The limitations of manual Segregation of Duties monitoring in Workday
Segregation of Duties (SoD) is an essential internal control that reduces risk and helps prevent fraud by ensuring that no single person can both initiate and approve a sensitive transaction. It is also a crucial compliance pillar for companies governed by regulations like SOX. SoD helps ensure that financial reporting is accurate, reliable and complete by ensuring high-risk areas are governed with appropriate controls.
Despite this, many organisations rely on manual processes for managing and monitoring SoD in Workday. These processes cannot keep pace with the rate of change in a modern business, and the result is control deficiencies, compliance weaknesses and operational inefficiency.
Understanding the limitations of these practices is important to identify and mitigate risk. This article explores some of the most common limitations of manual SoD monitoring, the impacts they can have, and how your business can mitigate them.
Manual processes, weaker controls
Although 100% control is not a sustainable or necessary aim of SoD, your organisation needs reasonable assurance that critical business processes are protected from errors, fraud or misstatement. However, even businesses with significant investments in security, compliance and operational teams will struggle to deliver sufficient internal controls when relying on manual practices. Some of the main limitations include:

Inefficiency - Manual controls are time-intensive and costly to implement and maintain. As a result, your organisation could be forced to put efficiency above effectiveness, opting for less rigorous controls due to resource constraints. This heightens the risk of harmful gaps in controls that could enable malicious activities.
Human error - Legacy internal control techniques like spreadsheets and static Workday reports increase the risk of unintentional errors, oversight, or bias when implementing and managing controls. As a result, these manual processes are rarely rigorous enough to mitigate risk.
Limited scalability – When your business grows, Workday will reflect this: more users, more security groups and increasingly complex business processes to keep under control. Manual controls become more difficult to scale with growth, leaving gaps in SoD monitoring and further limiting your oversight as growth continues.
Poor visibility of SoD conflicts
Workday’s highly configurable nature allows it to adapt to the needs of your business. However, this configurability brings frequent change. Workday’s workflow-based architecture means business processes (BPs) intersect and security groups overlap, requiring continual monitoring and reporting. Manual processes limit the ongoing visibility of these potential SoD conflicts due to a range of factors:

Knowledge gaps – Outside of your immediate Workday Financials team, SMEs (e.g. internal audit, finance) often lack knowledge of Workday’s configuration and architecture. This limits the ability of these stakeholders to identify critical deficiencies and provide evidence of internal controls.
Outdated data – Workday constantly evolves, with new processes, additional users and updated functionality bringing configuration changes. Manual ‘point in time’ monitoring only provides a static view of SoD conflicts that quickly becomes outdated and irrelevant as the platform develops.
Limited resources – Monitoring these controls involves collecting, distributing and analysing large volumes of information. The time-consuming process limits your teams’ capacity to ensure sufficient visibility of new risks.
The impact of SoD monitoring deficiencies
As your business and Workday platform grow and change, new SoD conflicts and gaps will appear, even where the original control design was strong. Regular monitoring and reviews therefore provide oversight of changes to security groups, updated BP definitions and new BP configurations, and allow quick remediation. But what are the potential impacts when your business relies on manual practices?

Reduced auditability and regulatory compliance
If your organisation is governed by legislative frameworks like SOX, accuracy and reliability are crucial elements of compliance. Often, internal and external audits examine information like financial documents, revenue statements and company records.
When everything from HR data to payroll lives in Workday, auditors need to be sure that information is reliable. With limited visibility and controls that cannot be accurately maintained or verified, it becomes very difficult to demonstrate that reporting is complete and accurate.
This can lead to a range of compliance consequences including regulatory penalties, publicly acknowledged material weaknesses (and the associated reputational damage) or more minor control deficiencies.
Security gaps and potential fraud
While SoD is crucial for compliance, its significant role in safeguarding the security of Workday is often overlooked. Although Workday provides a robust security framework, with access and approvals based on security groups, a user can be a member of several security groups whose combined permissions conflict.

Checks should highlight potential conflicts; however, time-intensive, error-prone manual processes open the door to gaps in your controls and monitoring. These gaps can give employees end-to-end access to initiate and self-complete critical business processes.
These deficiencies heighten the risk of breaches and occupational fraud. For example, a finance employee might be able to both add a vendor and confirm payments to it, or a payroll employee might be able to both create and approve a new bonus payment.
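To make the conflict concrete, the following is an added example written for this article; it is not Kainos, Smart Audit or Workday code. It models the two scenarios above as a small rule check: each security group is mapped to the BP steps it may initiate or approve, every user's effective group membership is flattened into a set of capabilities, and any user holding both sides of a conflict rule is reported. The group names, BP names, users and the group-to-step mapping are all constructed for illustration and do not reflect a real tenant's security configuration; in practice the mapping would be extracted from the tenant's BP security policies and the membership from the effective (including role-based) group assignments.

```python
"""Toy Segregation of Duties (SoD) conflict check over Workday-style security groups.

Added example, not Workday or Kainos code. All names and the permission model
below are constructed for illustration and are hypothetical.
"""

# Constructed security model: BP name -> action -> security groups allowed to perform it.
BP_PERMISSIONS = {
    "Create Supplier": {
        "initiate": {"Supplier Administrator"},
        "approve": {"Supplier Manager"},
    },
    "Settle Supplier Invoice": {
        "initiate": {"Accounts Payable Specialist"},
        "approve": {"Accounts Payable Manager"},
    },
    "Request One-Time Payment": {
        "initiate": {"Payroll Partner"},
        "approve": {"Payroll Administrator"},
    },
}

# Constructed cross-process rules: two capabilities one person must never hold together.
# Here: adding a vendor and approving payment to it (the 'finance employee' case above).
CROSS_PROCESS_RULES = [
    (("Create Supplier", "initiate"), ("Settle Supplier Invoice", "approve")),
]

# Constructed effective user -> security group membership (hypothetical users).
ASSIGNMENTS = {
    "alice": {"Supplier Administrator", "Accounts Payable Manager"},  # add vendor + confirm payment
    "bob": {"Payroll Partner", "Payroll Administrator"},              # create + approve bonus
    "carol": {"Accounts Payable Specialist"},                          # no conflict
}


def self_approval_rules(bp_permissions):
    """Derive an initiate-vs-approve conflict for every BP, so new BPs are covered automatically."""
    return [((bp, "initiate"), (bp, "approve")) for bp in bp_permissions]


def capabilities(groups, bp_permissions):
    """Flatten a user's security groups into the set of (BP, action) pairs they can perform."""
    caps = set()
    for bp, actions in bp_permissions.items():
        for action, allowed_groups in actions.items():
            if allowed_groups & groups:
                caps.add((bp, action))
    return caps


def find_conflicts(assignments, bp_permissions, extra_rules=()):
    """Return {user: [violated rules]} for every user holding both halves of any rule."""
    rules = self_approval_rules(bp_permissions) + list(extra_rules)
    report = {}
    for user, groups in assignments.items():
        caps = capabilities(set(groups), bp_permissions)
        hits = sorted(rule for rule in rules if rule[0] in caps and rule[1] in caps)
        if hits:
            report[user] = hits
    return report


if __name__ == "__main__":
    for user, hits in find_conflicts(ASSIGNMENTS, BP_PERMISSIONS, CROSS_PROCESS_RULES).items():
        for (bp_a, act_a), (bp_b, act_b) in hits:
            print(f"{user}: can {act_a} '{bp_a}' and {act_b} '{bp_b}'")
```

Run against the constructed data, the check flags alice for the cross-process vendor/payment conflict and bob for self-approving a one-time payment, while carol is clean. The point of deriving the self-approval rules from the permission model rather than listing them by hand is the one the article makes: when a new BP or security group is added, the check still covers it without someone remembering to update a spreadsheet.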
How can your business mitigate these SoD impacts?
Reliable Workday SoD monitoring is of strategic importance for all businesses, not just those governed by SOX. With the rapid pace of change within organisations, continuous, proactive internal reviews are the only reliable way to maintain financial security and regulatory compliance. However, balancing effort with effective coverage poses a major challenge, potentially forcing your business to choose between managing costs and ensuring compliance. Automation provides an easily deployable way to mitigate the impact of slow, repetitive and error-prone processes on your teams.
Kainos Smart Audit uses proactive, accurate risk detection to enable rapid remediation of conflicts in real time, before they impact the security and integrity of your platform. With automatic, always-on monitoring that can be deployed in as little as a week, you can reduce SoD monitoring effort by up to 80%, lowering costs and reducing the strain on teams. With secure controls and streamlined reporting functionality, automating your SoD management also reduces the effort involved in audits and SOX compliance.
Ultimately, accuracy and proactivity are critical for sustainable security and compliance, and automation is the most cost effective and scalable solution to achieve this for your business.