Workday SOX Audit Prep: The 12 Controls Auditors Always Check
SOX audits of a Workday tenant test essentially the same set of IT general controls year after year, and the 12 below are the ones that come up in every audit. The difference between a clean audit and a finding is having the evidence ready in the format the auditor expects. Here is each control, the test procedure, and the Workday report that satisfies it.
Control C1 — User access provisioning
Evidence: 'New Hire' BP completion records for a sample of joiners, plus 'View Worker Security Profile' for each. The auditor verifies that access was granted within the policy window and that the security groups assigned match the worker's role.
Control C2 — Deprovisioning
Evidence: termination date compared with the account deactivation timestamp from 'View Worker' for a sample of terminated workers. A deactivation that lags the termination date by more than 24 hours (or whatever window the access policy defines) is the single most common finding in this control set, so reconcile the two dates yourself before fieldwork.
Control C3 — Privileged access review
Evidence: quarterly attestation of HR Admin, System Admin, and Security Admin group membership. Run 'View Members of Security Group' for each and have the data owner sign off.
Control C4 — ISU access scope
Evidence: 'View Integration System User' for every ISU, plus the domain list of the Integration System Security Group (ISSG) each one belongs to. Each integration needs a documented business justification for the domains it can reach; an ISU with broader access than its integration requires is a finding.
Control C5 — ISU UI session restriction
Evidence: every ISU shows 'Do Not Allow UI Sessions' = checked, so a leaked or shared ISU credential cannot be used to log in interactively. A blank or unchecked value on any ISU is an exception, not a neutral default.
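A pre-check for C2 and C5, added here as an example and not taken from Workday, Yoetz.ai, or the original article: it reads CSV exports of the terminated-worker sample and the ISU list and returns the rows an auditor would write up. The column names, date formats, the 24-hour window, and the sample rows are all assumptions constructed for this example; map them to the fields in your own report exports.

```python
"""Pre-check for control C2 (deprovisioning lag) and C5 (ISU UI sessions).

Added example, not part of the original article or any Workday/Yoetz.ai code.
Column names, date formats and the sample rows below are assumptions, not
Workday's documented field names.
"""
import csv
import io
from datetime import datetime, timedelta, timezone

# Constructed sample export of the terminated-worker sample (not real data).
TERMINATED_CSV = """Employee_ID,Termination_Date,Account_Deactivated
100123,2024-03-01,2024-03-01T18:05:00Z
100124,2024-03-04,2024-03-06T09:12:00Z
100125,2024-03-05,
"""

# Constructed sample export of the integration system user list (not real data).
ISU_CSV = """User_Name,Do_Not_Allow_UI_Sessions,Integration
ISU_Payroll,Yes,Payroll outbound
ISU_Benefits,No,Benefits carrier feed
ISU_Reporting,,Finance reporting extract
"""


def parse_rows(csv_text):
    """Parse a CSV export into a list of dicts keyed by the header row."""
    return list(csv.DictReader(io.StringIO(csv_text)))


def deprovisioning_exceptions(rows, max_lag=timedelta(hours=24)):
    """Return (employee_id, reason) for every terminated worker whose account
    was not deactivated within max_lag of the termination date.

    Assumption: Termination_Date is a calendar date and the policy clock starts
    at 00:00 UTC on that date. Align this with the tenant's written policy.
    """
    findings = []
    for row in rows:
        term = datetime.strptime(row["Termination_Date"], "%Y-%m-%d")
        term = term.replace(tzinfo=timezone.utc)
        deactivated = row["Account_Deactivated"].strip()
        if not deactivated:
            # No deactivation timestamp at all: the account is still live.
            findings.append((row["Employee_ID"], "account still active"))
            continue
        deact = datetime.strptime(deactivated, "%Y-%m-%dT%H:%M:%SZ")
        deact = deact.replace(tzinfo=timezone.utc)
        lag = deact - term
        if lag > max_lag:
            hours = lag.total_seconds() / 3600
            findings.append(
                (row["Employee_ID"], f"deactivated {hours:.1f}h after termination")
            )
    return findings


def isu_ui_session_exceptions(rows):
    """Return the ISUs where 'Do Not Allow UI Sessions' is not explicitly set.

    Anything other than an explicit affirmative (blank included) is treated as
    a finding, because a blank export value means the restriction is absent.
    """
    affirmative = {"yes", "true", "1", "checked"}
    return [
        row["User_Name"]
        for row in rows
        if row["Do_Not_Allow_UI_Sessions"].strip().lower() not in affirmative
    ]


if __name__ == "__main__":
    for emp, reason in deprovisioning_exceptions(parse_rows(TERMINATED_CSV)):
        print(f"C2 exception: {emp}: {reason}")
    for isu in isu_ui_session_exceptions(parse_rows(ISU_CSV)):
        print(f"C5 exception: {isu}: UI sessions not blocked")
```

Run it against the real exports before the auditor does: the C2 function produces the exception list the auditor will build by hand from the terminated sample, and the C5 function catches the blank-value case that a visual skim of the ISU list tends to miss.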
Control C6 — Integration monitoring
Evidence: 'View Integration System' showing alert subscribers configured; 'Integration Audit' showing failed-run response.
Controls C7–C12
- C7 — Change management: Preview-to-Production promotion records matched to the approved change tickets.
- C8 — SoD: 'Compare Security Permissions' across the groups whose combination would create a conflict.
- C9 — Authentication: password policy settings and the ISU credential rotation log.
- C10 — BP security: 'Business Process View' for each material transaction type, showing who can initiate and approve.
- C11 — Calculated field validation: 'All Calculated Fields' report showing Has Errors = No for every field used in financial reporting.
- C12 — Vendor SOC report review: Workday's SOC 1 Type II report, plus evidence that the complementary user entity controls it lists are in place in your tenant.
How to bundle all 12 in one evidence package
Run a Yoetz.ai scan. The export contains one row per control, the test procedure, the Workday source, and the result. Hand it to the auditor on day one of fieldwork.