peopletechguide.com

Tag: workday financial compliance

  • Protecting the Books in Workday

    Protecting “the books” in Workday is about more than turning on security. It is about designing Finance securitySegregation of Duties (SoD) and approval controls so that no single person can manipulate critical transactions end‑to‑end, while finance teams can still close the books on time. Workday provides a strong internal control framework—role-based security, domain policies, business process security and audit capabilities—but the value comes from how they are combined.​

    This guide walks through practical patterns Workday practitioners use to protect financial data without locking down the system.

    Understand the Workday security model for finance

    Workday security has three main layers that matter for finance:​

    • Security Groups and Roles
      • Role-Based Security Groups (RBSGs): group users by role (for example, AP Specialist, GL Accountant, Cash Manager, Financial Analyst).​
      • User-Based Security Groups: for specific high‑privilege users (for example, Workday Finance Admin).
      • These groups determine who can access which data and tasks.
    • Domain Security Policies
      • Control access (view, modify, report, integration) to data domains like Journals, Supplier Invoices, Banking, Revenue, Assets.​
      • Govern what data users can see and change—core for protecting the books.
    • Business Process Security Policies
      • Control who can initiate, approve, review and cancel steps in financial processes such as Create Supplier InvoiceCreate JournalBank SettlementAsset Disposal.​

    Together, these determine who can do whatto which data, and in which process steps. Designing them intentionally is what keeps financial controls strong.​

    Build segregation of duties into the model

    Segregation of Duties (SoD) is about ensuring no single user can both initiate and complete high‑risk financial activities (for example, create a supplier and pay them, or create a journal and post it).​

    Key SoD principles for Workday Finance:

    • Separate setup from execution
      • Different roles for configuring Suppliers vs processing Supplier Invoices.
      • Separate bank account maintenance from payment processing.​
    • Separate initiation from approval
      • The person who creates a journal, invoice, payment or asset disposal should not be the only person who can approve or post it.​
    • Limit “super user” roles
      • Avoid giving broad finance admin roles to many users. Restrict them to a very small, monitored group.​

    Practical steps:

    • Define a SoD rule set for finance that lists incompatible duties (for example, “Create Supplier” + “Approve Payment”, “Create Journal” + “Approve Journal”).​
    • Map those rules to Workday security groups and business process roles to ensure no single user holds conflicting roles.​
    • Use tools (Workday reports or marketplace/partner apps) to continuously scan for SoD conflicts in assignments.​

    SoD should be a design constraint from the beginning, not a cleanup exercise after go‑live.​

    Approval controls: business processes that actually protect value

    Workday’s Business Processes are where you embed practical approval controls for finance. The aim is to design workflows that:

    • Enforce SoD (no self‑approval of high‑risk steps).
    • Provide visibility to the right stakeholders.
    • Do not create unnecessary bottlenecks.​

    Examples:

    • Supplier Invoices
      • Initiation by AP or employees (for invoice requests).
      • Approval by cost center managers or project owners based on Worktags and thresholds.
      • Optional second-level approval for invoices over certain amounts or for sensitive Spend Categories.​
    • Journals
      • Initiation by GL Accountants or specific business units.
      • Approval and posting by a different user or by Controllers based on amount or account type.​
    • Bank Payments / Settlements
      • Payment runs initiated by AP or Treasury.
      • Approval of payment batches by authorized signers, potentially with dual approval for large batches.​

    Design tips:

    • Configure conditional steps so approvals vary by company, region, threshold or Worktag (for example, certain Spend Categories always require Finance review).​
    • Use routing rules to avoid initiators approving their own high‑risk actions.​
    • Keep the number of approval steps minimal but meaningful; too many steps encourage pressure to bypass controls.

