The COVID-19 pandemic compelled organizations to introduce new or enhanced technology solutions while shifting to a predominantly remote workforce. Meanwhile evolving complex and costly compliance efforts pressured key resources to demonstrate compliance and tackle auditor and regulatory requests.  

Audit Challenges

Keeping pace with audit requests can be challenging and vary between: 

• Having to decipher auditor request lists. 
• Feeling time pressure to finalize audit requests.  
• Demonstrating extracted data is accurate and complete and has not been altered. 
• Finding secure ways to share sensitive data with auditors. 
• Substantiating remediation of prior audit issues.  

Not to mention, the cost of compliance is trending up. A Gartner survey revealed that in 2020 external audit fee increases were reported as “sizable,” with 22% of overall survey respondents reporting “significant” audit fee increases of 6% or more. And in 2021 fees were increasing at 62% of organizations, driven by inflationary pressures, COVID-19 impacts, and acquisitions and divestitures. 

Firms leveraging Workday can find numerous solutions to some of their top audit challenges.

Workday Audit Innovation

Workday takes a leading-edge approach to business and operational challenges with an auditable control environment, self-documenting audit trails, and auditor self-service capabilities to help organizations demonstrate compliance and strive to reduce the cost of it.  

‘Always On’ Auditing

Workday’s “always-on” auditing capabilities means all system data including business process, configuration, and security changes are logged along with who made the change and when, as well as before and after values. This level of transparency is native to Workday and not universally available in other vendor workflow solutions. In addition, Workday has pre-configured auditor reports and dashboards that can show trends in real-time and a self-service mechanism for auditors.  

Auditor Self Service 

Auditors are more efficient when supplied with all the data they need. Delivered Workday security roles include audit roles for Finance and HR that allow transactions and their approval history to be inspected. Internal auditors have their regular employee roles supplemented with this access and external auditors can be added as contingent workers.   

Workday’s Auditor Self Service capabilities can reduce demand on employees and sometimes lower audit fees: 

• Auditors can create and run reports to generate their own transaction sample sets based on real-time data directly in Workday. 

• Auditors are empowered to answer all first-order questions themselves. 
• Workday can be accessed from anywhere, so audit testing can be executed remotely, reducing or eliminating auditor onsite time that may incur travel expenses.  

How CrossVue Can Help

CrossVue can enable Workday audit security roles for auditors and others in the organization. Workday’s pre-configured auditor dashboards include Segregation of Duties reports, SOX-related reporting, Security Audit reports, and Risk Indicator reports. Where needed, pre-configured auditor dashboards can be tailored to the organization to optimally reduce key risks. 

Control concepts and capabilities are built-in to the foundation of Workday, setting it apart from legacy solutions that approach controls as an afterthought. Workday contains powerful capabilities to address risks and concerns unique to each organization through the below key features:  

CrossVue can also determine a strategy for monitoring Workday activity to detect and resolve issues ahead of the auditors. Aside from the pre-configured Auditor dashboards, Workday delivered or custom reports and native logging/alerting functionality can be employed to notify key personnel of potential inappropriate activity prior to the auditors making the discovery.

As a starting point, management should monitor security activity (e.g., changes to security groups, domain security policies, business process security policies, user administration, etc.), configuration (e.g., set up of time calculations, compensation rules, etc.), key master data (e.g., employee, job/position, pay rates, etc.), and key transactional activity (e.g., new employee entry, off-cycle payments, etc.).   

Longer term, documented policies and procedures should be created to guide activity reviews. Documentation should include, but not be limited to, the frequency and timing of reviews, criteria for what constitutes an exception, appropriate resolution and escalation of exceptions noted, and retention of evidence. 

To maximize Workday audit functionality, contact CrossVue today.