workday rising remedy admanager wd for role based access testing
TRANSCRIPT
Using Workday to Drive a New Auditing Paradigm
Kendall Tieck VP Internal Audit, Workday
Robin Basham Director, Internal Audit and Compliance, Ellie Mae
Safe Harbor Statement
This presentation may contain forward-looking statements for which there are risks, uncertainties, and assumptions. If the risks materialize or assumptions prove incorrect, Workday’s business results and directions could differ materially from results implied by the forward-looking statements. Forward-looking statements include any statements regarding strategies or plans for future operations; any statements concerning new features, enhancements or upgrades to our existing applications or plans for future applications; and any statements of belief. Further information on risks that could affect Workday’s results is included in our filings with the Securities and Exchange Commission which are available on the Workday investor relations webpage: www.workday.com/company/investor_relations.php
Workday assumes no obligation for and does not intend to update any forward-looking statements.
Any unreleased services, features, functionality or enhancements referenced in any Workday document, roadmap, blog, our website, press release or public statement that are not currently available are subject to change at Workday’s discretion and may not be delivered as planned or at all.
Customers who purchase Workday, Inc. services should make their purchase decisions upon services, features, and functions that are currently available.
Workday Confidential
The situation and complication…
Companies and organizations are deploying Workday to increase business performance and to assist in achieving key objectives.
However, auditors, armed with little information about Workday’s business and internal control value, struggle to transfer their legacy ERP knowledge to the workflow-enabled platform.
Implications and call to action…
While auditors address the learning curve, a burden emerges that slows the business from fully realizing the efficiencies that Workday delivers.
By improving the auditor’s knowledge and understanding of Workday’s internal control capabilities and its inherent auditability, companies can not only control the costs associated with auditing, but also improve the auditor’s ability to contribute business value.
Workday: A foundation of a new auditing paradigm
Today we will focus on the core components that auditors need to understand to effectively support their activities in an efficient and effective manner…
…and to embrace a new auditing paradigm.
Auditors: Contributing to Business Success
Auditors provide assurance that the entity’s activities are sufficient in order to achieve operational, reporting and compliance objectives.
Auditors: Contributing to Business Success
Workday enables businesses to achieve an effective integrated control environment, and as a result improve the ability to achieve organizational objectives.
Enabling the auditors…
Audits may be performed to fulfill a variety of needs:
• Accuracy of financial statements
• Evaluating effectiveness and efficiency of internal controls, including controls over financial reporting, operations and compliance.
Workday: Implementing and Auditing Internal Control
While some “GRC” systems report on internal controls, Workday actually does internal control.
Workday combines the power of workflow, comprehensive security, robust reporting and pervasive auditing of events to achieve more effective internal control that is auditable.
Workday: Audit Areas of Focus
• Access
  – Who can do what?
  – What has been done?
  – When did it occur?
  – Who authorized it?
• Change
  – Who can change what?
  – What has changed?
  – When was it changed?
  – Who made the change?
Different by Design: An auditor’s View
Workflow
Comprehensive, Configurable Security
Integrated reporting
Robust auditing of events
Workday: The Customer’s Tenant - Context
All Workday customers are on the same, up-to-date version.
The customer’s tenant is implemented and configured to meet the unique needs of the business, thereby avoiding expensive, difficult-to-maintain customization.
This session will focus on the Tenant.
Workday Workflow: Business Process Framework
Workday is process driven, enabled by a Business Process Framework.
The Business Process Framework is the foundation for implementing internal controls in Workday.
Workday Business Process Framework
Workday’s Business Process Framework seamlessly integrates “machines” and people in a built-in solution that is configurable and traceable with reporting and management tools.
Workday Business Process Framework
Business Process Definitions: documented and auditable.
Onboarding and Termination – Pain Point “Contingent Worker”
Situation FY2012:
– 60% IT controls coverage = authorized and appropriate access
– Only 30% of the contingent worker lifecycle is managed by the same process flow as regular hires
– Unacceptable fail rate across 13 critical access control properties
– SOX, SOC, and FDIC examination: zero tolerance for unauthorized access
– Ellie Mae hiring frequency is increasing at a rate of 400%
Ellie Mae Use Case – Onboarding and Termination – Pain Point “Asset Provisioning”
IT Support manages delivery of consistent and appropriate resources, where daily:
– User requirements change
– Job titles and role assignments evolve
– Management demands that security groups be transparently governed, yet adaptable to business requirements
Step One: Understand the Business Process – From Hiring to Onboarding and Termination
(Process diagram)
HR Worker Change Process:
– Conditions to add, modify or end a business relationship with a worker (worker condition change)
– HR sets the termination, job change or work start date in Workday and hits submit
– RemedyForce request to modify access
– Notification to all Business Application Administrators; administrators suspend application access
– Domain Admin removes or modifies security groups; IAO modifies, enrolls or suspends access; Facilities changes location; notification to Systems Administration to modify location and phone
– Notification to Security Audit (domain account); IRM notification to confirm access disabled
– Two days post termination, confirmation that the account is disabled
– Evidence added to ticket, tasks for the termination closed; termination details match system evidence (verified change)
Access Review:
– At a 90-day interval, all termination tickets are reviewed to determine if application resources were appropriately disabled
– Names for Application Administrators are established by annual narratives which identify the inventory of significant financial systems
– Integrated Audit is responsible to review semi-annually that all application administrators are aligned to the systems, and that they are notified of terminations; Integrated Audit ensures they are removing or changing rights in a timely manner
– Workday and RemedyForce reports are evaluated to determine if notice of termination resulted in appropriate removal of all access, to confirm that rights assigned are consistent with the department profile, and to verify that changes to worker duties align to access changes appropriate to their new role
– IRM provides quarterly reports for verification of disabled accounts; Workday shows Terms, Hires, Changes
Onboarding (New Position or Consultant Workforce):
– New worker role or PO exists
– Not new: worker is already in Workday, details known to HR
– New worker: manager initiates a Workday request, either a new worker for a known position (no requisition) or one that requires a requisition
Control references: DS8 8.1 Service Desk; HR-3 Hire to Term – Notice of Termination; HR-2 Hire to Term – Offer letter, compensation, start date, signed; DS5 5.5 Security Testing, Surveillance and Monitoring
Step Two: Create Workflow that takes worker from Candidate to Provisioned Employee
Business financial controls:
– Compensation
– Contract
– Roles & Responsibilities
IT controls:
– Triggers and notifications
– Integration using Single Sign On and Active Directory
Workflow steps (diagram): Propose Compensation; Request One-Time Payment; Edit Service Dates; Change Organization Assignments; Assign Pay Group; Create Workday Account; Create Email Address for Employee; Onboarding; Change Benefit Elections
Step Three: Notifications and Control Gates
Process flow is converted to conditions, triggers, notifications and control gates.
Surprising Audit Efficiencies – Reduce Business Disruptions – Control More Risk
[Chart: Manual vs. Automated Evidence Collection, FY12 through FY14, y-axis 0%–100%; bar labels 600, 600, 30, 200, 507]
Evidence interaction with business: there are no collection scripts or automated reports.
Evidence from automation: evidence is scripted and delivered via scheduling, or evidence is found in a functional location based on documented process.
Different by Design:
Workflow
Comprehensive, Configurable Security
Integrated reporting
Robust auditing of events
Secure by Design
• Data is encrypted
• Workday employees can’t access customer data
• Points of access are limited to the application server
Security in Workday is an integral part of the system architecture and is pervasive across applications, business processes, data and configuration.
Secure in Operation
• Robust technical and organizational security controls ensure that customer data is safe.
• Strict policies and procedures govern access, use, disclosure, and transfer of customer data.
High Level Security Framework
System Users are assigned to Security Groups, and Security Groups are granted access through Security Policies.
Security Groups:
• Different types (e.g. role based, user based, location)
• Workday delivered (HR Partner, Accountant)
• Workday assigned (Employee as Self)
• Can create your own
Security Policies:
• Each Functional Area contains Domains, governed by a Domain Security Policy: View / Modify, Get / Put
• Each Functional Area contains Business Processes, governed by a BP Security Policy: Initiate, Approve, Cancel, Correct
Managing Security
Security Configurator group sets up security.
Security Administrator group assigns security.
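The group and policy model on the High Level Security Framework and Managing Security slides can be made concrete with a small Python model. This is an added example, not Workday code or Ellie Mae’s configuration: the `Tenant` class, the `HR Approver` group, the domain name and all users are constructed assumptions; only the group names HR Partner, Accountant, Employee As Self, Security Configurator and Security Administrator and the permission and action names come from the slides. It answers the audit question “who can do what?” for a business process and flags any user whose combined groups let them both initiate and approve the same process.

```python
from collections import defaultdict

# Permission vocabulary from the security framework slide.
DOMAIN_PERMS = {"View", "Modify", "Get", "Put"}
BP_ACTIONS = {"Initiate", "Approve", "Cancel", "Correct"}


class Tenant:
    """Toy tenant (constructed model): group memberships plus domain and BP policies."""

    def __init__(self):
        self.memberships = defaultdict(set)       # user -> security groups
        self.domain_policies = defaultdict(dict)  # domain -> {group: permissions}
        self.bp_policies = defaultdict(dict)      # business process -> {group: actions}

    def _require(self, actor, group):
        if group not in self.memberships.get(actor, set()):
            raise PermissionError(f"{actor} is not in {group}")

    def assign_group(self, actor, user, group):
        """Security Administrator group assigns security (group membership)."""
        self._require(actor, "Security Administrator")
        self.memberships[user].add(group)

    def set_domain_policy(self, actor, domain, group, perms):
        """Security Configurator group sets up security (policy definitions)."""
        self._require(actor, "Security Configurator")
        if not set(perms) <= DOMAIN_PERMS:
            raise ValueError(f"unknown domain permission in {perms}")
        self.domain_policies[domain][group] = set(perms)

    def set_bp_policy(self, actor, bp, group, actions):
        self._require(actor, "Security Configurator")
        if not set(actions) <= BP_ACTIONS:
            raise ValueError(f"unknown BP action in {actions}")
        self.bp_policies[bp][group] = set(actions)

    def effective_domain_perms(self, user):
        groups = self.memberships.get(user, set())
        result = {}
        for domain, policy in self.domain_policies.items():
            perms = set().union(*(p for g, p in policy.items() if g in groups))
            if perms:
                result[domain] = perms
        return result

    def effective_bp_actions(self, user):
        """'Who can do what?': union of BP actions across the user's groups."""
        groups = self.memberships.get(user, set())
        result = {}
        for bp, policy in self.bp_policies.items():
            actions = set().union(*(a for g, a in policy.items() if g in groups))
            if actions:
                result[bp] = actions
        return result

    def who_can(self, bp, action):
        """Audit view: every user whose groups grant `action` on `bp`."""
        return sorted(u for u in self.memberships
                      if action in self.effective_bp_actions(u).get(bp, set()))

    def sod_conflicts(self):
        """Users able to both Initiate and Approve the same business process."""
        hits = []
        for user in sorted(self.memberships):
            for bp, actions in sorted(self.effective_bp_actions(user).items()):
                if {"Initiate", "Approve"} <= actions:
                    hits.append((user, bp))
        return hits


def build_sample_tenant():
    """Constructed sample data; 'HR Approver', the domain and all users are hypothetical."""
    t = Tenant()
    # Bootstrap the two administrative groups named on the Managing Security slide.
    t.memberships["sec_config"].add("Security Configurator")
    t.memberships["sec_admin"].add("Security Administrator")
    t.set_bp_policy("sec_config", "Hire", "HR Partner", {"Initiate", "Cancel"})
    t.set_bp_policy("sec_config", "Hire", "HR Approver", {"Approve"})
    t.set_bp_policy("sec_config", "Request One-Time Payment", "Employee As Self", {"Initiate"})
    t.set_bp_policy("sec_config", "Request One-Time Payment", "Accountant", {"Approve", "Correct"})
    t.set_domain_policy("sec_config", "Worker Data: Compensation", "Accountant", {"View", "Get"})
    for user, group in [("alice", "HR Partner"), ("bob", "HR Approver"),
                        ("carol", "Accountant"), ("dave", "HR Partner"), ("dave", "HR Approver")]:
        t.assign_group("sec_admin", user, group)
    return t


if __name__ == "__main__":
    tenant = build_sample_tenant()
    print("Who can initiate Hire?", tenant.who_can("Hire", "Initiate"))
    print("SoD conflicts:", tenant.sod_conflicts())
```

Running it lists alice and dave as Hire initiators and reports dave, who sits in both HR Partner and HR Approver, as a segregation-of-duties conflict on Hire; an attempt by a non-administrator to assign a group is refused, mirroring the split between the configurator and administrator groups.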
Auditing Automated Controls – How Workday Files are Generated and Received
Ellie Mae integrated with RemedyForce ticketing and Active Directory.
Notification for hire or term is associated with a RemedyForce support ticket and an Active Directory modification.
Summary of all changes to workers is sent out via Workday on a monthly basis. (Reporting)
A Workday Account is a Network Account – Single Sign On
Ellie Mae configured our Workday application so that your identity in Workday is your identity on the network. If HR didn’t initiate your access, you have no access.
All Notifications Post Email and Are Visible from Login
• Our processes prompt the next approver
• People see the progress against their request
• For auditors, there is a system trail on all events
Access Controls Measured Using System Reports from Workday, Active Directory and RemedyForce
Saving snapshot files and uploading monthly evidence to Custom Access Database for analysis
Goodbye Complexity and Endless Meetings
User Access Management – IT Support Requests (process diagram)
Request intake:
– User requires access to an asset; the need for resource access is logged
– Request to create or modify an account is submitted to RemedyForce via HelpDesk or Workday
– Ticket RemedyForce – Type User Account Access; trouble ticket owner assigned in RemedyForce; assigned trouble ticket; ticket assigned
Authorization verification:
– Corporate user profile includes asset rights; asset is defined for Corp or DCO
– Verified request: access established, closed
– Department profile does not authorize: notify requester of denied rights; after explaining the issue, user accepts denied access; access request closed
– Some change to a DCO or Corp asset is required: notification to the DCO queue; coordination with DCO to confirm hand-off
– No corporate or DCO asset aligns to the request: Ticket RemedyForce – Type System Administration; ticket is for a system access change; claimed ticket requires verification for the system access profile; system security role configuration; SaaS resource assigned; verification received
Security management:
– Asset assigned; access provisioned; access tested; privileges granted; privileges tested; access confirmed
– Requester confirmation; verification received; ticket closed; access request closed
Control references:
– PO4 4.11 Segregation of Duties
– DS5 5.10 Network Security
– 1.04 Human Resources; Onboarding
– 7.02 Access to Programs and Data; New Hires
– 7.05 Access to Programs and Data; Administrative Access Provisioning
– DS5 5.3 Identity Management
– S_COM10.6 10.6.2 Security of network services
– S_HR8.1 8.1.1 Roles and responsibilities
– S_HR8.3 8.3.3 Removal of access rights
– DS8 8.3 Incident Escalation
Run Monthly Match for Workday Hire/Term, RemedyForce Record, AD Properties
It’s as easy as 1-2-3
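One way to implement the monthly three-way match of Workday hires and terminations against RemedyForce records and Active Directory properties, written here as an added example rather than Ellie Mae’s own script or a Workday report. The three CSV extracts and their column names are constructed assumptions (a Workday worker snapshot with the month’s hire/term event, a RemedyForce ticket export, and an AD export joined on employeeID, with AD’s userAccountControl ACCOUNTDISABLE bit deciding whether an account is live); the two-day disable window comes from the Step One slide. The output is the exception list an auditor would review: terminations still holding an enabled account past the window, hires or terminations with no ticket, hires with no account, and enabled accounts that no Workday worker explains.

```python
import csv
import io
from datetime import date, timedelta

# Constructed sample extracts (not real data); column names are assumptions.
WORKDAY_CSV = """worker_id,name,status,last_event,effective_date
1000,Frances Allen,Active,,2012-06-11
1001,Ada Lovelace,Active,Hire,2014-03-03
1002,Alan Turing,Terminated,Term,2014-03-07
1003,Grace Hopper,Terminated,Term,2014-03-14
1004,Edsger Dijkstra,Active,Hire,2014-03-24
"""

REMEDYFORCE_CSV = """ticket_id,worker_id,ticket_type,status
RF-501,1001,User Account Access,Closed
RF-502,1002,Notice of Termination,Closed
RF-503,1004,User Account Access,Open
"""

# userAccountControl 0x0002 (ACCOUNTDISABLE) set means the account is disabled;
# employeeID is assumed to carry the Workday worker ID.
AD_CSV = """sAMAccountName,employeeID,userAccountControl
fallen,1000,512
alovelace,1001,512
aturing,1002,514
ghopper,1003,512
edijkstra,1004,512
jdoe,1999,512
"""

ACCOUNTDISABLE = 0x0002
TERM_GRACE_DAYS = 2  # slide: two days post termination the account must be disabled


def parse(csv_text):
    return list(csv.DictReader(io.StringIO(csv_text)))


def monthly_match(workday_csv, remedyforce_csv, ad_csv, as_of):
    """Return sorted (worker_id, finding) pairs where the three sources disagree."""
    as_of = date.fromisoformat(as_of)
    workers = parse(workday_csv)
    ticketed = {t["worker_id"] for t in parse(remedyforce_csv)}
    ad_by_emp = {}
    for a in parse(ad_csv):
        a["disabled"] = int(a["userAccountControl"]) & ACCOUNTDISABLE != 0
        ad_by_emp.setdefault(a["employeeID"], []).append(a)

    findings = []
    for w in workers:
        wid, event = w["worker_id"], w["last_event"]
        accounts = ad_by_emp.get(wid, [])
        # Every hire or term notification should have produced a RemedyForce ticket.
        if event and wid not in ticketed:
            findings.append((wid, f"{event} has no RemedyForce ticket"))
        if event == "Hire" and not accounts:
            findings.append((wid, "Hire has no AD account"))
        if w["status"] == "Terminated":
            live = [a["sAMAccountName"] for a in accounts if not a["disabled"]]
            deadline = date.fromisoformat(w["effective_date"]) + timedelta(days=TERM_GRACE_DAYS)
            if live and as_of > deadline:
                findings.append((wid, "Term account still enabled: " + ",".join(live)))
    # An enabled account with no Workday worker behind it: HR never initiated that access.
    known = {w["worker_id"] for w in workers}
    for emp, accounts in ad_by_emp.items():
        for a in accounts:
            if emp not in known and not a["disabled"]:
                findings.append((emp, f"orphan AD account {a['sAMAccountName']}"))
    return sorted(findings)


def run_sample(as_of="2014-03-31"):
    """Run the match over the constructed extracts as of the given ISO date."""
    return monthly_match(WORKDAY_CSV, REMEDYFORCE_CSV, AD_CSV, as_of)


if __name__ == "__main__":
    for worker_id, finding in run_sample():
        print(worker_id, finding)
```

Run at month end, the sample flags worker 1003 twice (still enabled two weeks after termination, and no ticket) and the orphan account jdoe; run on 2014-03-15, inside the two-day window, the enabled-account finding for 1003 is not yet raised, which is the behaviour the grace period is meant to have.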
Workday: Reporting
When used in conjunction with Workday’s built-in auditor roles, the reporting capability offers a self-service opportunity that reduces the burden on the business, and enables a more productive and effective approach to auditing the system of record.
Workday: Reporting – Audit Evidence
• Delivered Reports
• Configurable, customizable
• Electronic Audit Evidence (PCAOB)
• Change Control
Enabling Continuous Auditing:
• Custom Reports
• Scheduling
• Alerts
Workday: Auditing of Events
Events create an audit trail including:
– Transactions
– Changes to security
– Changes to roles
– Changes to configuration
– Changes to report definitions
– And on and on….
Workday: In Summary, what auditors need to understand…
Workday combines the power of workflow, comprehensive security, robust reporting and pervasive auditing of events to achieve more effective internal control that is auditable.