Harness the Power of Workday’s Business Process Framework

Workday business processes (BPs) are a set of configurable tasks or workflow steps to be performed, often by multiple system users, to complete a desired objective. BPs are often referred to as the “engine of Workday,” and effective business process design helps ensure a business can carry out its day-to-day activities efficiently and in a sound manner. The Workday business process framework is highly configurable and can be a powerful tool to enhance process automation and enforce control points. This blog outlines four key design considerations organizations should evaluate to successfully build Workday business processes.

Simplify business process design

Conditional logic is a powerful tool that is used to customize workflow approvals within Workday BPs. However, with more complex workflows, conditional logic can become difficult to understand and maintain. Therefore, it is best practice to simplify business processes wherever possible and minimize complex conditional logic. Organizations can leverage the following methods to help ensure simplified business process design:

  • Optimize conditional logic and required approvals – To ensure timely and correct processing of transactions, limit the number of required approvals within a single workflow – a good general rule is no more than three for a single transaction. This “rule of three” also applies to entry conditions for each business process step. Adding more entry conditions can make the business process difficult to understand and may result in transactions being processed without required approvals.
  • Create self-maintaining, system-derived conditional logic – For example, if business requirements dictate that expenses for a collection of cost centers require an additional level of approval, consider creating a cost center hierarchy and custom validation to automate this routing. The custom validation will help ensure the cost center is added as a worktag to all expense transactions, while the cost center hierarchy will allow routings to occur based on the hierarchy, rather than adding individual cost centers to the workflow. Using this method, the BP logic will remain stable even as the list of cost centers changes over time.
  • Leverage rule-based business processes – Rule-based BPs provide organizations flexibility in design to meet their requirements. These BPs also improve performance by evaluating condition rules once rather than at each step, make business processes easier to maintain and simplify the overall process design.

Segregate initiate and approve responsibility

Wherever possible, organizations should design BPs to segregate initiating actions and approvals within the same business process. When there is no clear delineation between security groups that can initiate and approve a business process, organizations should leverage routing restrictions to ensure segregation of duties is maintained. This can be completed by selecting the business process approval step, selecting related actions > business process > maintain advanced routing and selecting the exclude initiator checkbox.

Operational and compliance requirements

Organizations should ensure that approvals are configured to optimize use of Workday rather than rely on manual processes outside of Workday. During Workday implementations or post-implementation optimization efforts, system capabilities should be reviewed in conjunction with SOX controls (or internal controls over financial reporting) and other compliance-related controls to identify where Workday’s business process framework and configuration options can automate internal control processes. For example, through an internal control automation assessment process, an organization may identify that a manual control performed outside of the system could be automated, standardized, and reported on using a new step in an existing BP. In addition, and especially during an implementation, an assessment of the available fields within the user interface of each business process should be performed. There are always opportunities to better leverage Workday’s available fields to centralize and standardize data about a transaction for the downstream control, reporting or review processes.

Restrict ‘correct’ access

Within the business process policy, security groups can be granted ‘correct’ access, which allows them to modify completed transactions. However, when a transaction is modified using ‘correct’ access, the modification does not retrigger the approval workflow. Workday customers often find it challenging to report and monitor corrected transactions. Reporting and monitoring are possible, however, through custom reports, development of the associated monitoring process and thoughtful implementation of the control on the appropriate business processes. Granting ‘correct’ access presents a high risk that users can modify transactions inappropriately outside of the business process and with little oversight on the modified transaction, unless reporting and monitoring mechanisms are in place. To address this risk, consider the following:

  • Limit the use of ‘correct’ access – ‘Correct’ access should be limited to power users and minimized wherever possible due to the risk of improper use or error during correction with little oversight. Many Workday users restrict the access to administrator security groups rather than allowing process owners to perform this action.
  • Document exceptions – Understand and document use cases for granting ‘correct’ access outside of administrator security groups. These can be based on individual use of Workday, team structure or business needs. ‘Correct’ access may be granted to business process owners. However, the reasons and use cases for allowing this high-risk function to be performed in Workday should be thoroughly understood, documented and approved prior to granting the access. Not only is this a good practice from a governance perspective, but it also facilitates knowledge sharing and training opportunities for Workday users to learn other ways or lower risk methods to achieve their transaction processing objective.
  • Configure workflow notifications – While not a hard stop, configuring custom notifications to alert system administrators when a transaction is corrected assists with visibility and aligns with defense-in-depth concepts.
  • Require comments – Set up the system to require an authorized user to provide an explanation when using the ‘correct’ action for a business process.
  • Develop and implement continuous monitoring controls – Develop custom reports to facilitate periodic monitoring of ‘correct’ access. Responsibility should be assigned to subject matter experts (SMEs), process owners or others who possess appropriate business knowledge to effectively monitor the high-risk transactions, but do not have the ability to correct transactions themselves.
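
As an added illustration (not from the original post and not Workday-supplied code), the periodic review described above can be scripted against an export of a custom report of corrected transactions. The column names, security group names, exception list and sample rows below are all constructed assumptions; map them to the fields of your own report.

```python
import csv
import io

# Constructed sample of an exported custom report; column names are assumptions.
SAMPLE_REPORT = """transaction_id,business_process,initiated_by,corrected_by,corrector_group,correction_comment
EXP-1001,Expense Report,asmith,hradmin1,HR Administrator,Fixed cost center worktag per ticket 42
EXP-1002,Expense Report,bjones,bjones,Expense Partner,
SUP-2001,Supplier Invoice,cdoe,fowner1,Finance Process Owner,Corrected invoice date
SUP-2002,Supplier Invoice,dlee,fowner1,Finance Process Owner,
"""

# Administrator groups allowed to correct any BP (assumed names).
ADMIN_GROUPS = {"HR Administrator", "Finance Administrator"}
# Documented and approved exceptions: (business process, security group) pairs.
DOCUMENTED_EXCEPTIONS = {("Supplier Invoice", "Finance Process Owner")}


def review_corrections(report_text, reviewer):
    """Return {transaction_id: [findings]} for corrections needing follow-up."""
    findings = {}
    for row in csv.DictReader(io.StringIO(report_text)):
        issues = []
        group = row["corrector_group"].strip()
        bp = row["business_process"].strip()
        # Limit 'correct' access: admin groups or a documented exception only.
        if group not in ADMIN_GROUPS and (bp, group) not in DOCUMENTED_EXCEPTIONS:
            issues.append("corrector group not authorized for this BP")
        # Require comments: every correction needs an explanation.
        if not row["correction_comment"].strip():
            issues.append("missing correction comment")
        # Corrections do not retrigger approval, so self-correction skips review.
        if row["corrected_by"].strip() == row["initiated_by"].strip():
            issues.append("initiator corrected own transaction")
        # The monitor must not be someone who can correct transactions.
        if row["corrected_by"].strip() == reviewer:
            issues.append("reviewer performed this correction")
        if issues:
            findings[row["transaction_id"]] = issues
    return findings


if __name__ == "__main__":
    results = review_corrections(SAMPLE_REPORT, reviewer="sme_reviewer")
    for txn, issues in results.items():
        print(txn, "->", "; ".join(issues))
```
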

Individually, the four best practice principles outlined above will enhance an organization’s ability to manage Workday business processes. Together, these principles will allow an organization to fully harness the power of Workday’s business process framework.

To learn more about our Workday consulting capabilities, contact us.

Payal Shah

Director
Technology Consulting - Enterprise Application Solutions

Michael De Tello

Manager
Enterprise Application Solutions

Christie Kuo

Consultant
Technology Consulting