    Approved business process histories become part of your audit trail, so they are as much a control as domain security.​

    Use tools and automation for SoD and control monitoring

    Given how dynamic Workday roles and organizations can be, manual SoD monitoring quickly becomes unsustainable. Many organizations use:

    • Workday’s own reporting and audit tools
      • Custom reports to analyze domain and business process security assignments against SoD rules.​
      • Dashboards to visualize high‑risk access, recent changes and audit findings.​
    • Marketplace and partner solutions
      • SoD and sensitive access apps in Workday Marketplace (for example, Segregation of Duties and Sensitive Access solutions) to detect conflicting access.​
      • Partner tools like PwC, KPMG, Pathlock or Kainos to automate risk analysis, rulesets and continuous monitoring.​

    Best practices:

    • Run SoD analysis after major org or role changes, not just annually.​
    • Document and approve exceptions (for example, in small entities) with compensating controls like extra approvals or post‑transaction review.​
    • Include SoD and finance security in your internal audit plan and test it regularly.​

    Automation reduces the risk that quietly accumulating access conflicts undermine your internal control environment.​

    Make security and controls usable for finance

    Controls fail when they fight day‑to‑day work. To avoid this:

    • Design with finance users in the room
      • Involve Controllers, AP, AR, Treasury and FP&A in shaping roles and approvals so they match reality.​
    • Keep roles meaningful and comprehensible
      • Use clear naming for finance roles (for example, “AP Specialist – US”, “GL Accountant – EMEA”) instead of generic names that confuse ownership.​
    • Train on “why,” not just “how”
      • Explain to finance teams how security groups, SoD and approvals protect them and the organization (fraud prevention, audit readiness, reputation).​
      • Show how to read business process histories and audit logs when investigating issues.​

    When finance understands and supports the control design, “no access” becomes a signal to fix role design, not to bypass the system.

    Protecting the books in Workday is ultimately about balance: designing Finance securitySoD and approval controls robust enough to satisfy auditors and regulators, but streamlined enough that month‑end still closes on schedule. When roles, domains, business processes and monitoring work together, Workday turns into a controlled, transparent platform where financial integrity is built into every transaction.

  • Tax and Compliance in Workday Financials

    Tax and compliance in Workday Financials is not just a “settings” exercise. It is about using Workday’s tax framework, period close tools and audit capabilities so transactions are taxed correctly, books close on time and auditors can follow the trail without spreadsheets. Workday’s global tax framework, accounting rules and internal control features are built for exactly this, but only pay off when design is intentional.​

    This guide covers three pillars: Tax RulesPeriod Close, and Audit‑Ready Reporting for Workday Financials.

    1. Design a tax framework before touching configuration

    Start with your tax footprint:

    • In which countries do you operate, and which taxes apply (VAT, GST, sales tax, withholding, local levies)?
    • Which transactions need tax (supplier invoices, customer invoices, expenses, P‑Card, journals)?
    • Which roles own tax configuration and sign-off (indirect tax, corporate tax, local controllers)?​

    Workday’s tax framework lets you:

    • Configure Tax AuthoritiesTax Rates and Tax Categories per jurisdiction.​
    • Embed tax logic into Posting Rules and transaction‑level determination so tax is calculated automatically based on rules, not manual selection.​

    Good practice is to mirror your tax policy and compliance needs in Workday as configurations, not workarounds.

    2. Configure tax rules for real transactions, not edge cases

    In Workday, tax logic is driven by a combination of:

    • Tax Authority and Regime – the jurisdiction and overarching rules.
    • Tax Rates – standard, reduced, zero, exempt, etc., effective-dated.
    • Tax Categories – how items are treated for tax (for example, Goods – Standard, Services – Reduced).​

    Key design decisions:

    • For AP and Procurement: decide how tax is determined from Supplier, Ship‑To location, Spend Category and Company. Indirect tax rules can be embedded in posting rules so the right tax code applies automatically.​
    • For AR and Billing: configure tax rules based on Customer, Sold‑To/Ship‑To, Product/Revenue Category and contract terms.​
    • For Expenses: define which Expense Items are taxable and whether tax is recoverable or not, country by country.​

    Patterns that work:

    • Use rule‑based tax determination so end‑users rarely pick tax codes manually.​
    • Keep tax rate tables clean and effective‑dated; avoid leaving old rates active.​
    • Centralize maintenance of tax rules under tax specialists, not general finance users.

