Three ways to help unlock Workday ROI with better internal controls

  • Blog
  • November 21, 2024

Nick Stone

Partner, PwC US


Anya Bonner

Manager, PwC US


Aashna Gupta

Manager, PwC US


Over 58% of SaaS-powered companies fail to incorporate internal controls early enough in their cloud transformation: an oversight which can increase the risk of error, financial loss and non-compliance.

Internal controls can help protect the business and activate the Workday transformation with reduced costs and better risk management that can result in higher ROI. That is why internal controls are an important part of a company’s Workday transformation and critical to post-go-live operations.

To take your Workday internal controls to the next level, consider these three ways to level up internal controls with Workday.

1. Put controls front and center

For companies implementing or planning to implement Workday, make sure risk and control teams have a seat at the table by defining a dedicated controls workstream. The job of the controls workstream is to embed risk management into requirements early in the design process. This is especially important for Workday Financials, Supply Chain Management, Human Capital Management, and Payroll transformations. The controls workstream should utilize resources that know about risk, compliance, and company operations, as well as understand Workday capabilities. A cross-functional team composed of operations and compliance/internal audit team members is suggested.

And the controls workstream should be integrated into the implementation project plan from the beginning, if possible. Many internal control activities occur during discovery and prototyping phases. Waiting until testing (or later) to surface control requirements can be a sure-fire way to increase cost and put pressure on project timelines - or miss the opportunity to automate controls resulting in manual, report-based control processes. So while the operational processes are transformed, internal controls may be left behind.

To help save time, some organizations try to “lift and shift” legacy controls into their Workday transformation. The problem with this approach is that it is often unable to leverage native Workday capabilities that can enhance and automate manual control processes. A dedicated control workstream should pull the legacy control framework forward and focus on transforming manual processes to help simplify operations and streamline audit requirements.

2. Do a diagnostic

Already live on Workday? Existing Workday customers can reduce compliance effort by 30% by enhancing existing controls. Our control diagnostic capabilities for Workday can analyze security and control configurations across many active functional areas to surface control enhancement opportunities and close potential control gaps.

Business requirements typically change over time, and Workday frequently releases new capabilities. A control diagnostic helps you:

  • Identify beneficial Workday capabilities not used

  • Compare current configurations against industry-leading control practices

  • Analyze Workday business process configurations for intended design

  • Map and streamline controls for regulatory requirements (e.g. SOX, MAR, FDICIA, OCC, FFIEC)

About to go-live on Workday without a defined controls workstream? Many companies in this situation may benefit from a control diagnostic performed prior to go-live (also known as a pre-implementation assessment) to help surface risks and potential control gaps to be addressed during hyper care.

A control diagnostic helps companies define what good looks like and provides a roadmap forward based on current state and risk management objectives. Performed before or after go-live, control diagnostics baseline control effectiveness and define a plan to help manage risk and reduce the cost of non-compliance.

3. Consider the must-have controls

Workday is built with controls in mind. Our control diagnostic capabilities for Workday consider hundreds of potential controls across active functional areas. But each company has a different risk culture and different control objectives; picking the best controls is often a matter of organizational preference. Nonetheless, some controls are just too good to pass up. Make sure to consider the following “must-have” controls in your Workday transformation.

Workday Financials

  • Journal insights: Catch potential journal line errors automatically with this relatively recent AI feature. Journal insights can discover and flag anomalies in journal line entries and can also suggest probable causes and recommend solutions. The feature won’t replace your journal review process, but it might help catch errors earlier.

  • Account posting rules: Prevent errors and get journals to the right account the first time with posting rules. Flexible and effective, account posting rules allow the use of sequenced conditions that evaluate attributes (organization, cost center, location, region) to derive both ledger account and work tag.

  • Account certifications: Workday provides the ability to perform, review and monitor account reconciliation processes using Account Certifications. The feature is very flexible, allowing the use of custom reconciliation templates, certification workflow roles, journal line matching rules, and dashboards to monitor certification progress.

Workday Payroll

Workers expect payroll to be timely and accurate every pay period. Effective controls are often a big part of the process:

  • Pay cycle event business process: Automate and streamline payroll processing steps while enforcing routing to authorized security groups. The pay cycle event can serve as a payroll processing checklist for each pay cycle, routing steps in the order they’re required to be performed in. This business process can evidence each activity being performed all within the tenant itself.

  • Pay anomalies: Use AI and machine learning to catch possible errors in payroll results. Workday uses machine learning to determine normal pay calculation and result patterns based on historical pay results and worker data. Pay patterns are then used to predict abnormal payroll results for the current pay period. A similar feature is available for time anomalies. Note that these features may require training the machine learning and may only be available to US Payroll customers that opt in to Innovation Services.

  • Payroll EIBs: EIBs (Enterprise Interface Builder) are useful in streamlining business operations and reducing manual effort, but EIBs may bypass configured business process controls (e.g. upload of one-time payments to be included within payroll processing). For payroll-impacting EIBs, consider strong assessment and approval processes prior to EIB upload to support integrity of master data and transactional data within Workday.

Cybersecurity

Phishing attacks are a perennial threat to cloud ERPs like Workday. Phishing risk can increase with the number of workers, suppliers and customers using the system. Baseline controls to help limit cyber threats in Workday include:

  • Authentication policies: Workday users have differing authentication requirements. Authentication conditions should be used to align access restrictions based on user, related security groups and risk profile. Implement native Workday Access Restrictions for Authentication Conditions to control access by security group and even exclude certain functionality for the Authentication Condition. And of course, make effective use of SSO and MFA, IP address white-lists and black-lists to right-size authentication policy controls. MFA should be enabled for each authentication type.
  • Just-in-time detection: Bad actors can be internal or external. And both can get past authentication controls. Timely risk monitoring is highly recommended to help limit the impact of improper activity. There are multiple options in Workday to quickly detect improper or high-risk activity:
    • Make judicious use of condition rules that require approval steps and/or notifications to help increase visibility to the execution of important business processes.
    • The alert framework capabilities can be used to create alerts based on conditions that can be defined using a Workday Report.
    • User activity can be monitored to detect anomalous activity. Workday’s View User Activity can be mined for higher risk scenarios and incorporated into alerts or integrated into SIEM systems. Just be aware that user activity logs are purged every thirty (30) days in production.

Application security

Workday application security affects worker entitlements and what workers can do in Workday. A battery of application security controls is recommended to limit access to sensitive Workday business processes, task and administration rights. Here are a few security controls to consider:

  • User-based security workflows: 2024R1 provides a workflow-enabled task for updating user-based security group assignments. Once configured, the workflow supports approval processes for the assignment or removal of sensitive user-based security. The workflow can help improve control over the initiation and approval of privileged user-based security entitlements.

  • Data privacy: Protect workforce personal information with precise privacy controls that limit who can see personal information and detect potential misuse of personal information. Typical controls leverage Workday’s native domain security to lock down sensitive domains and mine user history logs to help detect improper access.

  • Avoid conflicts: Prevent control override by enforcing segregation of duties (“SoD”) through an effective security model and change monitoring. At the very least, use Workday routing rules to help prevent business process initiation and approval conflicts. To systemically prevent and detect conflicts, use a risk-based segregation of duties framework to map out the risks that matter and build rulesets into Workday’s configurable security. Assess compliance with rulesets using custom reports that mine domain security and business process security policies. Or use PwC’s Enterprise Control to help automate Workday SoD controls.
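
As an added illustration of the ruleset assessment described under “Avoid conflicts” (this is not PwC or Workday code), the Python sketch below checks a report export of user-to-security-group assignments against a risk-based SoD ruleset. The CSV column names, the group names, and the rules themselves are constructed assumptions for the example.

```python
import csv
import io
from collections import defaultdict

# Constructed sample: rows as they might come from a custom report export of
# user-to-security-group assignments. Column names are hypothetical.
ASSIGNMENTS_CSV = """user,security_group
jdoe,Supplier Administrator
jdoe,Settlement Specialist
asmith,Payroll Administrator
asmith, payroll auditor
bnguyen,Supplier Administrator
bnguyen,Payroll Auditor
clee,Security Administrator
"""

# Hypothetical risk-based ruleset: each rule names two entitlements that one
# person should not hold together, plus the risk the pairing creates.
SOD_RULES = [
    ("Supplier Administrator", "Settlement Specialist",
     "Create a supplier and pay it"),
    ("Payroll Administrator", "Payroll Auditor",
     "Change pay results and sign off on them"),
]

def _norm(name):
    """Normalise group names so spacing/case differences do not hide a hit."""
    return " ".join(name.split()).casefold()

def load_assignments(text):
    """Return {user: set of normalised security group names}."""
    groups = defaultdict(set)
    for row in csv.DictReader(io.StringIO(text)):
        groups[row["user"].strip()].add(_norm(row["security_group"]))
    return groups

def find_sod_conflicts(assignments, rules):
    """Return sorted (user, risk) tuples for every rule a user violates."""
    hits = []
    for user, held in assignments.items():
        for group_a, group_b, risk in rules:
            if _norm(group_a) in held and _norm(group_b) in held:
                hits.append((user, risk))
    return sorted(hits)

if __name__ == "__main__":
    result = find_sod_conflicts(load_assignments(ASSIGNMENTS_CSV), SOD_RULES)
    for user, risk in result:
        print(f"{user}: {risk}")
```

Normalising names before matching matters in practice: the `asmith` row with stray spacing and lower case would otherwise slip past an exact-match comparison.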

Change management

Protect your production tenant configuration with effective change management. Configuration change controls in Workday can be a little complicated so companies need a sound approach to enable configuration change controls that can be both effective and audit ready. A good approach should be risk-based to limit scope and should leverage Workday capabilities like Object Transporter, audit tags, and audit trail reporting. Read more about our suggested approach here.


By considering these three techniques, companies using Workday can enhance the efficacy and efficiency of their internal controls – which can lead to operational efficiency and higher ROI. Review these strategies to elevate your internal controls and unlock the potential of your Workday transformation.

Contact us or learn more about how PwC can support your Workday journey with effective security and internal controls.
