Denver has successfully addressed many of the user-access deficiencies in Workday, the city's accounting and human resources software, according to a follow-up report from Denver Auditor Timothy O’Brien.
The original audit, released in April 2019, found that since Denver began using Workday in 2017, the city had not put in place documented policies for user access and that agencies had inconsistent procedures for adding new users. There was also a lack of periodic reviews of user access to Workday. The software is cloud-based, and any of the city’s 13,000 employees can access it online.
Auditors noted in the new report that the city has since established a committee to oversee Workday policies, which satisfied one of the office’s recommendations. In late 2019, there was a review of user accounts, and the oversight committee has developed guidelines for mitigating risk that stems from unauthorized user access. The guidelines specify who is charged with disabling user access when an employee leaves their city job.
However, the Technology Services agency did not implement a recommendation about “complementary customer controls,” which the original audit referred to as measures to address the security of user data.
“Even though Technology Services personnel told us they are not reviewing the complementary customer control considerations on an annual basis as they had agreed to last year, they provided evidence that Technology Services performs annual risk reviews of the Workday service organization controls report,” auditors wrote. O’Brien’s office countered that it was difficult to tell what the person reviewing the system was doing, and reaffirmed the recommendation.