
Audit Report

Workday User Access Controls

The objective of the audit was to evaluate the design and operational effectiveness of user access controls for Workday, the City’s accounting and human resources software application.

 


Workday is a cloud-based software application for accounting and human resources management.

The City and County of Denver started using Workday in 2017 as its enterprise resource planning system for accounting functions and to manage human resources and payroll functions. Because Workday is cloud-based, the City’s more than 13,000 employees can access the application from any computer or mobile device through an internet connection.

This is our first information technology audit focusing on user access controls for the City and County of Denver’s Workday software application since the City started using Workday in 2017.

We determined the City did not establish effective oversight of Workday after the application was implemented, which has left several customer requirements unaddressed.

The City Has Not Established Comprehensive Oversight of Workday to Ensure Effective Controls for User Access

We found that, because the City has not established comprehensive governance over Workday since its implementation two years ago and because the City has not established necessary internal controls to protect user access:

  • The City lacks documented policies and procedures for Workday user access;

  • Agencies are inconsistent in how they add new users and privileged users in Workday;

  • The City performs no periodic reviews of user access other than for the proxy users of its test environments; and

  • The City has not fully established a consistent review process related to conflicting job roles and the appropriate segregation of duties in Workday business processes.

1.1 Establish the Governance Committee’s Authority – The City’s Technology Services agency should collaborate with the Office of Human Resources and the Department of Finance to obtain the appropriate authority over Workday processes and procedures and to implement effective controls over user access as soon as possible for all agencies that use Workday. A committee could be established to incorporate input from each City agency to ensure consistent coverage citywide.

Agency Response: Agree, Implementation Date – June 30, 2019

1.2 Implement Complementary Customer Control Considerations – After implementing Recommendation 1.1, the City’s Technology Services agency should work with the established governance committee to develop and implement controls as soon as possible to address the complementary customer considerations outlined in the 2018 Workday service organization controls report.

Agency Response: Agree, Implementation Date – June 30, 2019

1.3 Perform Annual Review of Complementary Customer Control Considerations – After implementing Recommendation 1.2, the governance committee should incorporate an annual review of the complementary customer control considerations from future Workday service organization controls reports to ensure the City maintains effective internal controls for the application.

Agency Response: Agree, Implementation Date – June 30, 2019

1.4 Develop and Implement Policies and Procedures – After implementing Recommendation 1.1, the governance committee should develop and implement policies and procedures for user access as soon as possible. These policies and procedures should be based on standards in the National Institute of Standards and Technology’s Special Publication 800-53, fourth revision, to further prevent inconsistencies in how user access is maintained.

Agency Response: Agree, Implementation Date – June 30, 2019

1.5 Develop and Implement Procedures for Segregation-of-Duties Considerations – After implementing Recommendation 1.4, the governance committee should incorporate guidance as soon as possible so that agencies’ considerations of segregation of duties are documented and tested by the agency responsible whenever there is a change to a Workday business process.

Agency Response: Agree, Implementation Date – August 31, 2019

Follow-up report

A follow-up report is forthcoming. 

Other related reports

None at this time.

Audit Team: Jared Miller, Nicholas Jimroglou, Brian Cheli, Joe Ebiziem, Kevin Sear