With Workday Financials gaining popularity thanks to its customization capabilities, we expect that organizations who have adopted Workday will have their hands full addressing the growing regulatory requirements, particularly around documentation of system controls.

All your departments are affected

Surely, we expect that Corporate Finance, Accounting, and Internal Audit departments will be pressured from management and regulatory bodies to maintain tight controls and processes in response to the adoption of highly configurable solutions like Workday. This is because Workday customers have full ownership and ability to make changes that have material upstream impacts on financial statement reporting to investors.

However, it’s important to note that this will also affect all your departments that interact with Finance and Accounting functions, including your Shared Services, Information Technology, Legal, Valuation, and third-party administrators, and others.

A digital footprint in Workday

Workday has done extremely well by developing an audit trail of changes to every record, configuration, and policy into its platform. The historical log of changes certainly is one of the system’s core strengths. In fact, you can’t even delete instances within the platform. Simply because wiping your history is just not a concept that exists in the world of Workday. Instead, you would need to correct, inactivate, or adjust the component that you’re looking to change.

Let’s take this example: The bank settlement details for one of your suppliers is incorrect. Rather than deleting this, Workday provides the option to “inactivate” or overwrite the details with the correct data for the existing line item. When that item is changed, Workday retains a record of this change activity: the old value, new value, who changed it, and when. 

But what’s missing?

It would be nice if Workday delivered a report that captures the changes to security roles which have the ability to impact financial data. This is an important consideration if you’re familiar with the power of Workday’s security model. A role assignment within the system is not as one-dimensional as providing Sally Hansen the ability to record revenue entries. Such requests should be taken with careful evaluation of the various processes, domains, or functions allowed within that role due to the upstream impacts.

As an example, you may want your payroll processor to post monthly payroll accruals. A seemingly basic function, which is allowed through Workday’s delivered Accountant role to create journal entries. However, you may hesitate before assigning this role as it also allows users to also create cash payments. You can see where things can get complex because someone who has access to both cash and payroll would represent a clear violation of segregation of duties. This would obviously be subject to criticism during an audit as a weakness in the firm’s internal control structure, and required to be remediated to obtain a clean opinion on the financial statements. Therefore, you may want to segment access by creating a new security group with specific access just to post journal entries before deciding to assign roles with core Finance functions.

It goes without saying that the Security Administrator is a very powerful role, one with the ability to change and administer any role within the system without restraint.

So if you don’t have something similar already, it’s worthwhile to create a custom report showing security changes to those key Finance roles. You can hand the report off to senior management, internal and external auditors, and not only will you be addressing a key risk area, but you also gain visibility to what your teams are doing, and you can really manage your people’s roles in a highly configurable platform like Workday.