Are invoice / payment fraud awareness habits in place for whoever handles money?
Demonstrate that all personnel with invoice approval or payment authorization authority have received documented training on invoice and payment fraud tactics, and that verification procedures are understood and practiced.
Description
What this control does
This control ensures that personnel authorized to process invoices, approve payments, or initiate wire transfers receive targeted training on common fraud tactics such as business email compromise (BEC), vendor impersonation, invoice manipulation, and social engineering techniques used to divert funds. Training emphasizes verification procedures including multi-channel confirmation of payment changes, scrutiny of sender domains and email headers, and escalation protocols for unusual requests. Effective fraud awareness directly reduces financial losses from increasingly sophisticated payment diversion schemes that exploit human trust and process gaps.
Control objective
What auditing this proves
Demonstrate that all personnel with invoice approval or payment authorization authority have received documented training on invoice and payment fraud tactics, and that verification procedures are understood and practiced.
Associated risks
Risks this control addresses
- Business email compromise attacks that impersonate executives or vendors to redirect wire transfers to attacker-controlled accounts
- Invoice manipulation where attackers submit fraudulent invoices for goods or services never rendered, exploiting weak verification controls
- Vendor impersonation schemes where attackers pose as legitimate suppliers with altered banking details in otherwise authentic-looking correspondence
- Spear phishing campaigns targeting accounts payable staff with urgent payment requests designed to bypass normal approval workflows
- Compromise of legitimate vendor email accounts used to send fraudulent payment change notifications that appear genuine
- Social engineering attacks that create artificial urgency or authority pressure to process payments without standard verification steps
- Insider fraud where personnel exploit insufficient segregation of duties or oversight to process unauthorized payments for personal gain
Testing procedure
How an auditor verifies this control
- Obtain the current roster of all personnel with invoice approval authority, payment processing privileges, or wire transfer initiation rights from HR and the finance department
- Request training records showing completion dates, curriculum content, and attendance for fraud awareness training specific to payment and invoice fraud within the last 12 months
- Review the fraud awareness training materials to verify they include concrete examples of BEC attacks, invoice manipulation tactics, vendor impersonation techniques, and verification procedures
- Interview a representative sample of at least three personnel from different roles (e.g., accounts payable clerk, finance manager, executive with payment authority) to assess their understanding of fraud indicators and verification protocols
- Examine documented procedures for payment processing to confirm they include multi-channel verification requirements for payment changes, domain verification steps, and escalation paths for suspicious requests
- Request evidence of recent real-world verification actions, such as call logs, email chains, or incident reports where staff questioned or verified suspicious payment requests
- Test whether personnel can identify fraud indicators by presenting sanitized examples of fraudulent invoices or BEC emails and observing their response process
- Verify that refresher training is scheduled at defined intervals and that new hires with financial authority receive fraud awareness training during onboarding before gaining payment privileges
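The verification steps the training emphasizes (sender domain scrutiny, Reply-To mismatches, pressure language, and the rule that any banking change needs out-of-band confirmation) can be encoded as a pre-payment triage check. The example below is added here and is not part of the control text; the vendor master data, message fields and phrase lists are constructed placeholders, and a real deployment would use the organization's own vendor records.

```python
import re
from difflib import SequenceMatcher

# Constructed vendor master data (hypothetical): vendor name -> registered email domain
VENDOR_DOMAINS = {
    "Acme Supplies": "acmesupplies.example",
    "Northwind Logistics": "northwind.example",
}

# Phrases that signal pressure to skip verification and a banking-detail change
# (illustrative lists, not exhaustive)
URGENCY_PHRASES = ("urgent", "immediately", "today", "confidential", "do not call")
BANK_CHANGE_PHRASES = ("new bank", "updated account", "remittance", "routing", "iban")


def _domain(addr: str) -> str:
    """Lowercased domain from an address such as 'Name <user@host>' ('' if none)."""
    m = re.search(r"@([\w.-]+)", addr or "")
    return m.group(1).lower() if m else ""


def _lookalike(seen: str, expected: str) -> bool:
    """True when the domain is a near miss for the expected one (e.g. one char swapped)."""
    return seen != expected and SequenceMatcher(None, seen, expected).ratio() >= 0.85


def assess_payment_request(msg: dict, vendor: str) -> dict:
    """Triage a vendor email before any payment action.

    Returns the fraud indicators found, whether a multi-channel callback to the
    phone number already on file is required (always, for any banking change,
    even from a genuine domain, since vendor accounts can be compromised), and
    whether the request should be escalated because the message itself is suspect.
    """
    expected = VENDOR_DOMAINS.get(vendor, "")
    from_dom = _domain(msg.get("From", ""))
    reply_dom = _domain(msg.get("Reply-To", "")) or from_dom
    body = msg.get("Body", "").lower()
    indicators = []
    if from_dom != expected:
        kind = "lookalike" if _lookalike(from_dom, expected) else "unknown"
        indicators.append(f"sender domain {from_dom} is {kind}; expected {expected}")
    if reply_dom != from_dom:
        indicators.append(f"Reply-To domain {reply_dom} differs from From domain {from_dom}")
    bank_change = any(p in body for p in BANK_CHANGE_PHRASES)
    if bank_change:
        indicators.append("banking detail change requested")
    if any(p in body for p in URGENCY_PHRASES):
        indicators.append("urgency or secrecy pressure")
    suspicious = [i for i in indicators if i != "banking detail change requested"]
    return {"indicators": indicators,
            "callback_required": bank_change,
            "escalate": bool(suspicious)}
```

The third case in the test below is the one staff most often miss: a banking change from the vendor's real domain raises no sender indicator, yet still requires the callback.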