ApplicationsWorkday

Harness the Power of Workday’s Business Process Framework

Payal ShahMichael De TelloChristie Kuo
June 16, 2021
6 min read

Workday business processes (BPs) are a set of configurable tasks or workflow steps to be performed, often by multiple system users, to complete a desired objective. Often referred to as the “engine of Workday,” effective business process design helps ensure a business can carry out its day-to-day activities efficiently and in a sound manner. The Workday business process framework is highly configurable and can be a powerful tool to enhance process automation and enforce control points. This blog outlines four key design considerations organizations should evaluate to successfully build Workday business processes.

Simplify business process design

Conditional logic is a powerful tool that is used to customize workflow approvals within Workday BPs. However, with more complex workflows, conditional logic can become difficult to understand and maintain. Therefore, it is best practice to simplify business processes wherever possible and minimize complex conditional logic. Organizations can leverage the following methods to help ensure simplified business process design:

  • Optimize conditional logic and required approvals – To ensure timely and correct processing of transactions, limit the number of required approvals within a single workflow – a good general rule is no more than three for a single transaction. This “rule of three” also applies to entry conditions for each business process step. Adding more entry conditions can make the business process difficult to understand and may result in transactions being processed without required approvals.
  • Create self-maintaining, system-derived conditional logic – For example, if business requirements dictate that expenses for a collection of cost centers require an additional level of approval, consider creating a cost center hierarchy and custom validation to automate this routing. The custom validation will help ensure the cost center is added as a worktag to all expense transactions, while the cost center hierarchy will allow routings to occur based on the hierarchy, rather than adding individual cost centers to the workflow. Using this method, the BP logic will remain stable even as the list of cost centers changes over time.
  • Leverage rule-based business processes – Rule-based BPs provide organizations flexibility in design to meet their requirements. These BPs also improve performance by evaluating condition rules once – rather than at each step, increase ease of business process maintenance and simplify the overall process design.

Segregate, initiate and approve responsibility

Wherever possible, organizations should design BPs to segregate initiating actions and approvals within the same business process. When there is no clear delineation between security groups that can initiate and approve a business process, organizations should leverage routing restrictions to ensure segregation of duties is maintained. This can be completed by selecting the business process approval step, selecting related actions > business process > maintain advanced routing and selecting the exclude initiator checkbox.

Operational and compliance requirements

Organizations should ensure that approvals are configured to optimize use of Workday rather than rely on manual processes outside of Workday. During Workday implementations or post-implementation optimization efforts, system capabilities should be reviewed in conjunction with SOX controls (or internal controls over financial reporting) and other compliance-related controls to identify where Workday’s business process framework and configuration options can automate internal control processes. For example, through an internal control automation assessment process, an organization may identify that a manual control performed outside of the system could be automated, standardized, and reported on using a new step in an existing BP. In addition, and especially during an implementation, an assessment of the available fields within the user interface of each business process should be performed. There are always opportunities to better leverage Workday available fields to centralize and standardize data about a transaction for the downstream control, reporting or review processes.

Restrict ‘correct’ access

Within the business process policy, security groups can be granted ‘correct’ access, which allows them to modify completed transactions. However, when a transaction is modified using ‘correct’ access, the modification does not retrigger the approval workflow. Workday customers often find it challenging to report and monitor corrected transactions. This overall process, however, is possible through custom reports, development of the associated monitoring process and thoughtful implementation of the control on the appropriate business processes. Granting ‘correct’ access presents a high risk that users can modify transactions inappropriately outside of the business process and with little oversight on the modified transaction, unless reporting and monitoring mechanisms are in place. To address this risk, consider the following:

