Control framework

Cryptographic Mandate Controls

A control class for machine-originated disbursements. When software proposes or initiates a payment, a Cryptographic Mandate Control produces durable, independently verifiable proof that an authorized human approved that specific payment.

This page defines the control class itself. It is written for controllers, internal audit, and audit partners, and it stands on its own whether or not you ever use Yebo.

Definition

What a CMC is

A Cryptographic Mandate Control is a financial control with three properties that ordinary approval workflows do not have.

01

Signature over the payment itself

The approver's device signs the payment parameters: amount, payee, timestamp, and policy version. Not a session, not a login, not a workflow step. The approval is bound to exactly what was approved.

02

Hardware-bound identity

The signing key lives inside the approver's device secure hardware and never leaves it. Only that person, on that device, can produce the signature. (Secure hardware means a chip in the phone that stores keys so they cannot be copied out.)

03

Independent verifiability

The resulting artifact can be verified years later using only the artifact and a public key. No access to the payment vendor's systems, no reliance on anyone's logs, no dependence on Yebo's servers.

Why now

Controls were built for human-speed workflows

Finance is moving toward machine-originated execution. AP automation already proposes payments; increasingly it initiates them. Existing disbursement controls are not broken, they are miscalibrated: they evidence that a workflow ran, not that a human approved a specific payment.

The evidence durability problem

Today the approval usually lives in an AP platform's logs, an email, or a Slack thread. When the auditor tests that control three years later, the vendor relationship may be gone, the logs may be unavailable, and the evidence collapses with them. A rail cannot certify itself.

The certification exposure

Under Sections 302 and 906, executives personally certify controls over every disbursement, including any that software initiates. A CMC gives the certifying officer a durable artifact behind that signature: proof of who approved exactly what, independent of any vendor.

Control language

Sample SOX control description

Draft language for a first-year SOX narrative. Adapt the threshold and scope to your environment with your auditor.

"Disbursements over $5,000 require a Cryptographic Mandate Control: a hardware-bound cryptographic signature over the payment parameters themselves (amount, payee, timestamp, policy version) by an authorized approver, independently verifiable without access to the payment vendor's systems."

Plain English: a human's approval of a specific payment is signed by a key locked inside their device's secure hardware, so the proof of who approved exactly what can be checked years later without trusting anyone's logs.

Auditability

How an auditor would test a CMC

A CMC is designed to be tested with less effort than a conventional approval control, not more.

  1. 1

    Select a sample of disbursements over threshold

    Standard sampling from the disbursement population, exactly as with any approval control.

  2. 2

    Obtain the mandate artifact for each item

    Each disbursement carries its authorization certificate: the signed payment parameters, the approver identity, and the policy version in force.

  3. 3

    Verify the signature independently

    Recompute the verification using the artifact and the published public key. No access to the payment platform, the AP vendor, or Yebo is required.

  4. 4

    Confirm the approver was authorized

    Match the signing identity against the delegation of authority in effect at the payment date.

Implementation

Where Yebo fits

Yebo is one implementation of the CMC control class. It augments the AP platforms you already run; it does not replace them.

The Yebo Authorization Certificate

Each approved payment produces a YAC: a hardware-bound signature over the payment parameters, exportable as an audit artifact and verifiable without Yebo's involvement. AI can propose. It cannot execute.

Fail-closed by design

If the control cannot produce a mandate, the payment does not move. There is no bypass path where money leaves without the artifact existing.

The framework is being shaped by practitioners

We are developing the full CMC framework with input from finance leaders and audit partners before publication: the threat model for machine-originated disbursements, mandate artifact requirements, testing procedures, and control language variants. If you are a controller writing a first-year SOX narrative or an audit partner covering one, we want your review.