Guide: How to Win at Auditing Segregation of Duties in Workday
In this new guide, Kainos Security & Compliance Architect Patrick Sheridan shares his experience on how to successfully audit Segregation of Duties (SoD) conflicts within your Workday tenant. The guide also outlines the detailed steps an organisation can take to make the audit process more straightforward for its users and explains the importance of SoD within the wider context of data privacy regulations such as Sarbanes-Oxley (SOX).
What is Segregation of Duties?
Access to financially significant information systems should be commensurate with job responsibilities, and aligned to established segregation of duties policies.
Segregating responsibilities is intended to prevent occupational fraud in the form of asset misappropriation and intentional financial misstatement, and a fundamental element of internal control is the segregation of certain key duties. The basic idea underlying segregation of duties is that no employee or group of employees should be in a position both to perpetrate and to conceal errors or fraud in the normal course of their duties.
With Workday, this means ensuring that users do not self-complete a business process or perform a task with no involvement from another user in a given business cycle. But while an SoD audit is a vital internal control used to manage risk, organisations often come up against some demanding challenges.
Here are my top tips when performing a Segregation of Duties audit:
1. Define a Segregation of Duties Matrix
One of the most important steps is the creation and maintenance of a Workday Segregation of Duties Matrix across the various business cycles. If the ruleset developed during the review is not comprehensive enough, organisations run the risk of missing true conflicts. That being said, you also don’t want to include every combination of low-risk tasks and business processes, as this will result in a mountain of data to review. To avoid this pitfall, ensure that a Subject Matter Expert (SME) reviews the rulesets and ranks each risk; careful consideration should be given to each check and the associated business risk identified.

2. Evaluate business process definitions
Often, when it comes to business processes, organisations tend to focus heavily on permissions within the business process policy and fail to consider the corresponding business process definition(s). While this may work in other systems, it will not within Workday. The issue is that for a person to approve a transaction, both the business process policy and the step(s) within the corresponding definition must contain the same security group(s). Failure to consider this nuance will create high volumes of noise during the analysis phase in the form of false positives. Another mitigating control Workday provides within the business process definition is Advanced Routing Restrictions, which again helps to hugely reduce the amount of data included for analysis. In short, ensure that during the analysis you are looking at both the business process policy and the definition; otherwise your workload will increase by a considerable factor.
3. Take a holistic approach when reviewing security assignments
While it is recommended to avoid allowing a single security group to complete a specific business process end to end, we also need to think about each user’s combined security group assignments to ensure appropriate Segregation of Duties. Remember, our goal is to ensure that “no single person is responsible for every stage in a process”. As such, when performing an SoD analysis, all of the user’s security assignments should be considered together. As detailed below, a security group assignment in isolation rarely creates a conflict, but holding multiple security groups can.
Ensure that access is monitored holistically across all security groups each worker holds, and toxic combinations of security groups that allow users to circumvent existing controls are identified.

4. Consider tasks and business processes within each business cycle
While it is fair to say the lion’s share of your SoD conflicts will come from transactions that are controlled by one or more business processes, this is not the only thing you have to consider. Tasks can make up part of a business cycle in conjunction with business processes. Within a given business cycle there could be task-on-task combinations or a mixture of tasks and business process steps.
The following is an example of a task and business process combination within a business cycle, in which we want to identify who can change a worker's bank details and issue a payment. First, we must look to see who can perform the task Maintain Payment Elections (this task is used to update the bank details to which a worker will be paid), and secondly, we must look to see who can perform a compensation business process, Request Compensation Change, for instance. Whoever can perform both this task and the business process is then identified as a conflict.
Ensure that attention is given to who can perform tasks, as unlike business processes, tasks do not contain approval or review steps.
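The check described in tips 2 to 4 can be expressed as a small script: for each worker, take the union of all security groups held, treat a business process as actionable only by groups that appear in both its policy and its definition steps, and flag workers who can perform both sides of a matrix rule. This is an added illustration, not Kainos' Smart Audit or any Workday API; the security group names, the worker IDs and the policy/definition contents are constructed sample data (only the two task and business process names come from the text above).

```python
"""Toy SoD conflict check modelled on the Maintain Payment Elections /
Request Compensation Change example. Constructed data, not real tenant config."""

# Which security groups may run a task (tasks have no approval or review step).
TASK_GROUPS = {
    "Maintain Payment Elections": {"Payroll Administrator", "HR Partner"},
}

# Business process policy: groups the policy permits (constructed).
BP_POLICY = {
    "Request Compensation Change": {"Compensation Partner", "HR Partner", "Manager"},
}
# Business process definition: groups actually placed on the definition's steps.
# Note "HR Partner" is in the policy but NOT on any step (constructed on purpose).
BP_DEFINITION_STEPS = {
    "Request Compensation Change": {"Compensation Partner", "Manager"},
}

# Worker -> every security group the worker holds, across all assignments.
WORKERS = {
    "w001": {"Payroll Administrator"},
    "w002": {"HR Partner"},
    "w003": {"HR Partner", "Compensation Partner"},
    "w004": {"Payroll Administrator", "Manager"},
}

# One row of the SoD matrix: (task, business process, SME-ranked risk).
RULES = [("Maintain Payment Elections", "Request Compensation Change", "high")]


def effective_bp_groups(bp, policy_only=False):
    """Tip 2: a group can act on a business process only if it appears in
    both the policy and the definition steps. policy_only=True reproduces
    the naive check that looks at the policy alone."""
    policy = BP_POLICY.get(bp, set())
    if policy_only:
        return policy
    return policy & BP_DEFINITION_STEPS.get(bp, set())


def find_conflicts(workers=WORKERS, rules=RULES, policy_only=False):
    """Tips 3 and 4: evaluate each worker's combined groups against each rule."""
    conflicts = []
    for worker, groups in workers.items():
        for task, bp, risk in rules:
            can_task = bool(groups & TASK_GROUPS.get(task, set()))
            can_bp = bool(groups & effective_bp_groups(bp, policy_only))
            if can_task and can_bp:
                conflicts.append((worker, task, bp, risk))
    return conflicts
```

Running `find_conflicts()` flags w003 and w004 only; the policy-only variant additionally flags w002, which is exactly the false positive tip 2 warns about, since HR Partner never appears on a definition step.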
5. Plan SoD audits as an ongoing business requirement
Over time, your configuration will change, new functionality will be rolled out, people will leave, and business requirements will change. In response to this, it is inevitable that new potential SoD conflicts will occur. It is important that regular comprehensive reviews are undertaken, as performing spot checks on the configuration will not suffice. Given the potential for fraud and impact of human oversight / error, it is sensible to seek some form of automated analysis that reviews the entire tenant population as often as possible.

Why Segregation of Duties matters
Segregation of duties is increasingly relevant to internal control regulations. Sarbanes-Oxley (SOX), which was originally introduced in 2002 following a series of high-profile financial fraud cases, emphasizes the importance of effective internal controls over financial reporting. With Workday at the heart of your organisation, establishing foundational IT General controls, including appropriate SoD, is a critical internal control consideration relevant to SOX compliance efforts.
As Workday supports business transactions and stores critical business data, it is crucial for organisations to clearly define where material fraud risks could impact financial reporting processes. By completing the steps outlined in this guide, organisations can take a proactive approach to ensuring that their risk and control framework appropriately mitigates SoD risks.
Of course, SOX-friendly regulatory technology can help by proactively detecting and highlighting any Workday SoD conflicts to mitigate the risk of fraudulent activity or accidental wrongdoing. While reducing the time it takes to manually audit SoD requirements, regulatory technologies like Smart Audit also streamline the SOX compliance process and offer organisations the comfort of an always-on approach to security monitoring.
Bonus: Know Workday intimately
It is hopefully apparent from this guide that whoever is performing the SoD analysis must know Workday intimately, or have some pretty Smart tooling available to them. There are various other nuances and considerations that should not be missed when reviewing existing segregation of duty controls, such as business process delegations and correct permissions. You can explore these considerations and more in our latest Whitepaper.
In summary
With time, conflicts can be unintentionally introduced, allowing controls to be circumvented if careful consideration is not given to each configuration change. Configuration changes that can introduce conflicts include, but are not limited to, new domains being added to a security group, worker security group assignments changing, or updates to business process definitions and policies.
Keeping up with configuration changes in a tenant and ensuring key controls cannot be circumvented to reduce the risk of fraud or error can be time consuming without the support of automated tooling like Smart Audit, a powerful risk platform for Workday that detects, identifies, and helps to resolve Segregation of Duties conflicts across the entire Workday environment including production.