Yoetz.ai Team May 14, 2026 11 min read

Workday Separation of Duties (SoD): The 2026 Audit Guide

Separation of Duties (SoD) is the control that stops the same person from initiating and approving a sensitive transaction — hiring themselves, paying themselves, granting themselves access, or moving money to themselves. In Workday, SoD is enforced across Security Groups, Domain Security Policies, and Business Process Security Policies. This guide explains the conflicts auditors actually test for, why manual SoD reviews miss most of them, and how to automate detection across HCM, Payroll and Financials.


What Separation of Duties means in Workday

SoD in Workday is not a single switch. It's the combined effect of three layers: which Security Groups a worker belongs to, what those groups can do (Domain Security Policies — Get/Put/Modify), and what those groups can approve (Business Process Security Policies — Initiate/Approve/Review). A real SoD conflict is when one worker (directly or through a Role-Based group) holds two policy permissions that should never sit in the same pair of hands.

The conflicts auditors test most often

In HCM: Hire + Approve Hire, Compensation Change + Approve Compensation, Add Job + Assign Pay Group. In Payroll: Maintain Pay Component + Run Pay Calculation, Enter One-Time Payment + Approve One-Time Payment, Maintain Payroll Input + Settle Payroll. In Financials: Create Supplier + Approve Supplier Invoice, Initiate Journal + Approve Journal, Maintain Bank Account + Settle Payment. In Security itself: Assign Security Group + Approve Security Group Assignment (the conflict that lets one person silently expand their own access).

Why manual SoD reviews miss most conflicts

Manual reviews export Security Group membership and Domain Security Policy assignments to spreadsheets, then VLOOKUP them against a static SoD matrix. The matrix rarely covers Business Process security (where Initiate/Approve conflicts actually live), almost never covers indirect assignment through Role-Based groups inherited from supervisory organizations, and is never re-run between quarterly audits. The result: real conflicts hide in the gap between the layers.

How an automated SoD scan works

An automated Workday security audit walks every Security Group, expands its members (including indirect role-based assignment), maps the group to every Domain Security Policy and Business Process Security Policy it touches, and intersects the result with the SoD matrix. Every conflict is returned with the worker name, the conflicting permission pair, the security groups that grant each side, and the remediation step (move one permission to a separate group, add a compensating approval, or constrain the role).
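The walk described above, as an added example in Python (not Yoetz.ai's code) over constructed data: direct and role-based membership are expanded into each worker's effective Security Groups, the Domain and Business Process permissions of those groups are gathered per worker, and the result is intersected with the SoD matrix, reporting which group grants each side of a conflict. Every group name, policy string, organization and worker ID is constructed for the example.

```python
from collections import defaultdict

# Constructed sample tenant data for this example (not a Workday export).
DIRECT_MEMBERS = {                      # Security Group -> directly assigned workers
    "HR Partner": {"W001", "W002"},
    "Payroll Administrator": {"W003"},
}
ROLE_ASSIGNMENTS = {                    # Role-Based group -> supervisory org -> role holders
    "Manager": {"Org-Sales": {"W002"}, "Org-Finance": {"W003"}},
}
GROUP_PERMISSIONS = {                   # group -> "<Domain|BP>:<policy>:<action>"
    "HR Partner": {"BP:Hire:Initiate", "Domain:Worker Data - Compensation:Modify"},
    "Manager": {"BP:Hire:Approve", "BP:Compensation Change:Approve"},
    "Payroll Administrator": {"Domain:Pay Component:Modify", "BP:Run Pay Calculation:Initiate"},
}
SOD_MATRIX = [                          # permission pairs one worker must never hold together
    ("BP:Hire:Initiate", "BP:Hire:Approve"),
    ("Domain:Pay Component:Modify", "BP:Run Pay Calculation:Initiate"),
]

def expand_members(direct, roles):
    """Worker -> effective Security Groups, direct plus inherited role-based."""
    groups_of = defaultdict(set)
    for group, workers in direct.items():
        for w in workers:
            groups_of[w].add(group)
    for role, orgs in roles.items():           # role holders inherit the group
        for workers in orgs.values():
            for w in workers:
                groups_of[w].add(role)
    return groups_of

def find_conflicts(direct, roles, perms, matrix):
    """Intersect each worker's effective permissions with the SoD matrix."""
    findings = []
    for worker, groups in sorted(expand_members(direct, roles).items()):
        granted = defaultdict(set)             # permission -> groups granting it
        for g in groups:
            for p in perms.get(g, ()):
                granted[p].add(g)
        for left, right in matrix:
            if left in granted and right in granted:
                findings.append({"worker": worker, "pair": (left, right),
                                 "left_groups": sorted(granted[left]),
                                 "right_groups": sorted(granted[right])})
    return findings

if __name__ == "__main__":
    for f in find_conflicts(DIRECT_MEMBERS, ROLE_ASSIGNMENTS, GROUP_PERMISSIONS, SOD_MATRIX):
        print(f["worker"], f["pair"], f["left_groups"], f["right_groups"])
```

Note that W002's conflict only appears because the Manager group is reached through a supervisory-organization role, the indirect path a spreadsheet review of direct membership misses, while W003's conflict sits entirely inside one group.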

Compensating controls when full SoD isn't possible

In small HR or finance teams, one worker often has to hold both sides of a conflict. The audit-acceptable answer is a compensating control: a mandatory second-approver step on the Business Process, a downstream audit report owned by a different function, or a time-boxed elevated-access window with after-the-fact review. Yoetz.ai flags the conflict and the compensating control together so auditors can see both halves of the evidence.

SoD evidence auditors expect (SOX, ISO 27001, SOC 2)

SOX §404 ITGC, ISO 27001 A.5.3, and SOC 2 CC6.3 all require evidence that SoD is tested at a defined frequency — not just designed. Acceptable evidence is a timestamped report listing every conflict, the worker affected, the remediation status, and the date of the next test. Automation produces this artifact on every scan; manual reviews rarely do.

Getting started

Run a free Yoetz.ai scan against your Workday tenant. The security category returns the full SoD conflict list across HCM, Payroll, Financials and Security domains in under two hours, with remediation steps for every finding.

Frequently asked questions

Does this work with Pathlock, SailPoint, or Saviynt?

Yes. Yoetz.ai runs natively against the Workday tenant, so it complements identity-governance tools that focus on cross-application SoD. Findings can be exported and fed into a Pathlock or SailPoint ruleset.

How many SoD rules does Yoetz.ai ship with?

The default library covers 200+ Workday-native SoD rules across HCM, Payroll, Financials and Security. Customers can add custom rules for their own compliance program — common additions are union-contract rules and country-specific payroll segregation.

Will a scan disrupt the live Workday tenant?

No. All scans are read-only and run against an Integration System User with the minimum Get/View permissions needed. There is no Put, Modify or Business Process initiation.
