Protecting the Books in Workday

Protecting “the books” in Workday is about more than turning on security. It is about designing Finance security, Segregation of Duties (SoD) and approval controls so that no single person can manipulate critical transactions end‑to‑end, while finance teams can still close the books on time. Workday provides a strong internal control framework—role-based security, domain policies, business process security and audit capabilities—but the value comes from how they are combined.​

This guide walks through practical patterns Workday practitioners use to protect financial data without locking down the system.

Understand the Workday security model for finance

Workday security has three main layers that matter for finance:​

• Security Groups and Roles
  • Role-Based Security Groups (RBSGs): group users by role (for example, AP Specialist, GL Accountant, Cash Manager, Financial Analyst).​
  • User-Based Security Groups: for specific high‑privilege users (for example, Workday Finance Admin).
  • These groups determine who can access which data and tasks.
• Domain Security Policies
  • Control access (view, modify, report, integration) to data domains like Journals, Supplier Invoices, Banking, Revenue, Assets.​
  • Govern what data users can see and change—core for protecting the books.
• Business Process Security Policies
  • Control who can initiate, approve, review and cancel steps in financial processes such as Create Supplier Invoice, Create Journal, Bank Settlement, Asset Disposal.​

Together, these determine who can do what, to which data, and in which process steps. Designing them intentionally is what keeps financial controls strong.​

Build segregation of duties into the model

Segregation of Duties (SoD) is about ensuring no single user can both initiate and complete high‑risk financial activities (for example, create a supplier and pay them, or create a journal and post it).​

Key SoD principles for Workday Finance:

• Separate setup from execution
  • Different roles for configuring Suppliers vs processing Supplier Invoices.
  • Separate bank account maintenance from payment processing.​
• Separate initiation from approval
  • The person who creates a journal, invoice, payment or asset disposal should not be the only person who can approve or post it.​
• Limit “super user” roles
  • Avoid giving broad finance admin roles to many users. Restrict them to a very small, monitored group.​

Practical steps:

• Define a SoD rule set for finance that lists incompatible duties (for example, “Create Supplier” + “Approve Payment”, “Create Journal” + “Approve Journal”).​
• Map those rules to Workday security groups and business process roles to ensure no single user holds conflicting roles.​
• Use tools (Workday reports or marketplace/partner apps) to continuously scan for SoD conflicts in assignments.​

SoD should be a design constraint from the beginning, not a cleanup exercise after go‑live.​

Approval controls: business processes that actually protect value

Workday’s Business Processes are where you embed practical approval controls for finance. The aim is to design workflows that:

• Enforce SoD (no self‑approval of high‑risk steps).
• Provide visibility to the right stakeholders.
• Do not create unnecessary bottlenecks.​

Examples:

• Supplier Invoices
  • Initiation by AP or employees (for invoice requests).
  • Approval by cost center managers or project owners based on Worktags and thresholds.
  • Optional second-level approval for invoices over certain amounts or for sensitive Spend Categories.​
• Journals
  • Initiation by GL Accountants or specific business units.
  • Approval and posting by a different user or by Controllers based on amount or account type.​
• Bank Payments / Settlements
  • Payment runs initiated by AP or Treasury.
  • Approval of payment batches by authorized signers, potentially with dual approval for large batches.​

Design tips:

• Configure conditional steps so approvals vary by company, region, threshold or Worktag (for example, certain Spend Categories always require Finance review).​
• Use routing rules to avoid initiators approving their own high‑risk actions.​
• Keep the number of approval steps minimal but meaningful; too many steps encourage pressure to bypass controls.

Approved business process histories become part of your audit trail, so they are as much a control as domain security.​

Use tools and automation for SoD and control monitoring

Given how dynamic Workday roles and organizations can be, manual SoD monitoring quickly becomes unsustainable. Many organizations use:

• Workday’s own reporting and audit tools
  • Custom reports to analyze domain and business process security assignments against SoD rules.​
  • Dashboards to visualize high‑risk access, recent changes and audit findings.​
• Marketplace and partner solutions
  • SoD and sensitive access apps in Workday Marketplace (for example, Segregation of Duties and Sensitive Access solutions) to detect conflicting access.​
  • Partner tools like PwC, KPMG, Pathlock or Kainos to automate risk analysis, rulesets and continuous monitoring.​​

Best practices:

• Run SoD analysis after major org or role changes, not just annually.​
• Document and approve exceptions (for example, in small entities) with compensating controls like extra approvals or post‑transaction review.​
• Include SoD and finance security in your internal audit plan and test it regularly.​

Automation reduces the risk that quietly accumulating access conflicts undermine your internal control environment.​

Make security and controls usable for finance

Controls fail when they fight day‑to‑day work. To avoid this:

• Design with finance users in the room
  • Involve Controllers, AP, AR, Treasury and FP&A in shaping roles and approvals so they match reality.​
• Keep roles meaningful and comprehensible
  • Use clear naming for finance roles (for example, “AP Specialist – US”, “GL Accountant – EMEA”) instead of generic names that confuse ownership.​
• Train on “why,” not just “how”
  • Explain to finance teams how security groups, SoD and approvals protect them and the organization (fraud prevention, audit readiness, reputation).​
  • Show how to read business process histories and audit logs when investigating issues.​

When finance understands and supports the control design, “no access” becomes a signal to fix role design, not to bypass the system.

Protecting the books in Workday is ultimately about balance: designing Finance security, SoD and approval controls robust enough to satisfy auditors and regulators, but streamlined enough that month‑end still closes on schedule. When roles, domains, business processes and monitoring work together, Workday turns into a controlled, transparent platform where financial integrity is built into every transaction.