Using Workday to Drive a New Auditing Paradigm Kendall Tieck VP Internal Audit, Workday Robin Basham Director, Internal Audit and Compliance, Ellie Mae

Upload: enterprisegrc-solutions

Post on 10-Jan-2017

Using Workday to Drive a New Auditing Paradigm

Kendall Tieck VP Internal Audit, Workday

Robin Basham Director, Internal Audit and Compliance, Ellie Mae

Safe Harbor Statement

This presentation may contain forward-looking statements for which there are risks, uncertainties, and assumptions. If the risks materialize or assumptions prove incorrect, Workday’s business results and directions could differ materially from results implied by the forward-looking statements. Forward-looking statements include any statements regarding strategies or plans for future operations; any statements concerning new features, enhancements or upgrades to our existing applications or plans for future applications; and any statements of belief. Further information on risks that could affect Workday’s results is included in our filings with the Securities and Exchange Commission which are available on the Workday investor relations webpage: www.workday.com/company/investor_relations.php

Workday assumes no obligation for and does not intend to update any forward-looking statements.

Any unreleased services, features, functionality or enhancements referenced in any Workday document, roadmap, blog, our website, press release or public statement that are not currently available are subject to change at Workday’s discretion and may not be delivered as planned or at all.

Customers who purchase Workday, Inc. services should make their purchase decisions upon services, features, and functions that are currently available.

Workday Confidential

The situation and complication…

Companies and organizations are deploying Workday to increase business performance and to assist in achieving key objectives.

However, auditors, armed with little information about Workday’s business and internal control value, struggle to transfer their legacy ERP knowledge to the workflow enabled platform.

Implications and call to action…

While auditors address the learning curve, a burden emerges that slows the business from fully realizing the efficiencies that Workday delivers.

By improving the auditor’s knowledge and understanding of Workdays internal control capabilities and its inherent auditability, companies can not only control costs associated with auditing, but improve the auditor’s ability to contribute business value.

Workday: A foundation of a new auditing paradigm

Today we will focus on the core components that auditors need to understand to effectively support their activities in an efficient and effective manner…

…and to embrace a new auditing paradigm.

Auditors: Contributing to Business Success

Auditors provide assurance that the entity’s activities are sufficient in order to achieve operational, reporting and compliance objectives.

Auditors: Contributing to Business Success

Workday enables businesses to achieve an effective integrated control environment, and as a result improve the ability to achieve organizational objectives.

Enabling the auditors…

Audits may be performed to fulfill a variety of needs:

Accuracy of Financial Statements

Evaluating effectiveness and efficiency of internal controls, including controls over financial reporting, operations and compliance.

Workday: Implementing and Auditing Internal Control

While some “GRC” systems report on internal controls, Workday actually does internal control.

Workday combines the power of workflow, comprehensive security, robust reporting and pervasive auditing of events to achieve more effective internal control that is auditable.

Workday: Audit Areas of Focus

• Access
– Who can do what?
– What has been done?
– When did it occur?
– Who authorized it?

• Change
– Who can change what?
– What has changed?
– When was it changed?
– Who made the change?

Different by Design: An auditor’s View

Workflow

Comprehensive, Configurable Security

Integrated reporting

Robust auditing of events

Workday: The Customer’s Tenant - Context

All Workday customers are on the same, up to date version.

The customer’s tenant is implemented and configured to meet the unique needs of the business thereby avoiding expensive, difficult to maintain customization.

This session will focus on the Tenant…

Workday Workflow: Business Process Framework

Workday is process driven, enabled by a Business Process Framework.

The Business Process Framework is the foundation for implementing internal controls in Workday.

Workday Business Process Framework

Workday’s Business Process Framework seamlessly integrates “machines” and people in a built-in solution that is configurable and traceable with reporting and management tools.

Workday Business Process Framework

Business Process Definitions: Documented and auditable.

Workflow: Business Process Fundamentals

Ellie Mae Use Case

Onboarding and Termination – Pain Point “Contingent Worker”

Situation FY2012:

– 60% IT controls coverage = authorized and appropriate Access

– Only 30% of contingent worker lifecycle is managed by same process flow as regular hires

– Unacceptable fail rate across 13 critical access control properties

– SOX, SOC, and FDIC examination: Zero Tolerance for unauthorized access

– Ellie Mae Hiring frequency is increasing at a rate of 400%

Ellie Mae Use Case – Onboarding and Termination – Pain Point “Asset Provisioning”

IT Support manages delivery of consistent and appropriate resources, where daily:

– User requirements change

– Job Titles and Role Assignments evolve

– Management demands that Security Groups be transparently governed, yet adaptable to business requirements

Step One: Understand the Business Process – From Hiring to Onboard and Termination

Worker condition change (HR Worker Change Process):

– Conditions to add, modify or end business relationship with worker

– HR sets termination, job change or work start date in Workday – hits submit

– RemedyForce Request to modify access

– Notification: All Business Application Administrators; Notification: Systems Administration

– Administrators suspend application access

– IAO Modifies, Enrolls or Suspends Access

– Domain Admin removes or modifies security groups

– Facilities Changes Location (Modify location, Phone)

Access Review:

– Two days post termination, confirmation that account is disabled

– IRM Notification to confirm access disabled

– Notification: Security Audit, Domain Acct

– Evidence added to ticket, Tasks for term closed

– Verified Change: Termination details match system evidence

Periodic review:

– At 90 day interval, all termination tickets are reviewed to determine if application resources were appropriately disabled

– Names of Application Administrators are established by annual narratives which identify the inventory of significant financial systems

– Integrated Audit is responsible to review semi-annually that all application administrators are aligned to the systems, and that they are notified of terminations. Integrated Audit ensures they are removing or changing rights in a timely manner

– Workday and RemedyForce reports are evaluated to determine if notice of termination resulted in appropriate removal of all access, to confirm that rights assigned are consistent with department profile, and to verify that changes to worker duties align to access changes appropriate to their new role

– IRM provides quarterly reports for verification of disabled accounts

– Workday shows Terms, Hires, Changes

Onboarding (New Position or Consultant Workforce):

– New Worker Role or PO Exists

– Not New: Worker is already in Workday, details known to HR

– New Worker: Manager initiates Workday request; New worker for known Position – no requisition; or Requires Requisition

Control references:

– DS8 8.1 Service Desk

– HR-3 Hire to Term – Notice of Termination

– HR-2 Hire to Term – Offer letter, compensation, start date, signed

– DS5 5.5 Security Testing, Surveillance and Monitoring

Step Two: Create Workflow that takes worker from Candidate to Provisioned Employee

Business financial controls:

– Compensation

– Contract

– Roles & Responsibilities

IT Controls:

– Triggers and notifications

– Integration using Single Sign On and Active Directory

Workflow steps:

– Propose Compensation

– Request One-Time Payment

– Edit Service Dates

– Change Organization Assignments

– Assign Pay Group

– Create Workday Account

– Create Email Address for Employee

– Onboarding

– Change Benefit Elections

Step Three: Notifications and Control Gates

Process flow is converted to conditions, triggers, notifications and control gates.

Surprising Audit Efficiencies – Reduce Business Disruptions – Control More Risk

[Chart: evidence collection by fiscal year, FY12 to FY14, with a 0% to 100% axis]

Manual vs. Automated Evidence Collection

Evidence Interaction with business – There are no collection scripts or automated reports.

Evidence from automation – evidence is scripted and delivered via scheduling; or evidence is found in a functional location based on documented process.

Different by Design:

Workflow

Comprehensive, Configurable Security

Integrated reporting

Robust auditing of events

Secure by Design

• Data is encrypted

• Workday employees can’t access customer data

• Points of access are limited to the application server

Security in Workday is an integral part of the system architecture and is pervasive across applications, business processes, data and configuration.

Secure in Operation

• Robust technical and organizational security controls ensure that customer data is safe.

• Strict policies and procedures govern access, use, disclosure, and transfer of customer data.

High Level Security Framework

System Users are assigned to Security Groups, and Security Groups are granted rights by Security Policies.

Security Groups:

• Different Types (e.g. role based, user based, location)

• Workday Delivered (HR Partner, Accountant)

• Workday Assigned (Employee as Self)

• Can create your own

Security Policies:

• Domain Security Policy – Functional Area, then Domain: View / Modify; Get / Put

• BP Security Policy – Functional Area, then Business Process: Initiate; Approve; Cancel; Correct

Managing Security

Security Configurator group sets up security.

Security Administrator group assigns security.

Workday Configurable Security

Ellie Mae Use Case

Auditing Automated Controls – How Workday Files are Generated and Received

Ellie Mae integrated with RemedyForce ticketing, and Active Directory.

Notification for hire or term is associated with a RemedyForce support ticket and an Active Directory modification.

Summary of all changes to workers is sent out via Workday on a monthly basis. (Reporting)

A Workday Account is a Network Account – Single Sign On

Ellie Mae configured our Workday application so that your identity in Workday is your identity on the network. If HR didn’t initiate your access, you have no access.

All Notifications Post Email and Are Visible from Login

Our processes prompt the next approver.

People see the progress made against their request.

For auditors, there is a system trail on all events.

Access Controls Measured Using System Reports from Workday, Active Directory and RemedyForce

Saving snapshot files and uploading monthly evidence to Custom Access Database for analysis

Good bye Complexity and Endless Meetings

User Access Management – IT Support Requests

Request to create or modify an account is Submitted to RemedyForce via HelpDesk or Workday.

Ticket RemedyForce – Type User Account Access:

– Need for resource access: User Requires Access to Asset

– Ticket Assigned: Trouble ticket owner assigned (RemedyForce); Assigned trouble ticket

– Authorization Verification: Verified request; Corporate User Profile includes Asset Rights

– Department profile does not authorize: Notify requester denied rights; After explaining issue, User accepts denied access; Access Request Closed

– Security Management: Asset is defined for Corp or DCO; Notification DCO Queue; Coordination with DCO to confirm hand-off; Some changes to DCO or Corp Asset are required; System security role configuration; Asset assigned

– Access Provisioned; Access Tested; Privileges granted; Privileges Tested; Access Confirmed; Requester Confirmation; Verification received

– Access Established – closed; Ticket Closed; Access Request Closed

Ticket RemedyForce – Type System Administration:

– Ticket is for System Access Change

– No corporate or DCO Asset aligns to Request

– Claimed ticket – requires verification for system access profile

– SaaS resource assigned; Verification received

Control references:

– PO4 4.11 Segregation of Duties

– DS5 5.10 Network Security

– 1.04 Human Resources; On Boarding

– 7.02 Access to Programs and Data; New Hires

– 7.05 Access to Programs and Data; Administrative Access Provisioning

– DS5 5.3 Identity Management

– S_COM10.6 10.6.2 Security of network services

– S_HR8.1 8.1.1 Roles and responsibilities

– S_HR8.3 8.3.3 Removal of access rights

– DS8 8.3 Incident Escalation

Run Monthly Match for Workday Hire/Term, RemedyForce Record, AD Properties

It’s as easy as 1-2-3
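The monthly three-way match described above, together with the two-day disabled-account confirmation from Step One, as an added Python example; this is not Ellie Mae's or Workday's code. The extracts, their field names and the shared worker_id key are constructed assumptions for illustration.

```python
from datetime import date, timedelta

# Constructed sample extracts (not real Ellie Mae data). Field names are
# assumptions for this example; each extract is assumed to carry a worker_id.
WORKDAY = [  # Workday hire/term report
    {"worker_id": "W001", "event": "Term", "effective": date(2013, 3, 1)},
    {"worker_id": "W002", "event": "Term", "effective": date(2013, 3, 10)},
    {"worker_id": "W003", "event": "Hire", "effective": date(2013, 3, 4)},
    {"worker_id": "W004", "event": "Term", "effective": date(2013, 3, 30)},
]
TICKETS = [  # RemedyForce "User Account Access" tickets tied to a worker
    {"worker_id": "W001", "ticket": "RF-1001"},
    {"worker_id": "W003", "ticket": "RF-1002"},
    {"worker_id": "W004", "ticket": "RF-1003"},
]
AD = [  # Active Directory snapshot: is the account still enabled?
    {"worker_id": "W001", "enabled": False},
    {"worker_id": "W002", "enabled": True},
    {"worker_id": "W004", "enabled": True},
]
AS_OF = date(2013, 3, 31)   # snapshot date of the monthly evidence run
GRACE = timedelta(days=2)   # "two days post termination" confirmation window


def monthly_match(workday, tickets, ad, as_of):
    """Three-way match of Workday events, RemedyForce tickets and AD state.

    Returns (worker_id, finding) pairs; an empty list means every hire/term
    has a ticket and AD reflects it within the grace window."""
    ticketed = {t["worker_id"] for t in tickets}
    accounts = {a["worker_id"]: a for a in ad}
    findings = []
    for ev in workday:
        wid, acct = ev["worker_id"], accounts.get(ev["worker_id"])
        if wid not in ticketed:  # change happened with no ticket trail
            findings.append((wid, "no RemedyForce ticket for Workday event"))
        if ev["event"] == "Term" and acct is not None and acct["enabled"]:
            if as_of - ev["effective"] > GRACE:
                findings.append((wid, "AD account still enabled after term + 2 days"))
            else:
                findings.append((wid, "term within grace window; recheck next run"))
        elif ev["event"] == "Hire" and acct is None:  # access never provisioned
            findings.append((wid, "hire has no AD account"))
    return findings


if __name__ == "__main__":
    for wid, msg in monthly_match(WORKDAY, TICKETS, AD, AS_OF):
        print(wid, "-", msg)
```

Each finding maps to one of the evidence questions on the earlier slides: a missing ticket, an account still enabled past the two-day window, or a hire with no provisioned access.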

Workday: Reporting

When used in conjunction with Workday’s built in auditor roles, the reporting capability offers a self-service opportunity that reduces the burden on the business, and enables a more productive and effective approach to auditing the system of record.

Standard Report

Custom Reports

Workday: Reporting – Audit Evidence

• Delivered Reports

• Configurable, customizable

• Electronic Audit Evidence (PCAOB)

• Change Control

Enabling Continuous Auditing:

• Custom Reports

• Scheduling

• Alerts

Report Definition

Run History

Workday: Auditing of Events

Events create an audit trail including:

– Transactions

– Changes to security

– Changes to roles

– Changes to configuration

– Changes to report definitions

– And on and on…

View Audit Trail

Workday: In Summary, what auditors need to understand…

Workday combines the power of workflow, comprehensive security, robust reporting and pervasive auditing of events to achieve more effective internal control that is auditable.

Thank You!

Q & A

Your feedback is highly valued! Please complete your session surveys in the mobile application.