    This reduces mis‑taxed transactions and manual corrections, especially for cross‑border or multi‑rate environments.​

    3. Period close: build discipline into Workday, not outside it

    Workday includes tools to support a structured period close: calendar management, validations, reconciliations and workflow.​

    Core close elements:

    • Ledgers and Periods – define fiscal calendars and periods at Company and Ledger level, with clear open/close states.​
    • Close checklists – many organizations use Workday reports combined with internal checklists (for example, unreconciled accounts, unposted journals, orphaned CIP, tax accruals).​
    • Validations and Posting Rules – enforce that only valid Worktag and tax combinations post, reducing cleanup at month‑end.​

    Best practices from efficient closes:

    • Use Workday’s period close orchestration (tasks, assignments and reminders) to track which teams have completed their steps—AP, AR, Projects, Assets, Tax.​
    • Lock periods progressively: close subledger activity (AP/AR/Projects) before final GL journal posting.​
    • Embed tax accruals and tax control checks into the close (for example, VAT/GST payable vs returns, deferred tax where applicable).​

    When close routines live in Workday instead of spreadsheets, it becomes easier to shorten close cycles and demonstrate control to auditors.​

    4. Make audit and compliance part of the design, not an afterthought

    Workday provides built‑in capabilities for internal controlsaudit trails and compliance reporting.​

    Key features to leverage:

    • Audit Logs and History
      • Workday retains change history for configurations, master data and many transactions (who changed what, when).
      • Use these logs and standard reports during audits to show the lifecycle of key changes (for example, tax rates, posting rules).​
    • Segregation of Duties (SoD) and Access Reviews
      • Combine security model design (domain and role‑based security) with periodic reviews to show that no one person can both configure tax and process high‑risk transactions end‑to‑end.​
    • Compliance and Certifications
      • Workday itself undergoes third-party security and compliance assessments (for example, SOC, ISO), which you can reference in your control framework.​

    Practical steps:

    • Maintain a Risk and Controls Matrix that maps Workday processes (including tax setup and period close) to specific controls and report evidence.​
    • Use targeted reports rather than raw data dumps for auditors—for example, “Tax rate change log”, “Journal entries posted after close”, “User access to tax configuration domains”.​

    This reduces audit time and avoids last‑minute scrambles for evidence.

    5. Build audit-ready tax and financial reporting

    Finally, design reports that answer the questions tax authorities, regulators and auditors will actually ask. Workday’s reporting and analytics engine can support this if wired correctly.​

    Examples:

    • Indirect tax (VAT/GST/Sales tax) reports
      • Summaries of taxable base, tax collected, tax paid and net payable by jurisdiction.
      • Drill‑through from summary to transaction level, showing Customer/Supplier, invoice, tax rate and Worktags.​
    • Statutory reporting
      • Local GAAP/IFRS P&L and Balance Sheet by Company using the relevant Ledger and Worktags.​
      • Tax‑sensitive accounts clearly split (for example, VAT payable vs receivable, income tax expense vs deferred tax).
    • Internal compliance and exception reports
      • Transactions missing tax where it should apply, or with unusual tax codes.​
      • Journals posted directly to tax accounts (bypassing standard flows) for investigation.
      • Close-status dashboards showing outstanding reconciliations or unapproved journals.​

    Design these reports once, then reuse them every period and every audit.

    When you treat Tax RulesPeriod Close and Audit‑Ready Reporting as an integrated design problem in Workday Financials, compliance stops being a manual overlay and becomes part of how the system runs. Tax is determined and posted by rules, closes follow a repeatable pattern, and auditors can see end‑to‑end evidence inside Workday rather than scattered across spreadsheets and emails.