The New Auditing Paradigm - IAM and SOX Controls Automation

This Workday Rising presentation showed an industry use case in which Workday, RemedyForce, ADManager (Zoho), Salesforce and various IT monitoring tools were used in combination to eliminate more than 90% of the evidence-gathering activities needed to satisfy a SOX compliance program.


To make it easier to find information, we are posting the outline of this content.

Using Workday to Drive a New Auditing Paradigm

Kendall Tieck, VP Internal Audit, Workday
Robin Basham, Director, Internal Audit and Compliance, Ellie Mae
Safe Harbor Statement
The situation and complication…

Companies and organizations are deploying Workday to increase business performance and to assist in achieving key objectives.

However, auditors, armed with little information about Workday’s business and internal control value, struggle to transfer their legacy ERP knowledge to the workflow-enabled platform.

Implications and call to action…

While auditors address the learning curve, a burden emerges that slows the business from fully realizing the efficiencies that Workday delivers.

By improving the auditor’s knowledge and understanding of Workday’s internal control capabilities and its inherent auditability, companies can not only control costs associated with auditing, but also improve the auditor’s ability to contribute business value.

A foundation of a new auditing paradigm

Today we will focus on the core components that auditors need to understand to effectively support their activities in an efficient and effective manner…

…and to embrace a new auditing paradigm.

Auditors:  Contributing to Business Success

Auditors provide assurance that the entity’s activities are sufficient in order to achieve operational, reporting and compliance objectives.

Auditors:  Contributing to Business Success

Workday enables businesses to achieve an effective integrated control environment, and as a result improve the ability to achieve organizational objectives.

Enabling the auditors…

Audits may be performed to fulfill a variety of needs:

Accuracy of Financial Statements
Evaluating effectiveness and efficiency of internal controls, including controls over financial reporting, operations and compliance.
Workday:  Implementing and Auditing Internal Control
While some “GRC” systems report on internal controls, Workday actually does internal control. 

Workday combines the power of workflow, comprehensive security, robust reporting and pervasive auditing of events to achieve more effective internal control that is auditable.

Workday:  Audit Areas of Focus
•Who can do what?
•What has been done?
•When did it occur?
•Who authorized it?
•Who can change what?
•What has changed?
•When was it changed?
•Who made the change?
Different by Design:  An auditor’s View 
Comprehensive, Configurable  Security
Integrated reporting
Robust auditing of events
Workday:  The Customer’s Tenant - Context
All Workday customers are on the same, up to date version.
The customer’s tenant is implemented and configured to meet the unique needs of the business thereby avoiding expensive, difficult to maintain customization.
This session will focus on the Tenant…
Workday Workflow: 
Business Process Framework

Workday is process driven, enabled by a Business Process Framework.

The Business Process Framework is the foundation for implementing internal controls in Workday.

Workday Business Process Framework
Workflow:  Business Process Fundamentals
Onboarding and Termination – Pain Point “Contingent Worker”
Situation FY2012
60% IT controls coverage = authorized and appropriate Access
–Only 30% of contingent worker lifecycle is managed by same process flow as regular hires
–Unacceptable fail rate across 13 critical access control properties
SOX, SOC, and FDIC examination
Zero Tolerance for unauthorized access
Ellie Mae Hiring frequency is increasing at a rate of 400%
Ellie Mae Use Case – Onboarding and Termination – Pain Point “Asset Provisioning”
IT Support manages delivery of consistent and appropriate resources, where daily:
–User requirements change
–Job Titles and Role Assignments evolve
–Management demands that Security Groups be transparently governed, yet adaptable to business requirements
Step One: Understand the Business Process –From Hiring to Onboard and Termination
Step Two: Create Workflow that takes worker from Candidate to Provisioned Employee
Business financial controls
–Roles & Responsibilities
IT Controls
–Triggers and notifications
–Integration using Single Sign On and Active Directory
Step Three: Notifications and Control Gates
Process flow is converted to conditions, triggers, notifications and control gates.
Surprising Audit Efficiencies – Reduce Business Disruptions – Control More Risk
Different by Design:   
Comprehensive, Configurable  Security
Integrated reporting
Robust auditing of events
Secure by Design
Secure in Operation
•Robust technical and organizational security controls  ensure that customer data is safe.
•Strict policies and procedures govern access, use, disclosure, and transfer of customer data.
Managing Security
Security Configurator group sets up security.
Security Administrator group assigns security. 
Workday Configurable Security
Auditing Automated Controls – How Workday Files are Generated and Received
Ellie Mae integrated with RemedyForce ticketing, and Active Directory.
Notification for hire or term is associated with a RemedyForce support ticket and an Active Directory modification.
Summary of all changes to workers is sent out via Workday on a monthly basis. (Reporting)
A Workday Account is a Network Account – Single Sign On
Ellie Mae configured our Workday application so that your identity in Workday is your identity on the network. If HR didn’t initiate your access, you have no access.
All Notifications Post Email and Are Visible from Login
Our processes prompt the next approver
People see progress against their request
For auditors, there is a system trail on all events
Access Controls Measured Using System Reports from Workday, Active Directory and RemedyForce
Saving snapshot files and uploading monthly evidence to Custom Access Database for analysis
Goodbye Complexity and Endless Meetings
Run Monthly Match for Workday Hire/Term, RemedyForce Record, AD Properties
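
The monthly match described above, sketched as an added example (not code from the presentation or from Ellie Mae). The CSV layouts, column names and worker IDs are constructed for illustration and do not reflect actual Workday, RemedyForce or Active Directory export formats.

```python
import csv
import io

# Constructed sample exports; layouts and column names are assumptions.
WORKDAY = """worker_id,event
E100,HIRE
E101,TERM
C200,TERM
E102,HIRE
"""
TICKETS = """worker_id,request_type
E100,HIRE
E101,TERM
C200,TERM
"""
AD = """worker_id,enabled
E100,TRUE
E101,FALSE
C200,TRUE
X999,TRUE
"""

def load(text):
    return list(csv.DictReader(io.StringIO(text)))

def monthly_match(workday_csv, tickets_csv, ad_csv):
    """Return sorted (worker_id, finding) pairs where the three sources disagree.

    Assumes the Workday export lists the latest hire/term event per worker."""
    events = load(workday_csv)
    tickets = {(r["worker_id"], r["request_type"]) for r in load(tickets_csv)}
    enabled = {r["worker_id"] for r in load(ad_csv) if r["enabled"].upper() == "TRUE"}
    findings = []
    for ev in events:
        wid, kind = ev["worker_id"], ev["event"]
        if (wid, kind) not in tickets:  # HR event with no matching support ticket
            findings.append((wid, f"{kind} without ticket"))
        if kind == "TERM" and wid in enabled:  # access outlived the termination
            findings.append((wid, "terminated but AD account enabled"))
        if kind == "HIRE" and wid not in enabled:  # provisioning never completed
            findings.append((wid, "hired but no enabled AD account"))
    known = {ev["worker_id"] for ev in events}
    for wid in enabled - known:  # access that HR did not initiate
        findings.append((wid, "enabled AD account with no Workday record"))
    return sorted(findings)

if __name__ == "__main__":
    for wid, finding in monthly_match(WORKDAY, TICKETS, AD):
        print(wid, finding)
```

Each finding is a control exception an auditor would follow up on; an empty result for the month is itself the evidence that the three systems agree.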
Workday:  Reporting
Standard Report
Custom Reports
Workday:  Reporting – Audit Evidence
Report Definition
Run History
Workday:  Auditing of Events
Events create an audit trail including:
–Changes to security
–Changes to roles
–Changes to configuration
–Changes to report definitions
–And on and on….
View Audit Trail
Workday:  In Summary, what auditors need to understand…

Workday combines the power of workflow, comprehensive security, robust reporting and pervasive auditing of events to achieve more effective internal control that is auditable.