PR.AC-4 / DE.CM-4 NIST Cybersecurity Framework v1.1

Do you have a written process to verify wire transfer / payment-change requests out-of-band (e.g. callback to known number)?

Demonstrate that the organization has implemented and enforces a documented process that verifies every wire transfer and payment-change request over a second, independent channel before the transaction is executed, so that a request arriving through a compromised or spoofed email channel cannot by itself move funds.

Description

What this control does

This control requires the organization to maintain a documented procedure mandating out-of-band verification for wire transfer and payment-change requests. The request is authenticated over a second communication channel, independent of the one the request arrived on, before any high-risk financial transaction is executed. The usual form is a callback to a phone number already on file for the vendor or executive (captured at onboarding and confirmed independently), never to a number supplied in the request itself, since an attacker who controls the email thread also controls any contact details it contains. This mitigates business email compromise (BEC) and payment fraud by ensuring that requests originating from compromised email accounts or fraudulent sources are detected before funds are transferred.

Control objective

What auditing this proves

Demonstrate that the organization has implemented and enforces a documented out-of-band verification process for wire transfers and payment-change requests, that the secondary channel it uses is genuinely independent of the requesting channel, and that the process is applied consistently enough to prevent unauthorized financial transactions rather than existing only on paper.

Associated risks

Risks this control addresses

  • Business email compromise (BEC) attacks where threat actors impersonate executives or vendors to request fraudulent wire transfers
  • Email account takeover leading to unauthorized payment redirection without detection
  • Spear-phishing campaigns targeting finance personnel to authorize fraudulent transactions through spoofed or compromised email
  • Vendor impersonation attacks submitting fake banking detail changes to redirect legitimate payments
  • Internal fraud where employees initiate unauthorized payment changes without dual-control verification
  • Social engineering attacks exploiting urgency or authority to bypass normal approval processes
  • Man-in-the-middle attacks intercepting and modifying legitimate payment instructions in transit

Testing procedure

How an auditor verifies this control

  1. Request and review the organization's documented wire transfer and payment-change verification policy or standard operating procedure.
  2. Verify the policy explicitly requires out-of-band verification and specifies acceptable secondary verification methods (e.g., callback to known number, in-person confirmation, authenticated portal). For callbacks, confirm the policy requires the number to come from an existing, independently confirmed record (vendor master data, prior contracts) and expressly prohibits using a number taken from the request or the email signature that carried it.
  3. Confirm the policy defines threshold amounts or conditions triggering mandatory out-of-band verification.
  4. Interview finance and accounts payable personnel to assess their understanding of and adherence to the out-of-band verification requirement.
  5. Select a sample of 15-25 wire transfers and payment-change requests from the past 12 months, ensuring coverage of various amounts and vendor types.
  6. Examine supporting documentation for each sampled transaction to identify evidence of out-of-band verification (call logs, verification checklists, attestations, secondary approvals).
  7. Test the verification process by simulating a payment-change request and observing whether staff follow the documented out-of-band procedure.
  8. Review any exceptions or policy overrides to determine whether they were appropriately authorized and documented with risk acceptance.
Evidence required

Auditors should collect the written wire transfer and payment-change verification policy, training records demonstrating staff awareness, transaction logs or approval records for the selected sample showing out-of-band verification timestamps and methods, call logs or verification checklists completed during the validation process, and any incident reports related to attempted payment fraud. Supporting evidence may include screenshots of verification workflows in financial systems, email threads showing callback confirmations, and approved exception documentation.

Pass criteria

The control passes if a documented out-of-band verification process exists, staff demonstrate awareness and adherence through interviews, and at least 95% of sampled transactions contain evidence of proper secondary verification with no unapproved exceptions.
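Steps 5 through 8 and the pass criteria above amount to a mechanical check over a sample of transactions, and the defects an auditor most often finds are easy to miss by eye: a callback logged after the funds had already moved, a verifier who is also the requester, or a callback placed to the number printed in the fraudulent request rather than the one on file. The script below is an added example, not part of the control page or any NIST material; the record layout, the approved-method list, the wire threshold and the sample records are constructed assumptions. It classifies each sampled request as verified, failed, not in scope, or an approved/unapproved exception, and applies the 95% pass criterion.

```python
"""Audit helper for out-of-band (OOB) verification evidence.

Added example, not code from the control page or from NIST. Field names,
the approved-method list, the wire threshold and the records below are
constructed assumptions for illustration.
"""
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Optional, Tuple

APPROVED_METHODS = {"callback", "in_person", "authenticated_portal"}  # assumed policy list
WIRE_THRESHOLD = 10_000.0   # assumed: wires at/above this amount need OOB verification
PASS_RATE = 0.95            # from the control's pass criteria

# Constructed vendor master: numbers captured at onboarding, independent of any request.
VENDOR_MASTER: Dict[str, str] = {"V100": "+1-555-0100", "V200": "+1-555-0200"}


@dataclass
class Request:
    req_id: str
    kind: str                 # "wire" or "payment_change"
    vendor_id: str
    requested_by: str
    amount: float
    executed_at: datetime
    phone_in_request: Optional[str] = None  # number the requester supplied; never trusted


@dataclass
class Verification:
    req_id: str
    method: str
    verified_by: str
    verified_at: datetime
    number_called: Optional[str] = None


def requires_oob(req: Request) -> bool:
    """Payment-detail changes always need OOB; wires only at/above the threshold."""
    return req.kind == "payment_change" or req.amount >= WIRE_THRESHOLD


def check_request(req: Request, verifications: List[Verification],
                  exceptions: Dict[str, dict]) -> Tuple[str, List[str]]:
    """Classify one sampled transaction and list the evidence defects found."""
    if not requires_oob(req):
        return "not_required", []
    if req.req_id in exceptions:
        exc = exceptions[req.req_id]
        ok = bool(exc.get("approved_by")) and exc.get("risk_accepted", False)
        return ("approved_exception" if ok else "unapproved_exception"), []
    # Only evidence recorded before the funds moved counts.
    candidates = [v for v in verifications
                  if v.req_id == req.req_id and v.verified_at <= req.executed_at]
    if not candidates:
        return "fail", ["no out-of-band verification before execution"]
    defects: List[str] = []
    for v in candidates:
        d = []
        if v.method not in APPROVED_METHODS:
            d.append(f"method {v.method!r} not in approved list")
        if v.verified_by == req.requested_by:
            d.append("verifier is the requester (no dual control)")
        if v.method == "callback":
            if v.number_called != VENDOR_MASTER.get(req.vendor_id):
                d.append("callback did not use the number on file")
            if req.phone_in_request and v.number_called == req.phone_in_request:
                d.append("callback used the number supplied in the request")
        if not d:
            return "verified", []   # one clean verification is enough
        defects.extend(d)
    return "fail", defects


def evaluate_sample(requests, verifications, exceptions) -> dict:
    """Pass criteria: >=95% verified among in-scope items and no unapproved exceptions."""
    results = {r.req_id: check_request(r, verifications, exceptions) for r in requests}
    in_scope = [s for s, _ in results.values() if s in ("verified", "fail")]
    rate = in_scope.count("verified") / len(in_scope) if in_scope else 0.0
    unapproved = [rid for rid, (s, _) in results.items() if s == "unapproved_exception"]
    return {"rate": rate, "unapproved_exceptions": unapproved,
            "passed": bool(in_scope) and rate >= PASS_RATE and not unapproved,
            "results": results}


def sample_data():
    """Constructed sample: a clean callback, a callback to a number lifted from the
    request email, a documented exception, a sub-threshold wire, a late verification."""
    t = datetime(2024, 3, 1, 9, 0)
    requests = [
        Request("R1", "wire", "V100", "ap.clerk", 50_000, t),
        Request("R2", "payment_change", "V200", "ap.clerk", 0, t, phone_in_request="+1-555-0999"),
        Request("R3", "payment_change", "V100", "ap.clerk", 0, t),
        Request("R4", "wire", "V200", "ap.clerk", 2_000, t),
        Request("R5", "wire", "V100", "ap.clerk", 80_000, t),
    ]
    verifications = [
        Verification("R1", "callback", "treasury.lead", datetime(2024, 2, 29, 15, 0), "+1-555-0100"),
        Verification("R2", "callback", "treasury.lead", datetime(2024, 2, 29, 16, 0), "+1-555-0999"),
        Verification("R5", "callback", "treasury.lead", datetime(2024, 3, 1, 11, 0), "+1-555-0100"),
    ]
    exceptions = {"R3": {"approved_by": "cfo", "risk_accepted": True}}
    return requests, verifications, exceptions
```

Run `evaluate_sample(*sample_data())` and the constructed sample fails the control: only R1 is cleanly verified, R2 fails because the callback went to the number the requester supplied (the exact BEC pattern the control exists to stop), and R5 fails because the only verification was logged two hours after execution. Approved exceptions and sub-threshold wires are excluded from the 95% denominator; an exception without a named approver and a recorded risk acceptance would fail the control outright regardless of the rate.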