All 18 checks with why-it-matters prose, severity, and cross-references to related audits.
A flat shipping rate applied to every order regardless of weight, destination, or carrier method is a CWE-682 (Incorrect Calculation) defect that costs money in both directions: the store eats losses on heavy or long-distance shipments, or overcharges customers on lightweight local orders — which triggers chargebacks and cart abandonment. ISO 25010:2011 functional correctness requires that computed outputs match business rules. When every order is charged the same $5.00 regardless of a 50 lb appliance vs. a greeting card, the store is either subsidizing shipping losses or alienating customers who see inflated charges and leave.
Why this severity: Critical because a flat-rate-for-all calculation directly produces financial losses on heavy shipments or overcharges that drive customer disputes and abandonment.
Pattern: ecommerce-shipping-tax.shipping-calc.rate-calculation-accuracy

Single-option shipping forces every customer into the same cost-speed tradeoff, driving cart abandonment when buyers need faster delivery or want to avoid paying for speed they don't need. Baymard research attributes roughly half of all checkout abandonment to shipping friction. Missing express or economy tiers also hides revenue: urgent buyers will pay a premium for overnight, and price-sensitive buyers require a cheap ground option to convert at all. From a user-experience (UX) perspective, the absence of choice signals an unfinished store.
Why this severity: High because it directly suppresses conversion across the entire purchase funnel and caps achievable revenue.
Pattern: ecommerce-shipping-tax.shipping-calc.multiple-methods

Customers who cannot see when their order will arrive either abandon checkout or open support tickets after purchase, both of which erode margin. Delivery-date visibility is a core commerce UX expectation set by Amazon and reinforced across every major retailer; its absence signals an amateur storefront. Gift buyers, event buyers, and deadline-driven purchases all require a concrete arrival window to convert. Missing or identical timeframes across methods also defeats the purpose of offering tiered shipping in the first place.
Why this severity: Medium because it reduces conversion and inflates support load without causing data loss, security impact, or legal exposure.
Pattern: ecommerce-shipping-tax.shipping-calc.delivery-timeframe

When a customer changes their shipping state from CA to NY in the checkout form and the displayed shipping cost stays frozen at the California rate, they proceed to payment believing one price and are charged another — a CWE-682 calculation error surfaced at the worst possible moment. ISO 25010:2011 functional correctness and user-experience taxons both apply: the checkout summary is a live contract between the store and the customer. Stale rates cause payment disputes and undermine trust in the exact moment checkout confidence is most fragile. Address-change handlers that call no recalculation function are dead code with real financial consequences.
Why this severity: High because stale shipping costs displayed at the payment step produce direct financial discrepancies that lead to customer disputes and erode checkout conversion.
Pattern: ecommerce-shipping-tax.shipping-calc.recalc-on-address-change

A free shipping threshold that is hardcoded in two places with different values — $50 in `lib/shipping.ts` and $100 in `components/CartSummary.tsx` — is a CWE-682 defect that will apply free shipping to some customers who don't qualify and deny it to others who do. ISO 25010:2011 functional correctness requires a single source of truth for business rule constants. Inconsistent thresholds also break customer trust: the cart banner says "Add $10 for free shipping" but the checkout still charges $12.99 after the customer crosses the threshold. This produces support tickets and abandoned carts at the highest-intent stage of the funnel.
Why this severity: Medium because threshold inconsistency produces incorrect customer-facing charges and promotional failures that erode trust and generate refund requests.
Pattern: ecommerce-shipping-tax.shipping-calc.free-shipping-threshold

A single hardcoded tax rate applied to every location — 8.5% regardless of whether the customer is in California, a no-sales-tax state like Oregon, or a VAT jurisdiction in the EU — is both a CWE-682 calculation error and a regulatory compliance failure. South Dakota v. Wayfair (2018) established economic nexus, meaning multi-state sellers must collect destination-state rates. EU VAT Directive 2006/112/EC imposes separate VAT obligations for digital and physical goods sold in EU member states. Overcharging customers in no-tax jurisdictions exposes the business to refund liability; undercharging in mandatory-tax states exposes it to audit penalties and back-tax assessments.
Why this severity: Critical because applying a flat tax rate to all jurisdictions produces regulatory non-compliance with Wayfair nexus rules and EU VAT obligations, exposing the business to both back-tax liability and customer overcharge disputes.
Pattern: ecommerce-shipping-tax.tax-computation.jurisdiction-detection

Charging sales tax on groceries in states like Texas or California — where food sold for home consumption is exempt — is a regulatory compliance failure that overcharges customers and exposes the store to audit liability. IRS Publication 334 and state-level tax codes define categories of exempt goods (groceries, prescription drugs, clothing in some states, medical devices). When the product schema has no `is_tax_exempt` flag, the tax calculation applies the full rate to every line item, making exemption enforcement impossible without a code change for each new product type added to the catalog. CWE-682 applies: the calculation is incorrect for exempt products.
Why this severity: Critical because taxing exempt product categories violates state-specific sales tax rules, exposing the business to regulatory audit penalties and class-action refund claims from systematically overcharged customers.
Pattern: ecommerce-shipping-tax.tax-computation.exempt-products

Applying a 10% coupon discount after tax rather than before it systematically overcharges US customers. In most US states, sales tax is calculated on the post-discount price — applying tax first and then the discount is incorrect under standard US sales tax rules (CWE-682, ISO 25010:2011 functional correctness). A $100 cart with a $10 coupon should produce $90 × 0.085 = $7.65 tax; applying tax before discount produces $8.50 — a $0.85 overcharge per transaction that compounds across every discounted order. When the discount/tax order differs between cart preview and checkout confirmation, customers see a lower total in the cart and a higher total at payment, which triggers abandonment and disputes.
Why this severity: Medium because per-order overcharges from incorrect operation order are small individually but accumulate across every discounted transaction and produce checkout total inconsistencies that customers recognize and flag.
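The discount-before-tax rule above, as an added example that is not code from this audit page or from any store it describes. It works in integer cents, accepts either a fixed-amount or a percentage coupon, and exposes one `computeTotals` function that both the cart preview and the checkout confirmation call, so the two displays cannot disagree. The 8.5% rate and the $100 / $10 figures are the constructed numbers from the check text, not a real jurisdiction's rate; the `Coupon` type and function names are this example's own.

```typescript
// Added example (not the audit page's or any storefront's code). Money is
// handled as integer cents to avoid floating-point drift in tax lines.
type Money = number; // integer cents

// Assumed coupon shape for this example: a fixed amount off or a percentage off.
type Coupon = { kind: "fixed"; cents: Money } | { kind: "percent"; percent: number };

interface CartTotals {
  subtotal: Money;
  discount: Money;
  taxableBase: Money; // what tax is actually assessed on
  tax: Money;
  total: Money;
}

// Basis-point rate applied to a cents amount, rounded half up: 850 bps = 8.5%.
function applyRateBps(amount: Money, rateBps: number): Money {
  return Math.round((amount * rateBps) / 10000);
}

// A coupon never drives the taxable base below zero or above the subtotal.
function discountFor(subtotal: Money, coupon: Coupon): Money {
  const raw = coupon.kind === "fixed"
    ? coupon.cents
    : Math.round((subtotal * coupon.percent) / 100);
  return Math.min(Math.max(raw, 0), subtotal);
}

// Correct order: discount first, then tax on the discounted base.
function computeTotals(subtotal: Money, coupon: Coupon, taxRateBps: number): CartTotals {
  const discount = discountFor(subtotal, coupon);
  const taxableBase = subtotal - discount;
  const tax = applyRateBps(taxableBase, taxRateBps);
  return { subtotal, discount, taxableBase, tax, total: taxableBase + tax };
}

// The defective order the check describes (tax on the pre-discount price),
// kept only so the overcharge can be measured against the correct version.
function computeTotalsTaxFirst(subtotal: Money, coupon: Coupon, taxRateBps: number): CartTotals {
  const tax = applyRateBps(subtotal, taxRateBps);
  const discount = discountFor(subtotal, coupon);
  const taxableBase = subtotal - discount;
  return { subtotal, discount, taxableBase, tax, total: taxableBase + tax };
}

// Per-order overcharge produced by taxing before discounting.
function overchargeCents(subtotal: Money, coupon: Coupon, taxRateBps: number): Money {
  return computeTotalsTaxFirst(subtotal, coupon, taxRateBps).tax
       - computeTotals(subtotal, coupon, taxRateBps).tax;
}

// Cart preview and checkout confirmation share the same function, so the
// tax line shown in the cart is the tax line charged at payment.
// Constructed input: $100.00 cart, $10.00 coupon, 8.5% placeholder rate.
const cartPreview = computeTotals(10000, { kind: "fixed", cents: 1000 }, 850);
const checkoutConfirmation = computeTotals(10000, { kind: "fixed", cents: 1000 }, 850);
```

Running the constructed $100 cart with a $10 coupon at 8.5% yields a tax line of 765 cents either way the coupon is expressed, and `overchargeCents` reports the 85-cent gap the check text describes for the tax-first ordering.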
Pattern: ecommerce-shipping-tax.tax-computation.discount-application

B2B buyers — resellers, nonprofits, government entities — present tax exemption certificates that legally prohibit collecting sales tax on qualifying purchases. When a customer's `is_tax_exempt` flag exists in the database but the tax calculation function never checks it, the store collects tax it is not entitled to receive and must remit it to the state, then issue refunds when challenged. US state resale exemption certificate laws (uniform under the Streamlined Sales Tax Agreement in 24 states) impose penalty exposure when a seller knowingly ignores a valid certificate. CWE-682 applies: the calculation produces an incorrect non-zero result when it should return $0.00.
Why this severity: High because collecting tax from exempt customers despite holding an exemption certificate is a state tax law violation that triggers refund liability and potential audit penalties.
Pattern: ecommerce-shipping-tax.tax-computation.exempt-customers

Approximately 12 US states tax shipping charges; the remaining 38 do not. When shipping is always included in the taxable subtotal — or always excluded with no jurisdiction check — the store either overcharges customers in non-taxing states or under-collects tax in states like New York, Illinois, and Pennsylvania (CWE-682, ISO 25010:2011 functional correctness). The EU VAT Directive 2006/112/EC treats shipping as part of the taxable supply, applying a different rule than most US states. US state shipping taxability rules are jurisdiction-specific and cannot be flattened to a global default. When no code comment documents the shipping tax policy, the decision becomes invisible and unauditable.
Why this severity: High because shipping tax treatment errors produce systematic over- or under-collection across every order that involves a jurisdiction with non-default shipping tax rules, compounding into audit exposure.
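The four tax-computation checks above (jurisdiction detection, exempt products, exempt customers, and shipping taxability) are all decisions that belong in one tax function driven by a per-jurisdiction rule table. The example below is added here and is not code from this audit page or from any store it describes. The jurisdiction treatment of shipping and groceries follows the statements in the check text (California and Texas exempt groceries and Texas does not tax separately stated shipping, New York taxes shipping, Oregon has no sales tax, EU VAT covers shipping); every rate in `TAX_RULES` is a constructed placeholder, not a real rate, and the `TaxRule`, `Customer` and `TaxBreakdown` shapes are this example's own. A customer exemption is honoured only while a certificate with a number and an unexpired date is on file, so the `is_tax_exempt` flag the check mentions is not trusted on its own.

```typescript
// Added example (not the audit page's or any storefront's code).
type Money = number; // integer cents

interface Address { country: string; region: string }
interface LineItem { priceCents: Money; qty: number; category: string }
interface ExemptionCertificate { number: string; expiresOn: string } // ISO date YYYY-MM-DD
interface Customer { id: string; exemptionCertificate?: ExemptionCertificate }

interface TaxRule {
  rateBps: number;                        // basis points: 850 = 8.5%
  taxesShipping: boolean;                 // is a separately stated shipping charge taxable?
  exemptCategories: ReadonlySet<string>;  // product categories excluded from the base
}

// Constructed rule table. The RATES are placeholders; the shipping and
// grocery treatment mirrors the examples given in the audit text.
const TAX_RULES: Record<string, TaxRule> = {
  "US-CA": { rateBps: 850,  taxesShipping: false, exemptCategories: new Set<string>(["grocery"]) },
  "US-TX": { rateBps: 625,  taxesShipping: false, exemptCategories: new Set<string>(["grocery"]) },
  "US-NY": { rateBps: 800,  taxesShipping: true,  exemptCategories: new Set<string>() },
  "US-OR": { rateBps: 0,    taxesShipping: false, exemptCategories: new Set<string>() },
  "EU-DE": { rateBps: 1900, taxesShipping: true,  exemptCategories: new Set<string>() },
};

function jurisdictionKey(address: Address): string {
  return `${address.country}-${address.region}`;
}

// Fail closed: a jurisdiction with no configured rule is surfaced as an
// error instead of being silently taxed at a default (or at zero).
function ruleFor(address: Address): TaxRule {
  const rule = TAX_RULES[jurisdictionKey(address)];
  if (!rule) throw new Error(`no tax rule configured for ${jurisdictionKey(address)}`);
  return rule;
}

// A database flag alone is not enough: the certificate must exist, carry a
// number, and not have expired as of the order date (ISO dates compare as strings).
function isExemptCustomer(customer: Customer, orderDate: string): boolean {
  const cert = customer.exemptionCertificate;
  if (!cert || cert.number.trim() === "") return false;
  return cert.expiresOn >= orderDate;
}

interface TaxBreakdown {
  jurisdiction: string;
  taxableGoodsCents: Money;
  taxableShippingCents: Money;
  rateBps: number;
  taxCents: Money;
  customerExempt: boolean;
}

// The single tax calculation every display point (cart, checkout, order
// confirmation, email) is expected to call.
function computeTax(
  address: Address,
  items: LineItem[],
  shippingCents: Money,
  customer: Customer,
  orderDate: string,
): TaxBreakdown {
  const jurisdiction = jurisdictionKey(address);
  const rule = ruleFor(address);
  const customerExempt = isExemptCustomer(customer, orderDate);
  const taxableGoodsCents = items
    .filter((i) => !rule.exemptCategories.has(i.category))
    .reduce((sum, i) => sum + i.priceCents * i.qty, 0);
  const taxableShippingCents = rule.taxesShipping ? shippingCents : 0;
  const taxCents = customerExempt
    ? 0
    : Math.round(((taxableGoodsCents + taxableShippingCents) * rule.rateBps) / 10000);
  return { jurisdiction, taxableGoodsCents, taxableShippingCents, rateBps: rule.rateBps, taxCents, customerExempt };
}
```

Because the breakdown returns the taxable goods and shipping portions separately, the same object can feed the tax line on every page and the confirmation email, and an auditor can see from the rule table rather than from scattered conditionals why shipping was or was not taxed for a given order.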
Pattern: ecommerce-shipping-tax.tax-computation.shipping-tax-handling

Displaying tax as a line item only on the checkout page — and omitting it from the cart summary, order confirmation page, and confirmation email — violates both FTC Mail, Internet, or Telephone Order Merchandise rules and EU Consumer Rights Directive 2011/83/EU Article 6, which require clear pre-payment disclosure of total costs. When the tax amount is absent from the confirmation email, customers have no documentation of what they were charged for taxes, which becomes a dispute point during returns or accounting reconciliation. A static `Tax: $0.00` placeholder is worse than omission — it actively misleads the customer about their actual tax liability.
Why this severity: High because omitting tax from order summaries and confirmation emails violates FTC and EU consumer disclosure rules and leaves customers without the documentation required for expense reporting or dispute resolution.
Pattern: ecommerce-shipping-tax.tax-computation.tax-breakdown-display

An address form that accepts 12 countries but routes every order through a domestic shipping rate table charges Canadian customers the same flat US rate as Los Angeles — producing direct financial losses when shipping a package to Toronto for $12 that actually costs $34. The store either absorbs the loss or charges the customer incorrectly. CWE-682 (Incorrect Calculation) applies when a country parameter is accepted by the address form but silently ignored by the shipping calculation. International expansion is invalidated if the first cross-border order ships at a domestic rate.
Why this severity: Low because the defect only affects international orders, but within that segment it produces predictable per-order financial losses or customer overcharges that scale with international traffic.
Pattern: ecommerce-shipping-tax.regional-compliance.international-shipping

South Dakota v. Wayfair (2018) eliminated the physical presence requirement for sales tax nexus, meaning any US online seller that crosses state economic thresholds ($100K or 200 transactions annually in most states) must collect and remit destination-state tax. A tax lookup table with only 2 entries (CA and NY) while serving 15 states means the store collects nothing from 13 states where it may already be liable. The Streamlined Sales Tax Agreement creates uniform filing in 24 member states; the EU VAT Directive 2006/112/EC imposes separate VAT registration requirements. Fewer than 3 configured jurisdictions in a multi-state store is not a cosmetic gap — it is unreported tax liability.
Why this severity: Low severity in the audit context because manual remediation is required anyway, but the real-world tax liability exposure scales directly with the number of states served and the sales volume.
Pattern: ecommerce-shipping-tax.regional-compliance.regional-tax-rules

Charging sales tax on shipping in Texas (which does not tax separately-stated shipping charges) overcharges every Texas customer on every order. Exempting shipping tax in New York (which does tax it) under-collects on every New York order. US state shipping taxability rules differ by jurisdiction and cannot be flattened to a single global policy. EU VAT Directive 2006/112/EC treats shipping as part of the taxable supply for EU transactions, requiring a third distinct rule. A store with no jurisdiction-specific shipping tax configuration and no documentation of its shipping tax policy is applying an undocumented guess to every order.
Why this severity: Low because jurisdiction-specific shipping tax errors affect a narrower subset of orders, but systematic over- or under-collection still compounds into audit exposure as volume scales.
Pattern: ecommerce-shipping-tax.regional-compliance.shipping-tax-per-jurisdiction

A tax exemption flag on the customer record that is granted without any certificate validation — no upload, no expiry check, no certificate number format validation — is an open door for fraudulent exemption claims. US state resale exemption certificate laws (and the Streamlined Sales Tax Agreement for member states) require sellers to retain a valid certificate to defend a tax-free sale during an audit. An expired 2019 resale certificate that still exempts a customer today invalidates the seller's audit defense: the state can assess tax plus penalties on every sale covered by an invalid certificate. CWE-682 applies when the exemption calculation returns $0 on the basis of unvalidated input.
Why this severity: Low because fraudulent exemption abuse requires deliberate exploitation, but audit liability from accepting expired certificates is a routine compliance risk that scales with B2B transaction volume.
Pattern: ecommerce-shipping-tax.regional-compliance.cert-validation

A checkout flow that reveals the shipping cost only on the post-payment confirmation page — after the card is charged — violates the FTC Mail, Internet, or Telephone Order Merchandise rule and EU Consumer Rights Directive 2011/83/EU Article 6, both of which require pre-payment disclosure of total charges including shipping. Customers who reach the payment button without seeing a shipping line item are authorizing a charge they cannot verify. When the shipping amount is high enough to feel like a surprise, they dispute the charge rather than initiate a return — a chargeback is more automatic than a refund request. Even showing "Shipping: TBD" at the payment step fails the test: a placeholder is not disclosure.
Why this severity: High because withholding shipping cost until after payment is a consumer disclosure violation under FTC rules and EU law, and surprise shipping charges at confirmation are a leading driver of post-payment chargebacks.
Pattern: ecommerce-shipping-tax.checkout-integration.shipping-preview

When the cart page computes tax inline as `subtotal * 0.085` while the checkout page calls `getTaxAmount()`, and the order creation API passes a different address to a third calculation, a customer who sees $8.50 in the cart arrives at checkout and sees $8.75 — a difference that reads as a pricing error and triggers abandonment or disputes. CWE-682 (Incorrect Calculation) applies when multiple call sites produce divergent values for the same input. ISO 25010:2011 functional correctness requires that the same cart contents and address produce the same tax amount at every display point. Inconsistency is especially damaging during the payment step: customers read the discrepancy as evidence the system is untrustworthy.
Why this severity: High because tax amount discrepancies between cart and checkout are immediately visible to customers and create the impression of a bait-and-switch, driving abandonment at the payment step.
Pattern: ecommerce-shipping-tax.checkout-integration.tax-consistency

A checkout form that recalculates shipping but not tax when the customer changes their state leaves the tax line frozen at the California rate even after the customer moves to New York. This is a CWE-682 error in the address change flow — the system accepted new data but used it incompletely. ISO 25010:2011 time-behaviour applies as well: a debounced recalculation that updates both shipping and tax within 500ms of an address change is a correctness requirement, not a UX nicety. When the tax line doesn't update until form submission, the customer pays a different amount than shown — which produces payment disputes. Requiring an "Update" button click instead of automatic recalculation is equally broken: customers who don't click it proceed to payment with stale values.
Why this severity: High because incomplete recalculation on address change means customers proceed to payment with a visible total that differs from what they will actually be charged, producing disputes and eroding checkout conversion.
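The address-change checks (the earlier recalc-on-address-change check and the recalc-on-all-changes check above), together with the shipping-calculation checks on weight-based rates, multiple methods, delivery timeframes and international destinations, come down to one design: every address edit flows through a single recalculation that refreshes shipping and tax together, and the shipping quote is keyed by destination country and method with no silent fallback to the domestic table. The example below is added here and is not code from this audit page or from any storefront it describes. Every rate, weight surcharge, transit time and tax rate in it is a constructed placeholder, not a carrier's or a state's real figure; the `SHIPPING_RATES` and `TAX_RATE_BPS` tables and the `CheckoutState` shape are this example's own, and the tax table is deliberately tiny (goods only) because the point here is the recalculation path, not the tax rules.

```typescript
// Added example (not the audit page's or any storefront's code).
type Money = number; // integer cents
type MethodCode = "ground" | "express" | "overnight";

interface Address { country: string; region: string; postalCode: string }
interface LineItem { priceCents: Money; qty: number; weightOz: number }
interface MethodRate { baseCents: Money; perOzCents: Money; transitDays: [number, number] }

// Constructed rate table keyed by destination country, then method. Each
// country lists only the methods it actually offers.
const SHIPPING_RATES: Record<string, Partial<Record<MethodCode, MethodRate>>> = {
  US: {
    ground:    { baseCents: 599,  perOzCents: 5,  transitDays: [4, 7] },
    express:   { baseCents: 1499, perOzCents: 10, transitDays: [2, 3] },
    overnight: { baseCents: 2999, perOzCents: 20, transitDays: [1, 1] },
  },
  CA: {
    ground:    { baseCents: 1899, perOzCents: 12, transitDays: [6, 10] },
    express:   { baseCents: 3499, perOzCents: 25, transitDays: [3, 5] },
  },
};

interface ShippingQuote { method: MethodCode; costCents: Money; arrivesInDays: [number, number] }

function totalWeightOz(items: LineItem[]): number {
  return items.reduce((sum, i) => sum + i.weightOz * i.qty, 0);
}

// Every method the destination supports, priced by total weight, with the
// delivery window the customer should see next to each option. A country
// with no rate table throws instead of being billed at the domestic rate.
function quoteShipping(address: Address, items: LineItem[]): ShippingQuote[] {
  const table = SHIPPING_RATES[address.country];
  if (!table) throw new Error(`no shipping rates configured for country ${address.country}`);
  const oz = totalWeightOz(items);
  return (Object.keys(table) as MethodCode[]).map((method) => {
    const r = table[method]!;
    return { method, costCents: r.baseCents + r.perOzCents * oz, arrivesInDays: r.transitDays };
  });
}

// Constructed placeholder goods-tax rates by region; a real store would
// call its full jurisdiction rule set here. Unconfigured regions throw.
const TAX_RATE_BPS: Record<string, number> = { "US-CA": 850, "US-NY": 800, "US-OR": 0, "CA-ON": 1300 };

function taxFor(address: Address, taxableCents: Money): Money {
  const key = `${address.country}-${address.region}`;
  const bps = TAX_RATE_BPS[key];
  if (bps === undefined) throw new Error(`no tax rule configured for ${key}`);
  return Math.round((taxableCents * bps) / 10000);
}

interface CheckoutState {
  address: Address;
  items: LineItem[];
  method: MethodCode;
  shippingCents: Money;
  taxCents: Money;
}

// The single recalculation path. Anything that can move shipping or tax
// goes through here, so neither line can go stale on its own. If the chosen
// method is not offered for the new destination, the cheapest offered
// method is selected and recorded in the returned state.
function recalculate(state: CheckoutState): CheckoutState {
  const quotes = quoteShipping(state.address, state.items).sort((a, b) => a.costCents - b.costCents);
  const chosen = quotes.find((q) => q.method === state.method) ?? quotes[0];
  if (!chosen) throw new Error(`no shipping methods offered for ${state.address.country}`);
  const subtotal = state.items.reduce((s, i) => s + i.priceCents * i.qty, 0);
  return {
    ...state,
    method: chosen.method,
    shippingCents: chosen.costCents,
    taxCents: taxFor(state.address, subtotal),
  };
}

// The form handler: merge the edited fields and recalculate everything.
// There is no separate "recalculate shipping only" entry point to call by mistake.
function onAddressChange(state: CheckoutState, patch: Partial<Address>): CheckoutState {
  return recalculate({ ...state, address: { ...state.address, ...patch } });
}
```

In a live form this handler would be wrapped in a debounce so a customer typing a postal code triggers one recalculation per pause rather than one per keystroke; the 500ms window the check text names is a reasonable bound. The important property is structural: a state change to New York updates the tax line in the same call that re-quotes shipping, and a change of country to one without a rate table fails loudly rather than quoting the domestic price.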
Pattern: ecommerce-shipping-tax.checkout-integration.recalc-on-all-changes