Man Group achieves effortless & automated Workday compliance With Smart Audit
Project Requirements
Project Results
About Man Group
Man Group is an active investment management firm founded in 1783, which runs $135 billion* of client capital in liquid and private markets, managed by investment specialists based around the world. Headquartered in London, the firm has offices across four continents and approximately 1,500 employees operating across multiple jurisdictions.
Futureproof Investments
As a large, prestigious financial services company, Man Group are dedicated to implementing market-leading operational systems and applying the highest level of security to these.
Man Group went live with Workday HCM and Financials in January 2019. Workday was a completely new system to the company at a time when they were going through rapid, ongoing operational change. From the implementation of the system, Man Group aimed to provide a robust auditing and alerting framework around this system. As they investigated the optimum way of delivering this, the technology department at Man Group felt that they required more from Workday’s built-in reporting and logging, to provide the level of comfort that their industry demanded.
“Ultimately, I am responsible for our Workday configuration and any potential issues in that configuration. Therefore, it is essential that I can proactively monitor and ensure that our sensitive data remains secure and that we have robust configuration to enforce segregation of duties. It is a business as well as a regulatory imperative that private information isn’t exposed to anyone who doesn’t absolutely need that information, even inside Man Group itself. As a financial institution, we always seek the highest level of assurance that our configuration and control systems meet our objectives in terms of privacy and compliance,” explains Tim Perkins, Head of Corporate Systems at Man Group.
Keeping abreast of Data Privacy Legislation
One of the advantages of Workday is that it provides a high level of configurability in terms of offering different privileges to various people within the Finance and Human Resources departments. However, when it comes to auditing and making sure that everyone has the right privileges, this requires an expert eye and carefully managed governance—especially given the strict and ever-evolving user privacy and regulatory governance controls that must be adhered to.
“Ultimately, organisations have a responsibility to protect personal data within their systems. We must ensure that personal data is restricted to those people who need access to do their job but cannot or should not be available beyond their job responsibilities. We ran periodic reports in Workday focusing on segregation of duties and user activity.” describes Tim.
The team at Man Group wanted to make full use of the data from the reports to track user activity and detect any anomalies. They also sought to implement a case management mechanism to manage escalation and resolution.
Configuration Coverage Confidence: The Overall Impact of Kainos Smart Audit
In July 2020, Man Group adopted Smart Audit (developed by Kainos), a software tool designed to automate the monitoring and management of risk on the Workday control environment in relation to access management, user activity and segregation of duties. Smart Audit was the only tool available that would provide this level of insight, support audit coverage across all Workday tenants, come with out of the box controls specifically for Workday and have the ability to case manage risks.
Access Control, Permissions and Provisioning
In any system that allows management of personnel, payments and finance, the issue of preserving user permissions is complex and needs to be managed carefully. Workday provides multiple permission levels, both for groups and individuals. However, as with any complex configuration, people can be misassigned because they change roles, leave the company or simply are accidentally assigned the wrong permissions. A tool that provides full visibility over segregation of duties has significant value for security assurance.
Tim notes that “Smart Audit recognises people’s roles and areas of heightened risk. The system highlights those users who are inactive or where a change in access rights could create a potential risk.”
User Activity: Smart Analysis
Prior to adoption of Smart Audit, Man group performed manual reviews only for high-risk areas. According to Tim, the team had to invest significant effort to identify anomalies in user activity, log-ins and task executions. The level of control and reporting within Smart Audit, provides Man Group with peace of mind that they can proactively identify areas of concern before they become issues.
Smart Audit benefits the team by providing a high-level overview of issues, with simple drill-down capabilities that allow the team to go deeper for analysis and resolution.
Configuration Control
“Workday configuration control is another area where Smart Audit has made a major contribution to our business. Workday configuration changes can happen at multiple levels, for example, managers might grant access to employees in their department, the system upgrade might include configuration changes, or a change in company policy might require a change.
Smart Audit provides us with transactional monitoring, history and reporting on key configuration changes to our Workday tenants.”
Tim continues, “Furthermore, because of the ease of using Smart Audit, we are able to run configuration controls against both testing and development environments thus providing us with a more comprehensive view of risk across all Workday tenants. Prior to Smart Audit, we only ran checks on our production environment. We can now model and check controls prior to deploying into a production environment. This means we can pre-empt and address issues before they impact our live environment. Ultimately, we have a far higher level of assurance over the state of our system configuration. That is a major benefit for Man Group.”
Testing and Audit: Synergy for Security and Performance
Kainos Smart Audit was an addition to the Smart testing tool already in place at Man Group.
“Smart Audit dovetails quite nicely with the Smart automated testing tool. Whilst you are analysing particular scenarios with the Smart Audit tool, for example—who has access to a particular diversity data domain, what the Smart testing tool does then is it looks at this process from end to end, which shows whether defined users have access to particular areas, and highlights any changes” says Tim. “Each product identifies issues at different levels of granularity and from different angles. Combining the two helps us to create an additional layer of error detection and correction, as well as gaining higher confidence around our Workday configuration in terms of security and smooth operation,” explains Tim.
True partnership delivers success
Man Group enjoyed the consultative approach of the Kainos team and the fact that the tool didn’t require any additional staff to maintain the system. Smart Audit was up and running within a few hours, and the organisation is completely self-sufficient in terms of using and maintaining the tool.
“The people that I've worked with on Smart, and with the rest of the team in Kainos, are clearly experts on their subject matter. They’re really adding value to us as a company in a way that we don’t always get from other consultants. It’s a good product and one that’s been worthwhile being a design partner on.”
*as at 30 June 2021
With Kainos Smart Audit, we're working a lot smarter and looking at genuine issues. In terms of compliance and security, we've got a lot more coverage than we had before.
Whilst Workday keeps detailed audit logs, it requires a lot of effort to analyse those, to look for potentially interesting or significant results. Kainos Smart makes that process more manageable.
We're working a lot smarter and looking at genuine issues, and we've got a lot more coverage than we had before.