  • Limit the use of ‘correct’ access – ‘Correct’ access should be limited to power users and minimized wherever possible due to risk of improper use or error during correction with little oversight. Many Workday users restrict the access to administrator security groups rather than allowing process owners to perform this action.
  • Document exceptions – Understand and document use cases for granting ‘correct’ access outside of administrator security groups. These can be based on individual use of Workday, team structure or business needs. ‘Correct’ access may be granted to business process owners. However, the reasons and use cases for allowing this high-risk function to be performed in Workday should be thoroughly understood, documented and approved prior to granting the access. Not only is this a good practice from a governance perspective, but it also facilitates knowledge sharing and training opportunities for Workday users to learn other ways or lower risk methods to achieve their transaction processing objective.
  • Configure workflow notifications – While not a hard stop, configuring custom notifications to alert system administrators when a transaction is corrected assists with visibility and aligns with defense in depth concepts.
  • Require comments – Set up the system to require an authorized user to provide an explanation when using the ‘correct’ action for a business process.
  • Develop and implement continuous monitoring controls – Develop custom reports to facilitate periodic monitoring of ‘correct’ access. Responsibility should be assigned to subject matter experts (SMEs), process owners or others who possess appropriate business knowledge to effectively monitor the high-risk transactions, but do not have the ability to correct transactions themselves.

Individually, the four best practice principles outlined above will enhance an organization’s ability to manage Workday business processes. Together, these principles will allow an organization to fully harness the power of Workday’s business process framework.

To learn more about our Workday consulting capabilities, contact us.

Payal Shah

Managing Director
Enterprise Application Solutions

View all posts

Michael De Tello

Manager
Enterprise Application Solutions

View all posts

Christie Kuo

Consultant
Technology Consulting

View all posts

You may also like

Subscribe to Topics

Protiviti Technology Follow

Protiviti leverages emerging technologies to innovate, while helping organizations transform and succeed by focusing on business value.

ProtivitiTech
protivititech Protiviti Technology @protivititech ·
18 Apr

Learn more about what GRC Managed Service is and what it can do for SAP S/4HANA and SAP cloud solutions in the latest #SAP Blog post. https://ow.ly/OMaL50RfsHw #ProtivitiTech

Reply on Twitter 1781035159438954997 Retweet on Twitter 1781035159438954997 Like on Twitter 1781035159438954997 Twitter 1781035159438954997
protivititech Protiviti Technology @protivititech ·
17 Apr

Protiviti is a proud sponsor of ServiceNow Knowledge 2024—a three-day conference all about #AI. Stop by our booth (#2503) to visit with our team and learn how the #ServiceNow platform makes business transformation possible. https://ow.ly/qa6p50Rh9wf

Reply on Twitter 1780627914964308382 Retweet on Twitter 1780627914964308382 Like on Twitter 1780627914964308382 Twitter 1780627914964308382
protivititech Protiviti Technology @protivititech ·
16 Apr

What is #DesignThinking? Could it help your organization? Find out how Protiviti uses it to help clients build net new applications and modernize legacy systems. https://ow.ly/fMK550Rfsoi #ProtivitiTech

Reply on Twitter 1780204913663873376 Retweet on Twitter 1780204913663873376 Like on Twitter 1780204913663873376 Twitter 1780204913663873376
protivititech Protiviti Technology @protivititech ·
15 Apr

Join our May 2 webinar designed for privacy and security professionals seeking to navigate the intricate nuances of data governance within the ever-evolving global regulatory landscape. Register today! https://ow.ly/hzrG50R4fTX #ProtivitiTech #DataPrivacy

Reply on Twitter 1779872392535212145 Retweet on Twitter 1779872392535212145 2 Like on Twitter 1779872392535212145 1 Twitter 1779872392535212145
protivititech Protiviti Technology @protivititech ·
12 Apr

The latest Technology Insights Blog post offers insight into the unique risks associated with Large Language Models (LLMs) and how to establish strategies to mitigate them. https://ow.ly/q3w550RfbXm #ProtivitiTech #TechnologyInsights

Reply on Twitter 1778890996282982442 Retweet on Twitter 1778890996282982442 Like on Twitter 1778890996282982442 Twitter 1778890996282982442
Load More