Why continuous Workday auditing enables and protects your organisation
Ensuring the accuracy and integrity of your company’s audit and compliance controls is the single most important goal of your audit function and a never-ending but mission-critical objective on your CFO’s to-do list.
To this end, the automation built into Workday is truly game changing. Rules and workflows for managing everything from the assignment of employee benefits to payroll and critical financial cycles are all there out of the box, just waiting to be configured. This means nearly all your key transactions–from hiring a worker to paying a key supplier–are fully automated. While this all sounds like a dream, when you have a product that “just works” on this scale but forget “how” it works, it's easy to come crashing back down to reality with a thump. Unfortunately, the truth is, with great power (of one) comes great responsibility.
It's essential to remember that your Workday configuration is the backbone of your organisation’s control environment. As such, it’s critical that your controls–whether they’re in Workday or not–ensure that privileged data, such as Personal Information (PI), stays private and that the risk of people committing fraud or exploiting security vulnerabilities has been appropriately mitigated. The impact of getting this wrong could be anything from an organisational inconvenience to non-compliance with key regulations such as Sarbanes-Oxley (SOX), GDPR or the CCPA (to name but a few). Penalties for non-compliance can include jail time and/or fines reaching into the hundreds of millions of dollars depending on the legislation or type of incident, not to mention reputational damage, which is harder to quantify but can be even more damaging to a business in the long term.
As Forrester recently predicted, the impact of COVID and the recent increase in remote working are expected to raise the risk of insider threats to the point where they account for 1/3 of overall security breaches in 2021. So, how can we be sure that our controls are tight enough to prevent the wrong people from gaining access to diversity data, or even know whether the people with access are abusing it? How can we be sure that business processes have the appropriate segregation of duties (SoD) in place to prevent someone, at bonus time, changing global workforce bank details to those of a fraudster? Do you have these controls in place, are you sure they are tight enough, and would your workforce have the time and skills to check with a high degree of accuracy?
Don’t be too hard on yourself if that’s not the case—about 15% of the companies we have spoken to didn’t have a good answer to this question either (however, your auditors will feel differently, so you will likely want to fix this). Over the last year we have spoken to over 100 organisations and very few have a robust, scalable process or tight controls in place. The common approach seems to be an annual manual audit of things like security, SoD and general access controls.
But manual audits present further challenges for organisations, and some of the most common issues when manually auditing Workday are:
It requires taking data out of Workday and into a less secure environment,
The depth and applicability will vary hugely depending on the Workday knowledge of the team,
Typically, this is a lengthy and inefficient process which can easily cause “audit fatigue”,
It's prone to human error (which will increase your auditor’s scepticism in the reliability of the data); and,
The audit can be out of date before your teams have finished the exercise, meaning risks or vulnerabilities introduced between audits are unlikely to be identified until the next audit (or until they are exploited).
The reality today is that Workday (like many other ERPs) is now more than ever a mission-critical system—it’s your financial system of record, manages your entire global workforce, and it is the single source of truth for a vast array of sensitive personal and confidential information. As such, auditing your Workday configuration to ensure you have the correct controls in place has never been more important.
So what’s the answer? Automation! The only way to ensure controls are tight and vulnerabilities are caught before they are exploited is to leverage the power of continuous audit—the optimal model for governance and compliance that prevents and identifies risks before they can escalate.
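To make the idea of continuous audit concrete, here is an added example (not code from the original post, and not a Workday API or product feature) of the kind of checks such a process would run on every cycle rather than once a year: a state-based segregation-of-duties check on security-group membership, a transaction-based check for the same person initiating and approving a bank-details change, and an access check for report runs over diversity data by accounts outside an approved group. It assumes a hypothetical audit extract of business-process events and a snapshot of security-group membership, both constructed inline; the event fields, group names, conflicting-group policy and report name are assumptions for illustration only.

```python
from datetime import datetime

# Constructed sample data for illustration only (not real Workday records
# or API output; event shape, group names and report name are assumptions).
SAMPLE_EVENTS = [
    {"ts": "2021-03-01T09:10:00", "actor": "alice", "action": "BankDetailsChange",
     "target": "worker-1042", "step": "initiate"},
    {"ts": "2021-03-01T09:12:00", "actor": "alice", "action": "BankDetailsChange",
     "target": "worker-1042", "step": "approve"},
    {"ts": "2021-03-01T10:00:00", "actor": "bob", "action": "BankDetailsChange",
     "target": "worker-1043", "step": "initiate"},
    {"ts": "2021-03-01T10:30:00", "actor": "carol", "action": "BankDetailsChange",
     "target": "worker-1043", "step": "approve"},
    {"ts": "2021-03-02T08:00:00", "actor": "dave", "action": "ReportRun",
     "target": "Diversity Report", "step": "view"},
]

# Snapshot of which security groups each account currently holds (constructed).
SAMPLE_GROUP_MEMBERSHIP = {
    "alice": {"Payroll Partner", "Payroll Approver"},
    "bob": {"Payroll Partner"},
    "carol": {"Payroll Approver"},
    "dave": {"Recruiter"},
    "erin": {"HR Analytics"},
}

# Hypothetical policy: group pairs no single account should hold at once,
# and the only groups permitted to run reports containing diversity data.
CONFLICTING_GROUPS = [("Payroll Partner", "Payroll Approver")]
DIVERSITY_DATA_GROUPS = {"HR Analytics"}
SENSITIVE_REPORT = "Diversity Report"


def find_toxic_combinations(membership, conflicts):
    """State-based SoD check: flag accounts holding both halves of a conflicting pair."""
    findings = []
    for user, groups in sorted(membership.items()):
        for first, second in conflicts:
            if first in groups and second in groups:
                findings.append(("SOD_GROUP_CONFLICT", user, f"{first} + {second}"))
    return findings


def find_self_approvals(events):
    """Transaction-based SoD check: the same actor initiated and approved one change."""
    initiator_by_change = {}
    findings = []
    for event in events:
        key = (event["action"], event["target"])
        if event["step"] == "initiate":
            initiator_by_change[key] = event["actor"]
        elif event["step"] == "approve" and initiator_by_change.get(key) == event["actor"]:
            findings.append(("SOD_SELF_APPROVAL", event["actor"],
                             f"{event['action']} on {event['target']}"))
    return findings


def find_unauthorised_sensitive_access(events, membership, allowed_groups, report=SENSITIVE_REPORT):
    """Access check: report runs over sensitive data by accounts outside the allowed groups."""
    findings = []
    for event in events:
        if event["action"] == "ReportRun" and event["target"] == report:
            if not (membership.get(event["actor"], set()) & allowed_groups):
                findings.append(("SENSITIVE_DATA_ACCESS", event["actor"], report))
    return findings


def run_continuous_checks(events, membership, since=None):
    """One audit cycle: inspect only events since the last run, plus the current access state."""
    if since is not None:
        cutoff = datetime.fromisoformat(since)
        events = [e for e in events if datetime.fromisoformat(e["ts"]) >= cutoff]
    return (find_toxic_combinations(membership, CONFLICTING_GROUPS)
            + find_self_approvals(events)
            + find_unauthorised_sensitive_access(events, membership, DIVERSITY_DATA_GROUPS))


if __name__ == "__main__":
    for finding in run_continuous_checks(SAMPLE_EVENTS, SAMPLE_GROUP_MEMBERSHIP):
        print(*finding, sep=" | ")
```

Running this with `since` set to the previous run's timestamp is what turns an annual exercise into a continuous one: the group-conflict check always inspects current state, while the event checks cover only the window since the last run, so a self-approval or an unauthorised report run surfaces within one cycle rather than at the next annual audit. Findings are returned as tuples rather than only printed, so they can be forwarded to a ticketing or monitoring pipeline, and the data never has to leave the secured environment in a spreadsheet.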
Aside from mitigating risk, automation provides a simple, scalable and cost-effective solution. But don’t take our word for it: Gartner recently published a report showing that organisations that automated their internal controls saved up to 27% on their audit fees, so having a plan or technology in place for continuous auditing makes more than just good security sense.