Out-of-band verification for finance requests
Demonstrate that all high-risk financial transactions require independent verification through a separate communication channel before execution, preventing unauthorized payments resulting from compromised or spoofed communications.
Description
What this control does
Out-of-band verification for finance requests requires that payments, wire transfers, vendor master changes (in particular bank-account and contact updates), and other high-risk financial transactions be confirmed through a second communication channel that is independent of the one the request arrived on. When the finance team receives an email requesting a payment or an account change, staff must confirm the request by phone call, video conference, in-person conversation, or (where policy accepts it) SMS before processing it, and must reach the requester or vendor using contact details that were already on file, never a number or address supplied in the request itself. The independence of the channel is the whole point: replying to the email, or calling the "new" number in the email signature, verifies nothing, because an attacker who controls the mailbox controls both. SMS is the weakest of the listed channels, since a number on file can be ported or SIM-swapped, so a voice or video callback is preferred for the highest-value transactions. This control breaks the attack chain of business email compromise (BEC) and related social engineering, so that compromising an email account or impersonating an executive is not, by itself, enough to get a fraudulent transaction executed.
Control objective
What auditing this proves
That every in-scope transaction (above the defined threshold, or any vendor or bank-account change regardless of amount) was confirmed over a channel independent of the one the request arrived on, using contact details held on file rather than supplied in the request, and that the confirmation was recorded and completed before funds were released or the change took effect. Together these show that compromising a mailbox or spoofing a sender is not, by itself, enough to get a fraudulent payment executed.
Associated risks
Risks this control addresses
- Business email compromise (BEC) attacks where attackers impersonate executives or vendors to request fraudulent wire transfers
- Phishing-based payment redirection where compromised accounts send authentic-looking payment instructions with altered bank details
- Vendor impersonation attacks using lookalike domains to intercept legitimate payment workflows
- Account takeover where an attacker uses a legitimate internal account to submit payment requests that pass every check the compromised system itself can apply
- Social engineering attacks exploiting urgency or authority to bypass standard approval processes
- Spoofed communications that replicate organizational formatting and signatures to manipulate finance personnel
- Supply chain fraud where attackers compromise third-party communications to redirect legitimate payments
Testing procedure
How an auditor verifies this control
- Obtain the documented policy defining financial transaction thresholds requiring out-of-band verification, approved verification methods, and contact information maintenance procedures
- Review the list of transaction types subject to verification requirements including wire transfers, ACH payments, vendor master file changes, and account update requests
- Select a sample of 15-25 financial transactions processed during the audit period that meet threshold criteria, ensuring representation across transaction types and payment amounts
- For each sampled transaction, verify that documentation shows out-of-band verification was completed, including date, time, verification channel used, the contact details called, the name of the staff member who verified, and the name of the person who confirmed, and that the verification timestamp precedes release of funds or the effective date of the change
- Validate that contact information used for verification came from pre-established trusted sources rather than details provided in the original request
- Interview 3-5 finance personnel to confirm understanding of procedures, ability to articulate when verification is required, and knowledge of approved verification channels
- With management's prior authorization, test the control by sending a simulated financial request email to finance staff and observing whether they initiate proper out-of-band verification, using contact details on file rather than those in the email, before processing
- Review exceptions or urgent payment logs to verify no systematic bypassing of verification requirements occurs under time pressure or executive requests
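The sampling steps above can be automated against a transaction export and the finance team's verification log. The following is an added example, not code from the page or from any particular audit tool; the threshold, the approved-channel names, the record fields and the sample records are all assumptions (constructed data) chosen to exercise each failure mode an auditor looks for: no verification at all, a "verification" on the same channel the request arrived on, a callback to the number supplied in the request rather than the one in the vendor master, and a verification recorded only after the payment was executed.

```python
from dataclasses import dataclass
from datetime import datetime

# Hypothetical policy parameters; the page defines no specific values.
AMOUNT_THRESHOLD = 10_000.00
ALWAYS_VERIFY_TYPES = {"vendor_change", "account_update"}
INDEPENDENT_CHANNELS = {"phone", "video", "in_person"}


@dataclass(frozen=True)
class Transaction:
    txn_id: str
    txn_type: str           # "wire", "ach", "vendor_change", "account_update"
    counterparty: str       # payee name as it appears in the vendor master
    amount: float
    request_channel: str    # channel the request arrived on, e.g. "email"
    requested_contact: str  # callback number supplied inside the request itself
    executed_at: datetime   # when funds were released or the change took effect


@dataclass(frozen=True)
class Verification:
    txn_id: str
    channel: str            # channel the verifier actually used
    contact_used: str       # number the verifier actually called
    verified_at: datetime
    verified_by: str        # finance staff member who performed the callback
    confirmed_with: str     # person at the counterparty who confirmed


def requires_verification(txn: Transaction) -> bool:
    """Master-file changes always need verification; payments only above threshold."""
    return txn.txn_type in ALWAYS_VERIFY_TYPES or txn.amount >= AMOUNT_THRESHOLD


def audit_transaction(txn, verification, directory):
    """Return the list of findings for one in-scope transaction (empty list = pass)."""
    if verification is None:
        return ["no_verification"]
    findings = []
    if not (verification.verified_by and verification.confirmed_with):
        findings.append("incomplete_record")
    # A reply on the channel the request came in on is not out-of-band, and
    # neither is a channel the policy does not recognise as independent.
    if (verification.channel == txn.request_channel
            or verification.channel not in INDEPENDENT_CHANNELS):
        findings.append("channel_not_independent")
    # The contact must come from the trusted directory, not from the request.
    trusted = directory.get(txn.counterparty)
    if verification.contact_used != trusted:
        if verification.contact_used == txn.requested_contact:
            findings.append("contact_taken_from_request")
        else:
            findings.append("contact_not_in_trusted_directory")
    if verification.verified_at > txn.executed_at:
        findings.append("verified_after_execution")
    return findings


def audit(transactions, verifications, directory):
    """Map every in-scope transaction ID to its findings; out-of-scope ones are omitted."""
    by_txn = {v.txn_id: v for v in verifications}
    return {t.txn_id: audit_transaction(t, by_txn.get(t.txn_id), directory)
            for t in transactions if requires_verification(t)}


# Constructed sample records: a vendor master (the trusted source), an export
# of transactions, and the verification log kept by finance. None of this is
# real data.
VENDOR_MASTER = {"Acme Supply": "+1-555-0100", "Globex": "+1-555-0200"}
dt = datetime
SAMPLE_TRANSACTIONS = [
    Transaction("T1", "wire", "Acme Supply", 48_000, "email", "+1-555-0100", dt(2024, 3, 4, 15, 0)),
    Transaction("T2", "wire", "Globex", 25_000, "email", "+1-555-0200", dt(2024, 3, 5, 11, 0)),
    Transaction("T3", "vendor_change", "Globex", 0, "email", "+1-555-0200", dt(2024, 3, 6, 9, 0)),
    Transaction("T4", "wire", "Acme Supply", 12_500, "email", "+1-555-0199", dt(2024, 3, 7, 16, 0)),
    Transaction("T5", "ach", "Acme Supply", 2_000, "email", "+1-555-0100", dt(2024, 3, 8, 10, 0)),
    Transaction("T6", "wire", "Globex", 30_000, "email", "+1-555-0200", dt(2024, 3, 9, 14, 0)),
]
SAMPLE_VERIFICATIONS = [
    Verification("T1", "phone", "+1-555-0100", dt(2024, 3, 4, 14, 30), "J. Patel", "M. Lee"),
    # T2 has no verification record at all.
    Verification("T3", "email", "+1-555-0200", dt(2024, 3, 6, 8, 30), "J. Patel", "R. Ortiz"),
    Verification("T4", "phone", "+1-555-0199", dt(2024, 3, 7, 15, 30), "J. Patel", "M. Lee"),
    Verification("T6", "phone", "+1-555-0200", dt(2024, 3, 9, 15, 0), "J. Patel", "R. Ortiz"),
]


def sample_findings():
    return audit(SAMPLE_TRANSACTIONS, SAMPLE_VERIFICATIONS, VENDOR_MASTER)


if __name__ == "__main__":
    for txn_id, findings in sample_findings().items():
        print(txn_id, "PASS" if not findings else ", ".join(findings))
```

Run as-is, T1 passes, T2 has no verification, T3 was "verified" by email reply, T4 was verified by calling the number in the email, T6 was verified only after the wire went out, and T5 is below the threshold and never appears. The T4 case is the one that most often slips past a manual review, because the log shows a phone call with a name and a time; the only way to catch it is to compare the number dialled against the vendor master, which is why the audit step insists on that comparison.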
Where this control is tested