To combat these shortcomings, Workday started with one fundamental governance principle: You cannot create governance and control via audit. You can test for them, but you can’t create them. Even cursory reads of governance frameworks such as COBIT and COSO make it very clear that to establish an effective governance environment, control concepts and capabilities must be woven into the very fabric of the system. It is literally impossible to layer control software onto a pre-existing enterprise system and to ensure an effective, comprehensive, documentable, maintainable, economical and auditable control environment.
These characteristics must be purposely developed and built into the system from the beginning, which is why the opportunity for Workday to begin with a clean sheet of paper was so crucial to our approach to governance. Essentially, it afforded us the opportunity to build control and governance into the core of our system. Here are the five key elements we used to design Workday Financial Management and that, we believe, are necessary for financial systems to meet the compliance needs of modern businesses:
Controls that map to business process frameworks: All business event activity should be modeled and governed within a dedicated business process framework (BPF). Nothing should move unless it is modeled within the BPF.
Unified with the user system-of-record: An effective compliance environment is possible only if the entire enterprise system has intimate knowledge of the users and their roles, permissions, approval limits, and managers, and how they fit into their many organizations. The “worker” object should not be an HR thing separate from finance; it must be a “business thing” shared by finance and HR systems.
Self-documenting: Business processes come defined and documented in Workday’s BPF tool. Any process change is done in the tool so the processes are self-documenting. And since the information is unified across the system, this documentation includes who made the change and when.
Always-on audit: Modern in-memory data structures allow all system data to be accessible at any time and in real time, allowing continuous access to audit evidence. Traditionally, auditing has mostly focused on evaluating the past and ensuring compliance.
Audit the model not the transaction: Transaction testing is often the primary cost driver for audit effort and fees. Legacy systems did not incorporate a true comprehensive governance model and so required significant detail for transaction testing. A system based on a unified control and governance framework supports the much more efficient and effective “test the model” approach.
While discussions around governance and control may not be the most exciting part of finance, governance and control are something that organizations must get right. Successful delivery of governance and control can make a huge long-term difference in enterprise systems, and play a big role in what separates new systems and approaches from legacy ERP systems.
Read part four in Mark Nittler’s blog series, “Partner Perfect: How the Finance Team Can Help Guide Business Strategy.”