I would like to start by saying you should always consult your legal or compliance team to ensure changes you make to your tenant are compliant with your company’s policies and requirements. This article is based on my experiences as both an HR rep and business consultant within this space and is intended to inform and ease the stress of compliance.
What is SOX compliance and does it impact my company?
The Sarbanes-Oxley Act went into effect in 2002 because companies like Enron, WorldCom, and Tyco falsified financial records to make their companies look like they were doing better than they really were. Compliance is required of all publicly traded companies.(1)
What does a normal cycle of SOX auditing look like?
SOX compliance requires a series of controls and processes in place that ensure nobody can sneak off with money that they aren’t supposed to have and not have it reported. To ensure companies are doing what they say they will do to be compliant, there are quarterly reviews of transactions that occurred within the quarter. A first round of auditing is completed by internal auditors, who try to find and address any issues and present a thorough documentation of the completed audit to the external auditors (who are required to report any issues to the government).
What are the core components of SOX compliance?
There are 3 main parts that make up SOX compliance:
- Segregation of duties – making sure that if one person enters data (specifically compensation changes), another person audits or approves that data entry to ensure it is valid
- Data protection – ensuring there is a limited number of people who have access to PI (Personal Information) and compensation details
- Quarterly audits – ‘lucky’ representatives from different organizations of a company are required to pull data samples for SOX auditors to review
What is GDPR compliance and does it impact my company?
The General Data Protection Regulation came into effect on May 25, 2018 to provide EU employees protection for their personal data. Any company that is or was operating in the EU, and any company that currently has or previously had employees based in the EU, needs to comply with GDPR.(2)
What are the requirements for GDPR compliance?
There are strict requirements about who can sign in as another user (even when testing in an IMPL or sandbox tenant), so SSO (Single Sign-On) is normally required by your legal department. Companies are also required to restrict access to PII (Personally Identifiable Information) and to report any data breach incident within 72 hours.
What is CCPA compliance and does it impact my company?
The California Consumer Privacy Act (CCPA) went into effect on January 1, 2020 and, similar to the General Data Protection Regulation, it is intended to give California residents the right to know what personal data is collected by companies, to opt out of the sale of their information, to request that their information be deleted, and the right to non-discrimination in how much they pay for a service or good.(3) California residents can also request an account of all personal data collected (biometric information, internet activity, personal identifiers, educational information, and more) within the prior 12 months. Any company “of any size that have personal data on at least 50,000 people or that collect more than half of their revenues from the sale of personal data” is required to comply.(4)
What are the requirements for CCPA compliance?
Requirements are focused on providing information from the past 12 months about what type of personal data was collected about the California resident and where it has been shared or stored as well as deleting personal information or ceasing sharing information with third parties.
The scope of the type of data that is tracked is more granular and inclusive than GDPR requirements and the list is long.
How can I ensure my Workday tenant is compliant?
- Review and revise your business processes (bps) – for any bps that handle compensation, make sure that one person enters the data and there is an approval step following (that is completed by a role that did not enter the data). Be mindful of any review steps where someone is able to make changes after the initiator. Make sure that anyone who can review a change on a business process is appropriate to do so (like a receiving manager or HR Partner for a transfer) and a final approval follows. And whenever you swap out recipients on a review or approval step of a business process, always double check what they can see to ensure that they can see what they need to and they don’t have more security access than they truly need.
- Create and use audit reports – there are Standard Reports available by Workday (see list below at the end of this blog) that may meet your needs for audits, but you’ll likely need to create a couple of custom reports to cover the gaps in existing Workday reports. For SOX compliance, you’ll need reports that show who has what security groups and when those changes were made, as well as what access those security groups have (i.e. domain and business process security policy access). For GDPR compliance, you’ll need to create purge reports that pull all data fields and/or documents that need to be purged from worker accounts after termination or creation of the data or document (according to GDPR timing requirements).
- Audit security access and have a clear approval process for granting new security to users – part of SOX compliance is to review who has what security group assignments and explain why new people were granted that access. So it’s helpful to have a go-to report to run for auditors that pulls in security changes and a full list of all users who have what security groups. It’s also good to establish a clear approval process to follow when someone requests additional security. For example, if someone requests Security Admin access, that grants a lot of system-wide access and you would likely want to question the request and clearly document the request, approval, and reason for approval (i.e. the person is a new HRIT rep who needs this security group to do their job). Lastly, it’s also a good idea to do a thorough audit of all domain and business process security access for all security groups (at least once, if not annually) to ensure the list of people who can see PI and PII are truly limited.
- Document changes – while reports and audit histories can capture a lot of changes, Workday isn’t always clear in its descriptions, so it’s a good idea to take screenshots of changes to business processes and include the date and time in the corner of your screen to validate when the change was made.
- Set up SSO (Single Sign-On) or 2FA (Two-Factor Authentication) – turning on these settings and making them required for all users is a good way to meet GDPR compliance requirements. Keep in mind that you will need to whitelist ISU accounts used in integrations so they aren’t prevented from running as usual, and that you’ll need one account whitelisted in case your SSO provider goes down and people need to get into Workday to temporarily change the SSO settings.
- Review Data Being Transmitted on Integrations – understand what type of data is being transmitted to third parties (like benefits carriers or other service providers) and ensure it’s clearly documented how those companies are using and storing that information. See if all fields are absolutely required on the integrations for the other parties or if you can reduce the amount of data that is being transmitted.
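The segregation-of-duties check in the first bullet and the security-change review in the third bullet can be run against report exports rather than by eye. The script below is an added example, not Workday’s own code or a Workday API: it assumes two custom reports have been exported to CSV with the column names shown (assumed names, not standard Workday columns), and the rows are constructed samples. The list of privileged security groups is also an assumption you would replace with your own.

```python
"""Segregation-of-duties and security-change checks over report exports.

Added example, not Workday's own code. Assumes two custom reports exported
to CSV with the column names below (assumed); sample rows are constructed.
"""
import csv
import io

# Constructed sample: one row per completed compensation-related business process event.
COMP_EVENTS_CSV = """event_id,business_process,worker,initiated_by,approved_by,completed_on
E-1001,Request Compensation Change,Ana Ruiz,jsmith,mlee,2024-04-03
E-1002,Request Compensation Change,Bo Chen,jsmith,jsmith,2024-04-09
E-1003,Change Job,Cy Dorn,kpatel,,2024-04-12
E-1004,Hire,Di Evans,kpatel,mlee,2024-04-20
"""

# Constructed sample: security group assignment changes made during the quarter.
SECURITY_CHANGES_CSV = """changed_on,user,security_group,action,changed_by,ticket
2024-04-02,mlee,Security Administrator,Added,admin1,CHG-210
2024-04-15,rfox,Compensation Partner,Added,admin1,
2024-05-01,tnguyen,HR Partner,Removed,admin2,CHG-233
"""

# Assumed: security groups whose assignment requires a documented, approved request.
PRIVILEGED_GROUPS = {"Security Administrator", "Compensation Partner"}


def read_rows(csv_text):
    """Parse a CSV export into a list of dicts keyed by column header."""
    return list(csv.DictReader(io.StringIO(csv_text)))


def sod_violations(events):
    """Return (event_id, reason) for events that fail segregation of duties:
    either nobody approved the change, or the initiator approved their own entry."""
    findings = []
    for e in events:
        approver = e["approved_by"].strip()
        if not approver:
            findings.append((e["event_id"], "no approval recorded"))
        elif approver == e["initiated_by"].strip():
            findings.append((e["event_id"], "initiator approved own change"))
    return findings


def undocumented_privileged_grants(changes):
    """Return 'user:group' for privileged groups added without a ticket reference,
    i.e. grants an auditor will ask you to explain and that you cannot evidence."""
    return [
        f"{c['user']}:{c['security_group']}"
        for c in changes
        if c["action"] == "Added"
        and c["security_group"] in PRIVILEGED_GROUPS
        and not c["ticket"].strip()
    ]


if __name__ == "__main__":
    for event_id, reason in sod_violations(read_rows(COMP_EVENTS_CSV)):
        print(f"SoD finding: {event_id} - {reason}")
    for grant in undocumented_privileged_grants(read_rows(SECURITY_CHANGES_CSV)):
        print(f"Undocumented privileged grant: {grant}")
```

Run it each quarter against the two exports and keep the output with the quarter’s audit folder; the two findings it raises on the sample data (an initiator approving their own compensation change, and a privileged group added with no ticket reference) are exactly the cases the bullets above say an auditor will ask about.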
What are general compliance practices to follow?
- Always have checks and balances – someone to make sure changes are accurate and approved before they are released in production.
- Be organized and document key changes – have secured folders broken out by quarter where you can save documentation of change requests and screenshots of changes for that quarter to make your audits easier.
- Consistent documentation – require everyone (consultants and employees) to collect and document approvals for configuration and security changes made in a production tenant and ensure ample screenshots are collected for audit purposes.
- Question security requests – don’t blindly grant a security request for more access just because they asked nicely. Take a minute to question and understand the real need (is it temporary or permanent? Will this give them access to PI or PII? What can they see or do to another worker’s account in Workday?) and make sure their manager is aware of and approves the request, as well as anyone else who should be informed of or approve the access change.
- When in doubt, check with legal – if you’re not sure if a practice is compliant or if an event is a data breach, always ask your legal team for guidance. They’ll know if a change or action is needed and how it applies to your company specifically.
To recap, compliance doesn’t have to be scary or a dirty word. If you break it down into core concepts and think about how you can support those concepts in Workday, it makes it easier to digest. Think about who can make changes, who is auditing or approving security changes and compensation changes, who has access to what data, and how you can report on those changes and the people who have access to make those changes or see PII.
For SOX compliance, the following Workday standard reports may come in handy:
- All Workday Accounts - your SOX auditors likely want to make sure that people who have termed no longer have access to Workday and that their access was shut off in a reasonable timeframe. This standard report gives a full list of all accounts, their status (disabled or expired), password age, and if the account is locked. They may use this as a base each quarter and compare it against the last quarter’s results to identify any changes.
- Role Assignment Permissions - this report shows which security group can administer each organization role. But keep in mind that this doesn’t include User Based Security Groups or non-role-based security groups, so you may want to create a custom report that covers all security group types.
- Business Process Security Policy History - your auditors may ask to see a history of all changes made to the Hire, Request Compensation Change, Change Job, and other bps where compensation can be assigned or changed. It’s a slightly more user friendly way to run the audit trail on a business process.
- Security History for User - if your auditors find someone who was given access that they shouldn’t have, they may ask you to run an audit to see when they were assigned the security group. This report would help you see those details for the worker individually along with who made the change and the time stamp.
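The quarter-over-quarter comparison described under All Workday Accounts is easy to automate once the report is exported. The script below is an added example, not Workday’s own code: it assumes the standard report was exported to CSV at the end of each quarter with the column names shown (assumed, not Workday’s actual column headers), that you also have a list of terminations with their dates, and that your policy allows a fixed number of days to disable an account after termination. All rows and the grace period are constructed assumptions.

```python
"""Quarter-over-quarter comparison of an 'All Workday Accounts' export.

Added example, not Workday's own code. Assumes CSV exports with the column
names below (assumed) and a separate termination list; rows are constructed.
"""
import csv
import io
from datetime import date, timedelta

# Constructed sample: last quarter's export.
LAST_QUARTER_CSV = """user_name,worker,account_status,locked
jsmith,Jo Smith,Enabled,No
mlee,Mia Lee,Enabled,No
rfox,Ray Fox,Enabled,No
tnguyen,Tam Nguyen,Disabled,No
"""

# Constructed sample: this quarter's export.
THIS_QUARTER_CSV = """user_name,worker,account_status,locked
jsmith,Jo Smith,Enabled,No
mlee,Mia Lee,Enabled,Yes
rfox,Ray Fox,Enabled,No
tnguyen,Tam Nguyen,Disabled,No
kpatel,Kai Patel,Enabled,No
"""

# Constructed: terminations processed during the quarter (user_name -> termination date).
TERMINATIONS = {"rfox": date(2024, 5, 10), "tnguyen": date(2024, 4, 2)}

# Assumed policy: an account must be disabled within this many days of termination.
GRACE_DAYS = 3


def read_accounts(csv_text):
    """Index an export by user name so the two quarters can be joined."""
    return {r["user_name"]: r for r in csv.DictReader(io.StringIO(csv_text))}


def status_changes(previous, current):
    """List accounts that appeared, disappeared, or changed status/lock state
    between the two exports; these are the rows an auditor will ask about."""
    changes = []
    for user in sorted(set(previous) | set(current)):
        before, after = previous.get(user), current.get(user)
        if before is None:
            changes.append((user, "new account"))
        elif after is None:
            changes.append((user, "account no longer listed"))
        else:
            old = f"{before['account_status']}/{before['locked']}"
            new = f"{after['account_status']}/{after['locked']}"
            if old != new:
                changes.append((user, f"{old} -> {new}"))
    return changes


def terminated_but_enabled(current, terminations, as_of):
    """Terminated workers whose account was still enabled on the report date
    more than GRACE_DAYS after their termination."""
    findings = []
    for user, term_date in sorted(terminations.items()):
        acct = current.get(user)
        if (
            acct is not None
            and acct["account_status"] == "Enabled"
            and as_of - term_date > timedelta(days=GRACE_DAYS)
        ):
            findings.append(user)
    return findings


if __name__ == "__main__":
    prev = read_accounts(LAST_QUARTER_CSV)
    curr = read_accounts(THIS_QUARTER_CSV)
    for user, what in status_changes(prev, curr):
        print(f"Changed: {user} - {what}")
    for user in terminated_but_enabled(curr, TERMINATIONS, date(2024, 6, 30)):
        print(f"Terminated but still enabled: {user}")
```

On the sample data the comparison surfaces one new account and one newly locked account, and the termination check flags a worker terminated in May whose account was still enabled at quarter end, which is the “access shut off in a reasonable timeframe” question the report exists to answer.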
For GDPR compliance and audits, the following Workday standard reports may come in handy:
- View Proxy Access Policy - your auditors may ask to see who can proxy as whom and in which environments. This shows the security groups at play, and you’d have to run another report to identify the individuals with those security groups. Note - nobody is able to proxy as another person in production, so that’s always an easy “not possible” answer when they ask you who can do that.
- View Purge Plan - your legal and compliance team will want to see any purge reports and purge plans that you have to ensure you’re meeting data purge requirements for all applicable countries. This report will let you look at individual purge plans and the reports associated with them.
- View Security Health Checkup - this identifies areas where your tenant may have potential gaps in access to Workday (like not utilizing SSO or multi-factor authentication). Your legal team may require that users cannot sign in directly to Workday and that every person must use single sign-on or multi-factor authentication to ensure that nobody can sign in as anyone else (even in IMPL tenants), and this report would call out whether those features are in use.