undocumented, informally controlled, and invisible to internal audit until something goes wrong.
Finally, revenue recognition timing is frequently misaligned with the actual satisfaction of performance obligations, through either premature or delayed recognition. The amount recognized also needs evaluation: it may differ from the contractually stated balances because of the estimates ASC 606 requires. Both elements create financial statement risk, and both are areas where internal audit can add real value beyond what the external audit typically covers.
Practical Ways Internal Audit Can Detect Control Gaps in O2C Workflows
Map the Process Before You Test It: Before selecting controls for testing, walk the entire O2C cycle end-to-end with the people who actually run it. Process narratives prepared by management tend to describe how the process is designed to work, while walkthroughs reveal how it actually works. Pay particular attention to handoff points between systems and between departments, as these gaps are where controls are most likely to be informal or entirely absent.
Test Segregation of Duties Through System Access Reviews: Don’t rely on the org chart. Pull user access reports from the ERP, billing system, and CRM, combine each user’s access across all of them, and map the result against the roles that should not coexist in a single user profile: order creation, pricing override, invoice generation, and cash application are the four most common conflict points in O2C. A conflict that spans two systems (order creation in the CRM, cash application in the ERP) is invisible in any single system’s role report.
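The access review above, carried out as a script rather than by eye. This is an added example and not code from the article or from any audit tool; the system names, role-to-capability mapping, conflict pairs, user records and transaction amounts are all constructed for illustration. It unions each user’s capabilities across every system they hold roles in, reports the conflicting pairs, and then totals the transactions posted by conflicted users so the finding can be quantified in dollar terms.

```python
"""Added example: cross-system segregation-of-duties (SoD) check over user
access exports. Not from the original article; role names, capabilities and
all sample data below are constructed for illustration."""
from collections import defaultdict
from itertools import combinations

# Which O2C capability each (system, role) grants. Assumed mapping; in a real
# review it is built from each system's role definitions, not from job titles.
ROLE_CAPABILITIES = {
    ("crm", "SalesRep"):         {"order_create"},
    ("crm", "SalesManager"):     {"order_create", "pricing_override"},
    ("erp", "OrderEntry"):       {"order_create"},
    ("erp", "PricingAdmin"):     {"pricing_override"},
    ("billing", "BillingClerk"): {"invoice_generate"},
    ("erp", "ARClerk"):          {"cash_apply"},
    ("erp", "ARSupervisor"):     {"cash_apply", "invoice_generate"},
    ("erp", "ReadOnly"):         set(),
}

# Capability pairs that must not coexist in one user's combined access.
SOD_CONFLICTS = {
    frozenset({"order_create", "pricing_override"}),
    frozenset({"order_create", "cash_apply"}),
    frozenset({"pricing_override", "invoice_generate"}),
    frozenset({"invoice_generate", "cash_apply"}),
}

# Constructed access export: (user, system, role). Note that alice's conflict
# only appears once CRM and ERP access are combined.
ACCESS = [
    ("alice", "crm", "SalesRep"),
    ("alice", "erp", "ARClerk"),
    ("bob", "erp", "OrderEntry"),
    ("bob", "erp", "ReadOnly"),
    ("carol", "billing", "BillingClerk"),
    ("carol", "erp", "PricingAdmin"),
    ("dave", "erp", "ARSupervisor"),
]

# Constructed transaction log for the audit period: (posting user, amount).
TRANSACTIONS = [("alice", 12500.0), ("bob", 800.0), ("alice", 4000.0), ("dave", 950.0)]


def effective_capabilities(access_records):
    """Union each user's capabilities across every system they hold roles in."""
    caps = defaultdict(set)
    for user, system, role in access_records:
        caps[user] |= ROLE_CAPABILITIES.get((system, role), set())
    return caps


def find_sod_conflicts(access_records):
    """Return {user: sorted list of conflicting capability pairs} for users
    whose combined access contains at least one prohibited pair."""
    conflicts = {}
    for user, caps in effective_capabilities(access_records).items():
        hits = [
            tuple(sorted(pair))
            for pair in map(frozenset, combinations(sorted(caps), 2))
            if pair in SOD_CONFLICTS
        ]
        if hits:
            conflicts[user] = sorted(hits)
    return conflicts


def quantify_exposure(conflicts, transactions):
    """Total amount of transactions posted by users holding an SoD conflict,
    the figure that turns an access finding into a financial exposure."""
    totals = defaultdict(float)
    for user, amount in transactions:
        if user in conflicts:
            totals[user] += amount
    return dict(totals)


if __name__ == "__main__":
    found = find_sod_conflicts(ACCESS)
    for user, pairs in found.items():
        print(f"{user}: {pairs}")
    print("exposure by user:", quantify_exposure(found, TRANSACTIONS))
```

Dave’s conflict comes from a single role that grants both invoicing and cash application, which is a role-design problem rather than an assignment problem; the two need different remediation, which is why the output keeps the conflicting pairs rather than just a yes/no flag.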
Sample Invoices Against Contract Terms: Select a risk-based sample of invoices and trace each one back to the underlying contract. Test whether the pricing applied matches the contracted rate, whether any discounts were authorized within the approved authority matrix, and whether the timing of revenue recognition corresponds to the actual completion of the performance obligation as defined in the agreement.
Analyze Data for Anomalies: Structured data analytics can reveal patterns that manual testing misses. Look for invoices issued just below approval thresholds (a common indicator of control circumvention), customers with unusually high credit memo or write-off activity, and revenue entries posted outside normal business hours or by users without standard posting roles. High volumes of manual journal entries to revenue accounts in the final days of a reporting period are a particular red flag.
Review System Integration Controls: If data flows between systems (from CRM to order management to billing to the general ledger) test the integration controls at each interface. Are there completeness checks that confirm every order that should generate an invoice actually does? Are there reconciliation controls between the billing sub-ledger and the general ledger? Manual bridges between systems are often where billing falls through the cracks.
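The analytics and integration checks described in the last two items, as one runnable script. This is an added example, not code from the article; the column layouts, the 5,000 approval threshold, the business-hours window, the account numbers and every sample row are constructed assumptions standing in for real CSV extracts. It flags invoices hugging the approval threshold, revenue postings made after hours or by users without a posting role, manual revenue journals in the last days of the period, billable orders that never produced an invoice, and a difference between the billing sub-ledger and the general ledger revenue balance.

```python
"""Added example: audit analytics over constructed O2C extracts. Not from the
original article; column names, thresholds, accounts and sample rows are
assumptions chosen to exercise each check."""
from datetime import datetime, timedelta

# Constructed billing sub-ledger: (invoice_id, order_id, customer, amount, approved_by)
INVOICES = [
    ("INV-1", "SO-1", "ACME", 4990.00, "u_sales1"),
    ("INV-2", "SO-2", "ACME", 4975.50, "u_sales1"),
    ("INV-3", "SO-3", "GLOBEX", 12000.00, "u_mgr1"),
    ("INV-4", "SO-4", "INITECH", 3100.00, "u_sales2"),
]
# Constructed order-management extract: (order_id, status)
ORDERS = [
    ("SO-1", "shipped"), ("SO-2", "shipped"), ("SO-3", "shipped"),
    ("SO-4", "shipped"), ("SO-5", "shipped"), ("SO-6", "open"),
]
# Constructed GL journal extract:
# (je_id, account, amount, user, role, posted_at, source)
JOURNAL_ENTRIES = [
    ("JE-1", "4000", 12000.00, "u_ar1", "ARClerk", datetime(2024, 3, 28, 10, 15), "system"),
    ("JE-2", "4000", 8500.00, "u_ctrl", "Controller", datetime(2024, 3, 30, 23, 40), "manual"),
    ("JE-3", "4000", 2200.00, "u_sales1", "SalesRep", datetime(2024, 3, 31, 14, 5), "manual"),
    ("JE-4", "4000", 900.00, "u_ar1", "ARClerk", datetime(2024, 3, 31, 16, 30), "manual"),
    ("JE-5", "2000", 500.00, "u_ar1", "ARClerk", datetime(2024, 3, 15, 9, 0), "manual"),
]

APPROVAL_THRESHOLD = 5000.00        # assumed: invoices at/above this need manager approval
POSTING_ROLES = {"ARClerk", "Controller"}  # assumed roles allowed to post revenue
BUSINESS_HOURS = (8, 18)            # assumed local business hours, [start, end)
PERIOD_END = datetime(2024, 3, 31, 23, 59, 59)
REVENUE_ACCOUNT = "4000"            # assumed GL revenue account


def threshold_hugging(invoices, threshold=APPROVAL_THRESHOLD, band=0.02):
    """Invoices within `band` (a fraction) just below the approval threshold,
    a common signature of splitting or shaving amounts to dodge approval."""
    floor = threshold * (1 - band)
    return [inv[0] for inv in invoices if floor <= inv[3] < threshold]


def suspicious_postings(entries, revenue_account=REVENUE_ACCOUNT):
    """Revenue postings outside business hours or by users lacking a posting
    role; returns [(je_id, [reasons])]."""
    flagged = []
    for je_id, account, _amt, _user, role, posted_at, _src in entries:
        if account != revenue_account:
            continue
        reasons = []
        if not (BUSINESS_HOURS[0] <= posted_at.hour < BUSINESS_HOURS[1]):
            reasons.append("after_hours")
        if role not in POSTING_ROLES:
            reasons.append("no_posting_role")
        if reasons:
            flagged.append((je_id, reasons))
    return flagged


def period_end_manual_revenue(entries, period_end=PERIOD_END, days=3,
                              revenue_account=REVENUE_ACCOUNT):
    """(count, total) of manual journals to revenue in the last `days` of the period."""
    window_start = period_end - timedelta(days=days)
    hits = [e for e in entries
            if e[1] == revenue_account and e[6] == "manual"
            and window_start <= e[5] <= period_end]
    return len(hits), round(sum(e[2] for e in hits), 2)


def orders_without_invoice(orders, invoices, billable=("shipped", "delivered")):
    """Completeness check at the order-to-billing interface: billable orders
    that never produced an invoice."""
    invoiced = {inv[1] for inv in invoices}
    return sorted(oid for oid, status in orders if status in billable and oid not in invoiced)


def reconcile_subledger_to_gl(invoices, entries, revenue_account=REVENUE_ACCOUNT,
                              tolerance=0.01):
    """Compare billing sub-ledger total to GL revenue; returns
    (subledger_total, gl_total, difference, within_tolerance)."""
    sub = round(sum(inv[3] for inv in invoices), 2)
    gl = round(sum(e[2] for e in entries if e[1] == revenue_account), 2)
    diff = round(gl - sub, 2)
    return sub, gl, diff, abs(diff) <= tolerance


if __name__ == "__main__":
    print("threshold hugging:", threshold_hugging(INVOICES))
    print("suspicious postings:", suspicious_postings(JOURNAL_ENTRIES))
    print("period-end manual revenue JEs:", period_end_manual_revenue(JOURNAL_ENTRIES))
    print("shipped but never invoiced:", orders_without_invoice(ORDERS, INVOICES))
    print("sub-ledger vs GL:", reconcile_subledger_to_gl(INVOICES, JOURNAL_ENTRIES))
```

Each check returns the identifiers it flagged rather than a boolean, so the output can be sampled straight into contract tracing. The reconciliation deliberately does not try to explain a difference; an unexplained gap between the billing sub-ledger and the GL is itself the finding, and the root cause (a broken interface, a manual journal, a timing cut-off) is what the walkthrough then has to establish.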
Key Things to Consider When Reporting O2C Control Gaps
Internal audit findings on O2C control gaps tend to get more traction with management when they’re framed in financial terms rather than purely in compliance terms. A segregation of duties finding is more compelling when it’s paired with a quantification of the exposure, for example, the dollar value of transactions processed by users with conflicting access during the audit period.
The IIA’s Global Internal Audit Standards emphasize that observations should be communicated in a way that enables informed decision-making. For O2C findings, that means being specific about the root cause because the right remediation looks different in each case.
Resist the tendency to aggregate O2C findings into a single broad recommendation. A revenue recognition timing issue that stems from unclear contract interpretation requires a different fix than a billing error caused by a broken system integration. Keeping them distinct makes it easier for management to assign clear ownership and for the audit to track remediation effectively.
Finally, be clear about the difference between what you tested and what you didn’t. O2C cycles are large, and any audit will cover a sample. Being transparent about the scope of testing builds credibility and sets realistic expectations about residual risk.
Auditing O2C well means going beyond the standard control checklist and understanding the specific failure modes in your organization’s version of the process. The data is almost always there, in transaction logs, access reports, and billing records, if you know where to look and how to ask the right questions.
Edyta Saini, CPA, FCCA, is Revenue Accounting and Compliance Advisor at RecVue, where she shapes product strategy and thought leadership around ASC 606 and IFRS 15 compliance, close automation, and audit readiness for complex enterprise environments.

