DENVER – After implementing a new software application in 2017 to manage and integrate important day-to-day financial and human resource functions, the city failed to put effective controls and comprehensive oversight in place to ensure its more than 13,000 employees had only the access they needed for their positions, according to an audit out this month from Denver Auditor Timothy M. O’Brien, CPA.
“When Workday was implemented two years ago, it was a sweeping change for how we do business internally in the city,” Auditor O’Brien said. “But in the extensive implementation efforts, some of the key ongoing quality control steps and organizational oversight of the application controls were missed.”
Workday is a cloud-based software application for accounting and human resources management. The audit evaluated the design and operational effectiveness of controls over all user access by city personnel, including how each agency adds, removes, and reviews user access.
The audit team found the city needs to establish comprehensive oversight of Workday. At the time of the audit, policies for granting and reviewing access varied from city agency to city agency. The audit found inconsistent processes for how agencies add new users and how they conduct reviews of user access.
The city failed to implement Workday’s recommended controls for its customers, called “complementary customer control considerations,” which increases the risk that the city’s data in Workday could be accessed by unapproved users. We attribute the lack of a prescribed method for implementing the complementary controls, and the resulting inconsistencies, to the fact that no city agency owns the application itself. Without centralized ownership, each agency has developed its own procedures.
For example, agencies are inconsistent in how they add new users and privileged users in Workday, and access was granted for some privileged users without documented approval.
The city first grants users access to Workday during the hiring process. Because the city lacks consistent, documented citywide policies and procedures for this step, one prospective employee retained an active Workday account, including network access, for 90 days after declining a job offer. In another instance, the audit team found agencies using email correspondence as the only approval record for Workday access requests for five new users.
The audit team also found that some “proxy users,” meaning users who hold administrative access in the Workday test environments, had not been properly authorized.
The audit team recommended an annual review of Workday’s complementary customer control considerations. It also noted that the city has no formal policy requiring periodic reviews of user access. The city’s Technology Services agency has taken steps to review one user group, the proxy users, but we found no evidence of any other city agency performing user access reviews.
The city also has not fully established a consistent process for reviewing conflicting job roles and the segregation of duties within Workday business processes. (A business process is a set of tasks that employees can initiate, act on, or complete to accomplish a desired objective, such as approving expenses.) Consistent reviews matter because a change to one business process can create a segregation-of-duties conflict in a different business process.
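The three access-review checks the audit describes (stale candidate accounts, privileged access without documented approval, and conflicting business-process roles, including conflicts introduced when a role in one process is added to a user who already holds a role in another) can be expressed as a small script run over a user export. The following Python is an added example and is not part of the audit report, nor Workday’s own tooling or API. The record layout, the role names, the segregation-of-duties conflict pairs, the review date and the sample users are all constructed assumptions chosen to mirror the findings above.

```python
"""Access-review checks over a constructed Workday-style user export.

Added example, not part of the audit report and not Workday's own tooling.
The record layout, role names, SoD conflict pairs and sample users below
are assumptions chosen to illustrate the findings discussed in the text.
"""
from __future__ import annotations

from datetime import date

# Constructed sample export (assumed layout; not real city data).
USERS = [
    {"user_id": "jdoe", "status": "active", "employment": "hired",
     "decision_date": date(2019, 3, 4), "privileged": False,
     "approval": "ticket", "roles": ["Expense Initiator"]},
    {"user_id": "asmith", "status": "active", "employment": "declined",
     "decision_date": date(2019, 1, 2), "privileged": False,
     "approval": "ticket", "roles": ["Expense Initiator"]},
    {"user_id": "bjones", "status": "active", "employment": "hired",
     "decision_date": date(2018, 11, 12), "privileged": True,
     "approval": "email", "roles": ["Security Administrator"]},
    {"user_id": "clee", "status": "active", "employment": "hired",
     "decision_date": date(2018, 6, 1), "privileged": False,
     "approval": "ticket", "roles": ["Expense Initiator", "Expense Approver"]},
    {"user_id": "dkim", "status": "inactive", "employment": "declined",
     "decision_date": date(2018, 12, 20), "privileged": False,
     "approval": "ticket", "roles": []},
]

# Assumed review date for the constructed data.
REVIEW_DATE = date(2019, 4, 2)

# Assumed SoD conflict matrix: a user holding both roles in a pair can
# initiate and approve the same business process.
SOD_CONFLICTS = {
    frozenset({"Expense Initiator", "Expense Approver"}),
    frozenset({"Hire Requester", "Hire Approver"}),
    frozenset({"Payroll Input", "Payroll Approver"}),
}

# Approval evidence the reviewer accepts. The audit treated e-mail
# correspondence alone as insufficient, so only a tracked ticket counts here.
DOCUMENTED_APPROVAL = {"ticket"}


def stale_candidate_accounts(users, as_of, max_days=0):
    """Active accounts belonging to candidates who declined an offer.

    Returns (user_id, days_active_since_decision) for every account still
    active more than max_days after the decision date.
    """
    stale = []
    for u in users:
        if u["status"] != "active" or u["employment"] != "declined":
            continue
        days = (as_of - u["decision_date"]).days
        if days > max_days:
            stale.append((u["user_id"], days))
    return stale


def unapproved_privileged(users):
    """Privileged accounts with no documented approval record."""
    return [u["user_id"] for u in users
            if u["privileged"] and u["approval"] not in DOCUMENTED_APPROVAL]


def sod_conflicts(roles, conflicts=SOD_CONFLICTS):
    """Conflicting role pairs present in one user's role set."""
    held = set(roles)
    return sorted(tuple(sorted(pair)) for pair in conflicts if pair <= held)


def sod_conflicts_by_user(users, conflicts=SOD_CONFLICTS):
    """Map of user_id -> conflicting pairs, for users that have any."""
    found = {u["user_id"]: sod_conflicts(u["roles"], conflicts) for u in users}
    return {uid: pairs for uid, pairs in found.items() if pairs}


def conflicts_introduced_by(roles, new_role, conflicts=SOD_CONFLICTS):
    """SoD conflicts that granting new_role would add to an existing role set.

    This is the cross-process check the text calls for: a change to one
    business process is evaluated against every role the user already holds.
    """
    before = set(sod_conflicts(roles, conflicts))
    after = set(sod_conflicts(list(roles) + [new_role], conflicts))
    return sorted(after - before)


if __name__ == "__main__":
    print("stale candidate accounts:", stale_candidate_accounts(USERS, REVIEW_DATE))
    print("privileged without documented approval:", unapproved_privileged(USERS))
    print("SoD conflicts:", sod_conflicts_by_user(USERS))
    print("granting Expense Approver to jdoe adds:",
          conflicts_introduced_by(["Expense Initiator"], "Expense Approver"))
```

The conflict matrix is deliberately a separate data structure from the user export: the point of the cross-process check is that it is evaluated at the time a role is added, not only during a periodic review, so the same `conflicts_introduced_by` call belongs in the access-request workflow as well as in the annual review.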
“This is an important technical issue for the city to get right,” Auditor O’Brien said. “Although the lack of organized oversight might not have led to inappropriate access yet, not addressing this quickly leaves the opportunity for future problems.”
Technology Services thanked the Auditor’s Office for the ideas to improve quality control, and the agency agreed to immediately start implementing all recommendations.