Do you require a phone-call verification before paying a new bank account or changing supplier payment details?
Demonstrate that the organization enforces mandatory phone-call verification using pre-authorized contact numbers before processing any new supplier bank account additions or modifications to existing payment details.
Description
What this control does
This control requires that before processing payments to newly added bank accounts or changes to existing supplier payment details, finance personnel must conduct a verbal verification call to a known, trusted contact using a previously validated phone number (not one provided in the change request itself). The call confirms the legitimacy of the request through a second, independent communication channel, so that an attacker who controls the channel the request arrived on (typically email) cannot also approve the change. This out-of-band verification protects organizations from business email compromise (BEC) and payment diversion fraud, which commonly exploit email impersonation or account takeover to redirect payments.
Control objective
What auditing this proves
Demonstrate that the organization enforces mandatory phone-call verification using pre-authorized contact numbers before processing any new supplier bank account additions or modifications to existing payment details.
Associated risks
Risks this control addresses
- Business email compromise (BEC) attacks where threat actors impersonate executives or suppliers via compromised or spoofed email accounts to redirect payments to attacker-controlled bank accounts
- Vendor impersonation fraud where attackers pose as legitimate suppliers and submit falsified banking change requests through social engineering
- Payment diversion through man-in-the-middle attacks where intercepted legitimate requests are modified to include fraudulent banking details
- Insider fraud where malicious employees create fictitious suppliers or alter legitimate payment details without independent verification
- Account takeover scenarios where compromised supplier email accounts are used to send authentic-looking but fraudulent banking update requests
- Invoice fraud schemes combining fake or altered invoices with simultaneous banking detail changes to evade detection
Testing procedure
How an auditor verifies this control
- Obtain the written policy or procedure document governing supplier master data changes and payment detail updates, noting the specific requirement for phone-call verification
- Review the vendor master file or supplier database to identify all bank account additions and payment detail modifications processed during the audit period
- Select a representative sample of 15-25 instances where new bank accounts were added or existing supplier payment details were changed, stratified by transaction value and department
- For each sampled transaction, request documented evidence of the verification call including call logs, verification checklists, attestation forms, or workflow system records showing the date, time, person called, and outcome
- Cross-reference the phone numbers used for verification against the supplier master file or approved contact registry to confirm they were pre-existing validated numbers, not numbers provided within the change request itself
- Interview 3-5 accounts payable staff members responsible for processing payment changes to confirm their understanding of the verification requirement and how they execute it in practice
- Test one simulated payment change request by submitting a fictitious banking detail change and observe whether finance personnel follow the phone verification procedure before processing
- Review exception logs or override records to identify any instances where the phone verification requirement was bypassed and evaluate whether appropriate compensating controls and management approval were documented
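As an added illustration of the cross-reference step in the testing procedure (not part of the control text), the check below flags sampled changes where no verification call was logged, where the call went to the number the request itself supplied, where it went to a number not already in the supplier master file, or where the contact did not confirm the change. All record layouts, field names and sample values are assumptions constructed for the example.

```python
# Added audit-check example (not from the control text). Record shapes, field
# names and all sample values are constructed; real data would need phone
# number normalisation before comparison.
from dataclasses import dataclass

@dataclass
class ChangeRequest:
    request_id: str
    supplier_id: str
    phone_in_request: str   # contact number supplied inside the request itself

@dataclass
class CallLog:
    request_id: str
    number_dialed: str
    outcome: str            # "confirmed" or "rejected"

# Constructed supplier master file: pre-existing validated contact numbers.
MASTER = {"SUP-001": {"+44 20 7946 0000"}, "SUP-002": {"+1 555 010 2000"}}

def audit_verification(requests, calls, master=MASTER):
    """Map request_id -> finding for every change that fails the control."""
    calls_by_req = {c.request_id: c for c in calls}
    findings = {}
    for req in requests:
        call = calls_by_req.get(req.request_id)
        if call is None:
            findings[req.request_id] = "no verification call recorded"
        elif call.number_dialed in master.get(req.supplier_id, set()):
            # Dialed a pre-validated number; only the outcome can still fail.
            if call.outcome != "confirmed":
                findings[req.request_id] = f"call outcome was '{call.outcome}'"
        elif call.number_dialed == req.phone_in_request:
            findings[req.request_id] = "dialed the number supplied in the request"
        else:
            findings[req.request_id] = "dialed number not in supplier master file"
    return findings

# Constructed sample: one compliant change and three control failures.
SAMPLE_REQUESTS = [
    ChangeRequest("REQ-1", "SUP-001", "+44 7700 900001"),   # new, unvalidated number
    ChangeRequest("REQ-2", "SUP-002", "+1 555 010 9999"),
    ChangeRequest("REQ-3", "SUP-002", "+1 555 010 2000"),
    ChangeRequest("REQ-4", "SUP-001", "+44 20 7946 0000"),
]
SAMPLE_CALLS = [
    CallLog("REQ-1", "+44 20 7946 0000", "confirmed"),   # pass: master number, confirmed
    CallLog("REQ-2", "+1 555 010 9999", "confirmed"),    # fail: number came from the request
    CallLog("REQ-4", "+44 20 7946 0000", "rejected"),    # fail: supplier rejected the change
]
```

REQ-3 has no matching call log at all, which is the most common failure mode an auditor finds when sampling; the other findings map directly to the cross-reference and exception-log steps above.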