The critical, evolving role of the auditor during Workday implementation
Much like any IT system that processes sensitive personal or financial data, Workday's initial configuration should reflect a high standard of controls for audit and regulatory compliance. In his latest deep-dive, Kainos Audit Principal Qadir Quayum explores how an auditor’s role is a critical, evolving necessity during the Workday implementation journey.
Post Workday implementation, it’s not uncommon for the IT team and associated stakeholders to breathe a sigh of relief and reflect upon a job well done, especially when end-user feedback has been largely positive and there’s a notable lack of incident management tickets post go-live.
And while the statement above represents a fairly typical implementation journey, this could actually be the calm before the storm.

The auditor’s starting point
Whenever a new IT system is implemented with any bearing on financial statements, an auditor will immediately perform a series of validation procedures and enquiries across the project. These preliminary procedures are performed in advance of the annual external audit and are part of understanding changes to the business landscape, to determine whether recurring audit procedures need to be adjusted.
This exercise will typically take the form of interviews to understand project governance mechanisms supported by a review of key documentation and supporting evidence. Focus areas are change management, data migration, access rights and user acceptance testing.
Subject to this exercise being satisfactorily concluded, the auditor will proceed to examine controls within the in-scope business cycles. The auditor’s objective, as always, is to evidence that controls over these processes have operated consistently over the audit period. This is where issues can start to manifest.
Day 1 controls
In common with many ERP implementations, controls aren’t always fully embedded and mature from day 1 go-live. This can translate into key controls being temporarily replaced or suspended. Workaround solutions of this nature might include alternative reconciliation mechanisms and approvals; the worst-case scenario is that the control is skipped in its entirety, exposing the business to risk.
Depending on the nature of the gaps, this can lead to more work for the auditor with corresponding time and materials being billed back to the auditee as over-runs.

Audit approach
The traditional approach to audit relies heavily upon manual testing of controls. This reflects the fact that manual controls typically constitute the vast majority of the control environment and lend themselves well to this technique. Automated controls, although much faster to test and review, have historically represented a small percentage of the control environment.
When contrasted with automated controls testing, manual testing requires population sampling, advance information requests, collation of evidence and laborious line-by-line review of results. It also offers a lower degree of audit comfort over control operation.
This observation should be considered alongside the fact that well-designed controls should not impose additional effort overhead on the day-to-day operations of the business, with the focus being a cost-efficient and seamless integration of controls.
The benefits of adopting a highly automated control environment are therefore without doubt.
In an ideal world, such decisions are made prior to implementation, as automation of controls can take longer if addressed as an afterthought that is retrofitted into the process. However, with the right technologies and grasp of Workday, this is not an insurmountable problem.
Evolving audit techniques
The audit profession itself is in the throes of unprecedented change. Corporate scandals, whether financial or data privacy related, emerging controls legislation and heightened C-suite expectations are all reshaping the auditor’s approach, with a corresponding impact on the auditee.
For example, innovations such as intelligent workflow automation, whereby potential control breaches are automatically monitored and diverted for investigation and resolution (along with an ability to automatically re-surface cases when new risks emerge), are becoming increasingly common in the audit field, allowing for targeted reviews. Accompanying this is a drive towards continuous audit and monitoring of controls, with issues identified and addressed before they can manifest as serious risks and exposure to the business.
As a result of such changes, sample-based testing is rapidly becoming obsolete, with mechanisms that allow for analytical scans of the full population now the norm.
Indeed, more astute C-suite members view audit automation as a minimum baseline. This implies that even reporting back a clean bill of health to leadership using sample-based testing offers limited audit assurance and may lead to uncomfortable questions around control health for process owner and auditor alike.

Failure to act
Where an automated control environment does not already exist, the auditor is faced with two remedial courses of action:
- Construct their own environment to support automated audit testing. This may draw upon amalgamated data sets from multiple sources and will require the client to facilitate data extraction and modelling-based requests; or
- Continue to rely on manually tested controls – with all the inefficiencies and risk exposure this may bring.
Either approach is costly and represents an inefficient way to approach audit.
Final recommendations
When undertaking an implementation, it is important to consider what your control environment will look like and ideally shape and define this in advance.
This will make life easier for both the control operator and auditor, leading to a higher level of controls comfort, and will also avoid unnecessary compliance cost and effort. To enable this, we suggest the following areas of focus:
- Be data driven
- Embed the maximum number of automated controls
- Have your controls operational, consistently performed and documented from day 1, with supporting evidence easily accessible for later review
- Seek to adopt an intelligent workflow-based approach to controls
- Adopt a continuous controls monitoring model