20 years of SOX – How can small to midsized companies streamline their SOX IT controls on Workday?

As Sarbanes-Oxley (SOX) marks 20 years, Nick Stone, Head of Audit at Kainos, explores how small to midsized companies can operate world-class Workday IT controls in a fraction of the time and streamline their SOX compliance process.
Date posted: 11 August 2022
Reading time: 6 minutes

Smaller and midsized companies invest in Workday to help them transform and scale business operations. The same is needed for Sarbanes-Oxley (SOX) compliance. Smaller organizations need efficient and effective internal controls to support their risk management and financial reporting requirements.

In this article, Nick Stone, Head of Audit at Kainos, explores how you can operate world-class Workday IT controls in a fraction of the time – and streamline your SOX compliance process.


Sarbanes-Oxley marks 20 years

Sarbanes-Oxley celebrated its 20th anniversary this year - and the SEC is reiterating the importance of the regulation. SOX is, indeed, important. It defines a baseline expectation for governance and internal control over the information supporting our capital markets. It promotes trust. But SOX is also costly. For reasons primarily related to size, smaller and midsize organizations frequently struggle to implement internal controls that are both effective and cost-effective.

But technology is turning the tide. A wave of new technologies, including Workday, are helping smaller organizations transform their business operations to increase efficiency and scale. And compliance technology is doing the same for SOX.


IT Control Challenges for Smaller Workday Teams

With Workday at the center of your organization, establishing foundational IT general controls (ITGCs), including appropriate segregation of duties (SoD), access rights and change control, is an important consideration for SOX. Workday stores critical business data related to employees, customers, suppliers and financials, and as a result Workday is likely to be subject to your internal control requirements.

Common challenges faced by companies subject to internal controls over financial reporting (ICFR) requirements continue to include IT controls, especially segregation of duties and privileged access. In most cases, smaller organizations are still performing Workday security and configuration change controls manually using custom reports exported to spreadsheets. This approach is inefficient, often ineffective, and prone to error.


Key areas of IT risk that you should think about in the context of ICFR requirements include:

  • Security & Privileged Access – Failure to restrict access to Workday may result in unauthorized transactions leading to error, unintended consequences or financial loss. Business transactions and downstream internal controls depend on appropriate access rights. Ensure you have the right level of visibility to key security groups, the capabilities granted to security groups, and security group membership.
  • Configuration Control – Failure to secure Workday may compromise the integrity of transactional processing and reporting accuracy. In an ICFR environment, ineffective configuration control may impair your ability to rely on automated and system-dependent controls in Workday – or even the reports generated from Workday. Robust configuration controls and production migration practices are important. If you rely on implementers to make production changes manually, be aware that time intensive monitoring of your implementer activity is likely required.
  • Segregation of Duties – Fraud prevention is an important aspect of internal controls over financial reporting. In Workday, SoD considerations must draw upon a combination of multiple business processes, business process definition configurations, and tasks. Understanding exactly what these are, and which combinations are material risks, is fundamental to an effective SoD analysis supporting your system of internal control.

Recommendations for Smaller & Midsize Companies

Workday is audit ready. But it’s up to the company to define efficient internal controls supporting their SOX assessment program.

1. Assess Risk: Most risk assessments evaluate inherent, control and residual risk at a process, sub-process, or activity level. For a Workday environment, we recommend assessing risk by object (configurations, tasks, business processes, integrations and reports) to ensure alignment with ICFR scope and materiality considerations. Build an inventory of the Workday objects that matter and form an opinion on relative risk. Risk factors including control maturity, fraud, privacy, and financial impact are common risk criteria used in this type of risk assessment. The outcome of the activity should be a prioritized list of Workday objects organized by business cycle, functional area and/or domain to define the scope of your Workday SOX assessment. We find that this type of approach helps the business focus available resources on the risks and control practices that matter and ultimately improves compliance outcomes.

2. Collaborate with your Auditor: Take the time early in your annual planning process to agree on risk perspectives and control activities with your auditor. SOX is about management’s internal controls – not the auditor’s. Use the planning process to form and defend your position on risk. Communicate that position to your audit team and agree on the controls needed to mitigate material risks. Most organizations that collaborate with their audit team end up with better designed controls and better outcomes.
3. Enable Audit Trails: Armed with a risk-based library of configurations and corresponding object instance detail, companies can effectively configure Workday Audit Trails using Audit Tags. Using audit tags can significantly improve the focus of your configuration controls by tagging object instances and then using the Audit Trail Report to monitor changes for each object instance tagged.


4. Baseline & Monitor Security: Most organizations still perform reviews of security group membership as a key SOX control. User access reviews generally consume a significant amount of time each quarter. Ironically, these controls are usually not effective, because the review checks who is in each security group but never evaluates the access the security group actually extends. Reviewing membership alone therefore leaves organizations exposed to the risk of fraud and human error.

Instead, consider using your risk assessment results to focus your access review on the security groups that grant privileges to the objects and fields that matter. Use custom reports or Workday security monitoring solutions to baseline your security configurations and continuously monitor changes against that baseline. This approach is not only more efficient than a quarterly manual review, but also more effective, since it targets the risks relevant to your organization and compliance objectives.

5. Limit Segregation of Duties: Most smaller companies have challenges properly segregating job duties systematically. To complicate the matter, Workday security is constantly changing, which makes it hard for organizations to monitor and respond to SoD risks in a timely manner. To simplify SoD in Workday, first limit your scope using the risk assessment previously recommended. Evaluate where conflicts may result in a risk of fraud that exceeds your materiality threshold or your company risk appetite. Limit your scope to those risks and develop a library of the business process and task combinations that enable in-scope conflicts.

Due to the complexity and time-consuming nature of SoD analysis, consider monitoring membership of the security groups that grant access to those business process and task combinations using Workday security monitoring tools. Because smaller and midsized organizations have smaller teams and are therefore subject to increased SoD risk, you may also want to consider defining policies that accept the risk of known SoD conflicts that exist for valid business reasons. If you opt for this approach, you should ensure that adequate user activity monitoring controls are defined. Keep in mind that Workday user activity logs are purged every 30 days – so timely monitoring is required.
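The following added example (not Workday's API and not Kainos or Smart Audit code) illustrates recommendations 4 and 5 together: it baselines the capabilities each security group grants, diffs a later snapshot against that baseline, and evaluates SoD conflicts on each user's effective access rather than on group membership alone. The security groups, capabilities, users and SoD rules are constructed sample data, not a real tenant export.

```python
# Constructed snapshots: security group -> capabilities (domain / business-process actions)
BASELINE = {
    "Procurement Partner": {"Create Supplier", "Edit Supplier"},
    "AP Specialist": {"Create Supplier Invoice"},
    "AP Manager": {"Approve Supplier Invoice"},
}
CURRENT = {
    "Procurement Partner": {"Create Supplier", "Edit Supplier"},
    "AP Specialist": {"Create Supplier Invoice", "Approve Supplier Invoice"},  # drift from baseline
    "AP Manager": {"Approve Supplier Invoice"},
    "Contractor Admin": {"Create Supplier"},  # group not present in the baseline
}
# Constructed membership: user -> security groups (unchanged between snapshots)
MEMBERSHIP = {
    "alice": {"Procurement Partner"},
    "bob": {"AP Specialist"},
    "carol": {"AP Manager", "Contractor Admin"},
}
# Constructed SoD rule library: a conflict exists when one user holds every capability in the set
SOD_RULES = {
    "Fictitious supplier payment": {"Create Supplier", "Approve Supplier Invoice"},
    "Self-approved invoice": {"Create Supplier Invoice", "Approve Supplier Invoice"},
}


def diff_baseline(baseline, current):
    """Return {group: (added, removed)} for every group whose capabilities changed.
    A new group shows as all-added, a deleted group as all-removed."""
    changes = {}
    for group in baseline.keys() | current.keys():
        added = current.get(group, set()) - baseline.get(group, set())
        removed = baseline.get(group, set()) - current.get(group, set())
        if added or removed:
            changes[group] = (added, removed)
    return changes


def effective_access(membership, groups):
    """Resolve each user's effective capabilities: the union across all their groups."""
    return {u: set().union(*(groups.get(g, set()) for g in gs)) for u, gs in membership.items()}


def sod_conflicts(membership, groups, rules):
    """Return sorted (user, rule) pairs where the user's effective access covers a rule."""
    access = effective_access(membership, groups)
    return sorted((u, r) for u, caps in access.items() for r, need in rules.items() if need <= caps)


if __name__ == "__main__":
    print("Baseline drift:", diff_baseline(BASELINE, CURRENT))
    print("SoD conflicts now:", sod_conflicts(MEMBERSHIP, CURRENT, SOD_RULES))
```

Note that membership never changed between the two snapshots: both conflicts arise purely from capability drift, which a membership-only review would never surface.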


SOX Risk Management

SOX doesn’t have to be a burden for smaller and midsized companies. Risk management, when done right, can be a competitive differentiator. But cost matters, especially for smaller, growing organizations that make daily decisions between headcount and systems investment. The right tools can help you do more for less.

At Kainos, we know Workday and we know IT control automation. We specialize in Workday-certified solutions, such as Smart Audit, which automatically tests and evidences the effectiveness of your Workday internal controls, offering instant comfort and peace of mind. Smart Audit is SOX-friendly, reducing the risk of non-compliance by effectively managing data privacy, system access and SoD risks across your entire Workday production environment.

Contact us to learn more about Smart Audit, or request a demo from our Workday experts.