Confessions of a Recovering Auditor: Why Enterprise Software with Poor Controls is Bad for Your Health

Let me start with full disclosure: I am a recovering auditor. I began my career as an accountant with the former Deloitte Haskins & Sells in San Francisco. Disclaimers done and dusted, you’ll understand why I’m passionate about the business of audit, compliance, governance, and controls.

Audit and control haven’t always been the biggest concerns for businesses evaluating enterprise software. They typically haven’t viewed these functions as mission critical as transaction processing, as visible as financial reporting, or as intriguing as analytics.

In fairness, years ago in the world before Sarbanes-Oxley, there was little need for companies to dig deeply into the effectiveness of their internal controls, and it wasn’t even technically feasible. With $200,000-per-gigabyte storage and processing power limitations, on-premise systems maxed out just capturing journal entries and rolling them up to ledger balances.

Today is a different story. In the current business climate of heightened corporate accountability, governance can no longer be an afterthought. Without the right controls and governance in place, businesses can suffer serious consequences.

Legacy finance vendors have responded to this need by acquiring new technologies and bolting them to their stacks. However, this “aftermarket” approach comes with a number of drawbacks that create the potential for significant errors and risks. In more detail, this approach is:

• Inefficient. Aftermarket controls add weight to processes that were never designed to handle the load, resulting in “dim-the-lights” performance. As a result, users often turn off system controls and manage compliance manually.
• Hard to document. Legacy software requires manual documentation of controls via spreadsheets, written descriptions, and flow diagrams that then must be manually updated.
• Difficult to maintain. The bolted-on controls model never completely connects people with automated business processes, so control parameters—such as which employees can approve what processes—must be manually updated when there are personnel and organizational changes. In addition, security must be managed separately for each system, making it complex and costly to maintain.
• Not comprehensive. Since concepts like workflow arrived many years after legacy systems were designed, a control framework wasn’t core to the system design. Controls had to be individually established for specific processes. This piecemeal approach isn’t comprehensive and means that for any new or adjusted process, control and audit requirements have to be addressed separately.

Today, an enterprise system must have control concepts and capabilities built-in to the foundation. It is literally impossible to layer control on to a pre-existing enterprise system and be able to ensure an effective, comprehensive, documentable, maintainable, and auditable control environment.

That is why our opportunity at Workday to begin with a clean sheet of paper back in 2005 was so crucial. It allowed us to plan and build governance and control at the foundation of our system and address the challenges facing companies head-on. Here’s how we did this:

We built audit and control directly into the fabric of Workday and on top of workflow—our Business Process Framework—so that all business activity would be modeled and governed in a single system

Having everything in one system―finance, HR, and the controls―eliminates a major control risk when there is a disconnect between the system and its users, which is typical with legacy systems. Privacy and security are embedded in the system, prescribing what each person or role can see and do. When a personnel or organizational change occurs, the Workday system knows and automatically adjusts controls with no costly, time-intensive maintenance required. In fact, I would argue that today an effective compliance environment cannot exist unless the entire enterprise system has intimate knowledge of its users, including their roles, permissions, approval limits, managers, and how they fit into the many organizations in which they participate.

Workday’s modern in-memory data architecture enables all system data to be accessible in real time, allowing continuous access to electronic audit evidence. In addition, the system is self-documenting so that every process change is recorded, including who made a change and when it was made. This gives auditors a comprehensive record of all transactions, simplifying the aggregation of financial and operational records necessary to complete both internal and external audits.

Auditors can create reports based on real-time data directly in Workday, so information is always current. Pre-configured auditor reports and dashboards also show trends in real-time (for example, when an increasing number of employees are submitting out-of-policy expense reports) so that any issues can be addressed quickly.

Controls aren’t always the sexiest discussions, but it’s the fruits and veg, not the sugary stuff, that provides the foundation for good health, and governance and control are the foundation for an enterprise system that supports your organization for the long term. Take it from a recovering auditor: These are the areas that separate modern systems like Workday from the legacy systems of “big ERP.”