Most companies have auditing or corporate governance in place to minimize risk; in the HCM world areas that often require auditing are processes and procedures that relate to hiring, pay changes and terminations. These are areas where fraud can occur, such as the hire/term of a 'ghost' employee, or pay increases that are not authorized.
How do you audit business processes in Workday?
Similar to how there are many routes into a city, there are a variety of ways to get this job done. In our case, our Compliance department decided that these 4 Workday BPs should be audited quarterly:
-Hire
-Change Job
-Request Compensation Change
-Termination
Our Compliance department does not state 'how' you need to do a job, but instead they have requirements of what is necessary to prove at the end. Their requirement from us is to 'show that no unauthorized changes occur on the business processes.'
How do we do this?
Our locked down Word documents are the 'golden copy' and our Workday business processes should always mirror the same tasks, performed by the same roles, with the same conditional logic, etc.
So for each audit, it's a matter of using the Excel button in Workday to download each BP and then bringing our Word documentation steps into this Excel and manually going line by line to make sure that they match on 'who,' 'what' and 'how'.
Isn't there an easier way?
You'd think there should be, as WD always highlights the audit aspects of their system. So I set out to find a way to do this task in a more efficient manner than I just described. In addition, back in the early days of my career, as an auditor myself, it was always easier to pass a process which was locked down systematically and performed automatically, as opposed to one that someone had to remember to do and where eyes can sometimes miss a line or a step.
Here are some items that I looked into:
1. Use the 'Audit trail' feature
One of the nice things about Workday is that it has a built-in audit trail automatically turned on. So while you're on a page, such as the Hire BP, you can click through to "View Audit Trail" and see an audit trail for the object:Does this solve my problem?
Unfortunately, no. While it will cover the 'big things' like if a step or notification is added/deleted it does not show the changes if a step is edited, for example.
2. Use the 'View User or Task or Object Audit Trail' report
This one looked promising, like it would allow you to audit all BPs for changes at once, rather than individually per process. (We'd like to be able to edit more than the four I previously specified, but using the manual method did not justify the risk.)Here's what this one looks like:
When you run it in a Sandbox environment it looks quite interesting showing new value, old value, the operator who made the change, date/time stamp, etc.
Does this solve my problem?
Unfortunately, no. When I ran this one in Production for a one month time frame, I got the message: "The number of transactions found in the specified time range exceeds the report limit of 50,000. Please narrow the time range and try again." Looking on Workday's Customer Connection, it seems that others have the same experience. It seems that something is not indexed correctly or there is some other issue that you're filtering through all transactional audited data rather than only the BP audit data. Those could perhaps be workable if you're a smaller company or have less transactional data or are only auditing on a very narrow time frame, such as a week.
So now what?
I turned to the trusted Workday Community, with the hope that some brighter mind than me has come up with an awesome solution. It seems that the question has been asked many times in the customer forums over the past few years so I sifted through the responses with high hopes.There are some newer features and customers have presented some ideas. I will not bore you with these in the meantime, but the above was meant to illustrate the types of steps that you need to do as a Workday customer to meet a basic business requirement when it's not delivered out of the box.
You would also need to audit the other actions like Edit Step, Edit Notifications, Edit Conditional Rule, etc.. Also, The report limit is on the XLS Output, and not on the ouput itself. If you where to opt for a CSV output, the limit would be 1 000 000 rows.
ReplyDeleteI would recommend to opt for a custom report on the "Processed Transactions for Range, System Account, Task and Business Object" Data source, where you would add some filters to only look a the specific objets and actions you want to ouput in it.
Regards,
Ben